Please enable JavaScript.

Coggle requires JavaScript to display documents.

Digital Forensics and Incident Analyst and Response, image, image, image,…

- - - - It is important that an organization develop well-documented processes and procedures for digital forensic analysis. Regulatory compliance may require this documentation, and this documentation may be inspected by authorities in the event of a public investigation.
    - - IETF RFC 3227 provides guidelines for the collection of digital evidence. It describes an order for the collection of digital evidence based on the volatility of the data. Data stored in RAM is the most volatile, and it will be lost when the device is turned off. In addition, important data in volatile memory could be overwritten by routine machine processes
      - Chain of Custody
        
        Although evidence may have been gathered from sources that support attribution to an accused individual, it can be argued that the evidence could have been altered or fabricated after it was collected. In order to counter this argument, a rigorous chain of custody must be defined and followed.
- - - - is when the threat actor performs research, gathers intelligence, and selects targets. This willinform the threat actor if the attack is worth performing. Any public information may help to determine the what, where, and how of the attack to be performed. There is a lot of publicly available information, especially for larger organizations including news articles, websitles, conference proceedings, and public-facing network devices.
      - Exploitation
        
        After the weapon has been delivered, the threat actor uses it to break the vulnerability and gain control of the target The mast common
        
        exploit targets are applications, operating system vulnerabilities, and users. The attacker must use an exploit that gains the effect they
        
        desire. This is very important because if the wrong exploit is conducted, obviously the attack will not work, but unintended side effects
        
        such as a DoS or multiple system reboots will cause undue attention that could easily inform cybersecurity analysts of the attack and the
        
        threat actor's intentions.
  - - - This step is where the threat actor establishes a back door into the system to allow for continued access to the target. To preserve this
      - backdoor, it is important that remote access does not alert cybersecurity analysts or users. The access method must survive through
      - antimalware scans and re booting of the computer to be effective. This persistent access can also allow for automated communications,
      - especially effective when multiple channels of communication are necessary when commanding a botnet.
- - - - The preparation phase is when the CSIRT is created and trained. This phase is also when the tools and assets that will be needed by the team to investigate incidents are acquired and deployed. The following list has examples of actions that also take place during the preparation phase: