Saturday, October 25, 2008

Doing the data analysis job better

As I was talking to a colleague this week, something came up that makes me think we can do stuff better. We agreed that there is a certain mentality of not being satisfied with the way things are and of trying to build upon things and improve process, flow, and efficiency. (Please don't mistake me for a humorless German because of that; I just like things to work better and I abhor tedious tasks whenever possible.)

So on Friday I was looking at this matter I have been assigned to, and it had a ton of Event logs to go through and examine for information that may lead me to understand how a group of servers may have been compromised in the first place. In this case there were about 25 different Event log files, many of them in different places in the directory structure that was sent to me. Going through each of these was going to be a challenge. I am always hesitant to move files around when it involves a case I am working on, mainly because you risk getting yourself into a situation. (Keep in mind that I always work on a backup of the data, so if on the rare occasion disaster strikes, I don't have to go back to the client asking for a do-over. Bad Ju Ju!) I also think that when you move the data around you may have issues keeping one set of event logs separated and distinguishable from another set. I put into use a tool that Harlan Carvey came up with in his book Windows Forensic Analysis, which takes event logs and can output them in .CSV format so they can be imported into Excel or any other spreadsheet. (I like to run them through a strings-searching tool myself, as sometimes the resultant .CSV files are too big for Excel to handle.) So you would think it is easy: just take each of the event logs, run them through LSEVT2.EXE, and I would get my .CSV files to search through! Easy for one or two, but for 25, it's a pain.

So I figured out a way to make a list of each of the files in each of the directories they resided in; remove the white-space from the listings (I hate white-space; only in a few cases does anything good ever come from it, and you will see one of those today); put a numerical designation beside each file listing so I could tell them apart when the .CSV files were made; and run a FOR - DO batch file loop that would read my list file and, for each listing, take the filename, run it through LSEVT2.EXE, and redirect the output to a .CSV file with the number as the file name. It worked, and I was able to get off the keyboard and let it run by itself without me directly managing it. It took just under 2 hours to run, so in my mind it saved me (and the client) 2 hours of tedious boredom just by spending 20 minutes on a little programming, researching, troubleshooting, and testing. Here is what it looks like in a 'more visual sense':

Suppose I have 6 event logs, all in separate directories, and the only thing they have in common is their extension (.EVT):

F:\Big Case\Web Server\SystemEvent.evt
F:\Big Case\Web Server\ApplicationEvent.evt
F:\Big Case\Web Server\SecurityEvent.evt
F:\Big Case\BES Server\System.evt
F:\Big Case\BES Server\Application.evt
F:\Big Case\BES Server\Security.evt

A DIR /s /b *.evt >> filelist.txt would put the full path of every file, one per line, into filelist.txt. But it still has white-space (which broke it the first couple of times I tried it, because the batch FOR command splits each line on spaces). I would put it through Notepad and replace all white space so it would look something like this:

F:\Big_Case\Web_Server\SystemEvent.evt
F:\Big_Case\Web_Server\ApplicationEvent.evt
F:\Big_Case\Web_Server\SecurityEvent.evt
F:\Big_Case\BES_Server\System.evt
F:\Big_Case\BES_Server\Application.evt
F:\Big_Case\BES_Server\Security.evt

Then I would put a number next to each (the only time I approve of white-spaces is with tokens) and it would look like this:

F:\Big_Case\Web_Server\SystemEvent.evt 1
F:\Big_Case\Web_Server\ApplicationEvent.evt 2
F:\Big_Case\Web_Server\SecurityEvent.evt 3
F:\Big_Case\BES_Server\System.evt 4
F:\Big_Case\BES_Server\Application.evt 5
F:\Big_Case\BES_Server\Security.evt 6

This file would be saved as filelist.txt. FOR /F hands successive tokens to successive letters, so in my program code the first token, the path-and-filename, lands in %%f and the second token, the number, lands in the next letter, %%g.

The heart of the for-do command would look something like this:
for /f "tokens=1,2" %%f in (filelist.txt) do echo %%g && LSEVT2.EXE -c -f %%f > %%g.csv
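As an added example (my own script, not the author's), here is the same workflow as one self-contained batch file: it walks the case tree itself, so the manual white-space clean-up in Notepad goes away, numbers each log, runs it through LSEVT2.EXE, and writes a mapping file tying each numbered .CSV back to its source path, which keeps the logs from the different servers distinguishable. The case root, the output folder and the LSEVT2.EXE switches (-c -f, as used in the post) are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the original post. Assumptions: LSEVT2.EXE is
rem on the PATH and accepts "-c -f <file>" as in the post; CASEROOT and
rem OUTDIR are placeholders for the read-only copy of the case data and a
rem separate output folder, so nothing is written next to the evidence.
set "CASEROOT=F:\Big Case"
set "OUTDIR=F:\Case_Output"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
set /a num=0

rem FOR /R walks the whole tree below CASEROOT, so no filelist.txt is needed.
rem Quoting "%%~fF" (the full path) keeps paths with spaces in one piece,
rem which is why the white-space replacement step is no longer required.
for /r "%CASEROOT%" %%F in (*.evt) do (
    set /a num+=1
    rem Record number and source path so each CSV can be traced back later.
    echo !num!^|%%~fF>>"%OUTDIR%\mapping.txt"
    echo Processing !num!: "%%~fF"
    LSEVT2.EXE -c -f "%%~fF" > "%OUTDIR%\!num!.csv"
)

echo Done: !num! event logs converted. Source mapping is in "%OUTDIR%\mapping.txt".
endlocal
```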

That is the general gist of how it works, and it became a complete time saver. I owe heaps of gratitude to my colleague, Harlan Carvey. If it weren't for his expertise and talent, I would never have dreamed this up.

Time for me to stop blogging and get back to the case.

Weight gain and growth development

Jason has put on some additional weight this week. We weighed him the other day and he was at 8 pounds and 8 ounces. He looks like he has gotten bigger and he is also doing more. This is a big delight to us. We have noticed him lifting his head more and even once or twice reaching out for things. He certainly eyeballs us and is taking notice of things around him like the TV and some of his playthings.

That's all for now until I have more to add to this posting.

Saturday, October 18, 2008

At home care of Jason

This week was pretty good with Jason. He is doing well at home and he is now up to 8 pounds and 3 oz. His oxygen needs have been reduced by his cardiologist, and it makes things better all throughout the day. He is only on supplemental oxygen at night while he sleeps. This makes it easy to move about the house with him during the day without having an oxygen delivery tube snaking behind us as we go.

Today was a really big day because we finally got up the courage to replace Jason's nasogastric (NG) tube. I can say there is nothing funny about taking a tube and passing it down your nose into the stomach. It's been a month since Jason had his last one put in, and we have been home since we left UCSF. We were trained very well on the proper insertion and placement techniques in case we would have to actually do it at home. I really admire the coaching and encouragement they gave us, and today we had to draw upon it. We took out his old NG tube and gave him about two hours without it, which was right between feedings. Then when it came time for another feeding, we put in the replacement NG tube. It can be very nerve-wracking to do on anyone, let alone a small infant whom you can't instruct to swallow on command and whose cries you have to listen to as it goes in. But Jason was very good about it and settled down very quickly after it was in and we verified (4 times) that it had gone into the proper place.


(Really, I am not without a sense of humor. If you want to see a funny video on the subject, check out these guys who posted a video on YouTube. They appear to be servicemembers, so I'm sure they can handle the discomfort.)

Monday, October 6, 2008

This past week (busy)


This past week has been pretty busy with all that goes on. So that everyone knows, Jason is doing well and he has gotten bigger. As of the other night, he now weighs 8 pounds. He is making good progress and he appears to be developing well. We also have time to catch the cats making nice with Jason. The other day I took a picture of one of the cats, Max, with a bib around his neck. My wife and I could not stop laughing