Hello, Cybrarians, and welcome back to Incident Response and Advanced Forensics.
My name is Max Alexander,
and I'll be your subject matter expert for today's lesson, which is forensics and support of incident response.
So what does forensics have to do with incident response?
Beyond your traditional incident response, which is just doing a cursory investigation of basic incidents, forensics can help identify the total extent of an incident.
So by looking more closely at the operating system and the machine itself, incident responders can get a better idea of exactly what happened during the incident.
Forensics can also identify a timeline of events. Merely knowing that malware infected a system may not be enough; going back and reconstructing that timeline of when the infection took place and what the malware did matters.
And it's not even only malware. If you're looking at some type of insider threat investigation, helping to establish a timeline puts a person behind the keyboard during the time an incident such as theft was occurring.
Forensics can also help identify actions taken by malware and malicious users. So what did the malware do when it was on the system? What did that malicious user do when he or she was using the system?
Forensics can also help with damage assessments,
so helping to determine what data was taken, what the malware did when it was on the system, and what files it packaged up.
And lastly, forensics can help tell a story and answer the basic interrogatives: who, what, when, where, why and how.
So forensics should build that picture. It should help tell that story, that complete picture
of exactly what happened during an incident.
Before we go any further and discuss how to do forensics, there are some basic golden rules that must be followed when doing any forensic investigation in support of an incident.
So the first rule is securing the scene and making it safe. From a law enforcement perspective, securing the scene means making sure that there's no suspect there who could potentially cause injury or death to responders. But that can also be extended, in the greater sense, to
making sure that the scene is safe
from potential hazards: that could be fire, electrical hazards, anything that could put the responders at risk. You essentially want to make sure that the scene is safe, and if it is not, try and make it safe to the best of your ability.
Further, if you believe that the computer involved in the incident you're investigating is somehow destroying evidence, or you found a computer that you think may be involved in the particular incident that you're investigating,
you should take immediate steps to preserve
that computer and preserve that evidence. Or if you find a thumb drive, you should take care to preserve that thumb drive. For any type of digital evidence that you find during your investigation, you should take steps to ensure that that device, that computer, is going to remain uncontaminated
during your investigation process.
The next thing that you should ask is: do you have a legal basis to seize this computer, to seize this evidence?
Now, in corporate environments, more than likely you are the data owner. You own the computer system, so generally you do have the legal right to seize the computers and the data that is on them. However, there are caveats to that, especially when we talk about BYOD devices
and bringing those to work.
If you have company data on those devices, what authority do you have
to seize that data? Also, I look at this from a US perspective, but if you're overseas, there are laws outside of the United States that many people may not be aware of, and you have to abide by those laws and apply them to your forensic investigation process.
The next rule is: do not access any computer files. If the computer's off, leave it off. If it's on, don't start searching through the computer. Now, this is mainly geared toward your first responder, who is really unaware of basic forensic principles.
Oftentimes a trained forensic investigator may not be the person who is going to respond to this incident.
It may be someone who has minimal knowledge of computer systems and minimal knowledge of forensics, and they think that they're trying to help, so they're going to start searching through the computer, which is something you don't want to do, because you could essentially contaminate or damage any evidence that you have.
If you hoped to take this case to court,
it would essentially put the kibosh on doing that.
The next golden rule is that if the computer is on, take appropriate steps, as we're going to discuss later, on how to shut down the computer properly and prepare the evidence for transportation. And then I'll caveat that with: if there is any type of volatile memory that you're going to take from that system,
we would want to collect that volatile memory and/or the Windows
recovery encryption keys for BitLocker. We may also want to take those as well, so I will go ahead and caveat that rule.
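As an added example, not part of the lecture or the course materials, here is a PowerShell triage script that captures what the caveat above describes before a running Windows host is powered off: the BitLocker recovery passwords (an encrypted volume is unreadable after shutdown without them), the volatile state that disappears at shutdown (processes, TCP connections, logged-on sessions), and a physical-memory image. The evidence path and the memory-acquisition tool path are placeholders I am assuming; the memory tool's command-line form is also an assumption, since that depends on whichever tool your team has licensed. Everything written is SHA-256 hashed and timestamped in a collection log so the collection can later be shown to be unaltered.

```powershell
# Added example (not from the lecture): pre-shutdown volatile-evidence capture on Windows.
# Assumptions: run from an elevated PowerShell session; $EvidenceRoot is collector-controlled
# media (ideally removable); $MemoryTool is a PLACEHOLDER for your memory-acquisition tool.
$EvidenceRoot = 'E:\evidence\HOST-PLACEHOLDER'
$MemoryTool   = 'E:\tools\MEMORY-ACQUISITION-TOOL-PLACEHOLDER.exe'
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

# Every step gets a UTC timestamp in a running log: who collected what, and when.
$Log = Join-Path $EvidenceRoot 'collection-log.txt'
function Write-Log($msg) {
    "$((Get-Date).ToUniversalTime().ToString('u')) $msg" | Tee-Object -FilePath $Log -Append
}
Write-Log "Collection started by $env:USERNAME on $env:COMPUTERNAME"

# 1. BitLocker recovery passwords. Once the box is off, an encrypted volume cannot be
#    read without these, so they are exported while the volume is still unlocked.
try {
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        $vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object { "$($vol.MountPoint) $($_.KeyProtectorId) $($_.RecoveryPassword)" }
    } | Out-File (Join-Path $EvidenceRoot 'bitlocker-recovery.txt')
    Write-Log 'BitLocker recovery protectors exported'
} catch {
    Write-Log "BitLocker export failed: $($_.Exception.Message)"
}

# 2. Volatile state lost at shutdown: running processes, network sockets, user sessions.
Get-Process | Sort-Object Id | Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv (Join-Path $EvidenceRoot 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $EvidenceRoot 'tcp-connections.csv') -NoTypeInformation
query user 2>&1 | Out-File (Join-Path $EvidenceRoot 'logged-on-users.txt')
Write-Log 'Process, network and session snapshots written'

# 3. Physical memory image. The argument form (output file as the only argument) is an
#    assumption about the placeholder tool; adjust to the tool you actually use.
if (Test-Path $MemoryTool) {
    & $MemoryTool (Join-Path $EvidenceRoot 'memory.raw')
    Write-Log 'Memory image written'
} else {
    Write-Log 'Memory tool not present at placeholder path; memory NOT captured'
}

# 4. Hash every artifact (the log is excluded because it is still being appended to) so the
#    collection can be verified unaltered when it is examined later.
Get-ChildItem $EvidenceRoot -File | Where-Object Name -ne 'collection-log.txt' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $EvidenceRoot 'hashes.csv') -NoTypeInformation
Write-Log 'SHA-256 hashes recorded; collection complete'
```

The ordering is deliberate: the recovery keys and the memory image are the two things that cannot be recovered once power is cut, so they come before anything that touches the disk more heavily, and the hash manifest is produced last so that it covers every file the script wrote.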
The golden rules continued.
If you reasonably believe that a computer is destroying evidence, immediately shut down the computer by pulling the power cord from the back of the computer.
Obviously, if it's a laptop, pulling the power cord's not going to do any good; you would more than likely want to shut the system down, either by pushing the power button or by clicking on the Windows icon and selecting power down. We do have a whole section that covers that.
If there's a camera available and the computer's on, take pictures of the screen. If the computer's off, take pictures of the computer, its location, and any electronic media attached and/or cables or other devices. Again, we have another section devoted entirely to taking photographs.
A picture's worth a thousand words, quite literally, and it
saves time in an investigation. When you're doing this forensic investigation and this incident response, the last thing that you have time to do is sit around and write extensively. Although you do have to take notes, taking a picture
simplifies and speeds up that process.
And then the last golden rule is asking yourself: do special legal considerations apply? Are you doing an incident response and forensic investigation on someone who may have doctor, attorney, clergy, psychiatrist, newspaper publisher privileges, et cetera?
So depending on where you work and the type of incidents that you're going to respond to,
some of those caveats may apply, and those individuals may be afforded different privacy rights than your standard users. Again, consult your legal counsel when encountering any types of situations such as those.