Restore Point Forensics

keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

http://windowsir.blogspot.com/2006/10/restore-point-forensics.html

 
Posted : 20/10/2006 4:53 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Harlan,
Great information on the blog…but didn't you just chastise someone for doing this (posting just a link)?

 
Posted : 20/10/2006 5:52 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Chastise? No, I wouldn't call it that. But then, the link I pointed to wasn't just a paper someone else had written.

 
Posted : 20/10/2006 6:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

So, let me get this straight, hogfly…if I suggest to someone in the list that I'd like to see something besides just a link to an article or paper that someone else wrote, that maybe it might benefit the community if the OP posted their opinions and thoughts on that article/paper, rather than just a link…you call that "chastising"?

Wow, there are some pretty thin-skinned people here.

I posted the link to my blog entry, in case others are interested. The link wasn't to a news article or a paper that someone else had written…it was stuff I'd put together as a result of research. IMHO, the difference is pretty obvious.

Maybe this just isn't the place for me…I'll have to see about unsubscribing. It's unfortunate, but my publisher has suggested to me that I write short articles for sites such as this…but if asking someone for their thoughts and opinions is "chastising", I'm not sure that this is a good forum…

 
Posted : 20/10/2006 6:06 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

Harlan, forgive me if that came across as offensive. Believe me… I'm anything but thin-skinned. I'm very interested in your work and what you have contributed. PM coming since I don't want to ruin your thread here…

 
Posted : 20/10/2006 6:39 pm
(@kpryor)
Posts: 68
Trusted Member
 

I left a comment on your blog too, but wanted to say here just how cool this is. For a new guy like me, I can't get enough of that kind of info. Great job!
One thing, since I am a bit of a newbie (ok, a whole lot new), can I get what the initials SAM, WMI, FRU and FSP that you refer to stand for?
Thanks for a very interesting write-up.
KP

Edit: also wanted to say that I would greatly miss your input here if you chose to leave. Please hang around, your posts here are most appreciated and educational.
KP

 
Posted : 20/10/2006 11:25 pm
(@kpryor)
Posts: 68
Trusted Member
 

Also wanted to say that I would be most interested in the scripts you mentioned for making the files more readable when they become available.
Thanks,
KP

 
Posted : 21/10/2006 12:58 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

KPryor,

SAM - Registry file from Windows systems that holds user info, account settings, group membership

WMI - Windows Management Instrumentation, MS's implementation of the WBEM web-based management infrastructure.

FSP - The Forensic Server Project, a framework I introduced in my book back in July '04 and have since updated. This is a "netcat on steroids" framework for using third-party tools to perform IR data collection. The FSP also refers to the forensic server component, which handles simple case management, data collection, archiving and logging, and will provide a platform for analysis.

FRU - First Responder Utility, the Windows-based client for the FSP.

 
Posted : 21/10/2006 1:24 am
(@kpryor)
Posts: 68
Trusted Member
 

Thanks Harlan!
KP

 
Posted : 21/10/2006 2:46 am
(@jimmyw)
Posts: 64
Trusted Member
 

There's no doubt that RPs can contain a wealth of information. Much of the information is in archived registry hives. For example, an old RP SAM may identify an account that was deleted subsequent to the RP's creation. I know that my curiosity has been piqued when I notice a few missing RIDs, as when I see 1002, 1003, followed by 1006. One of the problems I've found is going through so much RP data. A very handy tool would be one that could go through the RPs and note changes to selected registry hives, perhaps even changes to selected keys, or log files. I'm sure that would be quite an undertaking! Just a thought.

 
Posted : 23/10/2006 7:29 am
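As an added illustration of the tool jimmyw describes (example code written for this page, not from the thread or from Harlan's scripts): walk an ordered series of restore points, diff the SAM user list between consecutive RPs, and flag RID gaps like the 1002, 1003, 1006 case. Hive parsing is left out; each RP's user table is supplied as a constructed `{rid: username}` dict, and the snapshot path in the comment is the usual XP layout.

```python
# Each restore point's SAM user table is passed in as {rid: username}.
# On a real XP system these would be parsed from
#   System Volume Information\_restore{GUID}\RPnnn\snapshot\_REGISTRY_MACHINE_SAM
# with a hive parser; that step is out of scope here.

def rid_gaps(rids, first_user_rid=1000):
    """Return RIDs missing from the otherwise contiguous run of user RIDs.
    Local user RIDs are allocated sequentially starting at 1000 (assumed
    here), so a hole such as 1004-1005 between 1003 and 1006 is a hint that
    accounts were created and later deleted."""
    user = sorted(r for r in rids if r >= first_user_rid)
    if not user:
        return []
    present = set(user)
    return [r for r in range(user[0], user[-1]) if r not in present]

def diff_restore_points(snapshots):
    """snapshots: ordered list of (rp_name, {rid: username}).
    Returns one change record per consecutive pair of RPs listing accounts
    that appeared, disappeared, or were renamed between them."""
    changes = []
    for (old_name, old), (new_name, new) in zip(snapshots, snapshots[1:]):
        added = {r: new[r] for r in new.keys() - old.keys()}
        removed = {r: old[r] for r in old.keys() - new.keys()}
        renamed = {r: (old[r], new[r])
                   for r in old.keys() & new.keys() if old[r] != new[r]}
        changes.append({"from": old_name, "to": new_name,
                        "added": added, "removed": removed, "renamed": renamed})
    return changes

# Constructed sample: three RPs from a hypothetical workstation, in creation order.
SAMPLE_RPS = [
    ("RP12", {500: "Administrator", 1001: "alice", 1002: "bob", 1003: "carol"}),
    ("RP15", {500: "Administrator", 1001: "alice", 1002: "bob", 1003: "carol",
              1004: "svc_backup"}),
    ("RP19", {500: "Administrator", 1001: "alice", 1002: "bob", 1003: "carol",
              1006: "dave"}),
]

if __name__ == "__main__":
    for c in diff_restore_points(SAMPLE_RPS):
        print(f"{c['from']} -> {c['to']}: added={c['added']} "
              f"removed={c['removed']} renamed={c['renamed']}")
    last_name, last_sam = SAMPLE_RPS[-1]
    print(f"{last_name}: RID gaps {rid_gaps(last_sam)}")
```

The same loop extends to any hive or key by swapping the user table for whatever values you extract per RP; the diff logic does not care what the keys are.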