... Well, as a big consumer of such data, I don't really care what schema or format a data is in, just that one is defined and followed. The reason I suggest...
1634
keydet89
Feb 8, 2010 8:10 pm
Ryan, Thanks for your input. There are a couple of us who've moved away from blog comments to begin exchanging thoughts on defining a structure...the nice...
1635
rmac
coming.storm
Feb 8, 2010 8:24 pm
I do think that you should include something that includes duration, perhaps a start time and an end time? File transfers come to mind, long data operations,...
1636
keydet89
Feb 8, 2010 9:34 pm
All, I wanted to take the opportunity to clear something up, specifically with respect to off-topic posts. While I do screen individual requests to join this...
1637
keydet89
Feb 8, 2010 9:36 pm
All, I wanted to take the opportunity to clear something up, specifically with respect to off-topic posts. While I do screen individual requests to join this...
1638
keydet89
Feb 8, 2010 9:58 pm
RMac, ... Interesting thought. When I started down the road of putting my original thoughts together, I did consider a "superevent" or grouping of events....
1639
rmac
coming.storm
Feb 8, 2010 10:35 pm
While thinking on this some more, I think being able to have some meaningful meta data in free form would be nice as well, such as cloud tags, ie delicious....
1640
keydet89
Feb 8, 2010 11:31 pm
RMAC, Interesting...I'd suggested to the others looking at this that we include a Notes field, which is much like your Tag field......
1641
Paul D. Bain
pauldbain
Feb 9, 2010 4:20 am
... Rob, By your use of the term "linux tools," I presume that you mean "open source software (OSS) tools." Is that correct? ... First, let me thank you for...
1642
Gary Funck
garyfunck
Feb 9, 2010 8:56 pm
This one turned up on slashdot, fyi. http://www.pcpro.co.uk/realworld/355420/the-hidden-treasures-of-sysinternals#dotcom ...
1643
Susan Bradley
sbradcpa
Feb 9, 2010 9:04 pm
Works woooonderfully. From a forensic standpoint though, you run it on a live machine so obviously not a real forensic image. I've literally used it to make a...
1644
jmlawler@...
jmlawler...
Feb 10, 2010 5:24 am
I'm new to win4n6. I've imaged drives in the 40 to 100 GB range using tableau write blocker many times. Now that 500 Gb to 1.5 TB drives are becoming the new...
1645
Brett Shavers
brett_shavers
Feb 10, 2010 5:44 am
I think the questions raised now in those situations is becoming, "Do we really need to image the whole drive/RAID?" and, "Can we just copy the data we need...
1646
Mike Stewart
stewart_mike
Feb 10, 2010 1:31 pm
We have gone to hardware, specifically the tableau TD-1, 4 hours for a 1TB drive, as for RAIDs, same thing and trying to rebuild with software tools. Sent...
1647
keydet89
Feb 10, 2010 1:51 pm
Brett, ... Good point...I think that this is really the only way to address the situation when dealing with massive acquisition times. For example, a malware...
1648
Greg Kelley
gwk1973
Feb 10, 2010 1:56 pm
Days for a 1TB drive? What kind of connectivity are you using? It may not be FTK but instead the connectivity to the source and destination data. For 1-1.5TB...
1649
Corey Harrell
corey_harrell
Feb 10, 2010 2:28 pm
I think Greg made a valid point about the procedure remaining the same while you just get smarter about the tools and methods to obtain evidence. I have had...
1650
jmlawler@...
jmlawler...
Feb 10, 2010 3:06 pm
I agree with focusing on just what you need for acquiring emails and documents for discovery. Let me be more specific and describe my scenario. We are in a...
1651
Rajewski, Jonathan
jtrajewski
Feb 10, 2010 3:40 pm
/disclaimer - Dayquil hasn't kicked in yet :o) I also agree with Greg. The fundamental imaging methodologies won't change, but you might choose a very specific...
1652
david nardoni
dnardonifrc
Feb 10, 2010 6:36 pm
When I image large drives like you describe I try and review how much data is on the drive. If the logical data is not massive I will typically use ...
1653
Corey Harrell
corey_harrell
Feb 10, 2010 11:11 pm
A few weeks ago I was testing a couple of vulnerability scanners so I could replace one that I was no longer satisfied with. Two of the vulnerability scanners...
1654
gregory.pendergast@...
gregory.pend...
Feb 10, 2010 11:24 pm
Corey, I haven't tried this myself, and it sounds like a great idea. But I would simply caution that both this and other uses of the scanner would require the...
1655
Corey Harrell
corey_harrell
Feb 11, 2010 12:47 am
Greg, That is a good point to bring up about this not working in environments where system owners won't allow the scanner to authenticate. I was aware that...
1656
Greg Kelley
gwk1973
Feb 11, 2010 2:28 am
Can't you image more than one computer at once? That may speed things up. We have moved to charging flat fees for imaging to remove any issues with someone...
1657
keydet89
Feb 11, 2010 12:25 pm
Corey, This is an excellent idea. What I've done in the past is have a domain admin run a 'net' command to obtain a list of systems on the network...
1658
James Haughom
jhaughom
Feb 11, 2010 2:21 pm
Logparser can perform the same functions. It can query the registry across the network as well, given the proper authentication. ...
1659
John Sawyer
mezzendo
Feb 11, 2010 2:44 pm
It is a cool idea. There's been some other similar ideas in the past year or so where pen testing tools have been modified for use in IR like metasponse and...
1660
Jean-Francois Gingras
ufmow
Feb 11, 2010 3:22 pm
Using the right environment helps a lot. If you use USB connectivity to image a disk it will take time. And if you use a compressed format (default E01 settings...
1661
Ron McGill
zax_cgp
Feb 11, 2010 4:44 pm
A naive question, perhaps. But how would you know what information you want on the drive? If you only image a bit of it, you could be missing something...
1662
Robert Pearson
rjpear
Feb 11, 2010 5:10 pm
Experience..repetition.. Unallocated space, in a majority of my cases these days, has become less and less relevant.. Now that doesn't rule out Keyword...