Professional Documents
Culture Documents
Containment is vital before an incident causes too much harm or strains resources.
Decisions like shutting down systems or disconnecting from networks are easier if
you have pre-defined strategies.
Organizations should set acceptable risk levels and create strategies accordingly.
Sometimes, after containment, you need to remove the incident's components (e.g.,
malware, compromised accounts).
Recovery Phase
FIR -Full 1
Phased Approach
Optimizing Containment
To have effective incident response, understand how containment fits into the
overall process.
Incident Classification
What is Incident Classification?
Incidents can be anything disrupting normal operations, like code errors or hardware
failures.
Each incident is categorized based on its impact and the affected areas.
Determines who should be notified and their roles in resolving the incident.
FIR -Full 2
Benefits of Classification
Potential perpetrators.
Attacker's skill.
FIR -Full 3
System and user downtime.
Response for a virus outbreak differs from a credit card data theft.
FIR -Full 4
Regularly update and test the plan to ensure effectiveness.
Incident Recording
Incident Reporting and Recording:
Opening codes are assigned to indicate the nature of the incident, aiding
resource prioritization.
Closing codes provide a summary of what happened and may differ from
opening codes.
Recording a Crime:
Determine how many crimes to record and what offenses have been
committed.
For multiple offenses involving one victim and one offender, only one crime
is recorded.
FIR -Full 5
If multiple victims in the same incident, a crime should be recorded for each
victim.
Each force has a crime registrar responsible for overseeing compliance with
the crime recording process.
Senior officers, typically the deputy chief constable, oversee the force's
approach to crime recording.
Data collection is crucial for forensic analysis as it forms the foundation for
drawing conclusions and resolving incidents.
FIR -Full 6
Volatile data, collected in a live response, provides a snapshot of the
system at the time of the incident.
Volatile data includes system date and time, running applications, network
connections, open sockets, and more.
Three variations of live response: initial, in-depth, and full live response.
Forensic Analysis:
Forensic analysis involves reviewing all collected data, including log files,
configuration files, trust relationships, web browser history, emails, installed
applications, and graphics files.
Low-level tasks involve looking for logically deleted data, such as deleted
files, slack space, or free space containing useful data fragments.
Password Cracking
FIR -Full 7
Password cracking is a technique used to discover or guess passwords for
computer or network resources. It can have both legitimate and malicious
purposes, such as recovering forgotten passwords or gaining unauthorized
access to systems. Here are some key points about password cracking based
on the provided text:
FIR -Full 8
3. No Reuse: Avoid using the same password for multiple accounts to prevent
unauthorized access if one is compromised.
Windows Forensics
Windows Forensics Overview:
Windows forensics is a branch of computer forensics that focuses on analyzing
Windows operating systems to identify traces or evidence of activities related to
criminal offenses. It plays a crucial role in modern criminal investigations as
many criminal activities have links to computing environments or involve the use
of computers. Windows forensics involves the systematic analysis of various
aspects of a Windows system to draw evidential conclusions in criminal cases.
FIR -Full 9
3. Windows Memory Analysis: Windows memory analysis involves
examining memory dumps and analyzing them for evidence. This can
provide insights into running processes, executable file paths, commands
used, timestamps, and loaded modules. Tools like Tlist, Tasklist, Pslist, and
ListDlls are employed for memory analysis.
Removable storage refers to external media devices that computers use for data
storage and are often known as Removable Disk drives or External Drives. These
devices can be removed or ejected from a running computer, making it convenient to
transfer data between different systems.
Benefits of Removable Storage:
One key advantage of removable disks is their ability to provide fast data transfer rates,
similar to those found in storage area networks (SANs).
FIR -Full 10
1. Optical Discs (CDs, DVDs, Blu-ray Discs): Optical discs store data using a laser
beam to create a spiral pattern of pits and ridges, representing binary 0s and 1s.
They include:
Compact Disc (CD): Holds around 650 to 700 megabytes of data and requires
a CD drive for reading.
DVD (Digital Versatile Disc): Offers more than six times the capacity of a CD,
typically storing 4.7 GB to 17 GB of data.
2. Memory Cards: These small, portable storage devices are commonly used in
cameras, smartphones, and other devices to store various types of data.
3. Floppy Disks: Once widely used but now outdated, floppy disks are flexible disks
with a magnetic coating that could store up to 1.44 MB of data.
4. Magnetic Tapes: Magnetic tape is coated with a magnetic layer and is used for
long-term data storage and backup purposes.
5. Disk Packs: Disk packs consist of multiple disks enclosed in a single unit, often
used in older computer systems.
6. Paper Storage (Punched Tapes, Punched Cards): Historically, data was stored
on paper in the form of punched tapes or punched cards, with holes representing
binary data.
Compact Disc (CD): Holds around 650 to 700 MB of data and is commonly used
for audio and data storage.
DVD (Digital Versatile Disc): Offers higher capacity than CDs, typically holding 4.7
GB to 17 GB of data.
FIR -Full 11
Network Forensics
Network Forensics:
3. Accumulation: Detailed reports of the crime scene are documented, and digital
evidence is duplicated.
Data Management: Managing the vast amount of data generated during network
forensic analysis can be challenging.
Address Spoofing: Attackers may use address spoofing techniques to hide their
identity and location.
FIR -Full 12
Performance Monitoring: It analyzes and monitors network performance
requirements.
Angry IP Scanner: A free and open-source network scanner used for scanning IP
addresses and ports, with results exportable in various formats.
Mobile Forensics
Mobile Forensics:
Mobile forensics is a specialized field within digital forensics that focuses on retrieving
and analyzing data from electronic sources, particularly mobile devices like
smartphones and tablets. It plays a crucial role in investigating a wide range of cases,
from corporate fraud to criminal activities, and has various processes and tools
associated with it. Here are some key points about mobile forensics:
FIR -Full 13
Uses of Mobile Forensics:
Military: Mobile devices are used for gathering intelligence during military
operations or counterterrorism efforts.
Law Enforcement: Law enforcement agencies utilize mobile forensics for electronic
discovery in cases ranging from identity theft to homicide.
1. Seizure and Isolation: Mobile devices are seized and isolated to preserve the
evidence properly. Challenges include dealing with lock activation and
network/cellular connectivity.
2. Identification: This step involves unlocking the mobile device, often with a PIN,
password, pattern, or biometrics. Encryption may also be encountered, adding
complexity to accessing data.
4. Examination and Analysis: Mobile device data is examined and analyzed for
evidence, which can include call history, contacts, messages, multimedia content,
browsing history, documents, and more.
Mobile forensics can extract a wide range of data from mobile devices, including call
history, contacts, messages, multimedia content, browsing history, documents,
passwords, geolocation data, user dictionary content, data from various apps, system
files, and even deleted data.
FIR -Full 14
Manual Extraction: Involves analyzing data on an unlocked device by opening
apps and examining content.
Logical Extraction: Copying files from the target mobile device to another for
examination, providing a structured view of data.
Hex Dumping / JTAG: A method using the debug interface of mobile devices to
extract raw data, which requires further processing.
Chip-Off: This involves attaching the memory chips of the target device to
specialized hardware to extract data directly from the chips.
Micro Read: A highly technical process that involves examining memory chips
using powerful microscopes. It's not commonly used due to its complexity.
2 Marks
1. Incident Documentation:
Public evidence refers to information or data that is publicly accessible and not
protected by privacy laws.
Private evidence pertains to data subject to privacy laws and regulations, such
as personal information, which requires special handling and protection.
FIR -Full 15
3. Steganography:
Common methods involve embedding data within image or audio files, making it
hard to discern without specific tools.
Network logs: Examining logs from routers, firewalls, and other network
devices.
Forensic images are copies of digital data for analysis. Types include:
FIR -Full 16
File system images: Copies of specific file systems or directories.
File systems organize and manage data on storage devices. Examples include
NTFS (Windows), ext4 (Linux), and HFS+ (macOS).
EnCase and FTK (Forensic Toolkit) are popular digital forensic software tools
used for acquiring, analyzing, and preserving digital evidence during
investigations.
12. Eradication:
Email tracking involves monitoring the delivery and interaction with email
messages, such as tracking when an email is opened or links are clicked.
A hard disk is a non-volatile storage device used for storing and retrieving digital
data on a magnetic platter.
FIR -Full 17
FIR -Full 18