Wed 4 Oct 2006
Windows Incident Response and Forensics
Posted by Dave under Administrative, Win32. 3 Comments
A buddy of mine runs the Windows Incident Response blog over at http://windowsir.blogspot.com/. He is always digging up something interesting and pertinent to all you Win32 system administrators, whether or not you use Perl.
And if this stuff interests (or scares the Hell out of) you, then you should have a look at his book, Windows Forensics and Incident Recovery (http://www.windows-ir.com/); it received a great review on Slashdot (http://books.slashdot.org/article.pl?sid=04/11/09/202220).
3 Responses to “Windows Incident Response and Forensics”
October 12th, 2006 at 12:45 pm
Dave,
I appreciate the shout-out.
Yes, I do all my stuff in Perl…thanks to you! I’m working on some WMI stuff for SysAdmin work, I have some cool WDM stuff that has to do with wireless on managed systems.
Some of the stuff I’ve been working on involves parsing binary file formats in a platform-independent manner…using “V” and “v” in my unpack() strings to force little-endianness…stuff has worked on Linux, as well as on MacOSX, both x86 and PPC platforms. This pertains to RAM dumps (using dd, or VMWare .vmem files), raw Registry files, etc.
I posted a couple of modules on CPAN as well. One parses PE file headers in a binary format, bypassing the MS API. The same is true with pre-Vista Event Logs. There’s also a module for pulling metadata from Word docs, using both binary file formats, and OLE storage mechanisms.
I’m always looking for ways to make my job as a forensic analyst easier…
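As an added example of the technique described in the comment above (this is not code from the original post or from the CPAN modules mentioned), here is a Perl script that reads the DOS header, PE signature and COFF file header of a PE image using explicit little-endian unpack() templates, so the fields come out the same on x86 and on a big-endian host such as PPC. The 88-byte sample buffer is constructed inline and is not a real executable.

```perl
#!/usr/bin/perl
# Added example: parse PE headers with "v" (16-bit LE) and "V" (32-bit LE)
# unpack() templates instead of the Win32 API, so the parser is portable.
use strict;
use warnings;

sub parse_pe_header {
    my ($data) = @_;
    # DOS header: e_magic "MZ" at offset 0, e_lfanew (offset of "PE\0\0") at 0x3C
    return { error => "no MZ signature" } unless substr($data, 0, 2) eq "MZ";
    return { error => "buffer too short" } if length($data) < 0x40;
    my ($e_lfanew) = unpack("V", substr($data, 0x3C, 4));
    # Bounds check: signature (4) + IMAGE_FILE_HEADER (20) must fit in the buffer
    return { error => "e_lfanew beyond buffer" } if $e_lfanew + 24 > length $data;
    return { error => "no PE signature" }
        unless substr($data, $e_lfanew, 4) eq "PE\0\0";
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    my ($machine, $nsections, $timestamp, $symtab, $nsyms, $opt_size, $chars)
        = unpack("v v V V V v v", substr($data, $e_lfanew + 4, 20));
    return {
        machine         => $machine,
        sections        => $nsections,
        timestamp       => $timestamp,
        opt_hdr_size    => $opt_size,
        characteristics => $chars,
    };
}

# Constructed sample: "MZ", padding, e_lfanew = 64, then "PE\0\0" and a
# 20-byte file header (0x14c = IMAGE_FILE_MACHINE_I386, 3 sections).
my $sample = "MZ" . ("\0" x 58) . pack("V", 64)
           . "PE\0\0"
           . pack("v v V V V v v", 0x14c, 3, 0x4523a1b2, 0, 0, 224, 0x010f);

my $hdr = parse_pe_header($sample);
if ($hdr->{error}) {
    print "error: $hdr->{error}\n";
} else {
    printf "machine=0x%04x sections=%d linked=%s opt_hdr=%d chars=0x%04x\n",
        $hdr->{machine}, $hdr->{sections}, scalar gmtime($hdr->{timestamp}),
        $hdr->{opt_hdr_size}, $hdr->{characteristics};
}
```

Feeding the same function the first few hundred bytes of a real .exe (read with binmode) gives the link timestamp and section count without touching the Windows API, which is the point when the analysis box is Linux or MacOSX.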
October 20th, 2006 at 5:46 am
Here’s a good use for Perl and WMI:
http://windowsir.blogspot.com/2006/10/restore-point-forensics.html
Drop me a line if you’d like to see the code…
Harlan
keydet89 at yahoo dot com
June 29th, 2007 at 4:40 am
Hi Mr Carvey
Your book is awesome. However, I cannot get to your site because the domain blogspot is blocked. Any other URLs, or if it’s OK with Mr Roth, can you post more here?
Thanks
JM