Security Incidents mailing list archives

RE: Incident investigation methodologies


From: "Gaydosh, Adam" <GaydoshA () ctcgsc org>
Date: Fri, 4 Jun 2004 11:51:41 -0400

To try again...what I'm suggesting is a documented,
verifiable, repeatable methodology for incident
response.  I'm aware that the implemented methodology
will have to be specific to the platform (i.e., Windows,
Linux, *nix, *BSD, etc.).  I'm also aware that the
framework will have to be flexible enough to allow new
information to be incorporated.

I think that NIST SP 800-61 Computer Security Incident Handling Guide, January 2004 
[http://csrc.nist.gov/publications/nistpubs/index.html] should cover that quite conclusively.  As a side note, I think 
the folks at NIST put out lots of great pubs that are sorely under-utilized, not only by other agencies but the InfoSec 
community at large...no need to duplicate efforts.  

Anyways, this framework seems to be quite a bit more general than what I thought you were requesting in your original 
post, essentially detailed CERT bulletins analyzing real-world incidents, to provide more useful field-response-type 
notes?  Seems to me that this is already being done to varying degrees by different communities and may just need to be 
correlated...from the various A/V and other security vendors' advisories, to many of the papers in the www.rootkit.com 
vault that analyze specific Windows rootkits, for example.  And I'm sure there are tons more!  Also, what do you think of 
the various news portals that try to round this all up, a la http://www.infosyssec.com/?  Please let me know if I am way 
off-base...
