Comments for IR and forensic talk

Comment on Timeline Analysis 201 – review the timeline by Ettore Diodati

Ettore Diodati — Thu, 03 Mar 2011 21:02:31 +0000

I want just to say that some days ago I’ve solved a case of malware infection, not properly recognize by the most of antivirus and where the sysadmin approach wasn’t leading to any way. How? Thanks to your magic tool and to your useful explanation.
I too think that csv format could be more flexible than “classic” timeline method but I also think that Excel, supported by a pretty good hardware, can be easily manages large timeline whitout slow down performance.

Comment on Office 2007 metadata by pqlaz

pqlaz — Thu, 06 Jan 2011 16:11:30 +0000

Thanks!

Comment on Updating log2timeline on the SIFT workstation by kiddi

kiddi — Wed, 08 Dec 2010 22:20:07 +0000

Hi
Thank you for this comment, I hadn’t checked the availability of autopsy after running the script…. so I appreciate this comment.

Comment on Updating log2timeline on the SIFT workstation by Tom H

Tom H — Thu, 02 Dec 2010 20:39:50 +0000

Kristinn – awesome script. Thanks so much for doing this, it saves a lot of time. One thing that users may need to be aware of re: SIFT workstation. The update and install of log2timeline using this script appears to break Autopsy in SIFT, but the fix isn’t too hard:

- at the command line:

# cd /usr/local/src/autopsy
# ./configure

- overwrite the existing config and accept all default answers
- set the “evidence locker” to “/forensics” (this is the currently set evidence locker in SIFT) ***NOTE – this will overwrite that directory and all its contents. If you have cases from the old install of autopsy in this dir, they will be overwritten.***
- once the configuration script is done, copy the resulting autopsy script file to “/usr/local/bin” like so:

# sudo cp autopsy /usr/local/bin/. (say “y” when it asks if you want to overwrite)

That’s it. Autopsy should work again now.

regards and thanks again for such a great tool!

Tom H

Comment on Updating log2timeline on the SIFT workstation by Tweets that mention IR and forensic talk » Updating log2timeline on the SIFT workstation -- Topsy.com

Wed, 17 Nov 2010 17:00:24 +0000

[...] This post was mentioned on Twitter by Nobutaka Mantani, yk. yk said: log2timeline update ref : http://blog.kiddaland.net/2010/11/updating_sift_to_use_apt/ [...]

Comment on Network Forensics Puzzle by Ubaid

Ubaid — Sat, 06 Nov 2010 09:47:01 +0000

Hello sir, Your work is Really a tremendousness job. i just wanted to know that What Language would be used to run the Script Code You Wrote and Published.

Thanks in Advance

Regards
Ubaid Ali Jaffery

Comment on SANS summit and gold paper by Tweets that mention IR and forensic talk » SANS summit and gold paper -- Topsy.com

Mon, 30 Aug 2010 00:38:37 +0000

[...] This post was mentioned on Twitter by yk, A Fistful of Dongles. A Fistful of Dongles said: http://bit.ly/bLYPX8 Kristinn Gudjonsson's GCFA Gold Paper is out now http://bit.ly/drh1XH [...]

Comment on SANS summit and gold paper by Chad Tilbury

Chad Tilbury — Sat, 28 Aug 2010 16:53:10 +0000

Congratulations, Kristinn! You have really pushed the field forward with your excellent work.

Comment on log2timeline Version 0.50 Released by Digital Forensics Case Leads: Ann’s Aurora Edition | Portable Digital Video Recorder

Thu, 15 Jul 2010 14:48:53 +0000

[...] Gudjonsson released log2timeline v0.50 on June 30. This release contains a number of improvements. One of the most exciting is the [...]

Comment on log2timeline Version 0.50 Released by Tweets that mention IR and forensic talk » log2timeline Version 0.50 Released -- Topsy.com

Thu, 01 Jul 2010 18:42:57 +0000

[...] This post was mentioned on Twitter by douglas brush, Masafumi Negishi. Masafumi Negishi said: RT log2timeline Version 0.50 Released – http://j.mp/ckVXMx [...]