--- Mark Menz <markmenzat_private> wrote:

--snip--

> > One of the best things about a live system is the
> > volatile info
>
> Agreed. However, I think we need to address the issue
> of methodologies...like develop one. From my
> perspective at this point, very few admins are
> collecting this information. Now, I understand that
> not every situation requires it, but some do...and I
> think admins aren't doing it for a couple of reasons.
>
> First, there isn't even a framework, let alone a
> methodology, available.

OK

> Second, no one really wants to do all the repetitive
> documenting of their actions...they'd rather just get
> on with it.

BAD idea. I am no forensics expert, but I would say documenting the
actions of the examiner should be key so it can be shown that the
examiner did not alter the system.

> Third...and I think this was brought out at CanSecWest
> to a degree...most don't know how to interpret the
> data they do get. The issues seem to be as much a
> lack of time as they are a lack of skill.

Well, now that really is a problem.

> What if there were some way to collect this
> information in a "clean" manner that also performed
> the necessary documentation? What if the collection
> of volatile (and some non-volatile) information could
> be automated and thoroughly documented?

How about keeping a ledger of all commands used and using a few tools
from read-only media to gather state info and pipe the output to
floppy. e.g. (for starters):

d:\netstat -an >> a:\gather.txt    # current connections
d:\fport >> a:\gather.txt          # applications bound to ports
d:\set >> a:\gather.txt            # env variables
d:\pslist >> a:\gather.txt         # processes

=====
Jonathan Bloomquist, CISSP

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 18:04:20 PDT
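The command ledger Jonathan proposes above, worked into a small collector, as an added example that is not part of the original thread: every step records a UTC timestamp, the exact command line, the exit status and a SHA-256 of the captured output, and a missing or hung tool is recorded rather than aborting the run. The tool paths in the post (d:\netstat, d:\fport, d:\pslist) are assumed to live on read-only media; demo() substitutes portable commands so the script runs anywhere.

```python
"""Command ledger for volatile-state collection (added example, not from the thread)."""
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_step(label, argv):
    """Run one collection command and return a ledger entry; never raises."""
    # argv[0] should be an absolute path on the read-only media (e.g. d:\netstat)
    # so the system's own, possibly tampered, copy is not the one executed.
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(),
             "label": label, "cmd": list(argv)}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
        entry["exit"] = proc.returncode
        entry["output"] = proc.stdout
        entry["stderr"] = proc.stderr.decode(errors="replace")
    except (OSError, subprocess.SubprocessError) as exc:
        # Missing or hung tool: record the failure and keep collecting.
        entry.update(exit=None, output=b"", error=repr(exc))
    entry["sha256"] = sha256_hex(entry["output"])  # lets the output be verified later
    return entry

def collect(steps, out_dir):
    """Append each step's output to gather.txt and write ledger.json beside it."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    ledger = []
    with open(out / "gather.txt", "ab") as gather:  # ">>" in the post: append, never overwrite
        for label, argv in steps:
            entry = run_step(label, argv)
            header = f"==== {entry['time_utc']} {label}: {' '.join(argv)}\n".encode()
            gather.write(header + entry.pop("output") + b"\n")
            ledger.append(entry)
    (out / "ledger.json").write_text(json.dumps(ledger, indent=1))
    return ledger

def demo(out_dir=None):
    """Portable stand-in for the post's Windows steps (netstat, fport, set, pslist)."""
    steps = [("banner", [sys.executable, "-c", "import sys; sys.stdout.write('volatile')"]),
             ("missing tool", ["tool-that-does-not-exist-xyz"])]  # exercises the failure path
    return collect(steps, out_dir or tempfile.mkdtemp(prefix="gather-"))
```

To use it on a real system, replace the steps in demo() with the post's tools by absolute path on the read-only media and point out_dir at the removable media.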