When it comes to handling computer security incidents, proper first response handling of computer security incidents is second in importance only to incident prevention. Improper handling or collection of available information can do irreparable harm to an investigation. Investigators need to have a thorough understanding of what information they intend to collect, as well as the tools they can use and the effects those tools have on the system itself.
Investigators know that not every event reported will require a full investigation or lead to prosecution. Obviously, each incident will make different demands on investigators; however, incident handling personnel should not deviate from best practices and assume that different procedures should be used to handle an event. There are specific items of information that can be collected and analyzed quickly in order to determine what follow-up steps need to be taken. This article will offer a brief overview of some of the steps security administrators and incident handlers should take as part of the first response to security incidents. This article will focus on incidents in Microsoft Windows 2000, due to its popularity in both the corporate and server environments. Many of the general topics discussed in this article are applicable across other platforms, and many of the specific techniques and tools discussed can also be employed on NT and XP.