RE: Standardized Reporting

From: H C (
Date: 08/16/02

Date: Fri, 16 Aug 2002 07:00:59 -0700 (PDT)
From: H C <>
To: "Brooke, O'neil (EXP)" <o'>,

> + A generic report that can be used to document
> virtually any
> computer incident investigation.

Good start. Let's start w/ the document/format, b/c
we may decide along the way that we need to define
"incident". For example, do several (many??) SYN
packets dropped at the firewall constitute an
"incident"? Since many folks post inquiring as to the
intent of the scan, I would suggest that such things
are not, in fact, incidents.

> + Document a methodical approach to the incident
> investigation.

By way of a checklist, I would suggest the following
as a start:

1. Have the following tools on-hand:
- handle.exe, pslist.exe, listdlls.exe (SysInternals)
- fport.exe (Foundstone...2.0 for Win2K, v 1.3 for NT)
- netstat (native)

2. Run these five tools, redirecting their output to

3. If you don't want to walk through the files by
hand, mapping everything out, use pd.exe (zipped
archive at to
automate it into an HTML file.

> + Operating System specific sections. We could make
> the form
> operating system independent, but then we lose a
> great opportunity for
> providing newcomers a practical how-to investigate
> an incident.

One of the biggest things missing when someone posts
is the simple stuff...os, patches, applications,
running processes/services, etc. This information
could be provided on a host basis w/o having to
divulge private info, like IP addresses.

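An added example, not part of the original message: one way to share host details, as suggested above, without divulging IP addresses. It replaces each address in `netstat -an` output with a stable placeholder so that connections can still be correlated; the sample output and the `sanitize` helper are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1046      203.0.113.7:443        ESTABLISHED
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Wildcard and loopback reveal nothing about the site and help readers
# interpret the table, so they are left as they are.
KEEP = {"0.0.0.0", "127.0.0.1"}


def sanitize(text, mapping=None):
    """Replace each distinct IPv4 address with a placeholder (HOST-1, HOST-2, ...).

    Ports, protocol and state are left intact. Returns (sanitized_text, mapping);
    pass the same mapping in again to keep placeholders consistent across the
    output files of several tools collected from the same host.
    """
    mapping = {} if mapping is None else mapping

    def repl(match):
        ip = match.group(0)
        if ip in KEEP:
            return ip
        if ip not in mapping:
            mapping[ip] = "HOST-%d" % (len(mapping) + 1)
        return mapping[ip]

    return IPV4.sub(repl, text), mapping


if __name__ == "__main__":
    report, table = sanitize(SAMPLE_NETSTAT)
    print(report)
    print("Keep this mapping private:", table)
```

The mapping stays with the investigator; only the sanitized text goes into the posted report.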

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: