Security Incidents mailing list archives

RE: [ok] Simple Windows incident response methodology


From: "Curt Purdy" <purdy () tecman com>
Date: Tue, 8 Jun 2004 18:02:55 -0500

Lachniet, Mark wrote:
Metaphorical discussion aside, maybe it would be more productive to
start with a basic incident response methodology and kick it around a
little bit.  I have one that I have used - it is for Windows only, and
it's pretty basic, but maybe it's a starting point.

I believe your list is a good starting point Mark, but it only applies to
systems where the client does not care whether the evidence stands up in court, as
much of what is done will alter disk contents.  If that is required then you
could do this with a dd image, but you would lose live data.  An option for
live system analysis is sleuthkit, which will not alter files or dates.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke 
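The trade-off described in the message (a dd image is defensible but loses live state) is platform-independent, so here is a small POSIX shell illustration of the order it implies: snapshot volatile data first, then take a block-level image and hash both source and image so the copy can be shown to match later. This is an added example, not code from the thread or from sleuthkit; the file names, the 4096-byte block size and the random sample file standing in for a device are assumptions for the demo. Windows tools would differ, but the sequence is the same.

```shell
#!/bin/sh
# Added example (not from the thread): volatile data first, then a dd
# image with hashes. Run against a constructed sample file standing in
# for the device; names and the 4096-byte block size are assumptions.
set -eu

# sha256 of a file, using whichever tool the host has
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Volatile state an offline image cannot contain: record it before
# touching the disk. Only commands present on the host are used.
collect_volatile() {
    out=$1
    { date -u; uname -a; } >"$out"
    command -v ps >/dev/null 2>&1 && ps -e >>"$out" 2>/dev/null || true
}

# image_source SRC DST LOG: copy SRC block for block. conv=noerror,sync
# keeps going past unreadable blocks and pads them with zeros, so a
# source with read errors will NOT hash-match its image; dd's error
# count in LOG is what explains such a mismatch.
image_source() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>>"$3"
}

# verify_image SRC DST: prints both hashes, returns 0 only if they match
verify_image() {
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# acquire SRC WORKDIR: volatile snapshot, then image, then verify.
# Returns verify_image's status; volatile.txt, image.dd and
# acquisition.log are left in WORKDIR.
acquire() {
    collect_volatile "$2/volatile.txt"
    image_source "$1" "$2/image.dd" "$2/acquisition.log"
    verify_image "$1" "$2/image.dd" >>"$2/acquisition.log"
}

# Constructed sample: 32 KiB of random bytes standing in for the device
# (a whole number of blocks, so conv=sync adds no padding).
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/sample.bin" bs=4096 count=8 2>/dev/null
    if acquire "$work/sample.bin" "$work"; then status=0; else status=1; fi
    cat "$work/acquisition.log"
    rm -rf "$work"
    return $status
}

demo
```

The hash comparison is the check a practitioner wants before relying on the image: a mismatch means either the source changed under you (a live system, which is the message's point) or dd hit unreadable blocks, and the log distinguishes the two.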

