Time
52 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hello, my name's David, and welcome to Pre-Incident Response.
00:07
We have been talking about incident response kits. When we looked at hardware in our last episode, we looked at a lot of different kits and configurations. In the documentation for the course, you'll be able to go out to some different websites to look at some
00:25
pricing on some of these items
00:28
in forensics and incident response. Some of the tools are free, some you'll have to pay for,
00:35
so you gotta balance it with your budget. If you're working for a company, of course, you need to be able to make a business justification for purchasing your incident response kit and the associated materials with it. If you're gonna try to start your own consultancy, then you're gonna have to invest your money very wisely,
00:54
because these things can rapidly get very expensive as you move along.
00:59
Now, we looked at hardware, so I do want us to spend a little bit of time together looking at some software
01:04
because software again is a very important part of incident response and doing
01:11
a good job.
01:12
So you need to be prepared, again, in order to know what software you need; it's based on a lot of different issues within the environment. Remember back to my story that I told you, when I walked into a client site?
01:27
I was sort of presupposing that I was gonna be dealing with Windows and Linux, but it was an Apple shop entirely, so I would have needed to purchase different kinds of forensic materials, forensic software with something more specific in mind,
01:46
in order to image and analyze the Apple
01:51
system files. So you have to take that into account. Is it a network-based investigation? Then you may need Wireshark installed, or you may need NetworkMiner, or you may have to purchase access to a cloud-based group, for example, packet
02:08
analyzers, network analyzers, and so on.
02:13
But again, knowing your environment is vital, so you have to take those kinds of things into account. Now
02:19
again, if you're working for an employer for a company, then you should have a pretty good idea of what is in your environment.
02:28
If you're gonna work as a consultant
02:30
again, you're going to have to deal with the unknown
02:34
and be able to deal with it quickly and also professionally, so keep that in mind as you go along. Now, some areas for you to consider in the incident response realm
02:46
are a wide variety of things. Memory forensics, for example: there's Volatility and Mandiant's Redline that are available for free, that you can have installed either on your laptop or a thumb drive, so that when you go in
03:06
to
03:07
a customer site that's experienced an incident, you can do memory captures and then memory forensics if need be. Digital forensics is a big part of
03:16
incident response; we haven't moved away from that yet, although there were rumblings that it could happen not so long ago. So you have EnCase and Autopsy as your examples of software
03:30
that you may need to consider purchasing or installing and utilizing. Now, I
03:35
separated those there because EnCase is paid software; it can be expensive.
03:43
It comes in a variety of formats, for network internal use and also standalone versions. Autopsy, on the other hand, is freeware that you can download on your system for free; very robust.
04:00
Surprisingly so. When you hear
04:02
free, sometimes the old maxim comes to mind: you get what you pay for, and that can be true when it comes to software. But what we're finding in the incident response and digital forensics world is that a lot of times the free tools are just as robust and
04:20
filled with options as paid can be.
04:25
Now, if you're looking at having to do network investigation or network forensics, of course, for software, Wireshark and NetworkMiner are just two examples of software that you need to both be familiar with and also have access to, so that you could utilize them during an incident.
04:45
Again,
04:46
it pays to be prepared. So making these kinds of determinations prior to getting that call
04:54
that we've had an incident, and they've hit the panic button and they're throwing lifelines out everywhere looking for help; it's important to have these things down in your IR repertoire before you get that call. So,
05:11
on Cybrary, we have courses on digital forensics and also on network examinations, Wireshark specifically,
05:18
that you can take to
05:21
give yourself a bit of a boost there if you need it. So take those on Cybrary; again, it's free training, why not use it? Now, one thing that is oftentimes overlooked is that last bullet up there on the screen: later analysis of the data that you gather. Say
05:40
that you get the call to go out to a site, which I used to get, so I'll kind of share how that goes.
05:46
As a third-party provider, we would get a call, usually 3 or 4 o'clock on a Friday afternoon: hey, we think we got breached, we need help. What are we gonna do? Jump on a call with the client and do a triage,
06:00
basically
06:02
information gathering. What are the symptoms? What have you identified? What tools? If we didn't know, what tools are in your network? Where are you located?
06:13
Because in that kind of scenario, we're probably going to do what? Stealing a military term, put boots on the ground. One of our analysts would be heading to the nearest airport with their hardware kit, their software kit,
06:30
jumping on an airplane and flying to the customer's site
06:34
in order to be on the scene. And that's where you would need your tools there for that, memory forensics and digital forensics, already preloaded on a laptop, a robust laptop
06:47
that you can take to the scene. I had one incident, similar role actually, one where we would go on site that way, and every now and then you would get caught flat-footed
07:00
and have to purchase something either there or have it shipped to you. Hopefully you avoid that more than you actually engage in it.
07:10
Moving back down to that data: you're not there long term. You're there gathering information,
07:18
gathering evidence, and then you're flying home. And that's where your analysis occurs. So you need to be able to analyze the .mem files that you got from the memory captures that you gathered. You need the ability to analyze logs,
07:38
and take that data, correlate it, build out timelines, identify symptoms of the breach, and help your customer remediate and correct and recover from the breach. Remember back when we talked about the steps; they're all covered throughout this process.
07:57
So here's an example.
07:58
This is back from my law enforcement days, a child *** case. We walked in; this was the guy's house.
08:05
Yeah, I know, lovely, right? But look at those systems: they've been torn apart and put back together. There's a hard drive sitting outside the case, there's a hard drive sitting on top of the desk not in use. And in this instance, when we went in, he had just left for work. We timed it to go in after he had left, and his system was running,
08:26
and I had never done a live forensic
08:30
capture at that point in time in my career; it was brand new to me. Thankfully, I had speed dial to a local lab where they actually did those kinds of things all the time. I called them up, and they walked me through the process of doing screen captures and capturing running processes and all that.
08:48
So
08:50
this is the kind of thing you may find yourself involved in, not necessarily, hopefully, child ***, but you may be dealing with live systems, systems that have been shut down, systems that have been quarantined, so
09:03
you have to have the ability in your kit to deal with that. Here's another one. A customer contacts you regarding a new vulnerability that is allowing attackers to exploit a flaw (and remember, that's not critical, right? Sound familiar?) and gain access. The customer believes their network was breached and wants you to investigate. What do you do?
09:22
Pause it there and think about that. What kind of tools would you need? What kind of information would you need?
09:26
How would you prepare to go into that customer's environment and basically go threat hunting, looking for a problem?
09:33
Now there are a lot of portable software examples out there. Paladin Pro puts out a bootable USB drive that you carry with you in order to help you in these kinds of processes.
09:46
There are a lot of people who like to build their own. They'll do their own scripting and all that. I have included a list of different websites with this course that can help you determine what you need or want, how to go out and buy them or get them for free,
10:01
in order to be able to conduct analysis. Ray Pierre by Google was one of those, just an example of one that you could download,
10:09
install on a thumb drive, and take out and use.
10:13
Again, if you have any questions as regards this
10:15
review of software and its function at all, reach out to me on Cybrary. I'd be happy to talk to you. Have a fantastic day.

Up Next

Incident Response Planning

In Incident Response Planning, David Biser describes the different aspects to consider when creating and implementing an incident response plan. These different aspects act as tools that help an organization create a thorough incident response plan.

Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor