Update: I am incredibly humbled by the positive responses I've received since posting my paper on Incident Response A-Z. I am very grateful to each and every person who added their suggestions, and pointed out that glaring mistake on page 6 where I duplicated the first 3 processes. I was on my way to Disneyland when I noticed it, and was mortified (and humbled in a different way)! I have just posted a revised and corrected copy/link below. Thank you again everyone for all your input, that's what makes community great, enjoy!
I began the concept of this paper with one sentence, almost 5 years ago. I have slowly expanded upon that sentence over the past 5 years, and I fully expect that trend to continue. Over the course of chipping away at the paper, I have published portions of it on my blog.
A likely follow-up would be an example investigation, soup to nuts, along with a final report that you would hand to the client. That may be my next endeavor. I started that process recently, but with not a lot of free time in my schedule, I decided to go ahead and publish what I have so far, and if I can eke out enough time to do the rest and tack on other stuff, I certainly will.
The paper is dedicated to my daughters. My 1 year old cannot yet grasp the concept of malware, however while traveling recently and Skyping with my 5 year old who is crazy about princesses and of course “Frozen,” we were sharing stories about our day and I mentioned that I had come across a very interesting piece of malware, to which she responded, “Mom, was it pink malware?!” And thus, "pink malware" was born, because of course I had to come home with some for her.
Lastly, my thoughts and processes are just one of a thousand ways you can approach an incident. I am making no claims that the paper is perfect, or exhaustive. I do, however, hope that someone will find something meaningful that they can take away from it. I recently received a private message from someone anonymously via my blog who encouraged me to keep putting things like this out there because it was incredibly helpful to the DFIR community. I am releasing this paper in the spirit of that post. It’s far from ready for publishing, or complete, but it is good enough for now: It opens to PDF: http://bit.ly/IR_A2Z_Updated
Wednesday, June 29, 2016
Subscribe to:
Post Comments (Atom)
6 comments:
In PHASE 1 (p.6), are points 1.1 through 1.3 supposed to be repeated ?
Great stuff,just started reading!
Wow, thank you so much!
Tonat,
Thank you so much, I've updated it a bit since yesterday, so you may want to grab the latest one: http://bit.ly/IR_A2Z_Updated. I so appreciate your comments!
The link doesnt seem to work anymore?
Hi BitBucket,
I'm sorry you're having trouble. Try the link: http://bit.ly/IR_A2Z and from there you can click to download the PDF. Let me know if you're still having trouble and I can just email you the PDF.
Post a Comment