RE: Incident investigation methodologies

[pfft <col_panic2 () yahoo com>]

--- Harlan Carvey <keydet89 () yahoo com> wrote:
>

> > Agreed. So if we assign response scenarios based
> > upon
> > criticality of data, we can provide administrators
> > with a template for each type of situation.
>
> Agreed.  However, consider this...rather than
> assigning response scenarios based on criticality of
> data, the response activities should be passed on
> policy...and the policy should identify critical
> systems.  A matter of semantics, perhaps, but
> policies
> and procedures are a critical part of incident
> response, particularly in a corporate environment. 
> They also play a critical role in the LEO
> environment.

I'll buy that.
 
> I think the question then becomes, do we need to
> have
> separate templates based on the activities, or can
> we
> create a single template for, say, the most critical
> systems, and that same template can be used for all
> less-critical systems?

If a single template simplifies things, then I think
that is best. I just think administrators may shy away
from a complex forensic procedure on non-critical
systems, so the parts that apply to all systems should
be highlighted as such and things like memory dumps
can be left to those with the need, time and skill
required.
   

> What I've been trying to develop is a usable,
> verifiable, document procedure for collecting
> volatile
> data from live systems, to perform incident
> verification and identification.
 
Excellent idea.

=====



        
                
__________________________________
Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/