Security Incidents mailing list archives
RE: [ok] Simple Windows incident response methodology
From: "Curt Purdy" <purdy () tecman com>
Date: Tue, 8 Jun 2004 18:02:55 -0500
Lachniet, Mark wrote:
Metaphorical discussion aside, maybe it would be more productive to start with a basic incident response methodology and kick it around a little bit. I have one that I have used - it is for Windows only, and it's pretty basic, but maybe it's a starting point.
I believe your list is a good starting point Mark, but only applies to systems where the client does not care if the evidence stands up in court, as much of what is done will alter disk contents. If that is required then you could do this with a dd image, but you would lose live data. An option for live system analysis is sleuthkit, which will not alter files or dates.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
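The dd-image approach mentioned in the reply above, shown as an added example (it is not code from the thread or from either poster): a POSIX shell script that images a source "device" with dd, records a SHA-256 of both source and image in a custody log, and reports whether the two match. It assumes GNU `sha256sum` is on the path and uses a constructed 8192-byte file in place of a real block device, so it runs without root; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Image a drive with dd and verify the copy by hash, so analysis happens on
# the image rather than on the live disk (which would alter file contents
# and timestamps). Assumes sha256sum (GNU coreutils) is available.
set -eu

# Build a constructed, throwaway "device": exactly 16 sectors of 512 bytes,
# with a recognisable string written into the first sector.
make_sample_device() {
    dev="$1"
    dd if=/dev/zero of="$dev" bs=512 count=16 2>/dev/null
    printf 'constructed sample evidence: document.txt\n' \
        | dd of="$dev" conv=notrunc 2>/dev/null   # overwrite, do not truncate
    echo "$dev"
}

# Image SRC to IMG, append both hashes to LOG, print "ok" on a match.
# Any mismatch means the image cannot be relied on as evidence.
image_and_verify() {
    src="$1"; img="$2"; log="$3"
    # noerror: continue past unreadable sectors; sync: pad them with zeros so
    # offsets in the image still line up with the source. A real block device
    # is a whole number of sectors; a plain file that is not would be padded,
    # and its hash would then differ from the image's.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "source:    $src sha256=$src_hash"
        echo "image:     $img sha256=$img_hash"
        echo "imaged_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo ok
    else
        echo MISMATCH
        return 1
    fi
}

# Stand-alone run against the constructed device.
workdir=$(mktemp -d)
dev=$(make_sample_device "$workdir/evidence.raw")
image_and_verify "$dev" "$workdir/evidence.img" "$workdir/custody.log"
cat "$workdir/custody.log"
```

The image captures only what is on disk: running processes, open network connections and other volatile state are exactly the "live data" the reply says a dd image loses, so they must be collected separately, before imaging, if they are needed.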
Current thread:
- Simple Windows incident response methodology Lachniet, Mark (Jun 08)
- RE: Simple Windows incident response methodology Security Guy (Jun 09)
- RE: [ok] Simple Windows incident response methodology Curt Purdy (Jun 09)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- Re: Spammers bypassing Cisco ACL's?? Mark Coleman (Jun 10)
- RE: [ok] Simple Windows incident response methodology Harlan Carvey (Jun 14)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- <Possible follow-ups>
- Re: Simple Windows incident response methodology H Carvey (Jun 08)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 09)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- Re: Simple Windows incident response methodology Steve Barnet (Jun 11)
- Re: Simple Windows incident response methodology Harlan Carvey (Jun 11)
- RE: Simple Windows incident response methodology Mike Lyman (Jun 14)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 14)