Wednesday, October 22, 2008

If you could have any EnScript or filter, what would it be?

So I might be opening a can of worms with this post, but what the heck, I am bored. My question is if you could ask for any EnScript to improve your process, speed things up, or just give you a feature you don't natively have in EnCase, what would it be? It could be eDiscovery related or forensic related or just a general utility (tetris anyone?). It also does not need to be a stand-alone EnScript, it could be a filter/condition.

I am interested in hearing what the most popular request will be. Please post your "favorite request" in the comments of this post so others can see it, expand on it, tweak the idea or just echo your vote.

Let the wish-list begin....

Monday, October 20, 2008

SANS Forensic & Incident Response Summit in Las Vegas

SANS held a Forensic & Incident Response Summit last week (Oct 13-14) in Las Vegas. It was really nice to go and put so many names and people that I have communicated with in the past via email, with a face. It was a pretty interesting crowd that attended and some very informative presentations.

I did a presentation at the end of the first day to talk about some basic simple forensic & incident response tools and methods that seem to work well for me. I have posted the PDF of my presentation here.

For those of you that have not tried out the F-RESPONSE tool, you are really missing something quite useful. The founder of F-Response, Matthew Shannon, who was at the summit, announced on day one of the summit that version 2 of the F-RESPONSE tool was being released and it now supports access to physical memory on a remote machine. This means that using the F-RESPONSE tool you can image any and all physical disks on a remote machine, as well as the physical RAM on that machine, all while the machine is running!! You can read more about their latest verison here.

Aaron Walters also presented on how Volatility can utilize the F-Response tool with a new spin-off of Volatility that he created called "Voltage". A very cool tool to analyze the memory dump and show you what was going on at the time of the memory capture. The really cool thing is that Voltage can look at the memory live, in real time using the F-RESPONSE tool, meaning that you can look at it now and then refresh the page 2 minutes later and what you are seeing is the live reresentation of the memory contents 2 minutes later, not a captured image of it. As Aaron likes to say, he can actually watch the clock tick on the remote machine in memory!! VERY COOL!!! You can read about Volatility here.

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles