
Regripper profilelist entries

passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

If it is about logging in to a domain, I would certainly use the domain server logs for my research and not the local workstation registry entries.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> If it is about logging in to a domain, I would certainly use the domain server logs for my research and not the local workstation registry entries.

Well, IMHO you CANNOT do that. 😯
IF you have two data points, you cannot ignore one at your choice.

The whole idea of a complete timeline is to insert as many data points as possible from *whatever* source and
1) see if they ALL fit into a given "scheme"
2) provide reasons why this (or that) data point is "out".

jaclaz


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

I didn't say that the workstation logs shouldn't be used at all, I would just not rely on those in the matter of trust.

My point is to use the domain server logs for start, since those are harder to compromise than some local workstation registry entries )


   
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Fascinating.

Good way to resurrect a thread after a month and a half without actually providing valuable input, thumbs up.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> I didn't say that the workstation logs shouldn't be used at all, I would just not rely on those in the matter of trust.
>
> My point is to use the domain server logs for start, since those are harder to compromise than some local workstation registry entries )

Well, your point is understood ) , but it is still not the right approach IMHO.

ALL data available should be retrieved, put into context and only then hypotheses should be made on what to trust, what to suspect, etc.

If you start giving "more credibility" to this piece of data (instead of that one) it is more likely that your hypothesis will be biased.

jaclaz


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

That is your opinion, I can't help that )

I've seen many server/client bad practices followed by so named "experts", because they found something they considered valuable on a workstation. After lots of work for nothing they started having doubts about trusting the local workstation registry. They ended up using only server logs for the whole analyzing process and at the end they only verified if the workstation logs/registry entries are confirming the results they obtained.

When the server is trusted this way of doing things leads to results and not to bogus issues.

When the server can't be trusted, it doesn't matter what ways of analyzing are used to get at the end bogus results )


   