Security Incidents mailing list archives
RE: Incident investigation methodologies
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 14 Jun 2004 06:55:35 -0700 (PDT)
> If a single template simplifies things, then I think that is best. I just think administrators may shy away from a complex forensic procedure on non-critical systems, so the parts that apply to all systems should be highlighted as such and things like memory dumps can be left to those with the need, time and skill required.
Ok, then consider this...rather than "template", let's change the term to "methodology". This methodology could be implemented in a toolset or application, which is the approach I've taken with the Forensic Server Project (see the link at http://www.windows-ir.com). Various methods for getting volatile data off of systems have been discussed by the likes of Kornblum, Mandia, etc. Articles have been written detailing commands to run, piping the output of the tools through netcat to a waiting server. My goal with the FSP is to take this one step further, by automating the collection of data, as well as the storage of the data and documentation of the activity. For example, when tools are run (from the CD) to collect information, the server component generates and documents hashes for the files. When files are copied, the client component creates hashes for the files before copying the files, and the server component automatically verifies the hashes. Thoughts?
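The client/server hashing exchange described in the post above, written out as an added example. This is not the Forensic Server Project's code: the message format, the `ServerCase` audit log, the use of SHA-256, and every file name, tool name and byte string are constructed for illustration. The client hashes a file before it leaves the host, the server re-hashes what arrives and compares, and every event (including a failed verification) is appended to a JSON-lines audit record.

```python
"""Added example (not FSP code): hash-before-copy on the client, verify-on-receipt
on the server, with an audit log documenting each collection step."""
import hashlib
import json
import time
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Digest used on both sides; SHA-256 is this example's choice, not FSP's."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ServerCase:
    """Server-side state for one case: collected evidence plus an append-only audit log."""
    case_id: str
    evidence: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def record(self, event: str, **details) -> dict:
        entry = {"case": self.case_id, "time": time.time(), "event": event, **details}
        self.audit_log.append(entry)
        return entry

    def export_audit(self) -> str:
        """One JSON object per line, suitable for the case file."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


# --- client component (would run from the response CD on the suspect host) ---

def client_prepare_file(path: str, content: bytes) -> dict:
    """Hash the file before it leaves the host; the server recomputes and compares."""
    return {"kind": "file", "path": path, "size": len(content),
            "sha256": sha256_hex(content), "content": content}


def client_prepare_tool_output(tool_name: str, tool_image: bytes, output: bytes) -> dict:
    """Report which tool ran (identified by the hash of its image) and what it produced."""
    return {"kind": "tool", "tool": tool_name, "tool_sha256": sha256_hex(tool_image),
            "output": output}


# --- server component ---

def server_receive(case: ServerCase, msg: dict) -> bool:
    """Verify and store one client message; returns True if it was accepted."""
    if msg["kind"] == "file":
        actual = sha256_hex(msg["content"])
        ok = actual == msg["sha256"] and len(msg["content"]) == msg["size"]
        # The audit entry is written whether or not verification passed.
        case.record("file_received", path=msg["path"], claimed_sha256=msg["sha256"],
                    actual_sha256=actual, verified=ok)
        if ok:
            case.evidence[msg["path"]] = msg["content"]
        return ok
    if msg["kind"] == "tool":
        out_hash = sha256_hex(msg["output"])
        case.record("tool_run", tool=msg["tool"], tool_sha256=msg["tool_sha256"],
                    output_sha256=out_hash)
        case.evidence["tool:" + msg["tool"]] = msg["output"]
        return True
    case.record("rejected", reason="unknown message kind")
    return False


def run_demo() -> dict:
    """Constructed walk-through: one tool run, one intact file, one file altered in transit."""
    case = ServerCase("CASE-0001-constructed")
    # Constructed stand-ins for a tool image, its output, and two collected files.
    tool_msg = client_prepare_tool_output(
        "pslist.exe", b"MZ fake tool image", b"PID 4 System\nPID 1234 svchost.exe\n")
    intact_msg = client_prepare_file(r"C:\temp\sample.log", b"2004-06-14 login ok\n")
    tampered_msg = client_prepare_file(r"C:\temp\altered.log", b"original bytes\n")
    tampered_msg["content"] = b"original bytez\n"  # simulate corruption after hashing
    return {
        "tool_accepted": server_receive(case, tool_msg),
        "intact_verified": server_receive(case, intact_msg),
        "tampered_verified": server_receive(case, tampered_msg),
        "evidence_keys": sorted(case.evidence),
        "audit_events": [e["event"] for e in case.audit_log],
        "audit_jsonl": case.export_audit(),
    }


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps({k: v for k, v in result.items() if k != "audit_jsonl"}, indent=2))
    print(result["audit_jsonl"])
```

The altered file is logged but never stored as evidence, which is the property the post describes: the server's verification is automatic, and the record of the failed check is itself part of the case documentation. A real deployment would carry these messages over a network channel (the post mentions netcat) rather than passing dicts in-process.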