> + A generic report that can be used to document
> virtually any computer incident investigation.

Good start. Let's start w/ the document/format, b/c we may decide along the way that we need to define "incident". For example, do several (many??) SYN packets dropped at the firewall constitute an "incident"? Since many folks post inquiring as to the intent of the scan, I would suggest that such things are not, in fact, incidents.

> + Document a methodical approach to the incident
> investigation.

By way of a checklist, I would suggest the following as a start:

1. Have the following tools on-hand:
   - handle.exe, pslist.exe, listdlls.exe (SysInternals)
   - fport.exe (Foundstone...2.0 for Win2K, v 1.3 for NT)
   - netstat (native)

2. Run these five tools, redirecting their output to files.

3. If you don't want to walk through the files by hand, mapping everything out, use pd.exe (zipped archive at http://patriot.net/~carvdawg/perl.html) to automate it into an HTML file.

> + Operating System specific sections. We could make
> the form operating system independent, but then we lose a
> great opportunity for providing newcomers a practical how-to
> investigate an incident.

One of the biggest things missing when someone posts is the simple stuff...os, patches, applications, running processes/services, etc. This information could be provided on a host basis w/o having to divulge private info, like IP addresses.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
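The "mapping everything out" step in the checklist above, as an added example that is not part of the original post and is not pd.exe: it joins the redirected fport.exe, pslist.exe and netstat -an captures into one per-process view and lists where the three disagree. The three captures embedded below are constructed samples laid out like those tools printed on Windows 2000 (NT/2000 netstat has no -o, so fport is the only pid-to-port source); the host name, pids, paths and addresses are made up, and the "expected system dirs" list used for triage is an assumption of this example, not something the post states.

```python
"""Correlate fport.exe, pslist.exe and netstat -an captures into a per-pid view.

Added example; constructed sample captures, not real evidence. On a real
host, read the three files you redirected the tools into instead.
"""
import re

# Constructed fport.exe v2.0 output: pid -> port/proto -> image path
FPORT_OUT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1132  inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1488  nc             ->  31337 TCP   C:\RECYCLER\nc.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
"""

# Constructed pslist.exe output: process name and pid (other columns ignored)
PSLIST_OUT = r"""
PsList 1.2 - Process Information Lister
Copyright (C) 1999-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for VICTIM:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:14:52.468     0:00:00.000
System                8   8  36  199     24     0:00:05.250     0:00:00.000
svchost             392   8   8  264   1208     0:00:00.250     0:21:11.203
inetinfo           1132   8  22  404   5800     0:00:01.015     0:21:09.875
nc                 1488   8   1   22    188     0:00:00.015     0:00:42.046
"""

# Constructed "netstat -an" output: sockets and peers, but no pid on NT/2000
NETSTAT_OUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:31337      10.9.8.7:4242          ESTABLISHED
  TCP    192.168.1.5:1041       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")
PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+:")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Triage heuristic (assumption of this example): images outside these trees get flagged.
SYSTEM_DIRS = ("C:\\WINNT\\", "C:\\PROGRAM FILES\\")


def parse_fport(text):
    """Return one dict per fport row: pid, name, port, proto, path ('' for System)."""
    rows = []
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "name": name, "port": int(port),
                         "proto": proto, "path": path})
    return rows


def parse_pslist(text):
    """Return {pid: process name} from pslist output; header lines don't match."""
    return {int(m.group(2)): m.group(1)
            for m in map(PSLIST_RE.match, text.splitlines()) if m}


def parse_netstat(text):
    """Return one dict per socket: proto, laddr, port, faddr, state ('' for UDP)."""
    socks = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, laddr, port, faddr, state = m.groups()
            socks.append({"proto": proto, "laddr": laddr, "port": int(port),
                          "faddr": faddr, "state": state or ""})
    return socks


def correlate(fport_text, pslist_text, netstat_text):
    """Join the three captures on (proto, port) and pid.

    Returns (report, findings): report is {pid: {name, path, sockets[]}},
    findings is a list of discrepancies worth a manual look.
    """
    fport = parse_fport(fport_text)
    procs = parse_pslist(pslist_text)
    by_key = {(e["proto"], e["port"]): e for e in fport}
    report, findings, seen, missing = {}, [], set(), set()
    for s in parse_netstat(netstat_text):
        key = (s["proto"], s["port"])
        seen.add(key)
        e = by_key.get(key)
        if e is None:  # socket visible to netstat but no owning process per fport
            findings.append("%s/%d %s -> %s %s: in netstat but not in fport"
                            % (s["proto"], s["port"], s["laddr"], s["faddr"], s["state"]))
            continue
        if e["pid"] not in procs:
            missing.add((e["pid"], e["name"]))
        row = report.setdefault(e["pid"], {"name": e["name"], "path": e["path"], "sockets": []})
        row["sockets"].append(("%s %s:%d <-> %s %s" % (s["proto"], s["laddr"], s["port"],
                                                        s["faddr"], s["state"])).rstrip())
    for key, e in by_key.items():
        if key not in seen:  # fport saw a port netstat did not
            findings.append("%s/%d (pid %d %s): in fport but not in netstat"
                            % (key[0], key[1], e["pid"], e["name"]))
    for pid, name in sorted(missing):
        findings.append("pid %d (%s) owns sockets but is missing from pslist" % (pid, name))
    for pid, path in sorted({(e["pid"], e["path"]) for e in fport
                             if e["path"] and not e["path"].upper().startswith(SYSTEM_DIRS)}):
        findings.append("pid %d image outside expected system dirs: %s" % (pid, path))
    return report, findings


if __name__ == "__main__":
    report, findings = correlate(FPORT_OUT, PSLIST_OUT, NETSTAT_OUT)
    for pid in sorted(report):
        r = report[pid]
        print("pid %d %s %s" % (pid, r["name"], r["path"] or "(no image path)"))
        for sock in r["sockets"]:
            print("    " + sock)
    print("\nfindings:")
    for f in findings:
        print("  - " + f)
```

Run it against the real files by replacing the three constants with `open(...).read()` of the redirected output. A port that netstat shows but fport does not (or the reverse) is not proof of anything by itself, but it is exactly the sort of line you want in the report rather than buried in three raw text files.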
This archive was generated by hypermail 2b30 : Fri Aug 16 2002 - 09:09:43 PDT