Anytime you interface with a live system, you're g...

2008-06-15T04:13:00.000-07:00

Anytime you interface with a live system, you're going to leave footprints or artifacts. There have been 'forensic' and incident response applications where the authors have espoused deleting these artifacts...however, the list is never complete. IMHO, if you must interact with a live system, leave the artifacts in order to assist in establishing a legit timeline.

I would be curious how winen compares to mdd. Not head-to-head, per se, but use winen to dump memory, then open that dump in EnCase and dump it out to HBGary's Responder, and compare that to a similar dump from mdd.

In a way, I find it surprising that GSI is segregating itself this way...one of the things one *should* try to avoid is methods of collection that channelize the analyst into a single application for analysis. Sure, .EOx files can be opened and 'dumped' to dd-style format with FTK Imager, but that requires additional steps. The ability to verify information by using different tools/procedures is important in this field.

Also, it's kind of interesting that winen collects physical memory in a format that even HBGary's Responder tool doesn't recognize.

Note: this isn't a comment to bash EnCase or anyone...just pointing out some issues that should be considered when deciding to use these tools.

WindowsIR

Comments on Computer Forensics, Malware Analysis & Digital Investigations: New version of EnCase includes stand-alone utility...

Anytime you interface with a live system, you're g...