Comments on Journey Into Incident Response: Cleaning Out the Linkz Hopper
Blog author: Corey Harrell (http://www.blogger.com/profile/15008629321023489214)
Comment feed last updated 2024-03-13T01:32:25-04:00; 4 comments.


Jason Hale (https://www.blogger.com/profile/14747969951680452908), 2012-05-01T12:47:55-04:00

Corey,

I agree that branching out into non-commercial tools will benefit any examiner. Having an understanding of exactly what the commercial tool is doing when you click the "Find Evidence" button is IMO equally important.

When an examiner understands how their commercial tool found the data that's being presented to them, it's much easier to translate that operation to another tool. So instead of looking for an open source tool with a "Find Evidence" button, they can look for an open source tool that performs the specific operation they're interested in (carving, parsing specific file types, etc.). This is also of course a great way to validate the findings of the commercial tool.


troy (http://www.microsoft.com), 2012-04-28T14:32:08-04:00

Corey,

There is a way you can run almost any script against a remote host. Email me and I will discuss it with you, and then you can decide if it merits use or is worthy of discussion. I have a fairly long capture script that captures memory dumps, virtual memory dumps, suspended kernel dumps, and pretty much anything else you want.

Thanks for your work.


Steve C, 2012-04-26T07:50:53-04:00

What a fantastic challenge that is for our fellow forensicators. It is so easy to just fall into using the same software we are used to without any other considerations and even without realising it. I am certainly inspired and I hope this can be a call for many others in the community to keep thinking, researching and sharing.

Great comments

Steve C


H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2012-04-26T07:26:38-04:00

Corey,

I've seen it over and over, over the course of the last 12 years, what kind of "analysts" are out there. During interviews, I've asked, "Ok, but how would you do that without ?"

I once worked with a guy who was an EnCase-o-phile, and we told him that he needed to provide case notes. Apparently, EnCase doesn't have a button for that, and after three exams...still no case notes.

Sure, not everyone who owns a car can build a combustion engine from spare parts. But in our community, we need to know more about where the data comes from than just, "...I clicked the button...".