
Incident Response and Handling Procedures Checklists

(Columns: No. | Activity | Detail | Status | Notes. The Status and Notes columns are blank, to be filled in by the incident handler.)

1 Determine appropriate response
• Identify the problem
• Initially, assess the situation to determine current status (e.g., Did an incident occur? Is it over? Is it still spreading?)
• Determine if criminal in nature; if so, contact law enforcement; otherwise dispatch the response handler to the scene to preserve evidence
• Determine if keystroke monitoring is required

2 Collect and safeguard the information
• Ensure that audits are turned on (they should already be on) and that they cover the entire period during which the file was accessible
• Obtain the most volatile evidence, including human testimony
• Record everything: annotate dates/times, actions taken, interviews/contacts, extent of problem, etc.
• Log the information in a medium that maintains the integrity of the investigation (i.e., a bound legal notebook, in which a missing page would be apparent, written in ink rather than pencil)

3 Contain the situation. At this point, the threat (e.g., malicious code) has occurred.
• Determine if the system/network must be shut down or taken offline
• Estimate the impact to operations if the system/network is taken offline
• Determine the best course of action to minimize downtime
• Follow procedures for an appropriate, measured response for isolation

4 Assemble the incident management team
• Ensure that everyone recognizes only one team leader/coordinator
• Estimate the level of effort involved
• Determine if additional expertise outside of the team’s skills is required
• Agree on a best course of action
• Ensure management approval and support

5 Create evidence disk(s) and printouts
• Find the evidence; employ active and passive techniques to determine the full extent of the problem; if e-mail is involved, ensure that all envelope/header information is included
• Determine what evidence is relevant to the case at hand
• Collect evidence in order of volatility, working from the most volatile to the least volatile (i.e., registers, cache, operating system tables, kernel statistics and modules, main memory, temporary files, router configuration)
• Copy the evidence to two compact disks: one to be safeguarded as part of the legal chain of custody and the second to be used in the investigation (use CD-R rather than CD-RW media so that the copies cannot be modified)
• Manage the evidence chain of custody

6 Eradicate/clean up/recover
• Assess the damage
• Ensure that the latest virus signature files are installed and the system is inoculated
• Search for all instances; check backup/archived files, shadow/mirrored files, search engines, caching proxies, and metadata for instances of the offending file/information; don’t forget to check wastebaskets
• Notify users prior to fully restoring system/network operations
• Restore the system/network to a secure operational state

7 Prepare preliminary status report for management and other authorities
• Analyze the forensic evidence to reconstruct the events and determine cause, time, place, etc.
• Estimate damage and costs
• Obtain an information damage assessment from the data owner(s)

8 Document and report all activity
• Create memos recording daily status to keep interested parties “in the loop”
• Report the incident to cognizant authorities (e.g., management, data owners, accreditation authorities, law enforcement, Computer Emergency Response Team)

9 Lessons learned: make appropriate process improvements to prevent similar incidents
• Analyze the causes of the incident (remember that it is usually a combination of factors)
• Determine whether policies and procedures need to be modified to prevent recurrence
• Determine whether additional training is required
• Determine whether administrative actions are warranted
• Follow up to ensure corrective actions are implemented
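Step 2's "log the information in a medium that maintains the integrity of the investigation" and step 5's "manage the evidence chain of custody" both come down to keeping a tamper-evident record. The following Python script is an added example, not part of the original checklist: each custody entry records the SHA-256 of the evidence item and a hash over the previous entry, so an edited, removed or reordered entry, or an evidence copy that no longer matches its recorded hash, fails verification. All item names, handler names and evidence bytes are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of one evidence item (a disk image, log export, etc.)."""
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Digest of one custody entry; canonical JSON keeps the hash stable."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log: list, item: str, evidence: bytes, action: str,
                      handler: str, when: Optional[str] = None) -> dict:
    """Append a hash-chained entry; each entry commits to the one before it."""
    prev = entry_digest(log[-1]) if log else "0" * 64
    entry = {
        "seq": len(log) + 1,
        "time": when or datetime.now(timezone.utc).isoformat(),
        "item": item,
        "evidence_sha256": sha256_bytes(evidence),
        "action": action,
        "handler": handler,
        "prev_entry_sha256": prev,
    }
    log.append(entry)
    return entry

def verify_custody_log(log: list, evidence_by_item: dict) -> bool:
    """True only if the chain is intact and every item still hashes as recorded."""
    prev = "0" * 64
    for i, entry in enumerate(log, start=1):
        if entry["seq"] != i or entry["prev_entry_sha256"] != prev:
            return False  # an entry was removed, reordered or edited
        data = evidence_by_item.get(entry["item"])
        if data is None or sha256_bytes(data) != entry["evidence_sha256"]:
            return False  # the evidence copy no longer matches its recorded hash
        prev = entry_digest(entry)
    return True

if __name__ == "__main__":
    # Constructed sample: a memory image acquired, then sealed to CD-R copy 1.
    custody, mem = [], b"constructed memory image bytes"
    add_custody_entry(custody, "memdump-01.raw", mem, "acquired", "handler A")
    add_custody_entry(custody, "memdump-01.raw", mem, "sealed copy 1 (CD-R, legal)", "handler B")
    print("chain intact:", verify_custody_log(custody, {"memdump-01.raw": mem}))
```

The JSON entries are what you would print for the bound notebook; the hash chain makes the printed and electronic records cross-checkable.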
