Module 6 - Incident Response Toolkit Flashcards

Characterize the importance of Federal Rule of Evidence 702 / Daubert to toolkits. Compare and contrast the goals of various incident responders and, consequently, the tools they will use. Examine the list of underlying Dynamic Link Libraries associated with an application. Create an incident response CD that can be used with a jump kit.

1
Q

Differences in the way personnel handle incidents

A

Help Desk - may download tools onto the system

Consequence: investigators have to separate what the help desk did from what the incident itself did
2
Q

IR Toolkits

A
  • preparation phase
  • tested tools with a small footprint
  • for different OSes
3
Q

Toolkit requirements

A

Must comply with Federal Rule of Evidence (FRE) 702

Daubert standard
4
Q

Daubert

A

Daubert

  • Whether the expert’s technique or theory can be or has been tested—that is, whether the expert’s theory can be challenged in some objective sense, or whether it is instead simply a subjective, conclusory approach that cannot reasonably be assessed for reliability;
  • Whether the technique or theory has been subject to peer review and publication;
  • The known or potential rate of error of the technique or theory when applied;
  • The existence and maintenance of standards and controls; and
  • Whether the technique or theory has been generally accepted in the scientific community.
5
Q

Tool selection / implementation

A

Stand-alone tools preferred
Burn to CD (non-writable, so the tools cannot be altered)
Rename tools so their use can be tracked
Run as Administrator
6
Q

Statically-linked vs Dynamically-linked executables

A

Statically linked - self-contained; contains all the code necessary to run as a standalone program. (Preferred: limits the footprint on the suspicious computer and does not rely on files that may be compromised.)

Dynamically linked - relies on libraries loaded in the computer's memory to run.
7
Q

Tools for inclusion

A
  • tool to make forensic copy
  • memory capture
  • capture volatile data
  • netcat or another tool to pass data across the wire
  • Live CD
8
Q

Testing

A
  • preassemble tools
  • run in controlled environment
  • document results
9
Q

Updating Tools

A
  • keep a historical library of old toolkits
  • updates require new testing
  • maintain revision numbers or dates on toolkits
10
Q

Tools for Incident Response CDs

A
  • Sysinternals
    • MIR-ROR (Motile Incident Response - Respond Objectively, Remediate)
  • Mandiant
    • Redline
    • Memoryze
    • IOC Finder
  • AccessData - FTK Imager
  • F-Response
  • EnCase Enterprise
11
Q

Toolkits beyond CDs

A
  • network packet capture
  • laptops
  • USB flash drives with known serial numbers
  • network cables
  • cross-over cables
  • hubs
  • external media
  • IP address or server to receive data