Journey Into Incident Response (Corey Harrell), comments feed, retrieved 2024-03-13

Joachim Metz (2017-01-04):
Knowledge only gets you there partially. It depends what you do with the knowledge and what insights you gain from it, and keep gaining from that.

Corey Harrell (2017-01-03):
@ITaudit

Thanks for the comment and the times you linked back to my site. I apologize for the really late response. I dropped offline to get refocused and getting back online took longer than expected.

Anonymous (Mack) (2016-12-13):
Corey,
Congrats. I haven't hit that milestone yet and my blog has been around longer. Nice job. You've done a great job of 'loving your neighbor as yourself' on your blog by sharing your heart and your skills. To God be the glory indeed. Mack

Anonymous (2016-12-09):
What's the RSS feed URL for Journey into IR? Anything new lately? This is my go-to site for old and new.

Mo (2016-10-26):
Corey, awesome job man. A friend pointed me to your website; I started with the Iron Man slides and now this. I appreciate you sharing this.

Anonymous (2016-10-06):
Congrats dude! Thanks for all your hard work and knowledge sharing.

allan (2016-05-25):
@Corey Thanks for mentioning the book. I am sorry I didn't see this until now and that the book did not meet your expectations. I would love to hear your feedback (via email is fine, as I know this topic is old) on how to make the book better for the next edition. I have read through several entries on your blog and really like what you have to say.

Anonymous (2016-05-25):
We are grateful and thank God for using you to support us in our journey into incident response.

Thank you Corey for taking the time out of your very busy schedule to respond to my emails.

Your latest blog is a major inspiration. Stay committed to your faith and work. He will continue to direct you.

idforensic (2016-04-13):
Very well written. It just shows the dedication and effort you put in for the cyber security community. Cheers Corey!!

Mitch Impey (2016-04-06):
Thanks for the feedback Corey, much appreciated. I am not able to do that directly myself as I am not in the right dept... but I can keep pushing them!

Anonymous (2016-04-06):
"This information could then be used to scope the incident to identify potentially other infected machines."

Corey, do you have a process to perform this step?
In my experience scoping is one of the harder steps to accomplish.

Anonymous (UG, MD) (2016-04-06):
Thanks Corey, you are "Awesome". Just learning this in my Malware Forensics course. This was exactly week 3 course material and you have crystallized it for me.
UG, MD

Corey Harrell (2016-04-05):
Mitch,

I used to live in your world, then I created a new reality. I built out my organization's security monitoring. For the most part this analysis can be done in three to 10 minutes. If it is a remote user through a VPN then it will take longer (speed hit is on loading the system into Encase

Mitch Impey (2016-04-05):
Thanks Corey for this excellent write-up. In my world, asking for and receiving logs takes a significant chunk of time due to the way things "are". Typically, what would be the end-to-end time estimates for this triage process? I appreciate it "depends" a lot on a considerable number of factors, but I thought I would ask as a reference. Icing on the cake as it were :)

Jose Hart (2016-03-16):
Hi! Great collection of digital forensics related resources. I read a very informative article about forensics and Benford's law and I think it should be included in the above list.
Check this: http://eventlogxp.com/blog/forensics-and-benfords-law/

Otherwise great work.
Thanks

Vinod Shankar (2016-03-08):
I would definitely want to work with Anton and Corey to write such a book!!!

s0ck3t (2015-12-10):
Corey,

Thanks for putting this together! I know it takes a lot of your time to commit to this, so I really appreciate your efforts in supporting the DFIR community.

Cheers!

Corey Harrell (2015-12-09):
@anon,

It takes time to do the write-ups for the approach I take to triage the malware event. There will be a span of two to three weeks before I post the solution. With this said, the solution was posted this evening.

Corey Harrell (2015-12-09):
@Nick,

In future practicals I'll include the hashes for the files to make it easier to confirm the files downloaded correctly.

Anonymous (2015-12-09):
Nice job Corey, when can we expect the next addition?

anirudhrata (2015-12-03):
Hi Mr. Harrell, I really enjoyed doing this challenge. Hope you continue posting more as it would be very beneficial to beginners like me. I have posted my write-up here: http://anirudhrata.blogspot.in/2015/12/jiir-triage-practical-event-prefetch-writeup.html

Anonymous (2015-12-02):
@Corey,

As I'm writing up my analysis for this practical, I had a suggestion for further practicals.

Would it be possible to include a hash listing of the provided evidence files?

Maintaining and verifying the integrity of evidence should be included in any investigative process. This would also allow us to verify that the evidence is exactly as you saw it so we get the same results.

Corey Harrell (2015-11-24):
@Matt,

The $MFT is in there. On your system make sure you uncheck the default setting "Hide Protected Operating System Files" in the folder options. If this option is left on then you won't see the $MFT when you unzip the archive.

Matt (2015-11-24):
Hi Corey,

Looks like a fun challenge. Did you intend to include the MFT in the zip file download? I only see the file hash list, tips PDF, PCAP, and prefetch file.

Anonymous (2015-11-24):
This is a great idea Corey. I was actually just going back through all of your older posts (I wasn't around back then to read them), and this will be a great way to start putting the ideas you mentioned into practice (End-to-End Investigations and Forensicator Readiness, for example).

As a current student of this field, I've found that the course work just can't fit in everything, obviously, and so posts like these from you, @Harlan Carvey, and others already working in the field really give me insight on some things to focus on.

I'm looking forward to working on these practicals and implementing what I learn from them into my course work and my self-study down the road.