Sunday, March 15, 2009


With respect to incident management, and incident response and forensic analysis of Windows systems, what are your issues, concerns, and requirements?

What I mean by this is, what resources are out there that help you meet your needs and goals, and which ones simply are not available? What meets your needs, and what needs aren't being met?

These questions apply across the board, regardless of whether you're local, state, or federal LE, a consultant, FTE IT staff, college/university student, etc.

Is it a matter of the availability of information with respect to various or specific topics? If so, which ones? What about training? Is there information out that may be useful, but is out of reach for some reason (aside from being classified)? What are your limitations in these regards? Time? Funding? How could your requirements in these areas be better met?

Have you come through an incident or completed some forensic analysis and been left with questions or concerns, such as "did I miss something?" or "what could I have done better?"

Are you looking around and simply not finding your needs being met? Have you sat down and figured out what those needs are, even if they're moving targets? Do you keep coming back to some of them over and over again?


Anonymous said...

the paper is very good
I read it with google translate
I'm chinese,my english is poor

H. Carvey said...

Which paper?

Anonymous said...


This is a tough question. I have been in IT for 12 years but have only recently thought moving more in the direction of incident response/forensics which has been a hobby of mine for years. So I will answer your question from the point of view of an outsider trying to get into the field.

I think the major problem for myself is WHAT information to study and not the availability of the information. I find myself gravitating to blogs, books, white papers that contain real world cases and how they were handled. That seems to give me a guide as to what to study.

Also, what would you recommend as a resource for investigators that need to reach out to other security professionals? For example let's say you are conducting an investigation that quickly leads to a Sharepoint environment and you find yourself with minimal share point knowledge and a short period of time to get up to snuff. Obviously having an address book full of contacts would be ideal in this situation but for those with nobody to turn to what is out there?

Great blog by the way. I am enjoying it. As an ex Marine I got a nice laugh out of your brown star cluster comment. The security field can lead to some fairly informative but DRY and DULL writing so kudos on your informative and entertaining writing style.

H. Carvey said...


Thanks for the comments! It's always good to hear from a fellow former Marine. I guess I should also ask anyone who's willing to include their primary was 2502...that's back when they had such a thing!

Keeping up with info is difficult. As far as what to study, I just tend to look around me, or at my last engagement, and ask myself what I could've done better. As a consultant, that's pretty much a never-ending resource.

Keeping up with "experts" is another thing entirely, because you run into two phenomena...public forums with a low signal-to-noise ratio (because everyone wants the "experts" to tell them the answer and not do their own research), or forums that don't get a great deal of activity at all...such as the Win4N6 Yahoo Group.

I have thought for a long time that the real power in this type of work is the social and professional networking that people can do...but in a geographically dispersed environment, that can be difficult to do.

Fitz, again, thanks for the comments. It helps to see that I'm at least doing something right! ;-)

Fitz said...

Thanks for the reply and Semper Fi!

What is/was a 2502? I was an 0811 from 91-95. I went in open contract :( but I did love my time served.

H. Carvey said...

2502 was Communications Officer, back when that and Data Processing Officer were separate MOSs.