CH31 Incident Response and Forensics Flashcards
What is Incident Response Procedures?
a set of procedures that an investigator follows when examining a computer security incident
These incident response procedures are part of your organization’s overall Incident Management Program – program consisting of monitoring and detection of security events on a computer network and the execution of proper responses to those security events
What are the basic 6 steps procedures of Incident Response Procedures?
- Preparation – You need to be prepared before the incident occurs. Ensure that the organization has well-planned incident response procedure.
- Identification – Process of recognizing whether an event that occurs should be classified as an incident.
- Containment – focused on isolating the incident.
- Eradication – Remove the threat or attack
- Recovery – Focused on data restoration, system repair, and re-enabling any servers or networks taken offline during the incident response.
- Lessons learned
For the exam : Know these six steps and know the right order. Ex: What is the third step of an incident response? You’ve just done X, Y, and Z action. Which step are you in? Rearrange the blocks to put them in order from one to six
What is CSIRT ?
CSIRT = Incident Response Team (aka, CSIRT – Computer Security Incident Response Team)
key people available to respond to any incident that meets the severity and priority threshold that are set out by your incident response plan
Your CSIRT should be the single point of contact for security incident and
may be a part of the SOC or and independent team
Who is Incident Response Manager ?
team lead.
oversees and prioritize actions during the detection, analysis, and containment of incident. Responsible for conveying info about the response and recovery efforts to the executives and management within your organization
Who is Security Analyst ?
assigned in order to work directly on the affected network and to play detective in order to determine what happened to this point
Who is Triage analyst?
a security analyst that’s assigned to work on the network during the incident response. He’s going to help filter out false positives by properly configuring intrusion detection and protection systems, perform ongoing monitor and analysis to detect any new or potential intrusions.
Who is Forensic analyst?
a security analyst who will be more focused on the detective work and trying to piece together what has already occurred on the network.
Who is Threat researcher?
provides threat intelligence and overall context during the incident response
Who is Cross functional support?
people from management or executive team, someone from human resources, or attorney or lawyer, technical exports
What is Out-of-band communication?
Signal that are sent between two parties or two device that are sent via a path or method different from that of the primary communication between the two parties or devices
What are the sources of investigative data?
Security Information and Event Monitoring (SIEM)
Log File
Syslog / rsyslog / syslog-ng
journalctl
nxlog
netflow
sflow
Internet Protocol Flow Information Export (IPfix)
Metadata
For the exam : understand what sources are available to you and pick the right one based on a given scenario
What is Security Information and Event Monitoring (SIEM)?
Security Information and Event Monitoring (SIEM) – a combination of different data sources into one tool that provides real-time analysis of security alerts generated by applications and network hardware.
Great for incident response.
- Sensor – actual end point that’s being monitored. Sensor can feed the data up into the SIEM.
- Sensitivity – focused on how much or how little you are going to be logging.
- Trends – check the trends in our network to see any odd events happening.
- Alert – we can set up certain alerts that happen based on certain parameters.
- Correlation – provides us with good picture across all the devices.
What are the different log files available for investigative data?
Network,
System,
Application,
Security,
web,
DNS,
Authentication,
Dump Files,
VoIP log files.
What are Syslog / rsyslog / syslog-ng for investigative data?
those are three variations of syslog permit the logging of data from different types of systems in central repository.
What is journalctl for investigative data?
a Linux command-line utility used for querying and displaying logs from journald, the systemd logging service on Linux.
what is nxlog in regards to investigative data?
a multi-platform log management tool that helps to easily identify security risks, policy breaches, or analyze operational problems in server logs, operation system logs, and application logs.
nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng. rsyslog and syslog-ng only work on Linux and Unix systems, but nxlog is cross-platform.
what is netflow in regards to investigative data?
netflow – a network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume, and paths on the network.
What is sflow in regards to investigative data?
“sampled flow”. It provides a means for exporting truncated packets together with interface counters for the purpose of network monitoring.
What is Internet Protocol Flow Information Export (IPfix) in regards to investigative data?
a universal standard of export for Internet Protocol flow information from routers, probes, and other devices that are used by mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing by defining how IP flow information is to be formatted and transferred from an exporter to a collector. It’s used for backend of service management.
what is Metadata in regards to investigative data?
Data that describes other data by providing an underlying definition or description by summarizing basic information about data that makes finding and working with particular instances of data easier.
What are the 4 main areas of forensic procedures?
- Identification – Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected.
- Collection – Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected.
- Analysis – create a copy of evidence for analysis and use repeatable methods and tools during analysis.
- Reporting – create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis.
What is Legal Hold?
a process designed to preserve all relevant information when litigation is reasonably expected to occur. A computer or server could be seized as evidence
What are some things to do as part of data collection and evidence collection effort?
- Capture and hash system images – use a tool like FTK Imager to make exact copy of that server’s hard drive.
- Analyze data with forensic tools like FTK, the Forensic Toolkit, or EnCase.
- Capture Screenshots
- Review network traffic and logs
- Capture Video
- Consider Order of Volatility
- Take statements
- Review licensing and documentation
- Track man-hours and expenses
FTK and EnCase are popular forensic tools
What is Data Acquisition?
the method and tools used to create a forensically sound copy of data form a source device, such as system memory or a hard disk. Bring your own device (BYOD) policies complicate data acquisition since you may not be able to legally search or seize the device
What is the order of volatility when collecting evidence?
Analysts should always follow the order of volatility when collecting evidence. Short terms, highly volatile items first
1. CPU registers and cache memory
2. Contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files
3. Data on persistent mass storage (HDD/SDD/flash drive)
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media (backup tapes, offsite storage)
what is tracert/traceroute used for?
a network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol network
what is nslookup/dig used for?
utilities used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information
what is ipconfig / ifconfig used for?
utility that displays all the network configurations of the currently connected network devices and can modify the DHCP and DNS settings
what is nmap used for?
an open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses.
Be able to lookup at the output from nmap, be able to read it and then pick out what are the open ports or closed ports over some basic vulnerabilities based on those nmap scans
what is ping/pathping used for?
Utility used to determine if a host is reachable on an Internet Protocol network
what is hping used for?
an open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks
what is netstat used for?
Utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics
what is netcat used for?
utility for reading from and writing to network connections using TCP and UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts.
You can use netcat for banner grabbing (a technique used to gain info about a computer system on a network and the services running on its open ports).
You can use netcat and connect to a web server, you’ll get a text-based response back, and you’ll be able to tread the code that the web server is sending back to you.
You can use netcat to have shell connection and remotely control a machine.
what is arp used for?
Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server. (going from MAC addresses to IP address)
what is route used for?
utility that is used to view and manipulate the IP routing table on a host or server
what is curl used for?
a command line tool to transfer data to or from a server using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)
what is the harvester used for?
a python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database
what is sn1per used for?
automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network.
what is scanless used for?
Utility that is used to create an exploitation website that can perform Open port scans in a more stealth-like manner.
what is dnsenum used for?
Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization
what is Nessus used for?
a proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities
what is Cuckoo used for?
open source software for automating analysis of suspicious files. It’s a sandbox environment.
what does File Manipulation tool called head do?
a command-line utility for outputting the first ten lines of a file provided to it.
what does File Manipulation tool called tail do?
a command-line utility for outputting the last ten lines of a file provided to it
what does File Manipulation tool called cat (concatenate) do?
a command-line utility for outputting the contents of a file to the screen
what does File Manipulation tool called grep do?
a command-line utility for searching plain-text data sets for lines that match a regular expression or pattern
what does File Manipulation tool called chmod do?
a command-line utility used to change the access permissions of file system objects.
what does File Manipulation tool called logger do?
Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or form other files
What is SSH?
utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections
What is PowerShell ?
a task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language
What is Python?
an interpreted, high-level and general-purpose programming language
What is OpenSSL?
a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
what is packet capture tool called, tcpdump?
a command line utility that allows you to capture and analyze network traffic going through your system
what is packet capture tool called, Wireshark?
a popular network analysis tool to capture network packets and display them at a granular level for real-time off line analysis
What is a forensic tool called dd?
command line utility used to copy disk images using a bit by bit copying process
What is a forensic tool called FTK Imager?
a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed
What is a forensic tool called Memdump ?
a command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps
What is a forensic tool called WinHex?
a commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics
What is a forensic tool called Autopsy ?
a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools
What are the 4 main areas of forensic procedures ?
- Identification – Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected.
- Collection – Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected.
- Analysis – create a copy of evidence for analysis and use repeatable methods and tools during analysis.
- Reporting – create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis
What is Legal Hold?
a process designed to preserve all relevant information when litigation is reasonably expected to occur. A computer or server could be seized as evidence
What is Data Acquisition?
the method and tools used to create a forensically sound copy of data form a source device, such as system memory or a hard disk.
Bring your own device (BYOD) policies complicate data acquisition since you may not be able to legally search or seize the device
What are some of the things we can do as part of data collection and evidence collection effort
- Capture and hash system images – use a tool like FTK Imager to make exact copy of that server’s hard drive.
- Analyze data with forensic tools like FTK, the Forensic Toolkit, or EnCase.
- Capture Screenshots
- Review network traffic and logs
- Capture Video
- Consider Order of Volatility
- Take statements
- Review licensing and documentation
- Track man-hours and expenses
FTK and EnCase are popular forensic tools
What is the order that Analysts should follow when collecting evidence?
Analysts should always follow the order of volatility when collecting evidence. Short terms, highly volatile items first
1. CPU registers and cache memory
2. Contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files
3. Data on persistent mass storage (HDD/SDD/flash drive)
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media (backup tapes, offsite storage)
What is the following network tool used for?
tracert/traceroute
a network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol network
What is the following network tool used for?
nslookup/dig
utilities used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and other DNS information
What is the following network tool used for?
ipconfig / ifconfig
utility that displays all the network configurations of the currently connected network devices and can modify the DHCP and DNS settings
What is the following network tool used for?
nmap
an open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses.
For the exam : Be able to lookup at the output from nmap, be able to read it and then pick out what are the open ports or closed ports over some basic vulnerabilities based on those nmap scans
What is the following network tool used for?
ping/pathping
Utility used to determine if a host is reachable on an Internet Protocol network
What is the following network tool used for?
hping
an open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks
What is the following network tool used for?
netstat
Utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics
What is the following network tool used for?
netcat
utility for reading from and writing to network connections using TCP and UDP which is a dependable back-end that can be used directly or easily driven by other programs and scripts.
You can use netcat for banner grabbing (a technique used to gain info about a computer system on a network and the services running on its open ports).
You can use netcat and connect to a web server, you’ll get a text-based response back, and you’ll be able to tread the code that the web server is sending back to you.
You can use netcat to have shell connection and remotely control a machine
What is the following network tool used for?
arp
Utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server. (going from MAC addresses to IP address)
What is the following network tool used for?
route
utility that is used to view and manipulate the IP routing table on a host or server
What is the following network tool used for?
curl
a command line tool to transfer data to or from a server using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE)
What is the following network tool used for?
the harvester
a python script that is used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN database
What is the following network tool used for?
sn1per
automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network
What is the following network tool used for?
scanless
Utility that is used to create an exploitation website that can perform Open port scans in a more stealth-like manner
What is the following network tool used for?
dnsenum
Utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization
What is the following network tool used for?
Nessus
a proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities
What is the following network tool used for?
Cuckoo
open source software for automating analysis of suspicious files. It’s a sandbox environment
What is the following File Manipulation tool used for?
head
a command-line utility for outputting the first ten lines of a file provided to it.
What is the following File Manipulation tool used for?
tail
a command-line utility for outputting the last ten lines of a file provided to it
What is the following File Manipulation tool used for?
cat (concatenate)
a command-line utility for outputting the contents of a file to the screen
What is the following File Manipulation tool used for?
grep
a command-line utility for searching plain-text data sets for lines that match a regular expression or pattern
What is the following File Manipulation tool used for?
chmod
a command-line utility used to change the access permissions of file system objects
What is the following File Manipulation tool used for?
logger
Utility that provides an easy way to add messages to the /var/log/syslog file from the command line or form other files
What is the following Shell and Script tool used for?
SSH
utility that supports encrypted data transfer between two computers for secure logins, file transfers, or general purpose connections
What is the following Shell and Script tool used for?
PowerShell
a task automation and configuration management framework from Microsoft, consisting of a command-line shell and the associated scripting language
What is the following Shell and Script tool used for?
Python
an interpreted, high-level and general-purpose programming language
What is the following Shell and Script tool used for?
OpenSSL
a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
What is the following Packet Capture tool used for?
tcpdump
a command line utility that allows you to capture and analyze network traffic going through your system
What is the following Packet Capture tool used for?
WireShark
a popular network analysis tool to capture network packets and display them at a granular level for real-time off line analysis
What is the following Forensic tool used for?
dd
command line utility used to copy disk images using a bit by bit copying process
What is the following Forensic tool used for?
FTK Imager
a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is needed
What is the following Forensic tool used for?
Memdump
a command line utility used to dump system memory to the standard output stream by skipping over holes in memory maps
What is the following Forensic tool used for?
WinHex
a commercial disk editor and universal hexadecimal editor used for data recovery and digital forensics
What is the following Forensic tool used for?
Autopsy
a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools
What is the following Exploitation tool used for?
Metasploit (MSF)
a computer security tool that offers information about software vulnerabilities, IDS signature development, and improves penetration testing
What is the following Exploitation tool used for?
Browser Exploitation Framework (BeEF)
a tool that can hook one or more browsers and can use them as a breachhead of launching various direct commands and further attacks against the system from within the browser context
What is the following Exploitation tool used for?
Cain and Abel
a password recovery tool that can be used through sniffing the network, cracking encrypted passwords using dictionary, brute=force, and cryptanalysis attacks, according to VoIP conversations, decoding scrambled passwords, revealing password boxes, and analyzing routing protocols
What is the following Exploitation tool used for?
Jack the Ripper
open source password security auditing and password recovery tool available for many operating systems
