Comments on Journey Into Incident Response: Triage Practical – Malware Event – Prefetch $MFT IDS
Blog author: Corey Harrell
Feed retrieved: 2024-03-13

Corey Harrell (2015-12-09 23:28 -05:00):
@anon,

It takes time to do the write-ups for the approach I take to triage the malware event. There will be a time of two to three weeks before I post the solution. With this said, the solution was posted this evening.

Corey Harrell (2015-12-09 23:26 -05:00):
@Nick,

In future practicals I'll include the hashes for the files to make it easier to confirm the files downloaded correctly.

Anonymous (2015-12-09 11:50 -05:00):
Nice job Corey, when can we expect the next addition?

anirudhrata (2015-12-03 02:25 -05:00):
Hi Mr. Harrell, I really enjoyed doing this challenge. Hope you continue posting more as it would be very beneficial to beginners like me. I have posted my writeup here: http://anirudhrata.blogspot.in/2015/12/jiir-triage-practical-event-prefetch-writeup.html

Anonymous (2015-12-02 11:40 -05:00):
@Corey,

As I'm writing up my analysis for this practical, I had a suggestion for further practicals.

Would it be possible to include a hash listing of the provided evidence files?

Maintaining and verifying the integrity of evidence should be included in any investigative process. This would also allow us to verify that the evidence is exactly as you saw it so we get the same results.

Corey Harrell (2015-11-24 15:41 -05:00):
@Matt,

The $MFT is in there. On your system make sure you uncheck the default setting "Hide Protected Operating System Files" in the folder options. If this option is left on then you won't see the $MFT when you unzip the archive.

Matt (2015-11-24 15:27 -05:00):
Hi Corey,

Looks like a fun challenge. Did you intend to include the MFT in the zip file download? I only see the file hash list, tips PDF, PCAP, and prefetch file.