Incident investigation methodologies, update
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/02/04
- Previous message: Harlan Carvey: "Incident investigation methodologies"
Date: Wed, 2 Jun 2004 13:24:16 -0700 (PDT) To: incidents@securityfocus.com
Just a quick update to clarify some thoughts on this
topic...
I guess what I'm recommending is actually two-fold,
but it can be incorporated into one overall
methodology.
We all have our own ways of approaching a suspected
incident...based on our knowledge/skills/experience,
etc. However, I think that if we really look at
things, we'll see that there are some commonalities in
our "procedures". Given a Windows system, for
example, there are certain things we do...information
we collect, etc. For the most part, we can develop a
common methodology for this sort of thing, based on
constraints, of course (i.e., operating system/platform,
corporate or organizational goals of the
investigation, etc.). This methodology should serve as
a starting point, and not be seen as restrictive (i.e.,
you can do *only* these steps).
After all...how many posts do we see in this list
which spawn many questions, rather than answers? What
I'm proposing is that we produce a methodology that
anyone can use.
The other aspect is that we need to be able to
incorporate new information, found through either
testing or on-the-job discovery. We all know that
what we know of today will become "old hat" or passé
in 6 months (or less). New technologies and
techniques will be developed. This new information
will need to be incorporated into the methodology.