Security Incidents mailing list archives

RE: [ok] Simple Windows incident response methodology


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 10 Jun 2004 04:17:07 -0700 (PDT)

Curt,
 
I believe your list is a good starting point Mark, but only applies to systems where the client does not care if the evidence stands up in court, as much of what is done will alter disk contents. If that is required then you could do this with a dd image but you would lose live data.

The argument for data collection for litigious
purposes is a good one.  Do you have any suggestions
for retrieving volatile data from live Windows systems
in a manner that could be argued in court?

An option for live system analysis is sleuthkit that will not alter files or dates.

I'm not familiar with all of the possible uses of sleuthkit...however, since it runs on Linux, wouldn't one need to boot the CD, thereby losing volatile data?

I think that Mark's list is a great start, and perhaps we need to break things down into further subcategories, or at least identify methodologies that can be used for litigious purposes.  Jesse Kornblum detailed the FRED disk for using a single diskette both for tools and their output.  I think Mark took it a necessary step further (if you're considering litigious investigations) by putting the tools themselves on a CD.  Perhaps another step is as I've indicated, by transporting the data off of the system altogether to a waiting server (a la netcat/cryptcat, but with a wrapper for automation).
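The "waiting server" idea above, as an added illustration that is not code from this thread or from any of the tools it names: a listener that stores each incoming tool stream to disk unchanged and records its SHA-256, size, source and receipt time in a custody log, plus the client-side wrapper that runs a collection tool and streams its stdout over the socket so nothing is written to the suspect disk. Both ends hash the stream independently, so the receipt record can be checked against what the responder sent. The file naming, the `custody.log` layout, the `netstat` label and the sample output bytes are all assumptions made for the example.

```python
"""Volatile-data collection over TCP: receiver ("waiting server") and sender.
Added example, not code from the mailing-list thread; file layout, log
format and sample data are constructed for illustration."""
import hashlib
import io
import socket
import subprocess
import tempfile
import threading
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for a collection tool's stdout (not real output).
SAMPLE_OUTPUT = (
    b"Proto  Local Address          Foreign Address        State\n"
    b"TCP    192.0.2.10:139         0.0.0.0:0              LISTENING\n"
    b"TCP    192.0.2.10:3389        198.51.100.7:51322     ESTABLISHED\n"
)
LOG_FIELDS = ("received_utc", "source", "file", "sha256", "bytes")


class EvidenceReceiver:
    """Accepts one stream per receive_one() call, writes it to disk byte-for-byte
    and appends a custody record (time, source, file, SHA-256, size)."""

    def __init__(self, out_dir, host="127.0.0.1", port=0):
        self.out_dir = Path(out_dir)
        self.out_dir.mkdir(parents=True, exist_ok=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0: let the OS choose a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def receive_one(self, label):
        conn, peer = self.sock.accept()
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
        path = self.out_dir / f"{peer[0]}_{label}_{stamp}.txt"
        digest, size = hashlib.sha256(), 0
        with conn, open(path, "wb") as fh:
            while chunk := conn.recv(65536):  # read until the sender closes
                fh.write(chunk)
                digest.update(chunk)
                size += len(chunk)
        record = {"received_utc": stamp, "source": f"{peer[0]}:{peer[1]}",
                  "file": path.name, "path": str(path),
                  "sha256": digest.hexdigest(), "bytes": size}
        with open(self.out_dir / "custody.log", "a") as log:
            log.write("\t".join(str(record[k]) for k in LOG_FIELDS) + "\n")
        return record

    def close(self):
        self.sock.close()


def send_stream(host, port, stream):
    """Client side: push a byte stream to the receiver; returns (bytes_sent, sha256)
    so the responder's own hash can be compared with the receiver's record."""
    digest, sent = hashlib.sha256(), 0
    with socket.create_connection((host, port)) as conn:
        while chunk := stream.read(65536):
            conn.sendall(chunk)
            digest.update(chunk)
            sent += len(chunk)
        conn.shutdown(socket.SHUT_WR)  # EOF tells the receiver the stream is complete
    return sent, digest.hexdigest()


def run_tool_and_send(host, port, argv):
    """Run a tool (e.g. one on the response CD) and stream its stdout to the
    receiver; output never touches the local disk."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    try:
        return send_stream(host, port, proc.stdout)
    finally:
        proc.stdout.close()
        proc.wait()


def demo_roundtrip(data=SAMPLE_OUTPUT, label="netstat"):
    """Run receiver and sender against each other on localhost; returns both
    sides' accounting so they can be compared."""
    out_dir = tempfile.mkdtemp(prefix="evidence_")
    rx = EvidenceReceiver(out_dir)
    record = {}
    worker = threading.Thread(target=lambda: record.update(rx.receive_one(label)))
    worker.start()
    sent, sender_sha256 = send_stream("127.0.0.1", rx.port, io.BytesIO(data))
    worker.join()
    rx.close()
    return {"sent": sent, "sender_sha256": sender_sha256, "record": record}


if __name__ == "__main__":
    result = demo_roundtrip()
    print("match:", result["sender_sha256"] == result["record"]["sha256"])
    print(result["record"])
```

In use, the receiver runs on the responder's own machine and `run_tool_and_send` is invoked from the CD-based wrapper for each tool; the two hashes printed on either side are what you would note alongside the time and source in the custody log.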
