RE: [ok] Simple Windows incident response methodology
From: Curt Purdy (purdy_at_tecman.com)
To: "'Lachniet, Mark'" <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 8 Jun 2004 18:02:55 -0500
Lachniet, Mark wrote:
> Metaphorical discussion aside, maybe it would be more productive to
> start with a basic incident response methodology and kick it around a
> little bit. I have one that I have used - it is for Windows only, and
> it's pretty basic, but maybe it's a starting point.
I believe your list is a good starting point, Mark, but it only applies to
systems where the client does not care if the evidence stands up in court, as
much of what is done will alter disk contents. If that is required, then you
could do this with a dd image, but you would lose live data. An option for
live system analysis is sleuthkit, which will not alter files or dates.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke