Security Incidents mailing list archives

RE: Simple Windows incident response methodology


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 10 Jun 2004 04:22:19 -0700 (PDT)

2)  YES, this is not an assessment methodology that
will be easy to defend in court.  

It doesn't look as if it were intended to be.  Not
every investigation is litigious...in fact, from the
folks I've spoken to, more and more investigations are
becoming non-litigious, even in the face of laws such as
SB 1386.  

The point is, if you require an IR methodology for
litigious investigations, it doesn't help to point out
that other methodologies *aren't*.  That's the reason
I started this thread in the first place...to try and
come up with a consensus regarding methodologies that
do meet the needs of those who are going to use them.

3)  An incident response CD is just a bootable CD
with boot disk images and all the tools you need.

I think I'd take another look at this definition.  Any
bootable CD is going to destroy volatile data. 
Therefore, if you're going to boot to some other
operating system, there is no need for
Windows-specific copies of netstat, etc., as you've
already wiped out the volatile data that you're
interested in.  
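An added example, not part of this thread or of any poster's tools: a minimal live-response batch script that captures the volatile data discussed above from trusted copies of the Windows tools on a CD, run on the live system before anything is rebooted or imaged. The drive letters (D: for the tools CD, E: for the output drive), the tool paths and the md5sum.exe utility are assumptions.

```batch
@echo off
rem Live-response collection of volatile data. Run from the CD's trusted
rem binaries while the system is still up; a bootable CD would destroy
rem everything collected here. Drive letters and paths are assumptions.
setlocal
set TOOLS=D:\tools
set OUT=E:\case\%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"

rem Document when collection started; the order of steps is the record.
echo Collection started on %COMPUTERNAME% > "%OUT%\00_log.txt"
date /t >> "%OUT%\00_log.txt"
time /t >> "%OUT%\00_log.txt"

rem Most volatile first: network state, then processes, then sessions.
"%TOOLS%\netstat.exe" -an  > "%OUT%\01_netstat_an.txt"
"%TOOLS%\netstat.exe" -rn  > "%OUT%\02_route_table.txt"
"%TOOLS%\ipconfig.exe" /all > "%OUT%\03_ipconfig.txt"
"%TOOLS%\tasklist.exe" /v   > "%OUT%\04_tasklist_v.txt"
"%TOOLS%\tasklist.exe" /svc > "%OUT%\05_tasklist_svc.txt"
"%TOOLS%\net.exe" session   > "%OUT%\06_net_session.txt"
"%TOOLS%\net.exe" use       > "%OUT%\07_net_use.txt"

rem Caveat: binaries from the CD still call into the running system's
rem DLLs and kernel, so output can be incomplete on a compromised host.
rem Hash the outputs (md5sum.exe assumed on the CD) so later changes show.
"%TOOLS%\md5sum.exe" "%OUT%\*.txt" > "%OUT%\99_hashes.md5"

time /t >> "%OUT%\00_log.txt"
echo Collection finished >> "%OUT%\00_log.txt"
endlocal
```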

