domstat.net

Website loading time

during the test: 2.23 s

cable connection (average): 2.69 s

DSL connection (average): 3.14 s

modem (average): 27.31 s

HTTP headers

HTTP/1.0 200 OK

Content-Type: text/html; charset=UTF-8

Expires: Sat, 15 Oct 2011 03:14:56 GMT

Date: Sat, 15 Oct 2011 03:14:56 GMT

Cache-Control: private, max-age=0

Last-Modified: Fri, 14 Oct 2011 19:38:36 GMT

ETag: "3bc41606-a92a-4c28-b192-1370c3f41d60"

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Server: GSE

Information about DNS servers

Received from the first DNS server

Request to the server "windowsir.blogspot.com"
Received 40 bytes from address 121.14.70.5#53 in 263 ms
Request to the server "windowsir.blogspot.com"
You used the following DNS server:
DNS Name: ns.xinnet.cn
DNS Server Address: 121.14.70.5#53
DNS server aliases:

Host windowsir.blogspot.com not found: 2(SERVFAIL)
Received 40 bytes from address 121.14.70.5#53 in 255 ms

Received from the second DNS server

Request to the server "windowsir.blogspot.com"
Received 40 bytes from address 121.14.70.6#53 in 250 ms
Request to the server "windowsir.blogspot.com"
You used the following DNS server:
DNS Name: ns.xinnetdns.com
DNS Server Address: 121.14.70.6#53
DNS server aliases:

Host windowsir.blogspot.com not found: 2(SERVFAIL)
Received 40 bytes from address 121.14.70.6#53 in 259 ms

Subdomains (the first 50)

Typos (misspells)

Location

IP: 209.85.175.132

continent: NA, country: United States (USA), city: Mountain View

Website value

rank in the traffic statistics:

There is not enough data to estimate website value.

Basic information

website build using CSS

code weight: 175.54 KB

text per all code ratio: 33 %

title: Windows Incident Response

description:

keywords:

encoding: UTF-8

language: en

Website code analysis

one word phrases repeated minimum three times

two word phrases repeated minimum three times

three word phrases repeated minimum three times

B tags

Carbon Black

need

Timeliner

Exploit Artifacts

DFF

Community

Tools

Endorsements

Why?

Purpose

Scanner Attributes

Plugins

Deploying the Scanner

What's coming?

will

competitive advantage

must

ADSs

F-Response

Live Forensics

Volatility

AutoRuns Update

iTunes Forensic Analysis

Volatility Updates

NetworkMiner

Registry

NOT

Timelines

U tags

I tags

need

Rootkit Paradox

must

THANKS

exactly

What's new in Windows 7: An analyst's perspective

ACMru

WordWheelQuery

if/then

Endorsements

Flexibility

convertfromraw

Force Multiplier

and

Preservation of Corporate Knowledge

Competitive Advantage

Knowledge Retention

Self-Documenting

Common Format

opendir()

readdir()

closedir()

just

If you didn't document it, it didn't happen.

how do I keep case notes

to what standard do I keep case notes

how

Exhibits

Hours

So, to what standard do you keep case notes?  Most often, I'll say, "...so that you can come back a year later and know what you did."  Too often, however, this provides a lazy analyst with an easy out, because from their perspective, what are the chances that in a year, someone's going to come back and ask them a question?  Well, you don't know until it happens...and it does happen.  The best standard to use when writing your case notes is to assume that at any point, you could "get hit by a bus" and another analyst will have to take your notes and finish the exam.  As such, are your case notes written to a level where another analyst could run the same commands, using the same versions of the tools you used, and replicate your results?  So, in your case notes, do you say, "Checked for ADSs", or do you say "Mounted image with FTK Imager v3.0 as G: volume, scanned for ADSs using LADS v4.0"?  This is important...remember MHL's post on stealth ADSs?  There are more things on heaven and earth than are dreamt of in your philosophy, Horatio

How

DOES

blkls

Start with a Process

The Value of Case Notes

you may have to testify a year later

what if you get hit by a bus

should have

competitive advantage

indicators of compromise

WFA 3/e

WFA

Windows Registry Forensics

WFA 2/e

don't

WRF

NOT

not

every

Sniper Forensics

images

headers

H1

H2

Friday, October 14, 2011

Thursday, October 06, 2011

Wednesday, October 05, 2011

Saturday, October 01, 2011

Wednesday, September 28, 2011

Friday, September 23, 2011

Monday, September 19, 2011

Pages

Subscribe To WindowsIR

WindowsIR Blog List

Blog Archive

H3

Friday, October 14, 2011

Thursday, October 06, 2011

Wednesday, October 05, 2011

Saturday, October 01, 2011

Wednesday, September 28, 2011

Friday, September 23, 2011

Monday, September 19, 2011

Pages

Subscribe To WindowsIR

WindowsIR Blog List

Blog Archive

H4

H5

H6

internal links

external links