Security Incidents mailing list archives
Incident investigation methodologies, update
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 2 Jun 2004 13:24:16 -0700 (PDT)
Just a quick update to clarify some thoughts on this topic... I guess what I'm recommending is actually two-fold, but it can be incorporated into one overall methodology.

We all have our own ways of approaching a suspected incident...based on our knowledge/skills/experience, etc. However, I think that if we really look at things, we'll see that there are some commonalities in our "procedures". Given a Windows system, for example, there are certain things we do...information we collect, etc. For the most part, we can develop a common methodology for this sort of thing, based on constraints, of course (i.e., operating system/platform, corporate or organizational goals of the investigation, etc.). This methodology should serve as a starting point, and not be seen as restrictive (i.e., you can do *only* these steps). After all...how many posts do we see on this list which spawn many questions, rather than answers? What I'm proposing is that we produce a methodology that anyone can use.

The other aspect is that we need to be able to incorporate new information, found through either testing or on-the-job discovery. We all know that what we know today will become "old hat" or passé in 6 months (or less). New technologies and techniques will be developed. This new information will need to be incorporated into the methodology.