Litigious investigation methodology
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/10/04
- Previous message: Lachniet, Mark: "RE: [ok] Simple Windows incident response methodology"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Jun 2004 04:45:40 -0700 (PDT) To: incidents@securityfocus.com
All,
I posted a cursory methodology for Windows systems
last night, and based on some posts I saw this
morning, wanted to pose a question or two...
Mark's simple data collection methodology is a good
one (albiet some of the references to "analysis"
should read "collection"), and someone pointed out to
him that it's not useful for litigious investigations
(ie, investigations that lead to law enforcement
involvement).
After reviewing other sources, I have to ask...why?
What is it specifically about his methodology that
prevents it from being used in pursuit of a litigious
investigation? Is it b/c some of the tools are run
from the victim system rather than the CD? Is it b/c
the output of the tools is written to a diskette, and
those diskettes can be "infected" with malware, just
b/c they are writable?
What I'm getting at here is that rather than simply
pointing out the flaws in something, let's try making
suggestions for improvement.
Take the methodology I developed for my book, the
Forensic Server Project (code and instructions
available at http://www.windows-ir.com), for example.
Tools are run from a CD, and the output of the tools
is transported off of the system via the network to a
waiting server system. The server component handles
documentation/logging, generation of hashes
(verification of hashes if files are copies off of the
system, etc.).
Is such a methodology sufficient? If you've got
questions about the FSP, feel free to ask. The goal
here is to produce something that can be used.
- Previous message: Lachniet, Mark: "RE: [ok] Simple Windows incident response methodology"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
