Thursday, April 24, 2008

my workstation...the porcupine

I was working on a case the other day and took a quick break, and when I looked down at my workstation I thought to myself, "my, how my workstation looks like a porcupine". I had 5 USB dongles sticking out of the thing - one for each vendor who forces us to use dongles. In the old days of dongles we used to have the Leaning Tower of Pisa because the parallel port dongles were so large. Is there no end to the dongle insanity? Why must each vendor require their own dongle, instead of forming a consortium, sitting down at a table and figuring out a few things? I know my life would be a little bit easier if I didn't have to keep track of all those porcupine quills.

Wednesday, April 23, 2008

Ripping the Registry Live

So I have been quiet lately, and there's been quite a bit happening. First off, Harlan Carvey released RegRipper. This tool is impressive and awfully useful, not to mention NEEDED. If you haven't checked it out, do so. Harlan has said this tool is not designed for live response, but I've been dying to get it into a live response methodology. Well, with F-Response I can do it now. Here goes ripping the registry live...sorry for my Camtasia-fu, or lack thereof.

A few things to note if you haven't registered with F-Response:

The field kit requires that you put the dongle in the target system. This video starts after I've done that.
The connection is not encrypted - yet.

In addition, there's a new version of RegRipper out. This is just one of the many tools whose use F-Response can facilitate. See why it's so cool?

EDIT: I put the video up on YouTube; Blogger's video was just too small.
EDIT: Harlan corrected this statement for me: "Harlan has said this tool is not designed for live response." This should read "RegRipper is NOT intended to be run on live Registry hive files".
EDIT: I realized an error in the previous video. The new one is correct.
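Harlan's correction is the practical point of this post: RegRipper parses hive files offline, so whatever you point it at (including a disk exposed over F-Response) should be a consistent copy, not a hive the running OS is in the middle of writing. As an added example, and not code from this blog, from RegRipper or from F-Response, the Python below reads the base block of a hive image and reports the two things that mark a copy as unsafe for an offline parser: mismatched primary/secondary sequence numbers (a write was in flight) and a header checksum that no longer matches. The field offsets follow the documented REGF base-block layout; the sample hive headers are constructed inside the script rather than taken from any real system.

```python
"""Sanity-check the REGF base block of a registry hive image before handing
it to an offline parser such as RegRipper.

Added example, not RegRipper's or F-Response's code. Field layout follows
the documented REGF base block (signature, sequence numbers, FILETIME,
version, embedded file name, XOR checksum at offset 508). The sample hive
headers built by build_sample_hive() are constructed for demonstration.
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs at offsets 0..507, with the two
    special-cased results Windows uses (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        acc ^= dword
    if acc == 0:
        return 1
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_base_block(data: bytes) -> dict:
    """Return the header fields plus consistency verdicts for a hive image."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("hive image shorter than one base block")
    bb = data[:BASE_BLOCK_SIZE]
    sig = bb[0:4]
    if sig != b"regf":
        raise ValueError("not a REGF hive (bad signature %r)" % sig)
    # Offsets 4..43: seq1, seq2, last-written FILETIME, major, minor,
    # file type, file format, root cell offset, hive bins data size.
    (seq1, seq2, ft, major, minor, ftype, fmt,
     root_off, hbins_size) = struct.unpack_from("<IIQIIIIII", bb, 4)
    # Offset 48: 64 bytes of UTF-16LE file name, NUL padded.
    name = bb[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_sum = struct.unpack_from("<I", bb, 508)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written_utc": filetime_to_datetime(ft),
        "version": (major, minor),
        "file_type": ftype,
        "file_format": fmt,
        "root_cell_offset": root_off,
        "hbins_size": hbins_size,
        "file_name": name,
        "checksum_ok": stored_sum == regf_checksum(bb),
        # Unequal sequence numbers mean the copy was taken mid-write,
        # exactly the state a hive on a running system can be in.
        "sequence_consistent": seq1 == seq2,
    }


def hive_is_safe_for_offline_parsing(data: bytes) -> bool:
    """True only when the header checksum verifies and no write was in flight."""
    info = parse_base_block(data)
    return info["checksum_ok"] and info["sequence_consistent"]


def build_sample_hive(seq1: int, seq2: int, name: str = "SYSTEM") -> bytes:
    """Construct a minimal, header-only hive image (constructed sample data)."""
    bb = bytearray(BASE_BLOCK_SIZE)
    bb[0:4] = b"regf"
    # 2008-04-23 00:00:00 UTC as a FILETIME; a constructed timestamp.
    secs = (datetime(2008, 4, 23, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()
    ft = int(secs) * 10_000_000
    struct.pack_into("<IIQIIIIII", bb, 4, seq1, seq2, ft, 1, 3, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")
    bb[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", bb, 508, regf_checksum(bytes(bb)))
    return bytes(bb)


if __name__ == "__main__":
    for label, img in (("clean copy", build_sample_hive(7, 7)),
                       ("mid-write copy", build_sample_hive(8, 7))):
        info = parse_base_block(img)
        verdict = "safe" if hive_is_safe_for_offline_parsing(img) else "inconsistent"
        print(label, info["file_name"], info["last_written_utc"].isoformat(), verdict)
```

Run it against the first 4 KiB of a hive copied over the F-Response connection; a "clean" verdict is the precondition for trusting what RegRipper reports, and an inconsistent one means the copy should be re-acquired rather than parsed as-is.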

Friday, April 18, 2008

I'm excited

For the first time in quite a while I'm pretty excited. Just last week Matt Shannon released F-Response. F-Response looks like it may shape up to be the best tool in my arsenal. Not because it makes analysis easier, but because it facilitates analysis where it wasn't possible before, and it does so in such a brilliant way that I'm just amazed. It also allows responders or examiners the opportunity to use the bulk of their toolkit safely and without the immense impact that many of our tools have on systems. When I've taught classes I specifically instruct people NOT to run AV, backups, and the other things that people like to execute to "investigate". This tool re-opens that door and can allow a first responder to actually respond to the incident, analyze with their typical toolset, and escalate when needed.

I'll be writing quite a bit about this tool and what can be done with it because I am just that excited about it.