Security Incidents mailing list archives
RE: [ok] Simple Windows incident response methodology
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 10 Jun 2004 04:17:07 -0700 (PDT)
Curt,
> I believe your list is a good starting point Mark, but only applies to systems where the client does not care if the evidence stands up in court, as much of what is done will alter disk contents. If that is required then you could do this with a dd image, but you would lose live data.
The argument for data collection for litigious purposes is a good one. Do you have any suggestions for retrieving volatile data from live Windows systems in a manner that could be argued in court?
> An option for live system analysis is sleuthkit that will not alter files or dates.
I'm not familiar with all of the possible uses of sleuthkit...however, since it runs on Linux, wouldn't one need to boot the CD, thereby losing volatile data? I think that Mark's list is a great start, and perhaps we need to break things down into further subcategories, or at least identify methodologies that can be used for litigious purposes. Jesse Kornblum detailed the FRED disk for using a single diskette both for tools and their output. I think Mark took it a necessary step further (if you're considering litigious investigations) by putting the tools themselves on a CD. Perhaps another step is as I've indicated, by transporting the data off of the system altogether to a waiting server (a la netcat/cryptcat, but with a wrapper for automation).
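The "waiting server" idea above, as an added example that is not part of the original post or of any tool named in the thread: a small netcat-style collection server that receives each tool's output over TCP, stores the bytes untouched, hashes them as they arrive and appends a timestamped record to an evidence log, so nothing from the collection is written to the examined system's disk and each stored file can later be re-hashed to show it is unchanged. The one-line header format (`<host> <tool>`), the host name `WKS-01`, the tool label `netstat-an` and the sample netstat output are all constructed for this example; a real wrapper on the live host would pipe the actual tool output into the same connection instead.

```python
import hashlib
import json
import os
import socket
import tempfile
import threading
import time
from datetime import datetime, timezone

# Constructed sample standing in for the output of a volatile-data tool run on
# the examined host; the host and tool names used below are invented.
SAMPLE_NETSTAT = (b"Proto  Local Address    Foreign Address  State\n"
                  b"TCP    0.0.0.0:135      0.0.0.0:0        LISTENING\n")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _safe_name(value: str) -> str:
    """Restrict header fields to a filename-safe character set."""
    return "".join(c if c.isalnum() or c in "-._" else "_" for c in value)[:64]


def handle_stream(conn: socket.socket, evidence_dir: str) -> dict:
    """Receive one stream: header line b"<host> <tool>\\n", then raw tool output."""
    with conn, conn.makefile("rb") as f:
        header = f.readline().decode("ascii", "replace").strip().split(" ", 1)
        if len(header) != 2:
            raise ValueError("malformed header")
        host, tool = (_safe_name(x) for x in header)
        received = datetime.now(timezone.utc)
        fname = f"{host}_{tool}_{received.strftime('%Y%m%dT%H%M%S%fZ')}.bin"
        digest, size = hashlib.sha256(), 0
        # Store bytes exactly as received and hash them on the way to disk.
        with open(os.path.join(evidence_dir, fname), "wb") as out:
            while chunk := f.read(65536):
                out.write(chunk)
                digest.update(chunk)
                size += len(chunk)
    record = {"host": host, "tool": tool, "file": fname, "bytes": size,
              "sha256": digest.hexdigest(), "received_utc": received.isoformat()}
    with open(os.path.join(evidence_dir, "evidence_log.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_record(evidence_dir: str, record: dict) -> bool:
    """Re-hash a stored file and compare it with the hash logged at receipt."""
    with open(os.path.join(evidence_dir, record["file"]), "rb") as fh:
        return sha256_hex(fh.read()) == record["sha256"]


class CollectionServer:
    """Minimal netcat-style listener that stores every incoming stream."""

    def __init__(self, evidence_dir: str, port: int = 0):
        self.evidence_dir, self.records = evidence_dir, []
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", port))  # port 0: OS picks a free port (demo)
        self.sock.listen(8)
        self.sock.settimeout(0.2)            # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            self.records.append(handle_stream(conn, self.evidence_dir))

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def ship_output(host: str, tool: str, data: bytes, server: tuple) -> None:
    """Sender side, one connection per tool: header line, payload, then close."""
    with socket.create_connection(server) as s:
        s.sendall(f"{host} {tool}\n".encode("ascii"))
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def demo() -> tuple:
    """Start a receiver, ship the constructed sample to it, return (dir, records)."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence_")
    server = CollectionServer(evidence_dir).start()
    try:
        ship_output("WKS-01", "netstat-an", SAMPLE_NETSTAT, ("127.0.0.1", server.port))
        deadline = time.time() + 5
        while not server.records and time.time() < deadline:
            time.sleep(0.05)
    finally:
        server.stop()
    return evidence_dir, server.records
```

Running `demo()` leaves one `.bin` file and an `evidence_log.jsonl` line in a fresh temporary directory; `verify_record()` re-hashes the stored file against the logged digest, which is the check an examiner would repeat before relying on the collected output. Hashing on receipt rather than on the live host keeps the examined system's footprint to the tool run and the outbound connection.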
Current thread:
- Simple Windows incident response methodology Lachniet, Mark (Jun 08)
- RE: Simple Windows incident response methodology Security Guy (Jun 09)
- RE: [ok] Simple Windows incident response methodology Curt Purdy (Jun 09)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- Re: Spammers bypassing Cisco ACL's?? Mark Coleman (Jun 10)
- RE: [ok] Simple Windows incident response methodology Harlan Carvey (Jun 14)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- <Possible follow-ups>
- Re: Simple Windows incident response methodology H Carvey (Jun 08)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 09)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- Re: Simple Windows incident response methodology Steve Barnet (Jun 11)
- Re: Simple Windows incident response methodology Harlan Carvey (Jun 11)
- RE: Simple Windows incident response methodology Mike Lyman (Jun 14)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 14)
- RE: Simple Windows incident response methodology Brad Webb (Jun 20)