Harlan -
Right now the project du jour is restore point forensics. I'm trying to add a few hours to my days or days to my weeks to get a lot more in-depth into these.
After that, it will probably be getting much more involved with the different flavors of Vista.
I look forward to wherever you go with this.
Tony
Tony,
I covered a great deal regarding XP Restore Point forensics in my book, and on my blog….
Vista and memory analysis are primarily where I'm focusing my efforts…
H
I know. :D The book, and a case I had where restore points became very fruitful, is what started me on exploring more on the subject.
Tony,
> The book, and a case I had…
If you don't mind me asking, what's missing then? What else would you like to know about Restore Points? What gaps need to be filled?
H
Mr. Carvey,
Coincidentally, I just completed your book without recognizing that you were a member here. I really found your book informative and resourceful! I have some feedback on it that I would reserve for a private conversation if you are so willing.
In light of the original conversation "what would we like to know"…
- P2P (who, what, where, why, when) LimeWire, BearShare, Kazaa etc… as part of the Gnutella network, will evidence be stored in similar/same files? What files or reg keys hold valuable information? I have a white paper on LimeWire which is well… just OK.
- How about programs like Skype? I have not had the experience with this type of program yet, however it would be fun to learn more about.
- Investigating SOHOs… for example the perp is using and storing on his neighbor's PC via the neighbor's wireless connection…
- Any good scripts (EnScript or Perl) for carving out multimedia files from unallocated?
I could go on and on…so much to learn so little time!
-
As I work on a case it strikes me….
Aside from traversing the registry for the value "q" (Google search entries), where else might we gather this data quickly and efficiently?
> - P2P (who, what, where, why when) LimeWire, BearShare, Kazza etc…
I suggest that you (the collective "you") load it up, monitor, search, etc.
> - How about programs like Skype?
Same thing…I'm one guy. Most folks want to know about all manner of things, but few are willing to pony up what's necessary to test this kind of thing out, even on loan.
> - Investigating SOHOs… for example the perp is using and storing on his
> neighbor's PC via the neighbor's wireless connection…
From a technical perspective, how is this different from any other investigation?
> - Any good scripts (EnScript or Perl) for carving out multimedia files from
> unallocated?
Not that I've seen, but most folks don't really realize what they're asking for when they raise this question.
> Aside from traversing the registry for the value "q" (Google search
> entries), where else might we gather this data quickly and efficiently?
What data? Data related to Google searches? Why start in the Registry? Start in the Temp Internet Files and web cache…
Hope that helps,
H
Mr. Carvey,
My questions were posed based on the original message…
"What are those things you wish you knew more about, had some available documentation on, but simply did not have the time to research?
Was there a case in which you needed to tie some information together, but didn't know how? Was there something that caught your attention during a case, and you wished you had the time to research it?
Post those projects, thoughts, ideas, and questions. Others are going to run across them at one time or another."
I know the original post was several years ago, but I thought I would add to it. I agree that time and resources are extraordinarily limited, and I may have misinterpreted the message as a request to conduct testing on areas that we (I) don't necessarily have the time to do.
Follow up from yesterday's post:
Me - Any good scripts (EnScript or Perl) for carving out multimedia files from unallocated?
HC - Not that I've seen, but most folks don't really realize what they're asking for when they raise this question.
Me - Can you expand on this? How do most people interpret this statement, and where can they shore up their inquiry?
Me - Aside from traversing the registry for the value "q" (Google search entries), where else might we gather this data quickly and efficiently?
HC - What data? Data related to Google searches? Why start in the Registry? Start in the Temp Internet Files and web cache…
Me - I should have clarified that the TIF and Web Cache are the first places I do search; however, on the rare occasion where I have a case in which little housekeeping has been done on these storage areas, more is required in the way of investigation. This is where a Registry analysis comes in handy.
I appreciate your comments.
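As an added illustration, not part of anyone's post in this thread, of pulling Google search terms out of cached URLs rather than hunting for "q" values in the Registry: the function below extracts the q parameter from a constructed list of URLs of the kind recovered from Temporary Internet Files or browser history. The host check and sample URLs are assumptions for the example; the code makes no claim about any particular cache file format.

```python
"""Extract Google search terms (the "q" parameter) from recovered URLs.

Constructed example: SAMPLE_URLS stands in for URL strings pulled from
Temporary Internet Files / web cache or browser history. The parsing is
plain URL handling and is independent of how the cache stores the URL.
"""
from urllib.parse import urlsplit, parse_qs


def is_google_host(host):
    """Assumption for this example: treat google.com and its subdomains
    as Google search front ends (e.g. www.google.com)."""
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def extract_google_queries(urls):
    """Return a list of (url, search_term) pairs for URLs carrying a
    Google 'q' parameter.

    parse_qs decodes both '+' and percent-encoded characters. The
    fragment is checked as well, because some Google pages carried the
    query after '#' instead of '?'. URLs without a search term, or on a
    non-Google host, are skipped.
    """
    results = []
    for url in urls:
        parts = urlsplit(url)
        if not is_google_host(parts.hostname):
            continue
        params = parse_qs(parts.query, keep_blank_values=False)
        if "q" not in params and parts.fragment:
            params = parse_qs(parts.fragment, keep_blank_values=False)
        for term in params.get("q", []):
            term = term.strip()
            if term:
                results.append((url, term))
    return results


# Constructed sample input, not data from any real case.
SAMPLE_URLS = [
    "http://www.google.com/search?hl=en&q=restore+point+forensics&btnG=Search",
    "http://www.google.com/search?q=index.dat%20parser&ie=utf-8",
    "http://www.google.com/#q=skype+artifacts",
    "http://www.google.com/search?hl=en",          # no search term
    "http://www.example.com/search?q=not+google",  # not a Google host
    "http://mail.google.com/mail/",                # Google host, no query
]

if __name__ == "__main__":
    for url, term in extract_google_queries(SAMPLE_URLS):
        print(f"{term!r:30} <- {url}")
```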
> I know the original post was several years ago, but I thought I would add to
> it.
I'm glad you did.
> I agree that time and resources are extraordinarily limited and I may have
> misinterpreted the message as a request to conduct testing on areas that
> we (I) don't necessarily have the time to do.
Well, it wasn't so much a request of "what can *I* do for *you*??" but more of a probe to gauge where folks are at. It seems that the same issues continue to plague the community…P2P and IM artifacts pop up over and over again, and as new apps come out, those get thrown on the pile.
The sad thing is that there isn't a clearinghouse of sorts for this kind of research, nor is there a place folks can go and submit requests, providing OS versions, app name and versions, etc. There's just no way we're going to get the folks who actually have the need to research these things themselves and provide this information to others…
Harlan