RE: Re: pentest documentation

From: William Woodhams (William.Woodhams@wegmans.com)
Date: Tue Oct 03 2006 - 08:04:37 EDT


Also with this type of documentation make sure that the client has given
you specific permission to log all of this to CD etc. If the
documentation is highly classified then you must make sure anything like
this is allowed by your client and in writing.

Bill Woodhams
Systems Technician
Development Group-Technical Systems
(585)429-3183
William.Woodhams@wegmans.com
 
Newcastle United signs Michael Owen...Enough Said!

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of krymson@gmail.com
Sent: Monday, October 02, 2006 3:32 PM
To: pen-test@securityfocus.com
Subject: Re: Re: pentest documentation

For Windows, Camtasia is an excellent screen-recorder if you want to go
that route. If you're doing some hands-on things like taps or images or
something that can't be put into a virtual machine (and screen-capped by
the host machine) you could use a digital video recorder if your
engagement either requires this level of documentation or allows you to
do so. I guess physical security tests may be better documented with
digital cameras, although I dunno if I've ever seen that myself
(physical pen-tests I don't see very often or hear much about other than
theoretical reviews of a site).

Other means that go beyond just providing a report:
- putting any confiscated material ("look what I found on this
developer's machine, source code and client data databases!") on a CD or
USB device, then hashing it and labelling it appropriately.

- capture the packet output of any scans or actual attacks that you do
and hash them. Try your best to get times as close as possible, in case
they want to correlate IDS entries with your scans/attacks, or a system
went down during the scan and they need to determine that you were the
cause.

- capture the output of any scanning tools you use. Things like Nessus
and nmap will have output files and reports. Even though you likely
recreate the reports in a more meaningful format for the client, turning
over the raw data itself is also good practice.

Be aware that you may be capturing sensitive information this way, so
protect any captures you take with you for your own review and be
sensitive to what the client is going to want you to provide to them.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

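The thread above recommends hashing confiscated material, packet captures and raw scanner output, and keeping timestamps the client can correlate with IDS logs. The script below is an added example (not code from either poster) of how a tester might produce a hand-over manifest that does that: it streams every artifact under a directory through SHA-256, records size and UTC modification time, digests the manifest itself so that value can be written on the CD label or in the report, and offers a verify step the client can run on their copy. The engagement identifier, file names and file contents are constructed placeholders.

```python
"""Evidence manifest for pentest artifacts (pcaps, scanner output, copied files).

Added example, not from the original thread. Builds a manifest recording a
SHA-256 digest, size and UTC timestamp for each artifact, so the client can
verify the hand-over copy later and correlate capture times with IDS logs.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large pcaps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_digest(manifest):
    """SHA-256 over canonical JSON of the manifest, excluding its own digest field."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(root, engagement_id):
    """Walk `root` and record each artifact's digest, size and mtime (UTC, ISO 8601)."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root),
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    manifest = {
        "engagement_id": engagement_id,  # placeholder; use the client's own reference
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }
    # Record this value out of band (report, CD label) so the manifest itself is checkable.
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify_manifest(root, manifest):
    """Return the paths whose current digest differs from the manifest, or which are missing.

    Raises ValueError if the manifest's own digest no longer matches its contents.
    """
    if manifest_digest(manifest) != manifest["manifest_sha256"]:
        raise ValueError("manifest has been altered since it was generated")
    mismatches = []
    for entry in manifest["artifacts"]:
        path = os.path.join(root, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo():
    """Constructed sample: two fake artifacts, then one is edited after hashing."""
    root = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(root, "nmap_scan.xml"), "w") as f:
        f.write("<nmaprun><!-- constructed sample --></nmaprun>\n")
    with open(os.path.join(root, "scan_traffic.pcap"), "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + zeroed header, constructed
    manifest = build_manifest(root, "ENGAGEMENT-ID-PLACEHOLDER")
    clean = verify_manifest(root, manifest)          # expected: []
    with open(os.path.join(root, "nmap_scan.xml"), "a") as f:
        f.write("<!-- edited after hand-over -->\n")
    tampered = verify_manifest(root, manifest)       # expected: ["nmap_scan.xml"]
    return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("clean run:", clean, "after edit:", tampered)
```

The client keeps the manifest and its digest with the signed hand-over record; if either the CD contents or the manifest are later changed, `verify_manifest` reports which file moved or raises on the manifest itself. The recorded `mtime_utc` is the file's modification time, not the time the packets were captured; for the IDS correlation the thread mentions, the capture timestamps inside the pcap are the authoritative source, and the host clock should be synchronised before the engagement starts.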



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:05 EDT