Incident investigation methodologies, update

From: Harlan Carvey (
Date: 06/02/04

  • Next message: Gadi Evron: "Re: Incident investigation methodologies"
    Date: Wed, 2 Jun 2004 13:24:16 -0700 (PDT)

    Just a quick update to clarify some thoughts on this.

    I guess what I'm recommending is actually two-fold,
    but it can be incorporated into one overall

    We all have our own ways of approaching a suspected
    incident...based on our knowledge/skills/experience,
    etc. However, I think that if we really look at
    things, we'll see that there are some commonalities in
    our "procedures". Given a Windows system, for
    example, there are certain things we do...information
    we collect, etc. For the most part, we can develop a
    common methodology for this sort of thing, based on
    constraints, of course (i.e., operating system/platform,
    corporate or organizational goals of the
    investigation, etc.). This methodology should serve as
    a starting point, and not be seen as restrictive (i.e.,
    you can do *only* these steps).

    How many posts do we see on this list
    which spawn many questions, rather than answers? What
    I'm proposing is that we produce methodologies that
    anyone can use.

    The other aspect is that we need to be able to
    incorporate new information, found through either
    testing or on-the-job discovery. We all know that
    what we know of today will become "old hat" or passé
    in 6 months (or less). New technologies and
    techniques will be developed. This new information
    will need to be incorporated into the methodology.

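As an added illustration of the "common starting point that can grow" idea above (this is example code written for this page, not Harlan Carvey's script or any tool he mentions): a Windows live-response collector whose steps live in a versioned list. Each step records when it entered the methodology and why it is there, the runner writes every result to a case directory with a timestamp and SHA-256 so the collection is repeatable and documented, and a step "added later" shows how new information is incorporated without rewriting the procedure. The step names, the version string, the case-root path and the choice of cmdlets are assumptions for illustration; it assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later, run from an elevated prompt.

```powershell
# Added example, not from the original post: an extensible live-response step list for a
# Windows host. Step names, version string and output layout are assumptions for illustration.
# Requires PowerShell 5.1+ on Windows 8 / Server 2012 or later; run elevated.
param(
    [string]$CaseRoot = "D:\cases",     # assumption: a collection volume, not the suspect drive
    [string]$Examiner = $env:USERNAME
)

$MethodologyVersion = "2004-06-02.1"    # bump whenever a step is added, changed or retired

# Each step: Name, Added (date it entered the methodology), Why, and the scriptblock to run.
# Ordered most-volatile first (RFC 3227 order of volatility).
$Steps = @(
    @{ Name = "01-datetime";   Added = "2004-06-02"; Why = "Anchor for every other timestamp"
       Run  = { Get-Date -Format o; [TimeZoneInfo]::Local.Id } },
    @{ Name = "02-processes";  Added = "2004-06-02"; Why = "Running code, parent PIDs, command lines"
       Run  = { Get-CimInstance Win32_Process |
                Select-Object ProcessId, ParentProcessId, Name, CreationDate, CommandLine |
                Format-Table -AutoSize | Out-String -Width 4096 } },
    @{ Name = "03-network";    Added = "2004-06-02"; Why = "Connections and listeners with owning PID"
       Run  = { Get-NetTCPConnection |
                Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
                Format-Table -AutoSize | Out-String -Width 4096 } },
    @{ Name = "04-services";   Added = "2004-06-02"; Why = "Persistence via services"
       Run  = { Get-CimInstance Win32_Service |
                Select-Object Name, State, StartMode, PathName |
                Format-Table -AutoSize | Out-String -Width 4096 } },
    @{ Name = "05-logons";     Added = "2004-06-02"; Why = "Who has a session on the box"
       Run  = { Get-CimInstance Win32_LoggedOnUser | Out-String -Width 4096 } },
    # A step incorporated after on-the-job discovery: same shape, later "Added" date.
    @{ Name = "06-schedtasks"; Added = "2004-06-09"; Why = "Persistence via scheduled tasks"
       Run  = { Get-ScheduledTask | Where-Object State -ne "Disabled" |
                Select-Object TaskPath, TaskName, State |
                Format-Table -AutoSize | Out-String -Width 4096 } }
)

# One directory per host per run; nothing is written to the suspect system's own drive.
$Case = Join-Path $CaseRoot ("{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format "yyyyMMddTHHmmss"))
New-Item -ItemType Directory -Path $Case -Force | Out-Null
$Log = Join-Path $Case "collection.log"
"methodology=$MethodologyVersion examiner=$Examiner host=$env:COMPUTERNAME start=$(Get-Date -Format o)" |
    Out-File -FilePath $Log -Encoding utf8

foreach ($s in $Steps) {
    $out   = Join-Path $Case "$($s.Name).txt"
    $start = Get-Date -Format o
    try {
        # Errors inside a step are captured into its output file rather than aborting the run,
        # so a missing cmdlet on an older host still leaves a record of what was attempted.
        & $s.Run 2>&1 | Out-File -FilePath $out -Encoding utf8
        $status = "ok"
    } catch {
        $status = "error: $($_.Exception.Message)"
    }
    $hash = if (Test-Path $out) { (Get-FileHash -Algorithm SHA256 -Path $out).Hash } else { "n/a" }
    # The log line carries the step's provenance (Added/Why) so the case file documents the
    # methodology version actually used, not just the raw output.
    "step=$($s.Name) added=$($s.Added) why=""$($s.Why)"" start=$start status=$status sha256=$hash" |
        Out-File -FilePath $Log -Encoding utf8 -Append
}

"end=$(Get-Date -Format o)" | Out-File -FilePath $Log -Encoding utf8 -Append
Write-Output "Collection written to $Case"
```

The point of the structure is the second half of the post: when testing or a live case turns up something new, a responder adds one hashtable to `$Steps` and bumps `$MethodologyVersion`, and every later case log states which version of the procedure produced it. What the script does not address is trusting the cmdlets on a compromised host; a real deployment would carry known-good binaries on the collection media.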