This is a sample Incident Response report that I recently completed. I thought people might be interested in seeing what a report *might* look like. I've cleaned it quite a bit so that I could post it here, so there are some details missing.
October 1st, 2004, 06:21 AM
Very Nice Hog..
I find it kinda humorous that it was on that because that's the exact virus that we're having issues with at the college I work at ... I've identified about 40 variants of the virus so far and have created a custom cleaner for all of them.... I'm still discovering more every day and none of the virus companies are doing anything... Some of them are detecting it but none of them will clean it.. They all recognize it (depending on the vendor) as SpyBot/SDBot/Forbot...
I'm going to be working on ClamWin Defs for them all weekend.
October 1st, 2004, 06:24 AM
HT: Yeah I actually thought it was funny because I have seen you talking a bit about it elsewhere on the forums..I have to rely on others to submit these things to me since my environment is pretty controlled and we don't see a lot of malware (unless I bring it in purposely).
October 1st, 2004, 06:30 AM
So how did you get the kids picture? I know it's probably a minor detail but I'm just curious. And he just left you an easy trail to follow?
October 1st, 2004, 07:15 AM
It was a fairly simple trail to follow in this case, and fun.
October 1st, 2004, 07:16 AM
Here's a link for those of you using IE.. hog's posted text file isn't IE/Notepad friendly
HogFly, a couple of tools such as Retina and SSS create really nice reports after the scan is completed. Take a look at those. They're not exactly forensics tools, but they are pretty good vulnerability checkers. I put 'em here for the sake of the reporting, not their intended usage.
October 1st, 2004, 07:43 AM
Are there any standards for writing an incident report, or is it just made per incident?
October 1st, 2004, 07:49 AM
Soda: Various agencies and governments have standards for reporting. We have a SOP (standard operating procedure) for reporting of security incidents; in fact, it's a policy. This was a little different than what's defined by our policy though. It all depends on where you work, and how developed a policy/program they have.
October 4th, 2004, 05:30 PM
Is this something you would just keep on file or is it submitted somewhere?