All,
I am sure that there are roadblocks that we're all going to run into, at one time or another, when it comes to performing forensic analysis on Windows systems. That being the case, I'm wondering…what are the things you've run into or stumbled over? What are those things you wish you knew more about, had some available documentation on, but simply did not have the time to research?
Was there a case in which you needed to tie some information together, but didn't know how? Was there something that caught your attention during a case, and you wished you had the time to research it?
Post those projects, thoughts, ideas, and questions. Others are going to run across them at one time or another.
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
Good topic. I've included a link to it in the newsletter…
Jamie
I don't know about that…it may not be all that good…so far, no responses.
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
I agree with keydet89.
I sure will post the challenges I have come across and also some follow-up that I can't seem to find time for.
I also wanted to share a good site.
http://forensictracer.com/
I have some unused credits left that I might lose after my monthly allotment. Please let me know if I can test something for you. Put the credits to good use rather than losing them.
Here is one
I think an md5 collection of malware like keyloggers and backdoors is very useful. I see several uses for it. Making one (and maintaining it) costs too much time for one person.
Djazz,
Maintaining hash libraries is something that's already been addressed…for quite a while, and by many folks. These links should get you started
http//
http//
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Hi,
Thanks for the links, but I know how to make hash collections 😉 and that was not what I meant and wrote.
I was talking about making and maintaining a collection of 'known bads' instead of 'known goods'. For instance, I think that there are several hundred keylogger programs. I don't have the time and resources to make an md5 collection of these.
That is a roadblock for me….
I think we all encounter these kinds of malware in our investigations and there should be a way to share this information with others.
grtz
I was talking about making and maintaining a collection of 'known bads' instead of 'known goods'.
I think that one of the reasons the links for NSRL and NIST got to "known goods" is because that's a more finite and readily accessible list.
I think we all encounter these kinds of malware in our investigations and there should be a way to share this information with others.
I agree with you about encountering it, though I haven't in a while and not with anything recent. There is, however, a way to share this information…when you find something, post it. Create a web site, FTP site, whatever. I've done this with Registry keys…there's nothing stopping anyone else from doing the same with "known bad" hashes.
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
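The "known bad" hash list discussed above (Djazz's idea and the suggestion to just post what you find) is simple enough to prototype. The following is an added example, not code posted by anyone in this thread: a small Python tool that builds a shareable hash list, reloads it, and scans a directory against it. The `md5,sha256,label` line format is an assumption of this example, and the "keylogger" sample is a constructed byte string, not a real binary. It also records both MD5 and SHA-256 so that a match on SHA-256 can be reported as stronger than an MD5-only match, since MD5 collisions are practical to manufacture.

```python
"""Known-bad hash list: build, share as text, reload, scan (added example, not from the thread)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large files need not fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, hashing all algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def format_hash_set(entries):
    """Serialise [(md5, sha256, label), ...] into the assumed shareable text form."""
    lines = ["# md5,sha256,label"]
    for md5, sha256, label in entries:
        lines.append(f"{md5},{sha256},{label}")
    return "\n".join(lines) + "\n"


def parse_hash_set(text):
    """Parse the text form into two lookup tables: {md5: label} and {sha256: label}.
    Comment lines and malformed lines are skipped so a shared list cannot crash the scanner."""
    by_md5, by_sha256 = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed line: ignore rather than abort
        md5, sha256, label = parts
        by_md5[md5.lower()] = label
        by_sha256[sha256.lower()] = label
    return by_md5, by_sha256


def scan_directory(root, by_md5, by_sha256):
    """Hash every file under root and report (name, label, strength) for each known-bad hit.
    A SHA-256 hit is reported as 'sha256'; a hit on MD5 alone is flagged 'md5-only'."""
    matches = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digests = hash_file(path)
        if digests["sha256"] in by_sha256:
            matches.append((path.name, by_sha256[digests["sha256"]], "sha256"))
        elif digests["md5"] in by_md5:
            matches.append((path.name, by_md5[digests["md5"]], "md5-only"))
    return matches


def demo():
    """Build a known-bad set from a constructed sample, share it as text, reload it,
    and scan a temporary directory holding one 'bad' file and one benign file."""
    bad_bytes = b"CONSTRUCTED SAMPLE: stands in for a keylogger binary\n"
    benign_bytes = b"CONSTRUCTED SAMPLE: an ordinary document\n"
    with tempfile.TemporaryDirectory() as tmp:
        bad_path = Path(tmp) / "klog.exe"
        bad_path.write_bytes(bad_bytes)
        (Path(tmp) / "notes.txt").write_bytes(benign_bytes)
        d = hash_file(bad_path)
        shared = format_hash_set([(d["md5"], d["sha256"], "constructed-keylogger-sample")])
        by_md5, by_sha256 = parse_hash_set(shared)
        return scan_directory(tmp, by_md5, by_sha256)


if __name__ == "__main__":
    for name, label, strength in demo():
        print(f"{name}: matches {label} ({strength})")
```

Running the file prints the single constructed hit. In practice the text produced by `format_hash_set` is the artefact you would publish (web site, FTP, whatever), and anyone can feed it straight into `parse_hash_set` and `scan_directory` on their own evidence tree.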
Regarding projects and interests, I have a number of them, but one that recently popped up was what happens, from a forensics standpoint, to office documents that are protected by digital rights management (DRM). Since these documents are protected by certificates and not just passwords, how would an investigator gain access to the contents? I need to read more about DRM for starters, I suppose. It's definitely a project to explore though.
Wetstone has a program (Gargoyle) that uses a 'known bad' hash set. Quite an expensive program ($1K), but it can be run from a flash drive on a live system, not bad for incident response.