Computer
Forensic Investigation Computer
Forensics Training Information CyberTip 1: Computer Forensics:
Incident Response Detect and React
- Initial Detection: Suspicious Event, System
Alert
MSSP Reported (They only report, YOU Have to
respond!)
- Initial Assessment (Damage Assessment):
System Analyst check reports: ID intruder? ID
vulnerability?
ID level? - Upper and Lower Control Limits/Trends
- Can you isolate, image, clean, patch and
return to operation?
- Do you need to disconnect - possible pervasiveness
of attack?
- Communicate to leadership for possible intel/surveillance
value
- Respond: Determine level of effort and type
of response
- 1st Tier: Threat against safety/security
Disconnect/Isolate!
- 2nd Tier: Network Attack, Loss of Funds,
Loss of Service
Disconnect, Image, Clean, Rebuild, Reintroduce
to network, Investigate images using Forensic
Methods
- 3rd Tier: Policy Violations, Insider
Suspicions
Covertly do Forensic Preview, Image, Consider
Reintroduction to users to not “tip-off”
insider
- Isolation and Imaging: Company “1st
Responder” immediately isolates forensic
evidence
- Avoid evidence contamination at all costs!
- Act quickly as evidence has expiration
“characteristics” and be lost
as time progresses
- Reference Tier 1-3 response for help
in prioritization and actions
- Determine Source and Size: Is it Legitimate
activity, Virus activity, Network attack, Insider
Fraud, Account compromise, Trojan or Covert
Channels
- Look at other systems and cross correlate
- Ensure incident is isolated to known
systems
- Quantify: Initial assessment of loss and
Specialist assistance
- Start IR Cycle Over: Deter/Protect: Cleaned,
patched, and security upgrades considered
Always look for other forms of cyberevidence:
Electronic Organizers; Cellular phones, Pagers;
Facsimile Machines; Caller ID Devices; Smart Cards;
Storage medium: Floppies; Tapes; Compact Disks;
Hard Disks; Removable media.
|
