Re: Incident investigation methodologies

[FRCMSEC <FRCMSEC () terra es>]

1º What you suggest is a modified version of Bugtraq.
2º People dont have time or dont want to make the effort of making a 
documented report every time they post a message.

I dont know what rootkit is capable of doing what things. I only want 
to know if it was a rootkit, if it is in my system and what it has done 
in my system.

If you want to document your activities, it will be something similar 
to forensic.

----- Mensaje Original -----
De: Harlan Carvey <keydet89 () yahoo com>
Fecha: Jueves, Junio 3, 2004 2:00 am
Asunto: Re: Incident investigation methodologies

> Gadi,
>
> > > While it's entirely possible that a rootkit
> > *could* do
> > > something, why not base what we do in fact, rather
> > > than in speculation, rumor, and paranoia?
> >
> > What you are suggesting, basically, is an
> > information sharing network 
> > for different attack descriptions and information?
> >
> > A forensic dictionary? :)
>
> Admittedly, I may not have been as absolutely clear as
> I could have, but I really don't see where you were
> able to infer such a thing - particularly given the
> title of the post.
>
> To try again...what I'm suggesting is a documented,
> verifiable, repeatable methodology for incident
> response.  I'm aware that the implemented methodology
> will have to specific to the platform (ie, Windows,
> Linux, *nix, *BSD, etc).  I'm also aware that the
> framework will have to be flexible enough to allow new
> information to be incorporated.
>
> Hopefully, that's clear enough for a start...