Security Incidents mailing list archives
RE: Simple Windows incident response methodology
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 10 Jun 2004 04:22:19 -0700 (PDT)
2) YES, this is not an assessment methodology that will be easy to defend in court.
It doesn't look as if it were intended to be. Not every investigation is litigious...in fact, from the folks I've spoken to, more and more investigations are becoming non-litigious, even in the face of laws such as SB 1386. The point is, if you require an IR methodology for litigious investigations, it doesn't help to point out that other methodologies *aren't*. That's the reason I started this thread in the first place...to try and come up with a consensus regarding methodologies that do meet the needs of those who are going to use them.
3) An incident response CD is just a bootable CD with boot disk images and all the tools you need.
I think I'd take another look at this definition. Any bootable CD is going to destroy volatile data. Therefore, if you're going to boot to some other operating system, there is no need for Windows-specific copies of netstat, etc., as you've already wiped out the volatile data that you're interested in.
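The distinction above (a response CD carrying trusted tool copies that are run on the live system, versus a bootable CD that discards the volatile state) can be illustrated with a live-response collector. This is an added example, not code from the thread or from any of its posters; the CD path D:\tools, the output path E:\ir-output and the tool list are assumptions.

```powershell
# Added example: collect volatile data from a running Windows host using
# trusted tool copies on a response CD, before any reboot. Assumed paths:
# $ToolDir holds known-good netstat.exe, tasklist.exe and ipconfig.exe;
# $OutDir is removable media, so nothing is written to the suspect disk.
param(
    [string]$ToolDir = 'D:\tools',      # assumed response-CD mount
    [string]$OutDir  = 'E:\ir-output'   # assumed removable output drive
)

$ErrorActionPreference = 'Stop'
$Case = Join-Path $OutDir ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $Case | Out-Null

# Collection order follows volatility: what a reboot would destroy first.
$Steps = @(
    @{ Name = 'netstat';  Exe = 'netstat.exe';  Args = '-ano' },
    @{ Name = 'tasklist'; Exe = 'tasklist.exe'; Args = '/v' },
    @{ Name = 'ipconfig'; Exe = 'ipconfig.exe'; Args = '/all' }
)

$Log = Join-Path $Case 'collection.log'
"start $(Get-Date -Format o) host=$env:COMPUTERNAME user=$env:USERNAME" | Out-File $Log

foreach ($s in $Steps) {
    $exe = Join-Path $ToolDir $s.Exe
    if (-not (Test-Path $exe)) {
        "MISSING $exe" | Out-File $Log -Append
        continue
    }
    $out = Join-Path $Case ($s.Name + '.txt')
    # Run the trusted copy by full path, not whatever is on the host's PATH.
    & $exe $s.Args.Split(' ') 2>&1 | Out-File $out -Encoding utf8
    # Hash both the binary used and the output it produced, for the record.
    $toolHash = (Get-FileHash -Algorithm SHA256 -Path $exe).Hash
    $outHash  = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
    "$(Get-Date -Format o) $($s.Name) tool=$toolHash output=$outHash" | Out-File $Log -Append
}
"end $(Get-Date -Format o)" | Out-File $Log -Append
```

The collector itself changes process and handle state on the host, which is why each step is timestamped and logged rather than silently overwritten.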