Security Incidents mailing list archives
RE: [ok] Simple Windows incident response methodology
From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Thu, 10 Jun 2004 09:24:24 -0400
1) I'd also like to hear from people who have more extensive experience with NT rootkits - will the methodology I gave find most of them? What are exceptions? What tools *should* be used in that instance?

2) I'd also like to hear from people on expanding out the "analysis" phase - for example, comparing results from fport to netstat, how do you examine listdll output and know if there are kernel hooks that shouldn't be there, etc. I know how to do it informally but haven't written it down.

3) Maybe we need to set up a list of URLs so people can download this list of steps, as well as the tools. It would save a lot of scouring. That way when so-and-so says "help me help me" we say "download this junk and post the results"

Thanks,
Mark Lachniet
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Thursday, June 10, 2004 7:17 AM
To: incidents () securityfocus com
Cc: Curt Purdy; Lachniet, Mark
Subject: RE: [ok] Simple Windows incident response methodology

Curt,

> I believe your list is a good starting point Mark, but only applies to
> systems where the client does not care if the evidence stands up in
> court as much of what is done will alter disk contents. If that is
> required then you could do this with a dd image but you would lose
> live data.

The argument for data collection for litigious purposes is a good one. Do you have any suggestions for retrieving volatile data from live Windows systems in a manner that could be argued in court?

> An option for live system analysis is sleuthkit that will not alter
> files or dates.

I'm not familiar with all of the possible uses of sleuthkit...however, since it runs on Linux, wouldn't one need to boot the CD, thereby losing volatile data?

I think that Mark's list is a great start, and perhaps we need to break things down into further subcategories, or at least identify methodologies that can be used for litigious purposes. Jesse Kornblum detailed the FRED disk for using a single diskette both for tools and their output. I think Mark took it a necessary step further (if you're considering litigious investigations) by putting the tools themselves on a CD. Perhaps another step is as I've indicated, by transporting the data off of the system all together to a waiting server (a la netcat/cryptcat, but with a wrapper for automation).
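Mark's second point asks how the "analysis" phase compares fport output against netstat. The script below is an added example written for this archive page; it is not code from the thread, from Foundstone's fport or from Microsoft's netstat. It parses the two outputs, treats every TCP LISTENING socket and every bound UDP socket as "open", and reports ports that one tool shows and the other does not. The two sample outputs are constructed and only approximate the real column layout of `netstat -an` on Windows 2000/XP and of fport v2.0, so the regular expressions are assumptions to adjust against a real capture.

```python
"""Cross-check listening ports reported by netstat against fport's port-to-process map."""
import re
from collections import namedtuple

# Constructed sample, approximating `netstat -an` output on Windows 2000/XP.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample, approximating Foundstone fport v2.0 output.
FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
428   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1212  svchost        ->  12345 TCP   C:\WINNT\system32\svchost.exe
8     System         ->  445   UDP
"""

Listener = namedtuple("Listener", "pid process path")

# proto, local port, optional state column (absent on UDP lines)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")
# pid, process name, port, proto, optional path
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*?))?\s*$")


def parse_netstat(text):
    """Return {(proto, port)} for sockets netstat shows as open.
    TCP counts only in LISTENING state; every UDP entry is a bound socket."""
    listening = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            listening.add((proto, port))
    return listening


def parse_fport(text):
    """Return {(proto, port): Listener} from fport's port-to-process map."""
    mapping = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if not m:
            continue
        pid, process, port, proto, path = m.groups()
        mapping[(proto, int(port))] = Listener(int(pid), process, path or "")
    return mapping


def cross_check(netstat_text, fport_text):
    """Compare the two views and return the discrepancies worth a closer look.

    unmapped: open per netstat, but fport attributes no process to it.
    unlisted: fport attributes a process, but netstat does not show it open.
    A mismatch is a lead, not proof: the two snapshots are taken at different
    moments, so a service that started or stopped in between also shows up here.
    """
    open_ports = parse_netstat(netstat_text)
    mapped = parse_fport(fport_text)
    unmapped = sorted(open_ports - set(mapped))
    unlisted = sorted(set(mapped) - open_ports)
    return {"unmapped": unmapped, "unlisted": unlisted}


if __name__ == "__main__":
    result = cross_check(NETSTAT_SAMPLE, FPORT_SAMPLE)
    for kind, ports in result.items():
        for proto, port in ports:
            print(f"{kind}: {proto}/{port}")
```

Run against files saved from the two tools, each mismatch becomes a line item to resolve against the other collected data (process list, loaded DLLs), which is the written-down version of the informal check Mark describes.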
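Harlan's closing suggestion is to move the tool output off the box to a waiting server, netcat-style, with a wrapper for automation. The following is an added example for this page, not code from the thread, from FRED or from netcat/cryptcat: an agent runs each tool, hashes the output on the acquisition host before it crosses the wire, and streams length-prefixed records to a collector that re-hashes what it received and records whether the two agree. The framing (4-byte header length, 4-byte data length, JSON header, raw bytes) is my own assumption; the demonstration runs both sides over loopback and substitutes portable Python one-liners for the Windows tools, so the `commands` list is a constructed stand-in for the tools on the CD.

```python
"""Ship live-response tool output to a waiting collector, hashing each record as it leaves the host."""
import hashlib
import json
import socket
import struct
import subprocess
import sys
import threading
import time


def run_and_frame(name, argv):
    """Run one tool and return a framed record: header length, data length, JSON header, output.
    The SHA-256 is computed on the acquisition host, before the bytes leave it."""
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    data = proc.stdout + proc.stderr
    header = {
        "tool": name,
        "argv": argv,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "sha256": hashlib.sha256(data).hexdigest(),
        "length": len(data),
    }
    hdr = json.dumps(header).encode()
    return struct.pack("!II", len(hdr), len(data)) + hdr + data


def ship(commands, host, port):
    """Agent side: run each (name, argv) pair in order and stream the records out."""
    with socket.create_connection((host, port)) as s:
        for name, argv in commands:
            s.sendall(run_and_frame(name, argv))
        s.shutdown(socket.SHUT_WR)  # tell the collector no more records follow


def recv_exact(conn, n):
    """Read exactly n bytes; return b'' only on a clean EOF before the first byte."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            if buf:
                raise ConnectionError("stream truncated mid-record")
            return b""
        buf += chunk
    return buf


def collect_one(conn):
    """Collector side: read records until EOF.
    Returns [(header, data, verified)] where verified means the received bytes
    hash to the digest the agent computed at collection time."""
    records = []
    while True:
        prefix = recv_exact(conn, 8)
        if not prefix:
            return records
        hdr_len, data_len = struct.unpack("!II", prefix)
        raw_header = recv_exact(conn, hdr_len)
        if hdr_len and not raw_header:
            raise ConnectionError("stream truncated before header")
        header = json.loads(raw_header)
        data = recv_exact(conn, data_len)
        verified = (len(data) == header["length"]
                    and hashlib.sha256(data).hexdigest() == header["sha256"])
        records.append((header, data, verified))


class Collector:
    """Listening side: accepts a single agent connection on a background thread."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket()
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]  # port 0 lets the OS pick a free one
        self.records = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            self.records = collect_one(conn)
        self.sock.close()

    def wait(self, timeout=30):
        self.thread.join(timeout)
        return self.records


def demo_roundtrip(commands=None):
    """Run agent and collector over loopback. The default commands are constructed
    stand-ins; on a real host argv would point at the tools on the response CD."""
    if commands is None:
        commands = [
            ("hello", [sys.executable, "-c", "print('volatile data stand-in')"]),
            ("pid", [sys.executable, "-c", "import os; print(os.getpid())"]),
        ]
    collector = Collector()
    ship(commands, "127.0.0.1", collector.port)
    return collector.wait()


if __name__ == "__main__":
    for header, data, ok in demo_roundtrip():
        print(header["tool"], header["sha256"][:16], len(data), "verified" if ok else "MISMATCH")
```

The collector's record of tool name, argv, timestamp and digest is what you would keep alongside the raw output; the hash on the collector side is recomputed independently, so a transport error or a later edit of the stored output shows up as a mismatch rather than going unnoticed.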
Current thread:
- RE: [ok] Simple Windows incident response methodology Lachniet, Mark (Jun 10)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 11)
- RE: Simple Windows incident response methodology sunzi (Jun 14)
- Re: Simple Windows incident response methodology Matthew Pope (Jun 15)
- RE: Simple Windows incident response methodology sunzi (Jun 14)
- <Possible follow-ups>
- RE: [ok] Simple Windows incident response methodology Max (Jun 15)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 11)