RE: [ok] Simple Windows incident response methodology

["Lachniet, Mark" <mlachniet () sequoianet com>]

1)  I'd also like to hear from people who have more extensive experience
with NT rootkits - will the methodology I gave find most of them?  What
are exceptions?   What tools *should* be used in that instance?

2)  I'd also like to hear from people on expanding out the "analysis"
phase - for example, comparing results from fport to netstat, how do you
examine listdll output and know if there are kernel hooks that shouldn't
be there, etc.  I know how to do it informally but haven't written it
down.

3)  Maybe we need to set up a list of URLs so people can download this
list of steps, as well as the tools.  It would save a lot of scouring.
That way when so-and-so says "help me help me" we say "download this
junk and post the results"

Thanks,

Mark Lachniet



> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89 () yahoo com] 
> Sent: Thursday, June 10, 2004 7:17 AM
> To: incidents () securityfocus com
> Cc: Curt Purdy; Lachniet, Mark
> Subject: RE: [ok] Simple Windows incident response methodology
>
> Curt,
>  
> > I believe your list is a good starting point Mark, but only 
> applies to 
> > systems where the client does not care of the evidence stands up in 
> > court as much of what is done will alter disk contents.  If that is 
> > required then you could do this with a dd image but you would lose 
> > live data.
>
> The argument for data collection for litigious purposes is a 
> good one.  Do you have any suggestions for retrieving 
> volatile data from live Windows systems in a manner that 
> could be argued in court?
>
> > An option for live system analysis is sleuthkit that will not alter 
> > files or dates.
>
> I'm not familiar with all of the possible uses of 
> sluethkit...however, since it runs on Linux, wouldn't one 
> need to boot the CD, thereby loosing volatile data?
>
> I think that Mark's list is a great start, and perhaps we 
> need to break things down into further subcategories, or at 
> least identify methodologies that can be use for litigious 
> purposes.  Jesse Kornblum detailed the FRED disk for using a 
> single diskette both for tools and their output.  I think 
> Mark took it a necessary step further (if you're considering 
> litigious investigations) by putting the tools themselves on 
> a CD.  Perhaps another step is as I've indicated, by 
> transporting the data off of the system all together to a 
> waiting server (a la netcat/cryptcat, but with a wrapper for 
> automation).