Security Incidents mailing list archives
Re: Incident investigation methodologies
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 9 Jun 2004 11:15:26 -0700 (PDT)
> Computer science is just that: science, not mysticism.
Agreed. Computers are built on 1s and 0s. To someone who knows only how to run 'netstat' and open the Event Viewer and Task Manager, tracking down a simple Trojan may seem to be an art. Making "logical mappings" between the output of netstat and what you see in the Task Manager an "art"...no, wait, I take that back...it's foolish. The fact remains that in most cases (never say never, right?), one can find out what's going on with a system simply by collecting and analyzing data. The problem is that most folks either don't know what information to look for or how to look for it, or are simply too lazy. It's easier to say "forensics is an art, not a science" than it is to actually *do* or *learn* something new...
> However, I think that the "paranoia" argument is largely dependent on the audience of the argument. If I say to you (or, vice versa) that a black hat COULD trojan a copy of netstat.exe, it doesn't have the same connotation as if I said that to an end user.
Agreed. If you'd said that to me, I'd want to know the path to the copy of netstat.exe that was "trojaned" as well as the contents of the PATH statement on the system. I'd then want to know if the system is Win2K or above, and if so, if there's any evidence that WFP was disabled. Some Winadmins, on the other hand, would simply run with the information that netstat.exe can be trojaned.
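The three questions in that reply (which netstat.exe actually runs and from where, what PATH contains, and whether WFP was switched off) turned into a triage script. This is an added example, not code from the post or its author; it assumes an elevated PowerShell 4+ session on the suspect host and that $KnownGoodSha256 is a placeholder the responder fills in from trusted media.

```powershell
# Added example: collect the data needed to answer "is this netstat.exe trojaned?"
# Assumptions: elevated PowerShell 4+ on the suspect host; $KnownGoodSha256 is a
# placeholder the responder replaces with a hash taken from trusted install media.
$KnownGoodSha256 = '<KNOWN-GOOD-SHA256-FROM-TRUSTED-MEDIA>'   # placeholder, not a real value

# 1. Which netstat.exe actually runs? Command resolution walks PATH in order,
#    so a copy earlier in PATH than System32 wins.
$resolved = (Get-Command netstat.exe -ErrorAction SilentlyContinue).Source
"Resolved netstat.exe: $resolved"

# 2. Every netstat.exe reachable through PATH, in search order, with hash,
#    Authenticode status and last-write time for the timeline.
$pathEntries = $env:Path -split ';' | Where-Object { $_ -and (Test-Path $_) }
$copies = foreach ($dir in $pathEntries) {
    $candidate = Join-Path $dir 'netstat.exe'
    if (Test-Path $candidate) {
        [pscustomobject]@{
            Path     = $candidate
            Sha256   = (Get-FileHash $candidate -Algorithm SHA256).Hash
            Signed   = (Get-AuthenticodeSignature $candidate).Status
            Modified = (Get-Item $candidate).LastWriteTimeUtc
        }
    }
}
$copies | Format-Table -AutoSize

# Flag a copy that resolves ahead of System32, or whose hash/signature is off.
$system32Copy = Join-Path $env:SystemRoot 'System32\netstat.exe'
if ($resolved -and $resolved -ne $system32Copy) {
    Write-Warning "netstat.exe resolves to $resolved, not $system32Copy (check PATH order)"
}
foreach ($c in $copies) {
    if ($c.Signed -ne 'Valid') { Write-Warning "$($c.Path): Authenticode status $($c.Signed)" }
    if ($KnownGoodSha256 -notlike '<*' -and $c.Sha256 -ne $KnownGoodSha256) {
        Write-Warning "$($c.Path): hash differs from known-good"
    }
}

# 3. OS version (WFP exists from Windows 2000 on) and the SFCDisable value under
#    Winlogon, the setting through which WFP could be turned off on Win2K/XP-era hosts.
$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) $($os.Version)"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).SFCDisable
if ($null -eq $sfc)  { "SFCDisable: not set (WFP default)" }
elseif ($sfc -ne 0)  { Write-Warning "SFCDisable = $sfc (WFP may have been disabled)" }
else                 { "SFCDisable = 0 (WFP enabled)" }
```

The output is data, not a verdict: a hash mismatch, an unsigned copy early in PATH, or a non-zero SFCDisable are the facts a responder records before drawing a conclusion.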