Security Incidents mailing list archives
Re: Incident investigation methodologies
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 4 Jun 2004 05:07:19 -0700 (PDT)
> 1º What you suggest is a modified version of Bugtraq.
Perhaps that's one interpretation, yes. However, I would envision references/hyperlinks to Bugtraq articles, rather than reinventing the wheel.
> 2º People don't have time or don't want to make the effort of making a documented report every time they post a message.
Perhaps some tiny piece of me is still holding onto the notion (regardless of experience) that people inherently want to do good. That part of me thinks that if the folks *knew* how to do even basic troubleshooting and investigating (i.e., use tools such as pslist and tlist to retrieve process info from Windows machines, rather than simply glancing at Task Manager), and they had the tools, that they *would* do those things. Too many times, nothing more than a file name is provided when someone posts to this (and other) list. Folks such as Nick Fitzgerald over in the Focus-Virus list have been saying for years that file names are *not* the be-all-and-end-all of malware identification. So, let's say someone puts together a tool that automatically dumps process, network, process-to-port mapping info, Registry entries, services/device drivers, etc., all to a single file, and provides it for free. Then, when someone finds something unusual or "suspicious" on a system and can't identify it themselves (which usually only requires an update to their anti-virus software), they can post this collection of information, along with (perhaps) the binary in question, and completely avoid the deluge of questions that usually follow posts to this list. How easy would that be?
> I don't know what rootkit is capable of doing what things. I only want to know if it was a rootkit, if it is in my system and what it has done in my system.
Ok, that's perfectly fine. You're one of the folks who simply wants a tool that they can click a button on and determine what's on the system. That's fine. There are others, such as myself, who will collect the information and hopefully provide those tools.
> If you want to document your activities, it will be something similar to forensics.
Yes. Ok. You're right.
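The "single file" collector described in the message above is easy to start on: the process-to-port mapping is just a join between the PID column of `netstat -ano` and the PID column of `tasklist`. The following is an added example, not code from the original post or from the list; the tool outputs it parses are constructed samples shaped like the real commands' output, so it runs offline.

```python
"""Join `tasklist` and `netstat -ano` output into a process-to-port map.

Added example (not from the original post). The two sample texts below are
constructed to look like the real tools' output; on a live Windows host you
would feed the commands' actual stdout to process_port_map().
"""
import json
import re

# Constructed sample output in the format of `tasklist`.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
svchost.exe                    912 Services                   0     12,448 K
unknown.exe                   2048 Console                    1      4,112 K
"""

# Constructed sample output in the format of `netstat -ano`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:49213      203.0.113.7:6667       ESTABLISHED     2048
  UDP    0.0.0.0:500            *:*                                    912
"""

def parse_tasklist(text):
    """Map PID -> image name; header and separator rows do not match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("TCP", "UDP"):
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif len(parts) == 4 and parts[0] == "UDP":
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows

def process_port_map(tasklist_text, netstat_text):
    """Attach the owning image name to each socket; a PID missing from
    tasklist is flagged rather than silently dropped."""
    procs = parse_tasklist(tasklist_text)
    return [{"proto": p, "local": l, "remote": r, "state": s, "pid": pid,
             "image": procs.get(pid, "<pid not in tasklist>")}
            for p, l, r, s, pid in parse_netstat(netstat_text)]

def write_report(rows, path="triage_report.json"):
    """Write the mapping as one JSON file suitable for attaching to a post."""
    with open(path, "w") as fh:
        json.dump(rows, fh, indent=2)
    return path
```

Registry, service and driver dumps would be collected the same way and appended to the same report; the value is in posting the correlated data, not a bare file name.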