RE: Incident investigation methodologies

[Harlan Carvey <keydet89 () yahoo com>]

Kevin,
 
> The keys to good incident response and effective
> forensics investigations are your process and your
> approach.  Technology comes second.

Agreed.  That's what I'm trying to get across. 
Perhaps I took it somewhat for granted that this was
already understood.  

My thoughts on this, reading the lists and working
with folks (sysadmins, etc) is that the technology is
there, but it's the process/methodology that is
lacking.  

> I
> cannot think of anything that would be of greater
> value to an incident handler or a computer crime
> investigator (especially one new to the field) than
> a basic approach that has been tested and tried. 

If the technology is understood, and the process is
then implemented in a live, incident response tool,
both the first responder and the investigator would
benefit greatly.  

What I see lacking in many cases is two-fold:  either
the process (and tools used to implement the process)
are lacking, or the information isn't communicated
effectively.  Take the post that started this thread
for example...the original poster (OP) had stated that
they hadn't seen anything suspicious in the output of
netstat.exe.  One respondant stated that "a hacker
could..." do something malicious to cause the output
of netstat to be untrustworthy.  Well, there are
several things to consider:

1.  The OP could have stated that the output of
netstat.exe corresponded directly with the results of
an nmap scan of the box.

2.  The OP could have stated that prior to running
netstat.exe, he'd verified the hash for the tool
(something passed via personal email and not
communicated with the list).

3.  The OP could have used several disparate tools,
all copied to a CD, to ensure the integrity of the
tools, as well as providing corroborating evidence
that the information seen in netstat.exe was indeed
accurate.

4.  When dealing with Win2K/XP/2K3, one has to take
WFP into account.  Yes, I know that many of the
readers of this post are going to send me links to
information showing how easy it is to disable WFP, but
consider this for a moment...what if the first
responder or investigator is able to demonstrate that
there is no evidence that WFP has been disabled? 
Wouldn't something like this then be added to a
methodology/process for examining Windows systems? 
What if the data collection portion of this were
automated to a degree that it can be done by anyone?

> Having a group of skilled and experienced
> professionals who work together to build and
> maintain them would ensure that they are both useful
> and accurate.  This, I believe, is one half of what
> Harlan is trying to create.  I, for one, applaud
> this effort.

Thanks.  You hit the nail on the head.
 
> The second half of what I believe Harlan is trying
> to do is to take discussion from the realm of theory
> into the realm of practical experience.

Very much so.

> We all know
> what rootkits should be able to do.  We all know
> that there are thousands of exploits in the wild. 
> It would seem to me that instead of saying that a
> rootkit could do something, it would be more
> beneficial to the community at large to:
>  - State the capabilities of specific rootkits
>  - Describe some of the indications that a rootkit
> may be present on a      system
>  - Describe how the rootkit presence could be
> verified
>  - Identify how the rootkit can be removed
>  - Identify the steps that may be taken to discover
> how the rootkit ended up on the system in the first
> place
>
> This information should be collected using real,
> controlled test scenarios or real-world experience
> rather that a bunch of theory that anyone who can
> read can get from the local book store.  Again, I
> think that this effort would be extremely valuable.

As do I.  And I also think that it would greatly
benefit the community, by moving us beyond the
stagnation faced by phrases like "...but a hacker
could...".  Some small degree of paranoia...perhaps
"caution" is a better term...is necessary in the
security profession, as no one person can know
everything there is to know.  However, many of us
working together can know quite a lot...