I see that DISA has released a spreadsheet matching IAVMs to their corresponding CVE numbers. This will be handy when you are matching patch findings with their CVE number.
You can find the spreadsheet here.
Thursday, December 22, 2011
Thursday, December 8, 2011
SUPER Timeline creation (from SANS)
I'm making a push for more forensics at work. One avenue I'm trying to open up is the investigation of laptops/computers of former employees. And, to that end, one of the tools I'll be making heavy use of is the timeline. I'm pretty adept at creating timelines with SIFT, but Log2Timeline was not in existence when I took my GCIH.
This article is an excellent primer on using Log2Timeline to create a SUPER timeline in SIFT, using many inputs from an acquired image.
(Edit 1/20/12) Rob Lee has added another article on Log2Timeline to the SANS Forensics blog, this article talking about log2timeline and log2timeline-sift. Plus, there are some good examples at the end of the article.
(Edit 1/28/12) Rob has added yet another article...releasing a template that colorizes output from Log2Timeline. I haven't given this a whirl, but I will after I create my next timeline.
Older articles:
How to Create a Filesystem and Registry Timeline
I've created this post so I know where to reference the original article, as I'm sure I'll forget.
This article is an excellent primer on using Log2Timeline to create a SUPER timeline in SIFT, using many inputs from an acquired image.
(Edit 1/20/12) Rob Lee has added another article on Log2Timeline to the SANS Forensics blog, this article talking about log2timeline and log2timeline-sift. Plus, there are some good examples at the end of the article.
(Edit 1/28/12) Rob has added yet another article...releasing a template that colorizes output from Log2Timeline. I haven't given this a whirl, but I will after I create my next timeline.
Older articles:
How to Create a Filesystem and Registry Timeline
I've created this post so I know where to reference the original article, as I'm sure I'll forget.
Subscribe to:
Posts (Atom)