Security Incidents mailing list archives

RE: Simple Windows incident response methodology


From: Brad Webb <BWebb () ajb com au>
Date: Wed, 9 Jun 2004 11:52:59 +1000

On Tuesday, 8 June 2004 10:48 PM, Lachniet, Mark staggered into the Black
Sun and said:


b. Capture the date and time of the system
i. date /t > a:\datetime.txt
ii. time /t >> a:\datetime.txt

IANAL. With that said however...

At all times we need to maintain the chain of evidence - especially if we
think it may be used in a legal action. Generally it's best to do everything
to maintain this chain regardless of what the client's intentions are, as
they may change their mind down the track.

Name, time, date and signatures on all media are a good start. Further to
this the media should have a custody record; you sign it as creator and once
you're done it's locked away. If anyone else wants it, they must name,
sign, time and date the evidence bag (to prove change of custody) before
they may take it.

File integrity is also something we need to consider. As such I would
suggest creating an MD5 hash of each new file (txt or otherwise) created on
your log media of choice (network/floppy/CDRW etc).

Probably the best way of going about this is to create a single script for
the entire data collection stage. This ensures no mistakes are made during
the initial response. It also allows you to say "Why yes your honour, this
is EXACTLY what I did once I sat down at the machine in question".



Regards,

Brad Webb
IT Administrator
AJB Publishing
t (direct): +61 02 8399 7659
t (switch): +61 02 8399 3611
f: +61 02 8399 3622
e: bwebb () ajb com au
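The single collection script the post recommends, as an added example (not Brad Webb's code or anything from the thread): a PowerShell stand-in for the 2004 batch approach that captures the date and time first, runs the volatile-data commands in a fixed order, and writes an MD5 (plus SHA-256) manifest of every file it created. The evidence path, examiner name and command list are assumptions; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example. $EvidenceRoot and $Examiner are assumptions (the post used a:\);
# point them at your log media and put your own name in the custody record.
param(
    [string]$EvidenceRoot = "E:\ir-evidence",
    [string]$Examiner     = "EXAMINER-NAME-PLACEHOLDER"
)
$ErrorActionPreference = 'Stop'
$case = Join-Path $EvidenceRoot ("case-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $case | Out-Null

# Step b of the quoted checklist: record the system date and time before anything
# else, with who ran the collection, so the record explains itself later.
$dt = Join-Path $case 'datetime.txt'
"collected_by=$Examiner"                                   | Out-File $dt
"host=$env:COMPUTERNAME"                                   | Out-File $dt -Append
"local_time=$(Get-Date -Format o)"                         | Out-File $dt -Append
"utc_time=$((Get-Date).ToUniversalTime().ToString('o'))"   | Out-File $dt -Append

# Volatile data, one output file per command, nothing written to the suspect disk.
# The order is fixed by the script, which is the "this is EXACTLY what I did" point.
# (Assumed command list; ideally run these from known-good binaries on your media.)
$steps = [ordered]@{
    'netstat.txt'    = { netstat -ano }
    'tasklist.txt'   = { tasklist /v }
    'ipconfig.txt'   = { ipconfig /all }
    'systeminfo.txt' = { systeminfo }
}
foreach ($name in $steps.Keys) {
    & $steps[$name] 2>&1 | Out-File (Join-Path $case $name)
}

# Integrity: hash every file just created, as the post suggests. MD5 is kept for
# parity with the thread; SHA-256 sits beside it because MD5 collisions are cheap now.
$manifest = Join-Path $case 'MANIFEST.txt'
Get-ChildItem -Path $case -File | Where-Object { $_.Name -ne 'MANIFEST.txt' } | ForEach-Object {
    $md5    = (Get-FileHash -Algorithm MD5    -Path $_.FullName).Hash
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    "{0}`t{1}`t{2}`t{3}`t{4}" -f $_.Name, $_.Length, $_.LastWriteTimeUtc.ToString('o'), $md5, $sha256
} | Out-File $manifest -Encoding ascii

# Also record the hash of the script that produced the evidence, then print the
# manifest hash so it can be copied by hand onto the signed custody record.
if ($PSCommandPath) {
    "SCRIPT`t$PSCommandPath`t$((Get-FileHash -Algorithm SHA256 -Path $PSCommandPath).Hash)" |
        Out-File $manifest -Append -Encoding ascii
}
Write-Output ("MANIFEST.txt SHA-256: " + (Get-FileHash -Algorithm SHA256 -Path $manifest).Hash)
```

Write the printed manifest hash on the evidence bag or custody sheet at the time of collection; the manifest on the media can then be checked against it by anyone who later signs for the evidence.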