Digital Evidence & Incident Response
Digital Forensic
Practice of scientifically derived and proven technical methods and tools toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation.
Type of investigation
Internal Investigation
Criminal investigation
Branches
Conventional
Emerging
Importance
Protect from and solve cases
Financial fraud
Theft of intellectual property
Hacker system penetration
Worms and viruses
Challenges
Increase of PCs and internet access
Emerging of Cloud Computing
Rise of IoT
Process
Acquisition
Examination
Analysis
Report
Forensic Readiness
A method you use to undertake the necessary steps to acquire, examine and report on incidents in a manner that is admissible in court.
Forensics Readiness Plan (FRP)
A document that provides your incident management team with all the guidance it needs.
Components
Clearly stated objectives
Designated roles and responsibilities.
A comprehensive contact list of all persons required for the investigation.
Processes for acquiring, handling and storing evidence.
An escalation matrix (who and when).
Incident Response
Begins when an incident is detected and an incident manager is assigned.
An organized approach to addressing and managing the aftermath of a security breach or cyber attack (a security incident).
Goal - Handle the situation in a way that limits damage and reduces recovery time and costs.
Importance
Any incident that is not properly handled will usually lead to bigger problems.
Minimize losses, mitigate exploited vulnerabilities, restore services and processes
Establish a series of best practices to stop intrusion
Incident Response Plan (IRP)
Procedures for detecting, responding to and limiting the effects of a data security breach.
How to respond to potential attack scenarios
Methodology
Preparation
Detection & Analysis
Containment, Eradication & Recovery
Post-incident activity
Attacker Methodology
Reconnaissance
Scanning
Exploitation
Keeping access
Covering tracks
Digital Investigation
Data needs to be captured and preserved as early as possible
Handling malware
Investigate the forensic copy
Run anti-malware tools across the disk
Malware can be hidden within the system masquerading as legitimate files
Some malware is written specifically to exploit known vulnerabilities
Some malware can randomly change its own internal code
Sandboxes
A lab environment that simulates a real network, where no real harm is caused.
Investigate malware sample
Indicator-of-Compromise
Identify unique behaviour and create a specific signature for it.
Use a common language that is understood by the software tools.
Reporting
Provides a management summary of what was discovered, along with all the steps that were taken throughout the investigation.