Or, the tool would collect the audit policy from the system, check the Registry entries for the Event Logs, and then collect statistics from the Event Log files themselves, or automatically parse the Event Log files to. So what if we had a script or a tool that would run through an image, pulling things out for us each time.all automated so that we wouldn't have to remember all of the different places could look, but at the same time, its all documented? Say, the tool would check to see if the Recycle Bin had been disabled, and then move on to parsing the INFO2 file for one user, or all users. Sometimes you may be in a rush or under pressure, and may forget something that you would normally look for. However, even though these packages ship with scripts to do some initial data collection and parsing for us, sometimes, they aren't as complete as they could be, or we'd like them to be, and it takes forever to get scripts updated because the few folks that actually write their own scripts are busy with other things. Most often we do this through our forensic analysis software package, such as ProDiscover or EnCase. Also, this is something you may want to do when you may be faced with the " Trojan Defense".Īnother thought/useful option is this - we all have things that we look for everytime we open an acquired image of a Windows system, and there are other things that we look for on a case-by-case basis. This may save you a great deal of time trying to locate hacker tools by hand. For example, during an intrusion case, one thing you may want to do is scan the image with AV software.
I specifically mentioned the use of Mount Image Pro for mounting a dd image as a read-only file structure, which opens up some areas of analysis that many may benefit from using. One of the things I mentioned in my new book was an alternative analysis method for performing computer forensic analysis.