Incident response Flashcards
workplace
Team dedicated to IR
Team that deals with cyber security and IR
Team that deals with IR and the digital forensics that follows
An outsourced team that deal with cyber security, IR and digital forensics
Could work in lab and have artefacts handed to you to work on
give 5 examples of an incident
Data breach
DDoS attack on a network
Malware infection
Unauthorised access
Murder, robbery, fraud
what is IR in digital forensics
Digital forensic professional would deal with digital devices aspects or an incident not the blood splatter etc
Might be given artefacts
Might have to go and collect digital artefacts yourself
Might have to let another team have an artefact to analyse the blood on it etc
dealing with an incident
Varies depending on job role and incident
First digital forensics person there
Public sector – crime scene
Private sector – organisations building, policy violations
If you are called to perform an investigation within an organisation, you might have some policy violations, you might have some laws broken, you might not know until you start investigating and you might not know how serious an incident is initially
what are the 6 stages on incident response
plan respond acquire analyse report learn
what is stage 1 of the incident response
preparation
stage 1 of incident response - preparation
Always have a plan
Need to have tools
Set up your lab
Have procedures in place
Organisations may have a set of policies that will feed into your plans and procedures, you should also follow ACPO and the law
an IR plan
About how does what, when
Mission statement
Incident severity list
Communication tree
incident severity list
A plan might list incidents in order of severity, prioritising dealing with certain aspects in particular ways depending on how sever the incident is. May also depend on size of team
communication tree
so everyone in the team and externally who will be part knows who they need to communicate with and report to, along with the appropriate contact info
field tool kit
You can use
- If you can’t explain what you did and how it changed the original data you are not competent to use that tool to touch the original data
Reliable
Verifiable
Effective
procedures
flow chart
adopt pre-defined procedural chart
stage 2 of incident response - respond - the call out
Can get a call out to attend a crime scene
Read case brief
May need help from colleagues
- Still your responsibility to ensure ACPO is followed by everyone
Allows you to work out what you can seize as evidence at the crime scene, and what you might need to add to a warrant request
May need to check a warrant gives you the ability to collect enough devices at a crime scene and hasn’t just been written up as a specific device
stage 2 of incident response - respond - at the crime scene
Sketch
Photograph
Contemporaneous notes
Chain of custody
Bag and tag
stage 2 of incident response - respond - dealing with devices
A computer powered on
A computer powered off
A laptop
A mobile phone
A digital camera
