Saturday, February 11, 2012

New NIST draft document - Computer Security Incident Handling Guide

NIST released a new draft document on Computer Security Incident Handling. This is the second version of the original document that was released in 2008.
This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. 

It is a great reference document for folks trying to implement a new program and for folks to tweak their existing program.
Here is a list of major recommendations:
  • Organizations must create, provision, and operate a formal incident response capability. Federal law requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT) office within the Department of Homeland Security.
  • Organizations should reduce the frequency of incidents by effectively securing networks, systems, and applications.
  • Organizations should document their guidelines for interactions with other organizations regarding incidents.
  • Organizations should prepare generally to handle any type of incident and more specifically to handle common incident types.
  • Organizations should create written guidelines for prioritizing incidents.
  • Organizations should use the lessons learned process to gain value from incidents.
The document is available from the following link

NIST requests comments on this document by March 16th, 2012. If you would like to submit comments, submit it to "" with "Comments SP 800-61" in the subject line.

Sunday, January 29, 2012

Registry Decoder - A new registry analysis tool

Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.

It is much similar to Harlan's RegRipper. It can perform the analysis on the live system as well as the saved hive files. To acquire the currently in-use registry files, Registry Decoder creates a System Restore Point on the target machine. This ‘freezes’ and generates a read-only backup of the current registry files.

In the current version, the offline component is able to process a number of evidence types including:

1. Individual registry files
2. Full disk images
3. Partition images
4. Databases created by the online acquisition component of Registry Decoder

The analysis tasks it performs include:

1. Hive Viewing
2. Hive Searching
3. Plugins. Currently has 30 plugins
4. Hive Differencing to find the differences between two registry hives
5. Reporting

The online acquisition component can be accessed at: and the offline analysis component accessed at:

Some of the screen shots from my system are below: