April 6th, 2003, 04:50 PM
#5
Forensics Checklist
Hey tonybradley,
It is actually very common for large companies to have incident response policies; most smaller businesses and smaller educational institutes usually lack the resources to have or develop incident response policies. I can tell you that companies who are security minded usually have policies that break down events into categories and give a set of steps to follow:
For example, a broad policy that I have read breaks down incidents into three categories:
1.) Intrusion is currently taking place
2.) A Past Intrusion has been detected
3.) Attempt to gain information or intrude.
Each category is then broken down into smaller scenarios. For example, if scenario #1 were occurring, then the policy says there are two courses of action (depending on the personnel available): either the intruder is disconnected and the computer sanitized, or the intruder is allowed to continue while his actions are monitored, after which the intruder is disconnected and the box is sanitized.
---
I have read that in some companies, they actually have like flow chart diagrams that broadly determine the steps needed to handle certain incidents.
---
As for your other question about the set of steps here are the checklists that I use:
For First Response:
1.) The first responder fills out a "First Responder's Form", which usually has some basic questions: the computer name, location, your name, anything that is blatantly obvious on the screen (windows, etc.). The First Responder's Form also tells the person what not to do, such as turn off the computer, install software, or add/delete anything from the hard drive.
2.) Run the First Response Disk, which is a disk that dumps the results of a set of tools (Fport, Handle, Listdlls, Pslist, all the Windows NET commands, dumps of the Startup Registry keys, etc.) to the floppy.
3.) Contact the appropriate network operations personnel listed on the First Responder's Form.
For Incident Response:
1.) Fill out the First Responders Form.
2.) Run the First Response Disk
3.) An image of the First Response Floppy is made, a checksum is taken, and the original floppy is catalogued and stored in a secure storage area in the office.
4.) We then use the image to make a new copy of the floppy and analyze the results.
5.) If we notice suspicious entries in the logs, we perform a more detailed investigation that is completely documented.
6.) After the appropriate actions have been taken, the box is sanitized and a follow-up form is filled out (it documents the steps that we took to restore the computer).
---
Anyways, I hope that helped. I also suggest you go to SecurityFocus.com and check out their articles on Incident Response. They have a lot of GREAT information.
Enjoy,
Simon Templer
"Your work is to discover your world and then with all your heart give yourself to it."
-The Buddha
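Steps 2 through 4 of the incident response checklist above (dump tool output to removable media, checksum it, catalogue the original, and analyze a verified copy) are easy to get subtly wrong if the checksum is only ever taken once. The following Python script is an added example, not code from the post or from any of the tools it names: it writes each collector's output to a bundle, hashes every file into a manifest, records the manifest's own hash as the value to put on the catalogue form, and verifies a working copy against the manifest before analysis. The tool output strings are constructed stand-ins for what Fport, Pslist or a registry dump would print, and the `run_tool` helper is the assumed hook for live collection.

```python
"""First-response evidence bundle: collect, hash, manifest, verify.
Added example, not from the original post. Tool output below is constructed."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-ins for what a First Response Disk would dump.
# Live collection would capture real stdout from Fport, Pslist, `net`, etc.
SAMPLE_TOOL_OUTPUT = {
    "pslist": "Name      Pid  Pri\nSystem    8    8\nsvchost   412  8\n",
    "fport": "Pid  Process  Port  Proto  Path\n"
             "412  svchost  135   TCP    C:\\WINNT\\system32\\svchost.exe\n",
    "reg_run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
               "  Updater  REG_SZ  C:\\temp\\upd.exe\n",
}
MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_tool(argv: list[str], timeout: int = 60) -> str:
    """Hypothetical live-collection hook: run one command, return its text output."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def collect(outputs: dict[str, str], dest: Path) -> dict[str, str]:
    """Write each tool's output to dest/<tool>.txt; return {filename: sha256}."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for tool, text in sorted(outputs.items()):
        out = dest / f"{tool}.txt"
        out.write_text(text, encoding="utf-8")
        manifest[out.name] = sha256_file(out)
    return manifest


def write_manifest(dest: Path, manifest: dict[str, str]) -> str:
    """Write 'hash  filename' lines; return the manifest's own hash, which is
    the single value to record on the catalogue / chain-of-custody form."""
    lines = [f"{digest}  {name}" for name, digest in sorted(manifest.items())]
    mpath = dest / MANIFEST_NAME
    mpath.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return sha256_file(mpath)


def read_manifest(dest: Path) -> dict[str, str]:
    manifest = {}
    for line in (dest / MANIFEST_NAME).read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, name = line.split("  ", 1)
            manifest[name] = digest
    return manifest


def verify(dest: Path) -> list[str]:
    """Names of files that are missing or whose hash differs from the manifest.
    An empty list means the bundle is intact."""
    problems = []
    for name, expected in read_manifest(dest).items():
        p = dest / name
        if not p.exists() or sha256_file(p) != expected:
            problems.append(name)
    return problems


def make_working_copy(original: Path, copy: Path) -> list[str]:
    """Copy the bundle and verify the copy; analysis runs on the copy only."""
    shutil.copytree(original, copy)
    return verify(copy)


def demo() -> tuple[list[str], list[str]]:
    """Collect, copy, verify, then alter the copy to show the check catches it."""
    base = Path(tempfile.mkdtemp())
    original = base / "frd_original"
    write_manifest(original, collect(SAMPLE_TOOL_OUTPUT, original))
    copy = base / "frd_working"
    clean = make_working_copy(original, copy)
    (copy / "reg_run.txt").write_text("altered after imaging\n", encoding="utf-8")
    altered = verify(copy)
    shutil.rmtree(base)
    return clean, altered


if __name__ == "__main__":
    print(demo())  # ([], ['reg_run.txt'])
```

The manifest deliberately excludes itself, so the hash returned by `write_manifest` is the one number written on the catalogue entry; anyone later re-hashing the original floppy image and the manifest file can confirm both have not changed since the day of collection.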