Security Incidents mailing list archives

Incident investigation methodologies, update


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 2 Jun 2004 13:24:16 -0700 (PDT)

Just a quick update to clarify some thoughts on this
topic...

I guess what I'm recommending is actually two-fold,
but it can be incorporated into one overall
methodology.

We all have our own ways of approaching a suspected
incident...based on our knowledge/skills/experience,
etc.  However, I think that if we really look at
things, we'll see that there are some commonalities in
our "procedures".  Given a Windows system, for
example, there are certain things we do...information
we collect, etc.  For the most part, we can develop a
common methodology for this sort of thing, based on
constraints, of course (ie, operating system/platform,
corporate or organizational goals of the
investigation, etc.)  This methodology should serve as
a starting point, and not be seen as restrictive (ie,
you can do *only* these steps).  

After all...how many posts do we see in this list
which spawn many questions, rather than answers?  What
I'm proposing is that we produce a methodology that
anyone can use.

The other aspect is that we need to be able to
incorporate new information, found through either
testing or on-the-job discovery.  We all know that
what we know of today will become "old hat" or passé
in 6 months (or less).  New technologies and
techniques will be developed.  This new information
will need to be incorporated into the methodology.
