David, As we've discussed, I've seen the same thing with RegRipper...I've received several requests for XML output, but no style sheet. In fact, like you,...
1631
David Kovar
dkovar
Feb 8, 2010 5:28 pm
Greetings, ... And there's the rub - I've been seeing discussion about an XML schema for ... years? ... and nothing has come of it. Someone recently asked if...
1630
keydet89
Feb 8, 2010 4:54 pm
Ryan, ... I don't see why not...of course, I also don't see how that would be affected by identified required and optional fields, and using that as a basis....
1629
Ryan Sommers
leadzero
Feb 8, 2010 4:39 pm
Is there any reason why just defining an XML schema wouldn't work? -- Ryan P Sommers ryans@......
1628
keydet89
Feb 8, 2010 4:09 pm
... Or, perhaps, having a standard format for storage, and an option to produce HTML output... ... For that, I've gone back to what Rob Lee did in the original...
1627
David Kovar
dkovar
Feb 8, 2010 3:40 pm
Greetings, A standard would be helpful, I believe. I've been pondering what I want the output of my tools to look like. Even if I produce HTML, I could include...
1626
keydet89
Feb 8, 2010 1:48 pm
Do we need a standard? I've re-presented my "definition" of the five fields I use for timeline analysis, and added a couple of optional fields. ...
1625
keydet89
Feb 8, 2010 1:46 pm
... Have you contacted Kristinn about this?...
1624
pinowudi@...
pinowudi
Feb 8, 2010 11:41 am
I'm using log2timeline for a case across several hosts. Watching the action get tossed around in this aggregate view is pretty cool and quite revealing. To...
1623
Ken Pryor
kdpryor
Feb 7, 2010 12:12 pm
While it's not the same thing Don is talking about, I'm actually doing some timeline analysis in support of a CP case I'm working. I've been inspired by yours...
1622
Gary Funck
garyfunck
Feb 7, 2010 1:28 am
Rob, I downloaded the SIFT image, but haven't had time to fire it up, so perhaps these items are already installed. That said, here are my suggestions: ...
1621
keydet89
Feb 6, 2010 12:27 pm
Hhhmmm...nothing more on this one. Don Weber posted recently...twice, actually...regarding how he'd used timeline analysis quite successfully and demonstrated...
1620
Rob Lee
rob_t_lee
Feb 4, 2010 5:11 pm
System\CCS\Enum\USB\VID_xxxx&PID_YYYY\<SerialNumber> does provide the last time connected for both VISTA and Win7. Not for XP though... only the mountpoints 2...
1619
Weg, Jimmy
jimmyweg
Feb 4, 2010 4:25 pm
Thanks, Colin. There's only one user. The Device Parameter key, which I had not studied before, bore the later date. Its MediaChangeNotification subkey bore...
1618
Julien TOUCHE
julientouche
Feb 4, 2010 5:21 am
Hello Rob, Thanks for asking. Here are my suggestions about win forensics: - perl File::ReadEvt - perl Spreadsheet::WriteExcel (to use Harlan's WFA2e scripts...
1617
Colin Cree
digicopmp
Feb 4, 2010 1:19 am
Hi Jimmy Is there a chance that there is more than one user profile on the computer? The testing I have done in the past has been consistent with the ...
1616
Weg, Jimmy
jimmyweg
Feb 3, 2010 11:15 pm
I've come across some conflicting information on a couple of Vista machines, so I thought that I'd post what I've seen. This is from a Vista (release version)...
1615
Ken Pryor
kdpryor
Feb 3, 2010 11:10 pm
Well, so much for this case. Just interviewed the complainant and got her to admit she made the whole thing up. No reason to continue the exam, but think I...
1614
Ken Pryor
kdpryor
Feb 3, 2010 10:05 pm
Ok, Harlan, thanks. I'm working on a different part of the same case right this moment, so when I finish what I'm doing I'll try it again. Thanks! Ken...
1613
keydet89
Feb 3, 2010 10:03 pm
Ken, I'm not sure why you aren't seeing all of the strings...but you should be seeing the type somewhere after "Lauren"...see Susan's post......
1612
Rob Lee
rob_t_lee
Feb 3, 2010 5:41 pm
Hi everyone... MANDIANT is hiring. We need new Forensicators and Responders to meet our customers. http://www.mandiant.com/about/careers It is an intense...
1611
Rob Lee
rob_t_lee
Feb 3, 2010 5:37 pm
Hi everyone... MANDIANT is hiring. We need new Forensicators and Responders to meet our customers. http://www.mandiant.com/about/careers It is an intense...
1610
Ken Pryor
kdpryor
Feb 3, 2010 2:35 am
Hi Harlan, I'll look at the newer tools. I didn't have my 2e edition of WFA here at work with me, but had the 1e so I used the tools from that. I used ...
1609
keydet89
Feb 3, 2010 2:20 am
Ken, Could you post what you're looking at? Also, you might consider using more up-to-date versions of the tools...WFA 1/e was published in 2007. Consider the...
1608
keydet89
Feb 3, 2010 2:16 am
http://windowsir.blogspot.com/2010/02/more-thoughts-on-timeline-analysis.html ...some thoughts I've had regarding confidence levels of the data, as well as...
1607
Susan Bradley
sbradcpa
Feb 3, 2010 1:21 am
EVENT LOG Security EVENT TYPE Audit Failure SOURCE Security CATEGORY Logon/Logoff EVENT ID 529 USERNAME NT AUTHORITY\SYSTEM COMPUTERNAME YODA DATE /...
1606
Greg Kelley
gwk1973
Feb 3, 2010 1:09 am
Thanks for the information, Ron. -Greg ... From: win4n6@yahoogroups.com on behalf of Ron McGill Sent: Tue 2/2/2010 10:05 AM To: win4n6@yahoogroups.com Cc: ...
1605
Ken Pryor
kdpryor
Feb 2, 2010 10:33 pm
I am looking at event logs and am trying to determine information regarding logons. I've found plenty of Event ID 528 entries, but am trying to find the Event...
1604
Ron McGill
zax_cgp
Feb 2, 2010 3:05 pm
Noreene DeKoning, AGPA Bureau of Security and Investigative Services Chief's Office, Policy Unit (916) 575-7054, FAX (916) 575-7287 Dear Mr. McGill: The State...
1603
Rob Lee
rob_t_lee
Feb 2, 2010 1:48 pm
All, I am in the final process of updating the SIFT Workstation with the latest tools from volatility, Sleuthkit, ophcrack, md5deep, ssdeep, PTK, log2timeline...