Conducting Incident Post Mortems

Abstract We were scheduled to discuss back tracing this month but events since I wrote the last column have persuaded me to put that topic on hold briefly in favour of an important, but often overlooked, use of the digital investigative process: incident post mortems. Within the last couple of months we saw yet another massive worm infection on the Internet. Organizations that should have been prepared weren’t and the effects on some were, however temporarily, catastrophic. Many of those organizations had suffered under Code Red, Nimda, Love Letter and other global infections.