RE: [ok] Simple Windows incident response methodology
From: Curt Purdy (purdy_at_tecman.com)
Date: 06/09/04
- Previous message: Barry Fitzgerald: "Re: Incident investigation methodologies"
- In reply to: Lachniet, Mark: "Simple Windows incident response methodology"
- Next in thread: Chris Harrington: "Spammers bypassing Cisco ACL's??"
- Reply: Chris Harrington: "Spammers bypassing Cisco ACL's??"
- Maybe reply: Lachniet, Mark: "RE: [ok] Simple Windows incident response methodology"
- Reply: Harlan Carvey: "RE: [ok] Simple Windows incident response methodology"
- Maybe reply: Max: "RE: [ok] Simple Windows incident response methodology"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Lachniet, Mark'" <mlachniet@sequoianet.com>, <incidents@securityfocus.com>
Date: Tue, 8 Jun 2004 18:02:55 -0500
Lachniet, Mark wrote:
> Metaphorical discussion aside, maybe it would be more productive to
> start with a basic incident response methodology and kick it around a
> little bit. I have one that I have used - it is for Windows only, and
> it's pretty basic, but maybe it's a starting point.
I believe your list is a good starting point Mark, but it only applies to
systems where the client does not care if the evidence stands up in court, as
much of what is done will alter disk contents. If that is required then you
could do this with a dd image, but you would lose live data. An option for
live system analysis is Sleuthkit, which will not alter files or dates.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
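The "dd image" route Curt mentions, as an added example that is not code from the thread: acquire a bit-for-bit copy of the source with dd, hash both source and image at acquisition time, and re-check the image hash before analysis so a later change to the copy is detectable. The source here is a constructed scratch file standing in for a device node such as /dev/sdb1, and all paths, the marker string and the log format are assumptions for the demo; the script runs without root or real hardware.

```shell
#!/bin/sh
# Added example, not code from the thread: acquire a bit-for-bit image of a
# source device with dd and record hashes of source and image so the copy can
# later be shown to be unchanged. The "device" here is a constructed scratch
# file standing in for something like /dev/sdb1, so the script runs without
# root or real hardware; every path below is a demo assumption.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT      # scratch cleanup; a real image would be kept
SRC="$WORK/sdb1.raw"            # stand-in for the suspect volume
IMG="$WORK/sdb1.dd"             # the forensic image
LOG="$WORK/acquisition.log"     # hashes and timestamp for the case notes

# Construct 1 MiB of sample "disk" content with a recognisable marker
# planted at byte offset 524288.
make_sample_device() {
    dd if=/dev/zero of="$SRC" bs=1024 count=1024 2>/dev/null
    printf 'EVIDENCE-MARKER-2004' | dd of="$SRC" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# sha256sum on GNU systems, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Image the source. conv=noerror,sync carries on past unreadable sectors and
# zero-pads them so offsets in the image still line up with the source; bs=512
# matches the sector size so the final block is never padded beyond the real
# end of the device (padding would make the image hash differ from the source).
# On real hardware point if= at the raw device node, never mount it read-write,
# and write the image to separate, wiped media.
acquire_image() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$SRC")
    img_hash=$(sha256_of "$IMG")
    {
        echo "acquired_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $SRC"
        echo "image: $IMG"
        echo "source_sha256: $src_hash"
        echo "image_sha256: $img_hash"
    } > "$LOG"
    # Succeed only if the image is bit-for-bit identical to the source.
    [ "$src_hash" = "$img_hash" ]
}

# Before any later analysis, re-hash the image and compare with the value
# recorded at acquisition; any modification to the image is detected.
verify_image() {
    logged=$(sed -n 's/^image_sha256: //p' "$LOG")
    [ "$(sha256_of "$IMG")" = "$logged" ]
}

make_sample_device
acquire_image
verify_image
cat "$LOG"
```

On a real case the analysis then happens against the image, not the original: it is mounted read-only or opened directly with Sleuthkit tools (fls to enumerate files, mactime to build a timeline from the fls body file), which is what keeps the original's contents and timestamps untouched while still leaving a record that the copy matches what was acquired.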
- application/ms-tnef attachment: winmail.dat