Part 1 - Forensics in Support of an Incident Response

Video Activity

This lesson discusses forensics in support of an incident response. The role of forensics in incident response is to identify:
· Extent
· Timeline
· Action
· Damage
· Tell a story and answer basic questions
In addition, participants learn about the Golden Rules during incident response.


Time: 7 hours 56 minutes
Difficulty: Advanced

Video Transcription
Hello cyber audience, and welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert for today's lesson, which is Forensics in Support of Incident Response.

What does forensics have to do with incident response? Beyond your traditional incident response role, so just doing a cursory investigation of some basic incidents, forensics can help identify the total extent of an incident. By looking at maybe more of the operating system and machine, incident responders can get a better idea of exactly what happened during this incident.

Forensics can also identify a timeline of the depth of events. Just merely knowing the malware infected the system may not be enough. Going back and reconstructing that timeline of when the malware took place, what it did, or not even malware: but maybe if you're looking at some type of insider threat investigation, hoping to establish a timeline puts a person behind a keyboard during maybe an incident of theft occurring.

Forensics can also help identify actions taken by malware and malicious users. What did the malware do when it was on the system? What did that malicious user do when he or she was using the system?

Forensics can also help with damage assessments: helping to determine what data was taken; what did the malware do when it was on the system? What files did it package up?

Lastly, forensics can help tell a story and answer the basic interrogatives: who, what, when, where, why, and how. Forensics should build that picture. It should help tell that story, that complete picture, of exactly what happened during an incident.

Before we go on any further and discuss how to do forensics, there are some basic golden rules that must be followed when doing any forensic investigation in support of an incident.

The first rule is securing the scene and making it safe. From a law enforcement perspective, securing the scene is making sure that there's no suspect there who can potentially cause injury or death to responders. But that could also be extended into the greater sense of making sure that the scene is safe from potential hazards. It could be fire, electrical hazards, anything that could put the responder at risk. You essentially want to make sure that the scene is safe, and if it is not, try and make it safe to the best of your ability.

Further, if you believe that the computer which is involved in the incident you're investigating is somehow destroying evidence, or you've found the computer that you think may be involved in the particular incident that you're investigating, you should take immediate steps to preserve that computer and preserve that evidence. Or if you find a thumb drive, you should take caution to preserve that thumb drive. Any type of digital evidence that you find during your investigation, you should take the steps to ensure that that device, that that computer, is going to be uncontaminated during your investigation process.

The next thing that you should ask is: do you have the legal basis to seize this computer, to seize this evidence? Now in corporate environments, more than likely you are the data owner. You own the computer system. Generally you do have that legal right to seize the computers and the data that is on them. However, there are caveats to that, especially when we talk about BYOD devices and bringing those to work. If you have company data on those devices, what authority do you have to seize that data? Also, I look at this from a US perspective, but if you're overseas, there are laws outside of the United States that many people may not be aware of, and then you'd have to abide by and apply those laws to your forensic investigation process.

The next rule is: do not access any computer files. If the computer's off, leave it off, and if it's on, don't start searching through the computer. Now, this is mainly geared toward your first responder who is really unaware of basic forensic principles. Oftentimes, a trained forensic investigator or forensic caterer may not be the person who's going to respond to this incident. It may be someone who has minimal knowledge of computer systems, minimal knowledge of forensics, and they think that they're trying to help and they're going to start searching through the computer, which is something you don't want to do because you could essentially contaminate and damage any evidence that you have. If you hope to take this case to court, it would essentially put the kibosh on doing that.

The next golden rule is: if the computer's on, take appropriate steps, as we're going to discuss later on, to properly shut down the computer and prepare it for transportation as evidence. Then I'll caveat that with: if there is any type of volatile memory that you're going to take from that system, we would want to collect that volatile memory and/or the Windows recovery encryption keys for BitLocker; we may also want to take those as well. I will go ahead and caveat that rule.

The golden rules continue. If you reasonably believe that a computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer. Obviously, if it's a laptop, pulling the power cord is not going to do any good. You would more than likely want to shut the system down either by pushing the power button or clicking on the Windows icon and selecting power down. We do have a whole section that does cover that.

Moving on: if the computer is on, take pictures of the screen. If the computer is off, take pictures of the computer, its location, and any electronic media attached, and/or cables or other devices. Again, we have another section devoted entirely to taking photographs. A picture's worth a thousand words, quite literally; it saves time in an investigation. When you're doing this forensic investigation and you're doing this incident response, the last thing that you have time to do is sit around and write extensively, although you do have to take notes. Taking a picture can simplify and speed up that process.

Then the last golden rule is asking yourself: do special legal considerations apply? Are you doing an incident response, a forensic investigation, on someone who may have doctor, attorney, clergy, psychiatrist, newspaper, or publisher privileges, etc.? Depending on where you work and the type of incidents that you're going to respond to, some of those caveats may apply, and those individuals may be afforded different privacy rights than your standard users. Again, consult your legal counsel when encountering any types of situations such as those.