Security Ripcord


Starting out Low and Slow

So far my first real week with IBM ISS ERS has been uneventful.  I am currently awaiting my new gear and the opportunity to shadow one of the team members.  Sometimes you want to say "Somebody get hacked already."  But that would be irresponsible... right? :)

Right now I am just spinning up on tools and methods by following some of Harlan’s directions:

So far his recommendation of getting to know ProDiscover has been worth it.  It is easy to use and easy to get to know.  I also got the chance to work with his RegRipper for the first time.  It quickly gave me the information I needed from the registry, although I do wish it would have worked in Linux.  I only say that because I started my analysis of the NIST Hacking Case images working with Autopsy.  Autopsy worked fine until I had to review the registry, and I could not find a Linux-based solution.  My first instinct was to jump back onto Windows for RegRipper, since I was fairly certain it would work.  This doesn't mean there are no Linux-based Registry analysis solutions out there; I just didn't find them in under five minutes.  Autopsy might also have a way to accomplish this, but all I could figure out was how to review the Registry in ASCII (virtually unreadable), HEX (readable but hard to search), and ASCII Strings (always seemed to be missing some critical information).

I have a feeling that in the future I am going to make many such decisions.  There are so many tools developed by so many people that the proper tool could potentially be on any OS and written in any programming language.  This is what, I believe, Harlan was hinting at in his post: Forensic Analysis Applications.

Go forth and do good things,

Don C. Weber
