Pretty dull - I made a web display of recent, centrally collected syslog so you could tell who logged in where, when and from where. The idea is that if you thought one host was compromised you'd have an idea which other hosts to look at next.
Never done this except for odd debugging (you might look at Snort etc.).
Quote:
examination of computers after suspected wrongdoing to collect evidence
This tends to fall into using EnCase etc. for catching staff viewing porn on Windows boxes (not my area) and using TCT to study actions taken on Unix hosts to know what the bad guy was up to (find what exploit tool he installed). Hopefully these are infrequent actions.
Then there's looking for bugs in s/w - definitely fun. You get to report stuff to the vendors and see if they are willing to fix it. The worst behaviour I found was BMC unwilling to even receive a bug report until I could show I had a support contract.
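One way to build the login correlation described at the top of the post, as an added Python example (not the poster's own web display): it parses constructed sshd lines in the shape a central syslog collector receives and, given a host you suspect is compromised, lists the other hosts that received logins from it, following the chain transitively rather than one hop. The hostname-to-IP map is an assumption standing in for an inventory.

```python
import re

# Constructed sample lines in the shape a central syslog collector receives
# from OpenSSH; hostnames and addresses are invented for this example.
SAMPLE_SYSLOG = """\
Mar  3 09:12:01 web1 sshd[2201]: Accepted publickey for alice from 10.0.1.20 port 51022 ssh2
Mar  3 09:15:44 web1 sshd[2250]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  3 09:16:02 web1 sshd[2251]: Accepted password for deploy from 198.51.100.7 port 40013 ssh2
Mar  3 09:20:17 db1 sshd[811]: Accepted publickey for deploy from 10.0.1.11 port 48002 ssh2
Mar  3 09:21:05 build2 sshd[3307]: Accepted publickey for deploy from 10.0.1.11 port 48010 ssh2
Mar  3 10:02:33 db1 sshd[840]: Accepted publickey for bob from 10.0.1.21 port 52100 ssh2
"""

# Assumed inventory: hostname -> IP, so a host that received a login can be
# matched as the source of the next login in the chain.
HOST_IPS = {"web1": "10.0.1.11", "db1": "10.0.1.12", "build2": "10.0.1.13"}

# Only successful logins matter for "who logged in where, when and from where".
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return one dict (ts, host, method, user, src) per successful SSH login."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def hosts_to_check_next(logins, suspect_host, host_ips):
    """Hosts that received a login from the suspect host, or from any host
    reached from it, i.e. the next places to look during an investigation."""
    reached, frontier = set(), {suspect_host}
    while frontier:
        src_ip = host_ips.get(frontier.pop())
        for rec in logins:
            dst = rec["host"]
            if rec["src"] == src_ip and dst != suspect_host and dst not in reached:
                reached.add(dst)
                frontier.add(dst)
    return reached
```

In the sample data an outside address logs into web1 as deploy, and web1's own address then logs into db1 and build2, so suspecting web1 points you at those two hosts.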