RE: Incident investigation methodologies

From: Harlan Carvey (
Date: 06/14/04

  • Next message: pfft: "RE: Incident investigation methodologies"
    Date: Mon, 14 Jun 2004 06:55:35 -0700 (PDT)

    > If a single template simplifies things, then I think
    > that is best. I just think administrators may shy away
    > from a complex forensic procedure on non-critical
    > systems, so the parts that apply to all systems should
    > be highlighted as such and things like memory dumps
    > can be left to those with the need, time and skill
    > required.

    Ok, then consider this...rather than "template", let's
    change the term to "methodology". This methodology
    could be implemented in a toolset or application,
    which is the approach I've taken with the Forensic
    Server Project (see the link at Various methods for
    getting volatile data off of systems have been
    discussed by the likes of Kornblum, Mandia, etc.
    Articles have been written detailing commands to run,
    piping the output of the tools through netcat to a
    waiting server. My goal with the FSP is to take this
    one step further, by automating the collection of
    data, as well as the storage of the data and
    documentation of the activity. For example, when
    tools are run (from the CD) to collect information,
    the server component generates and documents hashes
    for the files. When files are copied, the client
    component creates hashes for the files before copying
    the files, and the server component automatically
    verifies the hashes.
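
The client/server hand-off described in the post (client hashes
each artifact before sending it, server recomputes and verifies
the hash and records the result) as an added, illustrative example.
This is not the Forensic Server Project's code and does not use its
wire format; the framing (a made-up "FSPX" tag, a length-prefixed
JSON header, then the body) and the sample artifacts are assumptions
constructed for the example. The last frame is deliberately corrupted
in transit so the server's verification step has something to catch.

```python
"""Illustrative volatile-data hand-off with client-side hashing and
server-side verification. Not the FSP's own code or wire format."""
import hashlib
import io
import json
import struct
import time
from typing import List

MAGIC = b"FSPX"  # hypothetical framing tag, assumed for this example


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def client_frame(name: str, data: bytes) -> bytes:
    """Client side: hash the artifact BEFORE it leaves the host, then
    frame it as MAGIC | 4-byte header length | JSON header | body.
    The header carries the client's hash so the server can compare."""
    header = json.dumps({
        "name": name,
        "size": len(data),
        "sha256": sha256_hex(data),
        "collected_at": time.time(),
    }).encode()
    return MAGIC + struct.pack("!I", len(header)) + header + data


def server_ingest(stream: io.BufferedIOBase) -> List[dict]:
    """Server side: read frames off the stream, recompute each hash,
    compare it with the client's claim and document the outcome.
    Returns one record per artifact; a mismatch is recorded, not
    silently dropped, because the failure itself is evidence."""
    records = []
    while True:
        magic = stream.read(4)
        if not magic:  # clean end of stream
            break
        if magic != MAGIC:
            raise ValueError("bad frame magic: %r" % magic)
        (hlen,) = struct.unpack("!I", stream.read(4))
        header = json.loads(stream.read(hlen))
        body = stream.read(header["size"])
        if len(body) != header["size"]:
            raise ValueError("truncated body for %s" % header["name"])
        actual = sha256_hex(body)
        records.append({
            "name": header["name"],
            "size": header["size"],
            "client_sha256": header["sha256"],
            "server_sha256": actual,
            "verified": actual == header["sha256"],
            "collected_at": header["collected_at"],
            "received_at": time.time(),
        })
    return records


def tamper(frame: bytes) -> bytes:
    """Flip the last byte of a frame's body: simulates corruption or
    tampering between client and server. The size field is unchanged,
    so only the hash comparison can reveal it."""
    return frame[:-1] + bytes([frame[-1] ^ 0xFF])


def demo() -> List[dict]:
    """Push three constructed artifacts through the client and server
    sides in-process (a BytesIO stands in for the netcat/TCP pipe)."""
    # Constructed sample tool output and file contents, not real data.
    pslist = b"Name          Pid\nSystem        4\nexplorer.exe  1234\n"
    hosts = b"127.0.0.1 localhost\n"
    pipe = io.BytesIO(
        client_frame("pslist.txt", pslist)
        + client_frame("hosts", hosts)
        + tamper(client_frame("hosts.copy", hosts))  # corrupted in transit
    )
    return server_ingest(pipe)


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec))
```

Each record is the documentation step the post talks about: what was
collected, the hash the client computed on the live system, the hash
the server computed on arrival, and whether they agree, with both
timestamps. Over a real network the same framing would be written to
a socket instead of a BytesIO, and the server would also write each
record to an append-only case log.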
