Digital Forensics and Cyber Security

Added on  2020/03/16

COMPUTER FORENSIC
INCIDENT RESPONSE LIFECYCLE AND DIGITAL FORENSIC

Contents
INCIDENT RESPONSE LIFECYCLE AND DIGITAL FORENSIC
INTRODUCTION
COMPUTER FORENSICS
  Digital Forensic Methodology
  Incident
  Event
  Incident Response
  Benefits
INCIDENT RESPONSE METHODOLOGY
  NIST SP 800-61r2
  Policy Elements
  Plan Elements
  Procedure Elements
  Information Sharing with External Partners
  Structure of Incident Response Team
  PHASES
    PREPARATION
    DETECTION AND ANALYSIS
    CONTAINMENT, ERADICATION AND RECOVERY
    POST-INCIDENT ACTIVITY
    Checklist of Incident Handling
    Recommendations
  COORDINATION AND SHARING OF INFORMATION
    Coordination
    Techniques for Information Sharing
    Granular Information Sharing
COMPARISON WITH SANS PICERL
  Similarities
  Differences
IMPACT OF FBI DIGITAL FORENSICS INVESTIGATION APPROACH
CONCLUSION
REFERENCES
EXECUTIVE SUMMARY
Cyber crime and data breaches are among the greatest challenges faced by almost every
organization with a major online presence. Information technology professionals in every
medium to large organization therefore face the challenge of planning and preparing for
unexpected incidents, quite apart from hardening the web servers of their businesses. Incidents,
meaning violations of law, policy or acceptable use involving networks, computers, smartphones
and similar devices, are among the biggest threats to organizations throughout the world. The
threat is serious because handling an incident can take a long time and demands a dedicated
incident response team working full time until the issue is completely resolved, and for every
minute of the incident response lifecycle the organization suffers losses, as the affected business
tasks and activities are paused during that time.
INTRODUCTION
Digital forensics is the branch of forensic science concerned with computer crime. It deals
with the investigation and recovery of material found in digital devices. Digital forensics is a
relatively young forensic science, and it has been advancing in several dimensions, technically,
legally and in terms of complexity, as the size and complexity of incidents and computer crimes
have increased drastically throughout the world. Many approaches have been developed to
conduct investigations and recover data, and then to raise the security level of individual systems
and of systems networked in large numbers. Each model and approach has its own logical process
and procedure for conducting the investigation and recovery, though many of them share common
phases [1].
The development of computer security and digital forensic approaches and models began in the
1980s, when the concept of computer crime emerged, with the FBI among the first to take it up.
COMPUTER FORENSICS
Computer forensics is younger than the other forensic sciences. The computer forensic
process involves data extraction followed by data analysis, and it can be summarized by a
flowchart describing the methodology for digital forensic analysis [2]. Computer forensics can be
defined as the use of scientifically derived and proven methods for the collection, preservation,
validation, identification, analysis, interpretation, documentation and presentation of digital
evidence derived from digital sources. The objective is to facilitate or further the reconstruction
of events found to be criminal.
Computer forensics makes use of methods and tools that are scientifically verified, yet
it still involves elements of interpretation, judgement and skill.
Digital Forensic Methodology
Computer forensics has the following key elements, shown in the flowchart below.
Figure: Computer forensic process
The process is the basic one for the forensic team; the forensic examiner and the
prosecutor have to communicate and decide between them how much of the process has been
completed so far and how many times the process should be iterated.
Incident
An incident is a violation, or an imminent threat of violation, of computer security
policies, acceptable use policies or standard security practices [3]. For example, an attacker may
instruct a botnet to send connection requests to a web server in such volume that the server
crashes.
Event
An event is any observable occurrence in a system or network. For example, an event
can be a request received by a server for a web page, a user sending an email, and so on. In the
context of computer forensics the events of interest are adverse events, those with a negative
consequence, such as a system or server crash or unauthorized access to protected data.

Incident Response
Attacks usually end in the compromise of personal or business data, and they demand an
immediate and critical response once a security breach has occurred. Hence computer security
incident response has been widely implemented and accepted. An incident response capability
supports responding to incidents systematically, by following a consistent incident handling
methodology so that the appropriate actions are taken [4].
Benefits
Incident response helps organizations and individuals to minimize the loss or theft of
information and the disruption of services resulting from incidents. The information gained from
handling an incident can be used to prepare better for future incidents and to provide stronger
protection for systems and data. An incident response capability also helps the organization deal
properly with the legal issues that arise from incidents.
An incident response capability is also required of federal agencies and departments in
order to comply with the laws, regulations and policy that direct coordinated and effective defense
against information security threats.
Figure: Communicating with External Parties
INCIDENT RESPONSE METHODOLOGY
The incident response methodology has been designed and developed by considering the
creation of policies, plans and procedures.
NIST SP 800-61r2
NIST SP 800-61 Revision 2, the Computer Security Incident Handling Guide, is a
standard and widely used incident response methodology. It was developed by NIST (the
National Institute of Standards and Technology), which develops the guidelines and standards
that set the minimum requirements for providing adequate security for the information, assets
and operations of federal agencies [15].
The guide is intended to help medium to large organizations establish an effective
CSIRC (Computer Security Incident Response Capability). It gives organizations guidance on
the provisions needed for an incident response team and on the structure and service models the
team can adopt, and it is reflected in the plans, policies and procedures that govern the
interactions among the teams.
Policy Elements
The NIST SP 800-61r2 methodology enables organizations to include the key policy
elements, most commonly the following.
- Purpose and objectives of the policy
- Statement of management commitment
- Scope of the policy
- Definition of computer security incidents and related terms
- Organizational structure and definition of roles, responsibilities and levels of authority,
including the authority of the incident response team to monitor suspicious activity and to
confiscate or disconnect equipment
- Types of incidents, guidelines and requirements for external information sharing and
communication, and escalation and handoff points in the incident management process
- Prioritization or severity ratings of incidents
- Reporting and contact forms
- Performance measures
Plan Elements
The methodology allows the organization to define the following plan elements.
- A formal, focused and coordinated approach to responding to the various kinds of
incidents, including an incident response plan
- Plans unique to the organization's mission and vision
- A detailed plan for an organization includes
o Mission
o Strategies and goals
o Senior management approval
o Organizational approach to incident response
o How the incident response team communicates with the rest of the organization
and with other organizations
o Metrics for measuring the incident response capability and its effectiveness
o Roadmap for maturing the incident response capability
Procedure Elements
The methodology allows organizations to develop standard operating procedures (SOPs)
for the specific techniques, processes, forms and checklists used by the team, according to the
organization's priorities, which are then reflected in response operations [14]. SOPs help to
minimize the errors caused by the stress of incident handling. The methodology recommends
testing the SOPs for accuracy and usefulness before distributing them to the members of the
team.
Information Sharing with External Partners
The methodology helps with sharing information externally, such as contacting law
enforcement, seeking outside expertise and fielding media enquiries. Other important outside
parties are internet service providers, other incident response teams and the vendors of
vulnerable software.
1. Media
The methodology helps establish procedures for media communications, complying
with the organization's policies on information disclosure and media interaction, through
a single point of contact and one backup contact.
2. Law Enforcement
The incident response team can use the methodology to maintain contact information for
law enforcement at the local, state and national level, so that the appropriate agencies
can be contacted and communicated with.
3. Incident Reporting Organizations
The team is able to share information with incident reporting organizations, such as
US-CERT (United States Computer Emergency Readiness Team), as part of its incident
handling efforts. The agency designates a primary and a secondary point of contact with
US-CERT, and all incidents are reported consistently with its incident response policy.
4. Other outside parties include the owners of attacking addresses, the organization's ISP,
software vendors, affected external parties and other incident response teams.
Structure of Incident Response Team
The methodology enables an organization's incident handlers to analyze incident data,
determine the impact of the incident and act appropriately to minimize the damage and restore
normal services.
The methodology allows the following possible structures.
1. Team models: a central incident response team, distributed incident response teams or a
coordinating team, with three staffing models: employees, partially outsourced and fully
outsourced.
2. Team model selection is made on factors such as
a. the need for 24/7 availability
b. full-time versus part-time team members
c. employee morale
d. staff expertise
e. cost
Organizations considering outsourcing should also consider the division of
responsibilities, the current and future quality of work, the sensitive information shared
with the contractor, the contractor's lack of organization-specific knowledge, the
maintenance of in-house incident response skills, the handling of incidents at multiple
locations and the lack of correlation between them.
3. Incident response personnel, such as managers and technical leads, make use of the
methodology as part of the incident response team.
4. Dependencies within the organization include management, IT support, information
assurance, human resources, media relations, public affairs, business continuity planning,
the legal department and the management of physical security and facilities.
Services of Incident Response Team
The methodology allows the team to perform not only incident response but also related
tasks, such as
1. advisory distribution
2. intrusion detection
3. education and awareness
4. information sharing
Overall Functions
The methodology covers the following functions.
1. Creating an incident response policy
2. Establishing a formal incident response capability
3. Developing an incident response plan based on the incident response policy
4. Developing incident response procedures
5. Providing pertinent information on incidents
6. Considering the relevant factors when selecting an incident response team model
7. Selecting people with the appropriate skills for the team
8. Identifying the other groups that participate in incident handling
9. Determining the services the team will offer
PHASES
NIST SP 800-61 Revision 2 organizes the entire computer security incident response
process into four phases [14].

Figure: The Methodology’s Incident Response Life Cycle
PREPARATION
Preparation for Incident Handling
The methodology lists tools and resources to be made available for use during
incident handling, as a starting point for discussion.
It covers incident handler communications and facilities, such as contact
information, incident reporting mechanisms, on-call information, smartphones, an
issue tracking system, war rooms, encryption software and a secure storage
facility.
It covers incident analysis hardware and software, such as digital forensic
workstations and backup devices, blank removable media, laptops, spare servers,
workstations and networking equipment, evidence gathering accessories, digital
forensic software, protocol analyzers, packet sniffers and removable media, with
virtualized equivalents as an optional addition.
It covers incident analysis resources, such as operating system documentation,
port lists, network diagrams, lists of critical assets, cryptographic hashes of
critical files and current baselines of expected system and network behaviour.
It covers incident mitigation software, such as access to clean images of
operating system and application installations for restoration and recovery.
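As an added example, not from this page or from NIST SP 800-61, the following Python shows how the "cryptographic hashes and current baselines" item above is used in practice: a baseline of SHA-256 digests of critical files is taken during preparation, and later the current tree is hashed and compared to find modified, added and removed files. The sample file tree, the baseline format (path to hex digest) and the helper names are assumptions constructed for this illustration.

```python
"""Cryptographic-hash baseline of critical files, compared against the current
state to find changed, added or removed files.  Added example, not from NIST
SP 800-61 or any product; the baseline format and the sample file tree are
assumptions constructed for this illustration."""
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the content; any single-bit change gives a different digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Create the baseline: path -> digest.  In preparation this is stored
    offline (e.g. on write-once media), since an attacker with write access to
    the host could otherwise rewrite the baseline along with the files."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: dict, current_files: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline."""
    current = build_baseline(current_files)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def read_tree(root: str) -> dict:
    """Read every regular file below root, keyed by its path relative to root."""
    files = {}
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def _write(root: str, rel: str, text: str) -> None:
    """Helper for the demo: write a text file below root, creating directories."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample tree standing in for a host's critical files.
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(read_tree(root))   # taken in the preparation phase

        # Simulated compromise: account added, hosts file deleted, cron job dropped.
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "etc/cron.d/persist", "* * * * * root /tmp/.x\n")

        report = compare_to_baseline(baseline, read_tree(root))
        for kind, paths in report.items():
            print(f"{kind}: {paths}")
```

The digest comparison tells the handler which files changed, not what changed; the baseline must be stored where a compromised host cannot rewrite it, and the report is only as good as the baseline's coverage of the files that matter.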
Prevention of Incidents
Although incident response methodologies cannot themselves provide protection
against the occurrence of incidents, it is important to keep the total number of
incidents low, so that the incident response process can be complete and fast.
Hosts have to be well protected, on the basis of risk assessment, network
security, host security, malware prevention, and user awareness and training.
DETECTION AND ANALYSIS
The NIST SP 800-61r2 incident response methodology performs detection and analysis
of incidents effectively by addressing the following related tasks [15].
Attack vectors
The methodology deals directly with the common attack vectors, such as
attrition, removable or external media, email, web, improper usage, impersonation,
and loss or theft of equipment. Apart from these common attack vectors, the
methodology also allows for more complex ones, and it requires the organization
to develop specific strategies for handling the varied and unique incidents that
occur.
Signs of Incident
The methodology helps to identify the signs of incidents, which is the most
difficult part of incident response, in an effective way. It helps to determine
whether an incident has occurred and, if so, the type, extent and magnitude of
the incident. This is challenging for any methodology, because the volume of
potential signs of incidents is typically high, they are detected through various
means, and detecting them demands deep, specialized technical knowledge as well
as extensive experience on the part of the team.
The methodology distinguishes two kinds of signs of incidents, precursors and
indicators. An indicator is a sign that an incident may have occurred or may be
occurring now; a precursor is a sign that an incident may occur in the future.
Indicators & Precursors Sources
The methodology identifies the sources of indicators and precursors by
considering various sources. It identifies suspicious events from the following.
i. Alerts
Alerts come from IDPS products, which identify suspicious events and record
the pertinent data about them, from Security Information and Event Management
products, which generate alerts based on analysis of log data, from antivirus and
antispam software, from third-party monitoring services and from file integrity
checking software.
ii. Logs
The methodology identifies incidents from logs, such as network device logs,
operating system logs, application logs, service logs and network flows.
iii. Publicly available information
This source is information about new exploits and vulnerabilities, which
organizations generally encounter and which is shared publicly through the
media and similar channels.
iv. People
Signs of incidents can also be reported by staff and other people, both within
the organization and in other organizations.
Incident Analysis
The methodology supports effective incident analysis, but it needs the indicators
and precursors to be accurate, and it is common for the team to be misled by
false indicators. Technical and information security personnel are to be
consulted to confirm the accuracy of an incident after events have occurred. The
methodology relies on the incident handlers to analyze symptoms that are
contradictory, ambiguous and incomplete in order to determine what exactly
happened. Various technical solutions can be adopted by an experienced and
skilled team. The methodology requires the team to consider, analyze and
validate each incident.
Initial analysis and validation should include profiling systems and networks,
understanding normal behaviour, performing event correlation, creating a
log retention policy, keeping host clocks synchronized, using and maintaining
a knowledge base of information, researching with internet search engines,
running packet sniffers to collect additional data, filtering the data and, when
needed, seeking assistance from others.
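As an added example, not from this page or from NIST SP 800-61, the following Python applies the precursor/indicator distinction from "Signs of Incident" and the event correlation and clock synchronization points from this section to constructed log lines: an IDS port-scan alert is reported as a precursor, a successful SSH login that follows a burst of failures from the same source within a time window is reported as an indicator, and the two are correlated by source address and time. The log formats, the thresholds and the sample lines are assumptions made for this illustration, and the correlation only works if all hosts log in a synchronized, common time zone, as the section requires.

```python
"""Precursor/indicator detection and correlation over constructed log lines.
Added example, not from NIST SP 800-61 or any product: the syslog-style
formats, thresholds and sample lines below are assumptions for this
illustration.  A precursor is a sign that an incident may occur in the future
(here, a port scan); an indicator is a sign that an incident may have occurred
(here, a login that succeeds after a burst of failures from the same host)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IDS_RE = re.compile(r"^(?P<ts>\S+) ids: portscan src=(?P<src>\S+) ports=(?P<ports>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>\S+) port \d+$")

FAILED_THRESHOLD = 4            # failures before a success counts as brute force (assumed)
WINDOW = timedelta(minutes=10)  # correlation window; meaningful only with synchronized clocks


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp.  All sources must log in one zone to correlate."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_precursors(lines):
    """IDS port-scan alerts: reconnaissance that precedes, but is not, a compromise."""
    findings = []
    for line in lines:
        m = IDS_RE.match(line)
        if m:
            ports = m.group("ports").split(",")
            findings.append({"type": "precursor", "src": m.group("src"),
                             "ts": parse_ts(m.group("ts")),
                             "detail": f"port scan of {len(ports)} ports"})
    return findings


def find_indicators(lines):
    """A success preceded by at least FAILED_THRESHOLD failures from the same source
    within WINDOW: the pattern of a brute-force attack that worked."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    findings = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, src = parse_ts(m.group("ts")), m.group("src")
        if m.group("result") == "Failed":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if ts - t <= WINDOW]
        if len(recent) >= FAILED_THRESHOLD:
            findings.append({"type": "indicator", "src": src, "ts": ts,
                             "detail": f"login for {m.group('user')} after {len(recent)} failures"})
    return findings


def correlate(precursors, indicators):
    """Attach to each indicator the count of precursors from the same source
    that occurred up to WINDOW before it; this is the event correlation step."""
    linked = []
    for ind in indicators:
        related = [p for p in precursors
                   if p["src"] == ind["src"] and timedelta(0) <= ind["ts"] - p["ts"] <= WINDOW]
        linked.append({**ind, "related_precursors": len(related)})
    return linked


SAMPLE_LOGS = [  # constructed for this example, not captured from a real system
    "2024-05-01T10:02:11Z ids: portscan src=203.0.113.7 ports=22,23,80,443,3389",
    "2024-05-01T10:05:01Z sshd: Failed password for admin from 203.0.113.7 port 51512",
    "2024-05-01T10:05:03Z sshd: Failed password for admin from 203.0.113.7 port 51513",
    "2024-05-01T10:05:05Z sshd: Failed password for admin from 203.0.113.7 port 51514",
    "2024-05-01T10:05:07Z sshd: Failed password for admin from 203.0.113.7 port 51515",
    "2024-05-01T10:05:09Z sshd: Accepted password for admin from 203.0.113.7 port 51516",
    "2024-05-01T10:06:00Z sshd: Failed password for bob from 198.51.100.4 port 40000",
    "2024-05-01T10:06:30Z sshd: Accepted password for bob from 198.51.100.4 port 40001",
]


def analyse(lines):
    """Full pass: precursors and indicators, then indicators linked to precursors."""
    return correlate(find_precursors(lines), find_indicators(lines))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOGS):
        print(f["type"], f["src"], f["ts"].isoformat(), f["detail"],
              "related precursors:", f["related_precursors"])
```

The single mistyped password from 198.51.100.4 produces no finding, which is the point of the threshold: indicators have to be accurate enough that the team is not chasing false ones. If the IDS host's clock were ten minutes ahead of the SSH server's, the scan would appear to follow the login and the correlation would be lost, which is why the section insists on synchronized clocks.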
Incident Documentation
As soon as an incident is suspected, the team should immediately record all the
facts about it, in logbooks, on digital cameras and audio recorders and on
laptops. The suspected incident has to be recorded and documented, with
timestamps, from the initial event through to the final resolution. Every document
detailing the incident has to be signed and dated by the incident handler. The
documentation is used in a court of law if legal prosecution is pursued. The
incident handling team should have at least two members, one to record events in
the logs and the other to perform the technical tasks.
The team has to maintain the records and update them with the incident status and
other pertinent information. The methodology involves a database or other issue
tracking application for this purpose.
The issue tracking system should contain the following information.
1. Overall summary of the incident
2. Current status of the incident
3. Indicators related to the incident
4. Other related incidents
5. Chain of custody, if needed
6. Actions taken by the incident handlers
7. Evidence gathered during the investigation
8. Impact assessment
9. Comments from the incident handlers
10. Next steps to be taken
Incident Prioritization
This is the most critical decision point in the incident handling process.
Incidents should be prioritized according to the relevant factors, namely
1. the functional impact of the incident
2. the information impact of the incident
3. the recoverability from the incident
Incidents are prioritized according to these categories. A maximum waiting time
for a response has to be set for each priority, and an escalation process has to be
established so that if that time is exceeded, a response is obtained from other team
members.
Incident Notification
Incidents are to be reported to the appropriate individuals so that they can play
their respective roles. Policies have to define the provisions for reporting
incidents: at a minimum, whom to notify, what to report and when. Notification
should go to
1. the CIO
2. the head of information security
3. the local information security officer
4. other teams within the organization
5. the system owner
6. external teams, if needed
7. human resources
8. the legal department
9. law enforcement
10. US-CERT
11. public affairs
Notification can be made through different communication methods, such as a
website, email, telephone calls, a voice mailbox greeting, in person, on paper and
so on.
CONTAINMENT, ERADICATION AND RECOVERY
Containment, eradication and recovery is another important phase, in which the actual
computer forensic work is done and further protective measures are taken [15].
Containment
Containment is an important aspect that is performed early in the course of incident
handling; it provides time to develop a tailored remediation strategy and make
decisions. These decisions are made easily and quickly when the procedures and
strategies for containing an incident are predetermined. The acceptable risks are
to be defined during strategy development.
Containment strategies vary according to the kind of incident. The criteria for
determining a strategy include
1. the need for evidence preservation
2. the potential damage to and theft of resources
3. the need for service availability
4. the time and resources needed to implement the strategy
5. the effectiveness of the strategy
6. the duration of the solution
The strategies are discussed with the legal department for feasibility.
Containment should not be delayed, as delay can be dangerous: the attacker may
compromise another system or escalate privileges to gain unauthorized access, and
the delay may add to the damage before the incident is contained.
Gathering and Handling the Evidence
Evidence is gathered both to resolve the incident and for legal proceedings, and it
is done according to defined procedures.
A detailed log should be kept for all evidence, including the following.
1. Identifying information (location, serial number, model number, hostname, MAC
and IP addresses)
2. Name, title and phone number of each individual who collected or handled the
evidence
3. Date and time of each occurrence of evidence handling
4. Locations where the evidence was stored
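As an added example, not from this page or from NIST SP 800-61, the following Python keeps the evidence log described above as a chain-of-custody record: identifying information for the item, the name, title and phone number of each handler, the time and location of each handling event, and a SHA-256 digest taken at acquisition that is recompared later to show the evidence is unchanged. The field names, the handler records and the sample evidence bytes are assumptions constructed for this illustration.

```python
"""Chain-of-custody record for one item of digital evidence.  Added example, not
from NIST SP 800-61 or any forensic tool; the field names and the sample
evidence bytes are assumptions constructed for this illustration."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Digest used to prove the evidence has not changed since acquisition."""
    return hashlib.sha256(data).hexdigest()


class EvidenceRecord:
    """Identifying information for the item, the digest taken at acquisition,
    and an append-only list of custody events (who, what, when, where)."""

    def __init__(self, item_id: str, identifying_info: dict, data: bytes,
                 handler: dict, location: str, when: datetime = None):
        self.item_id = item_id
        self.identifying_info = identifying_info   # serial, model, hostname, MAC/IP ...
        self.acquired_hash = sha256_hex(data)       # fixed at acquisition, never updated
        self.events = []
        self.add_event("acquired", handler, location, when)

    def add_event(self, action: str, handler: dict, location: str,
                  when: datetime = None) -> None:
        """Append one custody entry.  The handler record must carry name, title
        and phone; timestamps are recorded in UTC so entries from different
        handlers and sites can be ordered unambiguously."""
        for field in ("name", "title", "phone"):
            if field not in handler:
                raise ValueError(f"handler record missing {field}")
        when = when or datetime.now(timezone.utc)
        self.events.append({
            "action": action, "handler": dict(handler),
            "location": location, "time": when.isoformat(),
        })

    def verify(self, data: bytes) -> bool:
        """True only if the item still hashes to the acquisition digest."""
        return sha256_hex(data) == self.acquired_hash

    def custody_chain(self) -> list:
        """Ordered names of everyone who has handled the item."""
        return [e["handler"]["name"] for e in self.events]

    def to_json(self) -> str:
        """Serialize the record for the issue tracking system or a court exhibit."""
        return json.dumps({
            "item_id": self.item_id,
            "identifying_info": self.identifying_info,
            "sha256": self.acquired_hash,
            "custody": self.events,
        }, indent=2)


if __name__ == "__main__":
    # Constructed sample: the bytes stand in for an acquired disk image.
    image = b"constructed disk image bytes, not a real acquisition"
    collector = {"name": "A. Handler", "title": "Incident handler", "phone": "+1-555-0100"}
    examiner = {"name": "B. Examiner", "title": "Forensic examiner", "phone": "+1-555-0101"}

    rec = EvidenceRecord("EV-2024-001",
                         {"device": "USB flash drive", "serial": "SN-ABC123"},
                         image, collector, "Server room 2")
    rec.add_event("sealed in evidence bag", collector, "Server room 2")
    rec.add_event("transferred to lab", examiner, "Forensics lab safe")
    print(rec.to_json())
    print("intact:", rec.verify(image))
    print("tampered:", rec.verify(image + b"\x00"))
```

The record never rewrites the acquisition digest, so a later mismatch is evidence of a change rather than something the log can quietly absorb; each handover is a new entry with its own handler, time and location, which is what a court asks to see.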
Attacking Host Identification
Identifying the attacking host can be time-consuming and futile, and it can distract
the team from its primary goal of containing the incident and minimizing its impact.
The activities commonly performed when identifying an attacking host are the
following.
1. Validating the IP address of the attacking host
2. Researching the attacking host through search engines
3. Monitoring possible attacker communication channels
4. Using incident databases
Eradication and Recovery
After containment, eradication may be needed, such as disabling breached user
accounts and deleting malware. All affected hosts are identified and then
remediated. Some incidents do not need eradication, or eradication is performed
as part of recovery [14].
In recovery, systems are restored to normal operation and confirmed to be
functioning normally. Where needed, vulnerabilities are remediated to prevent
similar incidents. Recovery may involve restoring systems from clean backups,
rebuilding them from scratch, replacing compromised files, installing patches,
changing passwords and tightening network security. Higher levels of system
logging or network monitoring are used during recovery. Once a resource has
been successfully attacked, it is often attacked again, or other resources in the
organization are attacked in the same way.
Both eradication and recovery are performed in a phased approach so that the
remediation steps can be prioritized. The early phases focus on quick, high-value
changes that improve overall security so that future incidents can be prevented.
The later phases focus on longer-term changes that keep the enterprise as secure
as possible.
POST-INCIDENT ACTIVITY
This is the last phase of the methodology, and its objective is the future security of
the organization, through learning and improving. However, many organizations
neglect this phase once the issue has been resolved.
Lessons Learned
Each incident response team has to evolve to reflect new threats, improved
technology and lessons learned. After a major incident, a 'lessons learned' meeting
is held with all the parties involved. Optionally, if resources permit, such meetings
should be scheduled periodically, which can improve security measures and the
incident handling process. Such meetings can cover multiple incidents at once. The
lessons learned meeting provides an opportunity to achieve closure on an
incident, by reviewing what occurred, what was done to intervene and how well
the intervention worked.
The following questions should be addressed in the meetings [14].
1. Exactly what happened, and at what times?
2. How well did the staff and management perform in dealing with the incident?
Were the documented procedures followed? Were they adequate?
3. What information was needed sooner?
4. Were any steps or actions taken that might have inhibited the recovery?
5. What would the staff and management do differently the next time a similar
incident occurs?
6. What corrective actions can prevent similar incidents in the future?
7. How could information sharing with other organizations be improved?
8. What precursors or indicators should be watched for in the future to detect
similar incidents?
9. What additional tools or resources are needed to detect, analyze and mitigate
future incidents?
When serious attacks have occurred, post-mortem meetings held after the incident
is resolved can be very helpful, crossing team and organizational boundaries, so
that a mechanism for information sharing is provided.
Other benefits of lessons learned meetings are that the reports produced from them
are good training material for new team members, and that the incident response
policies and procedures get updated. Post-mortem analysis may reveal an
inaccuracy or a missing step in a procedure and so provide the impetus for
change. Finally, the lessons learned activities produce a set of objective and
subjective data about each incident that has occurred.
Collected Incident Data Usage
The data produced in the lessons learned activity is useful in different ways. Data
such as cost and time spent can be the basis for justifying funding for the incident
response team. The data can be fed into the risk assessment process to define
additional controls. The data can also be used to measure the incident response
team's success.
Data collection should focus on actionable data, rather than on collecting data
simply because it is available.
Useful incident-related metrics include the following.
1. Total number of incidents handled
2. Time spent on each incident
3. An objective assessment of each incident
4. A subjective assessment of each incident
The data is also useful for periodic audits of the incident response program,
during which problems and deficiencies can be identified and corrected.
An incident response audit should evaluate at least the following items against
the applicable regulations, policies and generally accepted practices.
1. Incident response policies, plans and procedures
2. Tools and resources
3. Incident handler training and education
4. Team model and structure
5. Incident documentation and reports
Retention of Evidence
The organization should establish a policy that determines how long evidence
from an incident is retained. Many organizations keep incident evidence for
several months or a few years; the following factors usually influence the
retention period.
1. Prosecution: if the attacker may be prosecuted, the evidence has to be
retained until all legal action is complete, which can take years.
2. Cost: original hardware held as evidence, and the storage needed for disk
images and other evidence, can be expensive to keep.
3. Data retention: the organization's general data retention policies and any
regulatory requirements may set a minimum or maximum retention period.
Checklist of Incident Handling
The methodology gives the incident response team a formal, repeatable process,
and an incident handling checklist is part of that process. The methodology
recommends that the team treat the following activities as a baseline and adapt
them to the nature and complexity of each incident.
Action: Detection and analysis
Checklist:
1. Determine whether an incident has occurred
- Analyze the precursors and indicators
- Look for correlating information
- Perform research (for example search engines and the knowledge base)
- As soon as the incident is confirmed, begin documenting the investigation
and gathering evidence
2. Prioritize handling of the incident based on the relevant factors
3. Report the incident to the appropriate internal personnel and, where
required, to external organizations
Action: Containment, eradication and recovery
Checklist:
4. Acquire, preserve, secure and document evidence
5. Contain the incident
6. Eradicate the incident
- Identify and mitigate all vulnerabilities that were exploited
- Remove malware, inappropriate materials and other threatening components
- If more affected hosts are discovered, repeat the detection and analysis
steps for them
7. Recover from the incident
- Return affected systems to an operationally ready state
- Confirm that the affected systems are functioning normally
- If necessary, implement additional monitoring to look for related activity
Action: Post-incident activity
Checklist:
8. Create a follow-up report
9. Hold a lessons learned meeting
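The checklist item "acquire, preserve, secure and document evidence" is the step where most evidentiary mistakes are made, so here is an added example of how it is carried out in code. This is not code from the original document or from NIST SP 800-61; it is written for this page. It copies a device bit for bit, hashes exactly the bytes written, re-verifies the image independently, and appends a chain-of-custody entry. The record format, the case identifier, the examiner name and the stand-in "device" file that run_demo() builds are all constructed for the example; on a real acquisition the source would be a block device behind a write blocker.

```python
"""Forensic image acquisition with integrity hashing and a custody record.

Added example (not from the original document or from NIST SP 800-61).
The 'device' may be any readable path; a real block device (e.g. /dev/sdb)
needs root and should sit behind a write blocker. run_demo() builds a
constructed stand-in file so the example runs without hardware.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large devices do not fill memory


def acquire_image(device_path, image_path, case_id, examiner, chunk=CHUNK):
    """Bit-for-bit copy of device_path to image_path, hashing the same bytes
    that are written. Returns the acquisition record for the evidence log."""
    digest = hashlib.sha256()
    size = 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            digest.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    return {
        "case_id": case_id,          # hypothetical identifiers for the example
        "examiner": examiner,
        "source": device_path,
        "image": image_path,
        "size_bytes": size,
        "sha256": digest.hexdigest(),
        "acquired_utc": started,
    }


def sha256_of_file(path, chunk=CHUNK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(record):
    """Independently re-hash the written image; True only if size and hash
    still match what was recorded at acquisition time."""
    return (os.path.getsize(record["image"]) == record["size_bytes"]
            and sha256_of_file(record["image"]) == record["sha256"])


def append_custody_entry(log_path, record, action, note=""):
    """Append one line to a JSON-lines chain-of-custody log (the format is
    this example's own; adapt it to the organization's evidence procedure)."""
    entry = dict(record, action=action, note=note,
                 logged_utc=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    with open(log_path, "a") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def run_demo():
    """Acquire a constructed 2 MiB + 4097 byte 'device', verify the image,
    then show that a single appended byte is detected on re-verification."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "sdb")        # stand-in for a block device
        image = os.path.join(tmp, "sdb.dd")
        log = os.path.join(tmp, "custody.jsonl")
        data = os.urandom(2 * CHUNK + 4097)      # constructed content, odd size
        with open(device, "wb") as f:
            f.write(data)
        record = acquire_image(device, image, "CASE-0001", "examiner-1")
        append_custody_entry(log, record, "acquired")
        ok_before = verify_image(record)
        with open(image, "ab") as f:             # simulate tampering/corruption
            f.write(b"\x00")
        ok_after = verify_image(record)
        append_custody_entry(log, record, "verify", "ok" if ok_after else "mismatch")
        with open(log) as f:
            entries = f.read().count("\n")
        return {
            "size_bytes": record["size_bytes"],
            "hash_matches_source": record["sha256"] == hashlib.sha256(data).hexdigest(),
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
            "custody_entries": entries,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The hash is computed from the bytes as they pass through the copy, not from the source afterwards, so the record documents what actually went into the image file; verification then re-reads the image from disk, which is the check an examiner repeats every time the image is handed over or restored.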

Recommendations
The methodology applies to computer security incidents of any size, from minor
to very complex; how deeply each activity is carried out depends on the
complexity of the incident. The following recommendations are useful for any
organization that has to handle complex incidents.
1. Acquire tools and resources that may be of value during incident handling
2. Prevent incidents from occurring by keeping networks, systems and applications
sufficiently secure
3. Identify precursors and indicators through alerts generated by several kinds
of security software
4. Establish mechanisms for outside parties to report incidents
5. Require a baseline level of logging and auditing on all systems, and a higher
baseline level on critical systems
6. Profile networks and systems
7. Understand the normal behavior of networks, systems and applications
8. Create a log retention policy
9. Perform event correlation
10. Keep all host clocks synchronized
11. Maintain and use a knowledge base of information
12. Start recording all information as soon as the team suspects that an incident
has occurred
13. Safeguard incident data
14. Prioritize handling of incidents based on the relevant factors
15. Include provisions regarding incident reporting in the organization's incident
response policy
16. Establish strategies and procedures for containing incidents
17. Follow established procedures for evidence gathering and handling
18. Capture volatile data from systems as evidence
19. Obtain system snapshots through full forensic disk images, not file system
backups
20. Hold lessons learned meetings after major incidents
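Recommendations 9 and 10 (event correlation and clock synchronization) are best seen together, because correlation across sources is only as good as the clocks behind the timestamps. The following is an added example written for this page, not code from the original document or from NIST SP 800-61. It parses three constructed log sources in their native formats, converts each timestamp to true UTC using a clock offset assumed to have been measured against a reference clock when the logs were collected, and then groups each source address's events into time windows. The log lines, host names, addresses, the syslog year and the offsets are all constructed for the example.

```python
"""Event correlation across log sources with clock-skew correction.

Added example (not from the original document or from NIST SP 800-61).
All log lines, hosts, addresses and clock offsets below are constructed.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Event = namedtuple("Event", "time source src_ip detail")

# Constructed sample logs. The firewall is NTP-synchronized and logs UTC; the
# web server's clock was measured 3 min 17 s fast and the host's clock 45 s
# slow at collection time (the measurement recommendation 10 makes possible).
FIREWALL_LOG = """\
2020-03-14T09:12:03Z ALLOW src=203.0.113.45 dst=192.0.2.10 dport=22
2020-03-14T09:12:41Z ALLOW src=203.0.113.45 dst=192.0.2.10 dport=443
2020-03-14T09:13:02Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
"""
WEB_LOG = """\
203.0.113.45 - - [14/Mar/2020:09:16:05 +0000] "GET /admin/upload.php HTTP/1.1" 200 512
203.0.113.45 - - [14/Mar/2020:09:16:09 +0000] "POST /admin/upload.php HTTP/1.1" 200 88
198.51.100.7 - - [14/Mar/2020:09:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048
"""
AUTH_LOG = """\
Mar 14 09:11:25 web01 sshd[4411]: Failed password for root from 203.0.113.45 port 50212 ssh2
Mar 14 09:12:30 web01 sshd[4412]: Accepted publickey for deploy from 198.51.100.7 port 50300 ssh2
"""
# Measured offset of each source clock relative to true UTC (source minus UTC).
CLOCK_OFFSETS = {
    "firewall": timedelta(0),
    "web": timedelta(minutes=3, seconds=17),
    "auth": timedelta(seconds=-45),
}
SYSLOG_YEAR = 2020  # syslog lines carry no year; assumed from the collection date

FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d+) \d+')
AUTH_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*) from (\S+) port")


def parse_firewall(text):
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield Event(ts, "firewall", m.group(3), f"{m.group(2)} {m.group(4)}:{m.group(5)}")


def parse_web(text):
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield Event(ts, "web", m.group(1), f"{m.group(3)} -> {m.group(4)}")


def parse_auth(text, year=SYSLOG_YEAR):
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
            yield Event(ts, "auth", m.group(3), m.group(2))


def load_events():
    """All events exactly as each source recorded them (clocks uncorrected)."""
    return list(parse_firewall(FIREWALL_LOG)) + list(parse_web(WEB_LOG)) + list(parse_auth(AUTH_LOG))


def normalize(events, offsets):
    """Subtract each source's measured clock offset so every time is true UTC."""
    return [e._replace(time=e.time - offsets[e.source]) for e in events]


def timeline(events, src_ip):
    """Events for one address in chronological order."""
    return sorted((e for e in events if e.src_ip == src_ip), key=lambda e: (e.time, e.source))


def clusters(events, window_seconds):
    """Group each address's events into runs in which consecutive events are at
    most window_seconds apart. A run spanning several sources is the correlated
    activity an analyst wants to see as one unit."""
    by_ip = {}
    for e in sorted(events, key=lambda e: (e.time, e.source)):
        by_ip.setdefault(e.src_ip, []).append(e)
    result = {}
    for ip, evs in by_ip.items():
        runs = [[evs[0]]]
        for prev, cur in zip(evs, evs[1:]):
            if (cur.time - prev.time).total_seconds() <= window_seconds:
                runs[-1].append(cur)
            else:
                runs.append([cur])
        result[ip] = runs
    return result


if __name__ == "__main__":
    raw = load_events()
    for label, evs in (("uncorrected", raw), ("corrected", normalize(raw, CLOCK_OFFSETS))):
        print(f"--- {label} timeline for 203.0.113.45")
        for e in timeline(evs, "203.0.113.45"):
            print(e.time.strftime("%H:%M:%S"), e.source, e.detail)
        print("runs within 60 s:", len(clusters(evs, 60)["203.0.113.45"]))
```

Run as a script, the uncorrected timeline places the failed SSH login before the firewall ever allowed the connection and pushes the web requests more than three minutes after everything else, so a 60-second correlation window splits one intrusion into two unrelated runs; after correction the same events form a single run across all three sources. That is the concrete cost of unsynchronized clocks, and the reason the offsets are recorded at collection time.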
COORDINATION AND SHARING OF INFORMATION
The methodology recommends that organizations coordinate the relevant portions
of their incident response activities with appropriate partners. Sharing
information about threats, attacks and vulnerabilities benefits all parties,
because the same threats and attacks often affect several organizations, and
sometimes affect them simultaneously.
Coordination
To carry out some incident response activities an organization has to work with
other parties, such as its internet service provider, other incident response
teams, its constituents, law enforcement agencies and customers, so it should
establish effective lines of communication with them in advance.
Figure: Coordination of Incident Response
The figure shows the coordination that takes place in each phase of the incident
response lifecycle, with the coordination activity highlighted.
a. Coordination Relationships
The nature of a coordination relationship depends on the type of organization
being coordinated with. The kind of information shared also varies with the
kind of team involved and the kind of coordination: team to team, team to
coordinating team, or coordinating team to coordinating team.
b. Sharing agreements and reporting requirements
The legal department should be consulted before an organization starts sharing
incident information with another organization, and any required agreements or
contracts, such as a non-disclosure agreement, should be in place before the
discussion begins. Existing reporting requirements also have to be considered
before incident information is shared with a higher-level CIRT or an ISAC.
Techniques for Information Sharing
Information sharing is a key element of coordination, and information should be
shared at the right time rather than held back until the incident is completely
resolved.
a. Ad hoc
This is the traditional way of sharing incident information, using instant
messaging, email, telephone and similar channels. It usually relies on the
personal connections of the people involved and on whoever happens to be
participating in handling the incident.
b. Partially automated
Automated information sharing should be balanced with manual review, so that
trust and security concerns are addressed before information leaves the
organization.
c. Security considerations
Security and legal considerations apply to every piece of information before it
is shared, however small.

Granular Information Sharing
Information is shared at a granular level, weighing the benefits of sharing
each item against its drawbacks. Shared information is usually of two kinds.
a. Business impact information
b. Technical information
COMPARISON WITH SANS PICERL
Similarities
The NIST incident response methodology and the SANS PICERL methodology are
similar in most respects: the two approaches share many concepts and differ on
comparatively few points.
The NIST methodology is more of a guiding framework. It leads the incident
response team from the moment an incident is first suspected in the organization
through to the retention of incident response reports and records [15]. It is
very detailed, down to the level of how the team should communicate and
coordinate with the rest of the world. SANS PICERL is more a conversion of the
same theory into a practical implementation, and it is equally effective as the
NIST approach.
Differences
An important difference between NIST and SANS PICERL is the incident response
lifecycle. NIST uses four major phases: preparation; detection and analysis;
containment, eradication and recovery; and post-incident activity. Although
there are only four phases, each contains detailed sub-procedures.
SANS PICERL has six phases: preparation, identification, containment,
eradication, recovery and lessons learned. Each SANS phase covers essentially a
single task with a detailed process, whereas each of the four NIST phases is
long and extensive, with its own sub-procedures. The third, fourth and fifth
SANS phases are contained in the single third phase of NIST [17].
The last SANS phase is shorter and limited to lessons learned, while the last
NIST phase, post-incident activity, is more detailed and covers several
activities, lessons learned being one of the activities performed after the
incident.
IMPACT OF FBI DIGITAL FORENSICS INVESTIGATION APPROACH
The Federal Bureau of Investigation is the domestic intelligence and security
service of the United States and its principal federal law enforcement agency.
As businesses have moved online at large scale, crime has followed them, and the
agency has accordingly placed increasing emphasis on digital forensics to
investigate and control computer crime and data breaches [6].
The impact of the FBI on computer security and digital forensics can initially
be seen in three areas.
1. The Fourth Amendment to the US Constitution, which protects citizens from
unreasonable search and seizure, and the Fifth Amendment, which protects
against self-incrimination.
2. US statutory law related to computer forensics, which everyone in the US has
to follow:
a. The Pen Register and Trap and Trace Devices statute
b. The Wiretap Act
c. The Stored Wire and Electronic Communications Act
3. The Federal Rules of Evidence on authentication, best evidence, reliability
and hearsay, which every investigator has to understand. Two areas of legal
governance apply to network data:
a. Authority to monitor and collect the data
b. Admissibility of the collection methods
The impact of the FBI on digital forensics and cyber crime is substantial.
Policies on data sharing and data access for online users and for businesses
with an online presence have become stricter; they are defined, and every
citizen and business in the US has to follow them. The FBI has also shaped
incident response and handling procedures, in particular the legal requirements
for receiving information and mounting an initial response immediately after an
incident has happened [7].
The challenges of computer forensics have been met with strong and strict
policies, and the industry has stabilized around best practices. Standardization
is limited to known and discovered threats, and new data breaches and cyber
crimes continue to challenge it; nevertheless many kinds of incident are now
well understood, and clear procedures and approaches have been developed from
the experience of past breaches.
Computer crime began to grow in the 1980s, and this led to the establishment of
specialized groups nationwide to cover the technical aspects of investigations.
The FBI launched its Computer Analysis and Response Team in 1984, and in 1985 a
computer crime unit was set up within the British Metropolitan Police fraud
squad.
The FBI laboratory and other law enforcement agencies began developing
procedures for examining computer forensic evidence as early as 1984. These
procedures directly advanced the practice of computer forensic investigation,
bringing a scientific approach to computer crime and, although the term was not
yet in use, to incident response. Evidence was no longer collected in an
unstructured way under ad hoc conditions.
Various studies of incident response have extracted the common phases from the
many models and approaches and proposed new general-purpose models, in line
with the requirements and suggestions of the FBI. Computer and digital forensic
investigation has been modelled as the Computer Forensic Investigative Process
(1984), the Digital Forensics Research Workshop (DFRWS) model (2001), the
Abstract Digital Forensics Model (ADFM, 2002), the Integrated Digital
Investigation Process (IDIP, 2003), the Enhanced Digital Investigation Process
(EDIP, 2004), the Computer Forensics Field Triage Process Model (CFFTPM, 2006),
the Digital Forensic Model based on Malaysian Investigation Process (DFMMIP,
2009), the Scientific Crime Scene Investigation model (2001), End to End Digital
Investigation (2003), the Extended Model of Cybercrime Investigation (2004), A
Hierarchical, Objective-based Framework for the Digital Investigations Process
(2004), the Framework for Digital Forensic Investigation (2006), the Network
Forensic Generic Process Model (2010) and many more, all sharing the most common
phases of investigation (P. Sundresan, "Digital Forensic Model based on
Malaysian Investigation Process", International Journal of Computer Science and
Network Security, Vol. 9, No. 8, 2009) [12].
In 2000 the FBI lured the hackers Vasiliy Gorshkov and Alexey Ivanov to the
United States with a fake job interview. Operations of this kind have had a
large impact, and strict policies are now defined that must be followed by
everyone, from large organizations to individuals.
CONCLUSION
The NIST incident response methodology is better suited to medium and large
organizations than to small businesses, because of the thoroughness with which
it guides the incident response team through every procedure and sub-procedure.
Such a long guide with lengthy procedures can be time-consuming to consult and
follow for the smaller incidents that a small organization is likely to face.
NIST is therefore best suited to medium and large businesses, while SANS PICERL
is more suitable for small and medium businesses.
As for viability, both approaches are viable, with the understanding that every
computer data breach and cyber crime is unique in its nature and complexity and
that incidents vary widely in size and impact. Having several viable models and
approaches for computer forensics and investigation therefore allows a better
fit for crimes and breaches of differing size and complexity. For smaller and
less complex incidents SANS PICERL is the better approach to follow, and for
larger and more complex incidents NIST SP 800-61r2 is the better fit.
REFERENCES
1. M. K. Rogers, J. Goldman, R. Mislan, T. Wedge and S. Debrota, "Computer Forensic Field
Triage Process Model", Conference on Digital Forensics, Security and Law, pp. 27-40, 2006.
2. E. S. Pilli, R. C. Joshi and R. Niyogi, "Network Forensic Frameworks: Survey and Research
Challenges", Digital Investigation, Vol. 7, pp. 14-27, 2010.
3. F. C. Freiling and B. Schwittay, "Common Process Model for Incident and Computer
Forensics", Proceedings of the Conference on IT Incident Management and IT Forensics,
Stuttgart, Germany, pp. 19-40, 2007.
4. D. Bem and E. Huebner, "Computer Forensic Analysis in a Virtual Environment",
International Journal of Digital Evidence, Vol. 6, No. 2, pp. 1-13, 2007.
5. M. G. Noblett, M. M. Pollitt and L. A. Presley, "Recovering and Examining Computer
Forensic Evidence", Forensic Science Communications, Vol. 2, No. 4, 2000.
6. FBI Cyber Division, "(U) Health Care Systems and Medical Devices at Risk for Increased
Cyber Intrusions for Financial Gain", 2014.
7. FBI, "FBI Handbook of Forensic Science, Collection, Identification and Shipping Index
(with modifications)", Federal Bureau of Investigation, Washington, D.C., 1992.
8. P. Kral, "Incident Handler's Handbook", SANS Institute InfoSec Reading Room, 2011.
9. P. Cichonski, T. Millar, T. Grance and K. Scarfone, "Computer Security Incident Handling
Guide", Recommendations of the National Institute of Standards and Technology, US
Department of Commerce, 2012.
10. "Computer Forensics", United States Attorneys' Bulletin, 2008.
11. B. Endicott-Popovsky and D. Frincke, "Adding the R: A Systems Approach to Solving the
Hacker's Arms Race", Proceedings of the 39th Hawaii International Conference on System
Sciences, 2006.
12. L. A. Gordon, M. P. Loeb, W. Lucyshyn and R. Richardson, "CSI/FBI Computer Crime and
Security Survey", Computer Security Institute, 2006.
13. S. H. von Solms, "Information Security: The Fourth Wave", Computers and Security,
Vol. 25, Issue 3, Elsevier, 2006.
14. O. Kerr, "Computer Records and the Federal Rules of Evidence", National Institute of
Standards and Technology, Computer Security Incident, 2004.
15. M. Poor, "Handling Guide", NIST Special Publication 800-61, 2006.
16. SANS, "Security 504.1 Hacker Techniques, Exploits and Incident Handling", Book 1.
17. SANS Institute, "Computer Security Incident Handling Guide", Publication 800-61, US
NIST Incident Handling Step by Step, ver. 2, 2001.
18. M. M. Pollitt, "An Ad Hoc Review of Digital Forensic Models", Proceedings of the
Second International Workshop on Systematic Approaches to Digital Forensic
Engineering, Washington, US, 2007.
19. M. K. Rogers, J. Goldman, R. Mislan, T. Wedge and S. Debrota, "Computer Forensic Field
Triage Process Model", Conference on Digital Forensics, Security and Law, pp. 27-40, 2006.
20. M. Reith, C. Carr and G. Gunsch, "An Examination of Digital Forensic Models",
International Journal of Digital Evidence, 2002.
21. E. Casey (ed.), Handbook of Digital Forensics and Investigation, Academic Press,
p. 567, 2009.
22. E. Casey, Digital Evidence and Computer Crime, 2nd ed., Elsevier, 2004.
23. A. Philipp, D. Cowen and C. Davis, Hacking Exposed: Computer Forensics, McGraw Hill
Professional, p. 544, 2009.
24. S. L. Garfinkel, "Digital Forensics Research: The Next 10 Years", Digital
Investigation, Vol. 7, 2010.
25. L. Volonino and R. Anzaldua, Computer Forensics for Dummies, For Dummies, 2008.
26. S. G. Punja, "Mobile Device Analysis", Small Scale Digital Device Forensics Journal,
2008.
27. J. Seper, "Osama Access to State Secrets Helped 9/11", Computer Crime Research Center.
28. W. G. Kruse and J. G. Heiser, Computer Forensics: Incident Response Essentials,
Addison-Wesley, p. 392, 2002.
29. J. Meyer, Forensische Datenanalyse, 1st ed., Erich Schmidt Verlag, Berlin, 2012.
30. C. Hlavica, U. Klapproth, F. Hülsberg et al., Tax Fraud & Forensic Accounting, Gabler
Verlag, Wiesbaden, 2011.
31. M. S. Olivier, "On Metadata Context in Database Forensics", Digital Investigation,
Science Direct, 2009.
32. N. Andrienko and G. Andrienko, Exploratory Analysis of Spatial and Temporal Data: A
Systematic Approach, Springer, 2005.
33. M. Theus and S. Urbanek, Interactive Graphics for Data Analysis: Principles and
Examples, CRC Press, Boca Raton, FL, 2008.
34. E. Casey and G. J. Stellatos, "The Impact of Full Disk Encryption on Digital
Forensics", Operating Systems Review, Vol. 42, No. 3, pp. 93-98, 2008.
35. Y. Huang and Y. Long, "Demosaicking Recognition with Applications in Digital Photo
Authentication Based on a Quadratic Pixel Correlation Model", Proc. IEEE Conference on
Computer Vision and Pattern Recognition, 2008.
36. C. Easttom, System Forensics, Investigation, and Response, Jones & Bartlett, p. 318,
2013.
37. R. Adams, "The Advanced Data Acquisition Model (ADAM): A Process Model for Digital
Forensic Practice", 2012.
38. A. Philipp, D. Cowen and C. Davis, Hacking Exposed: Computer Forensics, McGraw Hill
Professional, p. 544, 2009.
39. B. Nelson, A. Phillips, F. Enfinger and C. Steuart, Guide to Computer Forensics and
Investigations, 3rd ed., Course Technology, Cengage Learning, Boston, MA, 2008.
40. D. Farmer and W. Venema, Forensic Discovery, Addison-Wesley Professional, 2005.
41. B. Nelson, Guide to Computer Forensics and Investigations, Thomson Course Technology,
Boston, MA, 2004.
42. A. L. King, L. Feng, O. Sokolsky and I. Lee, "Assuring the Safety of On-Demand Medical
Cyber-Physical Systems", 1st International Conference on Cyber-Physical Systems,
Networks and Applications, IEEE, 2013.
43. I. Lee and O. Sokolsky, "Medical Cyber Physical Systems", 47th ACM/IEEE Design
Automation Conference, IEEE, 2010.
44. P. Luckett, J. McDonald and W. Glisson, "Attack-Graph Threat Modeling Assessment of
Ambulatory Medical Devices", Proceedings of the 50th Hawaii International Conference
on System Sciences, 2017.
45. M. Van Devender, W. Glisson, M. Campbell and M. Finan, "Identifying Opportunities to
Compromise Medical Devices", 22nd Americas Conference on Information Systems, San
Diego, USA, 2016.
46. W. B. Glisson, T. Andel, T. McDonald, M. Jacobs, M. Campbell and J. Mayr,
"Compromising a Medical Mannequin", 21st Americas Conference on Information Systems,
Puerto Rico, USA, 2015.
47. J. E. R. McMillan, W. B. Glisson and M. Bromby, "Investigating the Increase in Mobile
Phone Evidence in Criminal Activities", 46th Hawaii International Conference on System
Sciences, 2013.
48. D. Barske, A. Stander and J. Jordaan, "A Digital Forensic Readiness Framework for
South African SMEs", Information Security for South Africa (ISSA), IEEE, 2010.
49. E. Casey, Digital Evidence and Computer Crime: Forensic Science, Computers, and the
Internet, Academic Press, 2011.
50. G. Grispos, W. B. Glisson, D. Bourrie and T. Storer, "Security Incident Recognition and
Reporting (SIRR): An Industrial Perspective", 23rd Americas Conference on Information
Systems, Boston, USA, 2017.