Security Incidents mailing list archives
RE: Simple Windows incident response methodology
From: Brad Webb <BWebb () ajb com au>
Date: Wed, 9 Jun 2004 11:52:59 +1000
On Tuesday, 8 June 2004 10:48 PM, Lachniet, Mark staggered into the Black Sun and said:
> b. Capture the date and time of the system
>    i.  date /t > a:\datetime.txt
>    ii. time /t >> a:\datetime.txt
IANAL. With that said however...

At all times we need to maintain the chain of evidence - especially if we think it may be used in a legal action. Generally it's best to do everything to maintain this chain regardless of what the client's intentions are, as they may change their mind down the track. Name, time, date and signatures on all media are a good start. Further to this the media should have a custody record; you sign it as creator and once you're done it's locked away. If anyone else wants it, they must name, sign, time and date the evidence bag (to prove change of custody) before they may take it.

File integrity is also something we need to consider. As such I would suggest creating an MD5 hash of each new file (txt or otherwise) created on your log media of choice (network/floppy/CDRW etc).

Probably the best way of going about this is to create a single script for the entire data collection stage. This ensures no mistakes are made during the initial response. It also allows you to say "Why yes your honour, this is EXACTLY what I did once I sat down at the machine in question".

Regards,

Brad Webb
IT Administrator
AJB Publishing
t (direct): +61 02 8399 7659
t (switch): +61 02 8399 3611
f: +61 02 8399 3622
e: bwebb () ajb com au
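The single collection script Brad describes, written out as an added Python example (not code from the thread; the post's own commands are Windows batch lines such as `date /t > a:\datetime.txt`): every step's output is hashed the moment it is written, and a manifest records who captured what and when. The evidence directory, the step list and the collector name are assumptions.

```python
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

def file_digests(path):
    """Return the MD5 (as the post suggests) and SHA-256 digests of a file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def record_artifact(evidence_dir, name, data, collector, manifest):
    """Write one artifact, hash it immediately and append a manifest entry."""
    path = Path(evidence_dir) / name
    path.write_bytes(data)
    entry = {"file": name, "bytes": len(data), "collected_by": collector,
             "utc": datetime.now(timezone.utc).isoformat()}
    entry.update(file_digests(path))
    manifest.append(entry)
    return entry

def write_manifest(evidence_dir, manifest):
    """The manifest is the written record of exactly what the script did."""
    path = Path(evidence_dir) / "manifest.json"
    path.write_text(json.dumps(manifest, indent=2))
    return path

def run_collection(evidence_dir, steps, collector):
    """Run each (file name, argv) step; stdout+stderr becomes the artifact."""
    Path(evidence_dir).mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in steps:  # e.g. ("datetime.txt", ["date"]) on a POSIX host
        proc = subprocess.run(argv, capture_output=True)
        record_artifact(evidence_dir, name, proc.stdout + proc.stderr,
                        collector, manifest)
    write_manifest(evidence_dir, manifest)
    return manifest

def verify_manifest(evidence_dir):
    """Recompute digests at hand-over; return the names of altered artifacts."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [e["file"] for e in manifest
            if file_digests(Path(evidence_dir) / e["file"])["md5"] != e["md5"]]
```

Calling `run_collection("evidence", steps, "your name")` with a fixed step list gives the same sequence every time, and `verify_manifest` lets whoever next signs the custody record confirm nothing on the media changed in between.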