On Mon, 20 Feb 2006 09:15:12 EST, Babak Pasdar said:

> 1. I had to get back to our office from the client site over an hour
> away :) Laws of physics to New York City traffic apply no matter what.

Definite lack of resources there. You *really* want to be at least 2 or 3 deep at the "first responder" position. What if you had, 5 minutes before, gotten on a plane headed for Los Angeles, and thus were basically unreachable for the next 6 hours?

> 2. The client or a security company's network are not the best source
> for scanning and investigation activities. Lest you have someone who
> looks for these early signs of the investigation. Scans have to be
> alternately sourced.

Again, a security company that doesn't plan ahead for this and have a few AOL or NetZero accounts already set up indicates a security company that needs to get ahead of the learning curve.

> 3. Running a few commands by no means is an indication of a fully
> packaged and verified set of information. A forensics case has to be
> started fully documenting all actions and times for possible future
> reference in legal proceedings. Rushing through something like this and
> not following procedure is the first step in being caught with your
> pants down later.

Again, this should not add "hours". If you have procedure in place, it shouldn't add much more than 30-45 *seconds* to each command. And if you're really smart, you have all the initial queries in a script, and only need to document that you ran the script....
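As an added example (not from this thread or either of its authors) of the scripted, self-documenting initial collection the reply above recommends: a POSIX shell wrapper that runs each first-responder command, keeps its output, and appends start/end time, operator and host, the exact command, its exit status and a hash of the output to a case log, so the operator only has to note that the script was run. The command list, log layout and paths are assumptions; the entries in collect_initial are a constructed sample, not a complete triage procedure.

```shell
#!/bin/sh
# Added example: scripted first-responder collection with a case log.
# Assumes POSIX sh plus sha256sum or shasum; the command list in
# collect_initial is a constructed sample, not a complete triage set.

LOGDIR="${IR_LOGDIR:-./ir-case-$(date -u +%Y%m%dT%H%M%SZ)}"

# SHA-256 of a file, with whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# run_logged NAME CMD...: run one command, keep its output, and append
# start/end time, operator@host, command, exit status and output hash to
# the case log (tab-separated, one line per command).
run_logged() {
    name=$1; shift
    mkdir -p "$LOGDIR"
    out="$LOGDIR/$name.txt"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    "$@" >"$out" 2>&1 || rc=$?
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$start" "$end" \
        "$(id -un)@$(uname -n)" "$name" "$*" "$rc" "$out" "$(hash_file "$out")" \
        >>"$LOGDIR/case.log"
}

# verify_case DIR: re-hash every recorded output file; returns nonzero
# if any file no longer matches the log (edited or corrupted evidence).
verify_case() {
    dir=${1:-$LOGDIR}; bad=0
    while IFS="$(printf '\t')" read -r start end who name cmd rc out sum; do
        [ "$(hash_file "$out")" = "$sum" ] || { echo "MISMATCH: $name" >&2; bad=1; }
    done <"$dir/case.log"
    return $bad
}

# Sample initial queries (constructed; replace with your own procedure).
collect_initial() {
    run_logged identity id
    run_logged system uname -a
    run_logged processes ps -ef
    run_logged clock date -u
}

if [ "${1:-}" = "--run" ]; then collect_initial && verify_case; fi
```

Run it as `sh collect.sh --run` on the host being examined; the resulting directory holds each command's output beside case.log, and verify_case rechecks the recorded hashes later.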
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
