Security Incidents mailing list archives

RE: Incident investigation methodologies


From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 14 Jun 2004 06:55:35 -0700 (PDT)


If a single template simplifies things, then I think
that is best. I just think administrators may shy away
from a complex forensic procedure on non-critical
systems, so the parts that apply to all systems should
be highlighted as such and things like memory dumps
can be left to those with the need, time and skill
required.

Ok, then consider this...rather than "template", let's
change the term to "methodology".  This methodology
could be implemented in a toolset or application,
which is the approach I've taken with the Forensic
Server Project (see the link at
http://www.windows-ir.com).  Various methods for
getting volatile data off of systems have been
discussed by the likes of Kornblum, Mandia, etc.
Articles have been written detailing commands to run,
piping the output of the tools through netcat to a
waiting server.  My goal with the FSP is to take this
one step further, by automating the collection of
data, as well as the storage of the data and
documentation of the activity.  For example, when
tools are run (from the CD) to collect information,
the server component generates and documents hashes
for the files.  When files are copied, the client
component creates hashes for the files before copying
the files, and the server component automatically
verifies the hashes.

Thoughts?
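A minimal sketch of the hash-before-copy / verify-on-receipt step described in the message above, added here as an illustration only: it is not the Forensic Server Project's code, and the framing format, the field names and the sample tool output are made up for the example.

```python
"""Client hashes an item before it leaves the host; the server recomputes the
hash over what it actually received and records both in a case log.
Constructed illustration, not the Forensic Server Project's wire format."""
import hashlib
import json
import struct

MAGIC = b"FSPX"  # constructed framing tag (assumption, not FSP's real format)


def client_package(name: str, data: bytes) -> bytes:
    """Client side: hash the bytes BEFORE copying and frame them with the hash,
    so the server can verify independently of the (possibly compromised) host."""
    digest = hashlib.sha256(data).hexdigest()
    header = json.dumps({"name": name, "sha256": digest, "size": len(data)}).encode()
    return MAGIC + struct.pack("!I", len(header)) + header + data


def server_receive(frame: bytes) -> dict:
    """Server side: parse the frame, hash the received bytes, compare against the
    client's claim and return a log record documenting the result."""
    if not frame.startswith(MAGIC) or len(frame) < 8:
        raise ValueError("bad framing")
    (hlen,) = struct.unpack("!I", frame[4:8])
    header = json.loads(frame[8:8 + hlen])
    data = frame[8 + hlen:]
    actual = hashlib.sha256(data).hexdigest()
    return {
        "name": header["name"],
        "bytes_received": len(data),
        "client_sha256": header["sha256"],
        "server_sha256": actual,
        # Verified only if both the hash and the announced length match.
        "verified": actual == header["sha256"] and len(data) == header["size"],
    }


def demo() -> list:
    """Collect one constructed tool-output item and one tampered copy of it."""
    output = b"TCP    0.0.0.0:135    0.0.0.0:0    LISTENING\n"  # constructed
    frame = client_package("netstat-an.txt", output)
    tampered = frame[:-1] + b"X"  # a single payload byte altered in transit
    return [server_receive(frame), server_receive(tampered)]


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```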
