Incident Response Lifecycle and Digital Forensic Investigation

Verified

Added on 2020/03/16

AI Summary

This report provides a comprehensive overview of the incident response lifecycle and digital forensics, emphasizing the critical role of these disciplines in addressing computer cybercrime and data breaches. It details the incident response methodology, particularly the NIST 800-61r2 standard, outlining policy, plan, and procedure elements. The report explores the four phases of incident response: preparation, detection and analysis, containment, eradication, and recovery, and post-incident activity. It highlights the importance of coordination and information sharing, including techniques for granular information sharing and comparison with SANS PICERL. Additionally, the report discusses the impact of the FBI's digital forensics investigation approach and concludes with recommendations for effective incident handling. The executive summary highlights the challenges faced by organizations in preparing for unexpected incidents and the need for specialized incident response teams. The report covers various aspects of computer forensics, including data extraction, analysis, and the use of scientifically derived methods for evidence collection and interpretation.

COMPUTER FORENSIC
INCIDENT RESPONSE LIFECYCLE AND DIGITAL FORENSIC

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

PM
Contents
INCIDENT RESPONSE LIFECYCLE AND DIGITAL FORENSIC................................5
INTRODUCTION...............................................................................................................7
COMPUTER FORENSICS.................................................................................................7
Digital Forensic Methodology.....................................................................................................8
Incident........................................................................................................................8
Event............................................................................................................................8
Incident Response........................................................................................................9
Benefits........................................................................................................................9
INCIDENT RESPONSE METHODOLOGY...................................................................10
NIST 800 -61r2..................................................................................................................10
Policy Elements.........................................................................................................................11
Plan Elements............................................................................................................................11
Procedure Elements...................................................................................................................12
Information Share with External Partners.................................................................................12
Structure of Incident Response Team........................................................................................13
PHASES....................................................................................................................................14
PREPARATION.........................................................................................................15
DETECTION AND ANALYSIS...............................................................................16
CONTAINMENT, ERADICATION AND RECOVERY..........................................21
POST-INCIDENT ACTIVITY..................................................................................23

PM
Checklist of Incident Handling..................................................................................26
Recommendations......................................................................................................27
COORDINATION AND SHARING OF INFORMATION.....................................................28
Coordination..............................................................................................................28
Techniques for Information Sharing..........................................................................29
Granular Information Sharing....................................................................................30
COMPARISON WITH SANS PICERL............................................................................30
Similarities.................................................................................................................................30
Differences.................................................................................................................................30
IMPACT OF FBI DIGITAL FORENSICS INVESTIGATION APPROACH..................31
CONCLUSION..................................................................................................................33
REFERENCES..................................................................................................................34

PM
INCIDENT RESPONSE LIFECYCLE AND DIGITAL FORENSIC

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

PM
EXECUTIVE SUMMARY
Computer cyber crime and data breach are some of the most important and greatest
challenges faced by almost every organizations that has major online presence. Hence the
information technology professionals in every medium to large organizations have been facing
the challenges in planning and preparing for unexpected incidents, occurred apart from setting
hardest security walls to the web servers of their businesses. Incidents, which are violation of
law, policy or unacceptable act, involving networks, computer, Smartphone, etc. are biggest
threats for every organization today, throughout the world. The threat is because, the incident to
be handled takes very long time and demands special incident response team to work full time
till the issue is completely resolved. And every minute of the incident response lifecycle, the
organization have to experience losses, as each and every task and activity of business would be
paused during this time.

PM
INTRODUCTION
Digital forensics is forensic science branch works related to computer crime. The branch
deals with investigation of digital and performs recovery or correction made, in the digital
devices. Digital forensics is a young forensic science, relatively. Digital forensic has been
advancing in multi-dimensions, technically, legally and in terms of complexity as the complexity
and size of the incidents or computer crimes have been drastically increasing throughout the
world. There are many approaches developed to conduct the investigation and recover the data,
followed by increasing the security levels of the individual systems and the systems networked in
large numbers. Each of the models and approaches has its own logical process and procedure to
conduct the investigation and recovery, though many of them follow common phases[1].
The commencement and advancement of the computer security digital forensic
approaches and models have been started from 1980s, where, the concept of computer crime was
started, with the initiation of the FBI.
COMPUTER FORENSICS
Computer forensic is younger than the other forensic sciences. Computer forensic process
involves data extraction, followed by data analysis. The process can be simplified by a flowchart
that can describe the methodology for digital forensic analysis [2]. Computer forensics can be
defined as the usage of the methods that are digital evidences derived from the digital sources
and are scientifically derived and proven, toward the digital evidence collection, preservation,

PM
validation, identification, interpretation, analysis, documentation and presentation. The objective
is facilitation or events reconstruction furthering that is found to be criminal.
Computer forensics makes use of the methods and tools that are scientifically verified
and it still involves various elements like interpretation, judgement and ability.
Digital Forensic Methodology
Computer forensics have teh following key elements, shown in the following flowchart
figure.
Figure: Computer forensic process
The process is the basic and primary for the forensic team and the forensic examiner and
prosecutor have to communicate and decide each other the extent of process completed by far
and how many times they should iterate the process.
Incident
An incident is an imminent or violation threat of computer security privacy violence and
standard security practices violation [3]. For example, an attacker may instruct a botnet for
connection requests to the web server, in higher volume that may result in crashing the server.
Event
An event is an occurrence that is observed in a network or system. For example, an event
can be a request received by the server for a web page, sending a mail by a user, etc. In context to
teh computer forensics, an event is usually an adverse event would have negative consequence,
like crash of a system or server or unauthorized access to the secured data, etc.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

PM
Incident Response
Attacks usually end up in personal or business data compromise and it demands
immediate and quick critical response, after the occurrence of the security breach. Hence, the
computer security incident response became implemented and accepted widely. Incident
response has the capability supporting systematically respond to the incidents, such as following
a methodology of consistent incident handling, towards responding with appropriate actions [4].
Benefits
Incident response support the organizations and individuals to minimize the information
theft or loss and services disruption, resulted from the incidents. It has the ability to utilize the
information extracted from the incident handling towards better preparation to handle any
possible future incidents and enable stronger system and data protection. The capability of the
incident response helps to deal with the legal issues that arise from the incidents, properly.
Incident response capability is also needed for the federal agencies and departments to
comply with the laws and regulations and policy to direct coordination and effective defense
against the threats to the information security.

PM
Figure: Communicating with External Parties
INCIDENT RESPONSE METHODOLOGY
Incident response methodology has been designed and developed by considering various
aspects of policy, plan and procedure creation.
NIST 800 -61r2
NIST SP 800 – 61 Revision 2 is a standard and potential incident response methodology.
It has been developed by NIST (National Institute of Standards and Technology), which develops
the guidelines and standards that include the basic and minimum requirements to provide enough
security for ifnoramtion, for all assets and operations of agency [15].

PM
NIST is developed for providing effective CSIRC (Computer Security Incident Response
Capability) to the medium to large scale industries and organizations. The methodology provides
clues to the organization to decide the provisions needed for the incident response team and
respective srtreucture and models of the etam to provide their services. It helps in reflecting the
plans, policies and procedures of the interactions among the teams.
Policy Elements
The NIST SP 800-61r2 methodology enables the individuals and organizations to include
the key policy elements, most commonly as the following.
- Policy purpose and objectives
- Management commitment statement
- Policy scope
- Computer security incidents definitions including related terms
- Various responsibilities, roles and levels for various authorities, according to
organizational structure, including incident response team authority to monitor, confiscate
or disconnect activity
- Types of incidents, guidelines and requirements for external information sharing and
communication and escalation and handoff points, in the process of incident management
- Incidents severity or prioritization ratings
- Contact and reporting forms
- Performance measures
Plan Elements
The methodology allows the organization to define the following plan elements.
- Approach for responding to various incidents, in a focused, formal and coordinated ways
and incident response plan
- Unique plans according to the organization’s missions and visions
- A detailed plan element for organizations involve
o Strategies and goals
o Mission
o Approach to incident response
o Approval of senior managmenet

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

PM
o Communication between incident response team and the remaining organization
and other organizations as well
o Necessary metrics for incident response capacity of incident response and its
effectiveness
o Incident response capability roadmap
Procedure Elements
The methodology allows the organizations to develop standard operating procedures, for
specific techniques, processes, forms and checklists used by the team, according to the
organization’s priorities, reflecting in the response operations [14]. They help minimizing the
errors, caused from the situations of stressful incident handling. The methodology helps testing
the SOPs, in terms of accuracy, usefulness of them, before distributing to the members of the
team.
Information Share with External Partners
The methodology helps in sharing the ifnoramtion, like contacting law enforcement,
seeking external enterprise and fielding media enquiries. Other important outside party is internet
service providers, other teams of incident response and vulnerable software vendor, etc.
1. Media
The methodology helps establishing the procdures for media communications, complying
with the policies of organization on information disclosure and media interaction, through
one backup contact and single point of contact.
2. Law Enforcement
The incident response team can use the methodology to maintain the data about the law
enforcement, locally and state and nation level and to enable contacting and
communicating with the respective agencies.
3. Incident Reporting Organizations

PM
The team would be able to share information with the incident reporting organizations,
such as US-CERT (United States Computer Emergency Readiness Team), as a part fo
incident handling efforts. The agency designates both primary and secondary point of
contact with US-CERT and all incidents reports, in consistant with their incident response
policy.
4. Other outside parties include attacking addresses’ owners, ISP of organization, software
vendors, affected external parties and other teams for incident response.
Structure of Incident Response Team
The methodology enables the incident handlers of the organizations to analyze the
incident data and incident impact determination and appropriately act, towards minimizing the
damage and regularize the services by restoring back.
The methodology allows the following possible structures.
1. Team models can be made the possible structures, like central incident response team,
distributed, coordinating teams, with three different staffing models, like employees,
partially and fully outsourced.
2. Team model selection can be made with the factors, such as,
a. 24/7 availability need
b. Full Vs. Part time team members
c. Employee morale
d. Staff expertise
e. Cost
Outsourcing organizations can also consider the factors, like responsibilities division,
quality of work in current and future, sensitive information shared with the contractor,
lack of knowledge that is specific to the organization, maintenance of in-house incident
response skills, incidents handling at multiple locations and lack of correlation.
3. Incident Response Personnel, such as managers, technical leads can make use of the
methodology and be part of the incident response team.