Incident Response Flashcards

1
Q

Incident response

A
  • Digital forensics professionals may or may not be involved directly with incident response (IR), although they should be familiar with its processes and procedures
2
Q

Depending on the workplace you could have:

A
  • A team dedicated to IR
  • A team that deals with cyber security and IR
  • A team that deals with IR and the digital forensics that follows
  • An outsourced team that deals with cyber security, IR and digital forensics
  • Or work in the lab and have artefacts handed to you to work on
3
Q

What is IR in digital forensics?

A

Incident response is, as the name implies, about how an incident is responded to.
4
Q

What is an incident?

A
  • Data breach
  • DDoS attack on a network
  • Malware infection
  • Unauthorised access
  • Murder, robbery, fraud…
5
Q

Dealing with an incident

A
  • Varies depending on job role and incident
  • You may be the first digital forensics person there if you are asked to attend the scene
  • Public sector: a crime scene
  • Private sector: the organisation's building; with policy violations, it might not be realised until the investigation that laws as well as policies have been broken
6
Q

6 stages of incident response

A
  1. Plan
  2. Respond
  3. Acquire
  4. Analyse
  5. Report
  6. Learn
    Cyber security may have different stages to digital forensics.
7
Q

Stage 1: preparation

A
  • Always have a plan
  • Have some tools; which tools you have depends on some factors: what you can use, what you need to do and what you can afford
  • Set up your lab, your ‘go bag’ (light and heavy: the tools you’ll take to an incident) and your work area
  • Have some procedures in place and a flow of what happens when
  • An organisation may have a set of policies that will feed into your plans and procedures; you should also follow ACPO guidelines and the law
8
Q

An IR plan

A
  • Who does what and when
  • You’ll have a mission statement
  • Incident severity list
  • Communication tree
9
Q

A plan

A

A plan might list incidents in order of severity, prioritising certain aspects in particular ways depending on how severe the incident is. This may also depend on the size of your team! If you are within an organisation that has policies, then these will direct your plan, as well as how you preserve evidence and the process by which you work.
10
Q

Mission statement

A

A mission statement could be:
“Mitigate as many vulnerabilities as possible, whilst keeping the organisation’s reputation intact, and then providing all the evidence to deal with the perpetrators of the incident(s) appropriately.” This will be something specific to your team and organisation, and as your plan develops over time your mission statement will likely change too. If you are just doing the digital forensics and another team is working on the security aspect, then they will be doing the mitigating part (and looking after the reputation aspects whilst doing so), leaving your team to focus purely on evidence collection, preservation and analysis.
11
Q

Communication tree

A

You might also have a communication tree, so that everyone in the team, and everyone externally who will be part of the incident response plan, knows who they need to communicate with and report to, along with the appropriate contact information so this communication can happen easily. The communication tree should show the team structure and where any approval from higher up is needed, for example from stakeholders.
12
Q

Your field tool kit (think ACPO)

A
  • All the tools you might need that:
    - You can use
    - Are reliable
    - Are verifiable
    - Help you do your job effectively
13
Q

Procedures

A

Think flow charts: you need to think about the steps you take when running an investigation. You might adopt a pre-defined procedural chart, or customise one or create one yourself.
14
Q

Stage 2: respond, the call-out

A
  • You get a call-out, receive the brief and have to get there quickly
  • Read the brief and make notes to decide how many team members you will need, and make a quick plan
  • Evidence bags will probably be needed; know your team in order to work together effectively, recovering evidence efficiently and quickly whilst following the documentation and ACPO guidelines
  • Need to check that a warrant gives you the ability to collect enough devices at a crime scene: don’t be too specific, but be specific enough for the warrant to be granted
  • IPA 2016 (Investigatory Powers Act): communication devices and their data have set reasons for which you can collect them
15
Q

Stage 2: respond, at the crime scene

A
  • Sketch
  • Photograph
  • Contemporaneous notes
  • Evidence forms
  • Chain of custody
  • Bag & tag
16
Q

Stage 2: respond, dealing with devices

A
  • A computer powered on
  • A computer powered off
  • A laptop
  • A mobile phone
  • A digital camera
    All devices you might find at a crime scene. ACPO guidelines tell you how to deal with devices whether they are on or off.
17
Q

Stage 3: acquire

A
  • After numbering the artefacts, taking photographs and completing all the paperwork, it is time to start the acquisition process
  • If a device is powered off then it is fairly easy to deal with (don’t turn it on; take the hard drive out)
  • If a device is powered on then it is more complex, but still fairly straightforward (look at what’s on the screen and take a photo of it)
  • Might need to forensically image a device at the scene
18
Q

Stage 4: analysis, back at the lab

A
  • Analyse each of the artefacts collected from the crime scene
  • Mobile phones: XRY & XAMN
  • Computer/laptop hard drives: FTK Imager, FTK, Registry Viewer
  • Digital pictures/photographs: FTK, Griffeye
    Hardware and software are needed to analyse the evidence
19
Q

Stage 5: reporting

2 main forms of reporting

A
  • Technical report
  • Expert witness report

20
Q

Technical report

A

The technical details about what you found during the analysis of the artefacts, explained clearly so that non-technical readers can follow the report through.

21
Q

Expert witness report

A

Takes the key findings from the technical report and reports them to the court. It contains the technical details in plain English as well as some legal terms.

22
Q

Stage 6: learn -> plan

A
  • What happened
  • Improvements
  • CPD
  • Plan for next time
    Once the investigation is complete, the last stage is to go over what happened, what went well and what could have gone better. Think about any issues that could have been resolved by additional training or self-learning. Put these items into the team’s overall IR plan, updating it as necessary.