To all,

Based on experience handling a variety of incidents, and after finding some patterns in several articles regarding incident response and 'live' forensics investigations on NT/2K, I've come up with an idea for a Forensics Server Project:

http://patriot.net/~carvdawg/fsproj.html

The purpose of the FSP is to provide an automated means of collecting, hashing and documenting volatile information from NT/2K systems, as part of a 'live' forensics investigation. Volatile information is lost when the system is shut down in order for a bit-image copy of the drive(s) to be made.

The FSP can also be used in cases in which a 'live' forensics investigation is all that is required; i.e., no LE involvement. This may be due to cost considerations, or requirements that mission-critical production systems not be taken down.

The web site is an attempt to explain the FSP. Comments and discussion are welcome.

Carv

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
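One way to implement the collect, hash and document loop the post describes, as an added example that is not code from the original post or from the FSP itself; the command list is a constructed sample, the output directory layout and the choice of SHA-256 are this example's own assumptions, and a real run would use trusted tools rather than whatever is on the suspect host's path:

```python
import hashlib
import json
import os
import subprocess
import tempfile
import time

# Constructed sample of the volatile data a live response gathers; the command
# names are placeholders for tools the investigator trusts (ideally run from read-only media).
SAMPLE_COMMANDS = [
    ("process_list", ["ps", "-eo", "pid,ppid,user,etime,args"]),
    ("network_connections", ["netstat", "-an"]),
]

def run_command(argv):
    """Run one collection command and return its raw stdout and stderr as bytes."""
    proc = subprocess.run(list(argv), capture_output=True, timeout=60)
    return proc.stdout + proc.stderr

def collect(commands, out_dir=None, runner=run_command):
    """Run each command, store its output, hash the stored bytes, and write a
    manifest recording what was run, when, and the hash each output must match."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="fsp-")
    manifest = {"collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "items": []}
    for name, argv in commands:
        output = runner(argv)
        path = os.path.join(out_dir, name + ".txt")
        with open(path, "wb") as fh:
            fh.write(output)
        manifest["items"].append({
            "name": name,
            "command": " ".join(argv),
            "path": path,
            "sha256": hashlib.sha256(output).hexdigest(),
        })
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def verify(manifest):
    """Re-hash every stored output; returns the names whose bytes no longer match the manifest."""
    bad = []
    for item in manifest["items"]:
        with open(item["path"], "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        if digest != item["sha256"]:
            bad.append(item["name"])
    return bad

if __name__ == "__main__":
    report = collect(SAMPLE_COMMANDS)
    print(json.dumps(report, indent=2), "\ntampered:", verify(report))
```

The manifest is what gets signed or hashed again and entered into the case notes; `verify` is the later check that the stored outputs still match it.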
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 06:15:32 PDT