Comments on Forensic Incident Response: Impact analysis
(comment feed, 7 comments, newest first; feed last updated 2023-04-02)

Anonymous, 2008-04-06 10:01 -04:00:

One thing to take into account is tools like WFT lower the bar of entry. Normal admins, ones who have a hard time adding users, can put in the CD and collect important data using a nice GUI. Additionally, I have seen where some tools do fail when running wft, and when you have inexperienced admins running this tool I would rather have too much info than none at all. Far too often by the time

H. Carvey, 2008-02-26 18:19 -05:00:

Hogfly,

> ...or use an API-agnostic tool...

How do you do that on a Windows system? Even most (not all) rootkit detection tools query data using both high- and low-level APIs, and then 'diff' the output.

I have seen folks in the past claim that certain tools didn't use any API function calls, but just the fact that those tools have populated import tables...

hogfly, 2008-02-26 15:06 -05:00:

Anonymous,
I used PE Explorer from heaventools.com to look at import/export tables, and traced down DLLs used and dependencies.

Anonymous, 2008-02-26 12:18 -05:00:

> To do a comparison I used pe explorer

Could you please elaborate a bit more on what you used?

hogfly, 2008-02-26 08:00 -05:00:

Great comments, guys.

What I think people tend to find misleading is that they see Helix and they see WFT and the assumption is made that the tool is pre-configured to follow best practice since "some forensics guys put the CD together".

Harlan, I think I actually deleted something I intended to put in the post which affirms what you're saying about rootkit detection. It was

H. Carvey, 2008-02-26 06:03 -05:00:

While I like to have options available when it comes to tools, in most cases, I neither see the need nor recommend that folks use two (or more) tools that rely on the same API function calls to do the same thing. After all, one of the ways to detect things like rootkits is to use some sort of differential analysis, and the only real way to do that is to try to use two (or more) different

Lance Mueller, 2008-02-25 16:09 -05:00:

Great points and excellent illustration. I think many of the automated IR collection tools by default like to throw the kitchen sink at the problem and subscribe to "more is better". In addition, it seems to me that a lot of people just tend to use the "canned" versions of these tools rather than tweaking them and customizing what is collected because it's easier and less work.

I agree