FIR -Full

Containment and Incidence classification

Containment
Containment in Incident Response

Why Containment Matters

Containment is vital before an incident causes too much harm or strains resources.

Most incidents require containment, so it's crucial to consider it early on.

It buys time to plan a proper fix and minimizes damage.

Key Decisions in Containment

Decisions like shutting down systems or disconnecting from networks are easier if
you have pre-defined strategies.

Organizations should set acceptable risk levels and create strategies accordingly.

Different types of incidents require different containment approaches.

After Containment: Eradication

Sometimes, after containment, you need to remove the incident's components (e.g.,
malware, compromised accounts).

Identify affected parts of the organization for remediation.

Not always needed or done during recovery.

Recovery Phase

Restore systems to normal operation.

Confirm that systems work as they should.

Remediate vulnerabilities to prevent future incidents.

Actions include backups, system rebuilding, patching, password changes, and

network security adjustments.

FIR -Full 1
 Phased Approach

Eradication and recovery happen in phases.

Prioritize steps for remediation.

Quick changes to boost security early, followed by long-term improvements.

Criteria for Containment

Consider factors like potential damage, loss of critical services, time/resources

needed, and containment effectiveness.

Assess if delaying containment could be more harmful.

Some threats might be better eradicated or escalated immediately.

Optimizing Containment

To have effective incident response, understand how containment fits into the
overall process.

Learn best practices and considerations for containing security incidents.

Effective containment helps prevent incidents from becoming serious threats.

Incident Classification
What is Incident Classification?

It's a way to organize incidents into categories with established criteria.

Incidents can be anything disrupting normal operations, like code errors or hardware
failures.

Each incident is categorized based on its impact and the affected areas.

Why Classify Incidents?

Helps prioritize critical incidents for a faster response.

Determines who should be notified and their roles in resolving the incident.

Ensures consistent responses, saving time and reducing confusion.

Measures the expected impact of incidents for long-term planning.

Identifies patterns in incidents to fix issues before they happen.

FIR -Full 2
 Benefits of Classification

Prioritize the most critical incidents first.

Assign roles for quicker resolution.

Consistency in responses saves time and reduces confusion.

Plan for long-term impact.

Spot patterns and prevent future incidents.

Setting Up a Classification System

Create categories based on impact and affected areas.

Establish response procedures for each category.

Example: ITIL Incident Classification

ITIL (Information Technology Infrastructure Library) uses incident classification.

Helps IT professionals manage incidents effectively.

Formulating Incident Response Plans

1. Goal of Response Strategy Formulation Phase

Determine the appropriate response strategy considering political, technical,

legal, and business factors.

Depends on objectives of the responsible group or individual.

Response strategies vary based on incident circumstances.

2. Factors to Consider in Response Strategy

Criticality of affected systems.

Sensitivity of compromised/stolen information.

Potential perpetrators.

Public knowledge of the incident.

Level of unauthorized access.

Attacker's skill.

FIR -Full 3
 System and user downtime.

Overall financial loss.

3. Tailoring Response Strategy to Incident Type

Different incidents require different responses.

Response for a virus outbreak differs from a credit card data theft.

Initial response details are crucial.

4. Response Posture Impact

Your organization's capacity to respond is influenced by technical, political,

legal, and business factors.

Response strategy aligns with the organization's response posture.

5. Considering Appropriate Responses

Response strategy should align with business objectives.

Approval by upper-level management is essential.

Quantify strategy options with pros and cons.

Factors include estimated losses, network downtime, legal obligations, public

disclosure, and intellectual property theft.

6. Taking Legal Action

Legal action may be needed for disciplinary or malicious acts.

Options: criminal referral, civil complaint, administrative reprimand.

Deciding factors for law enforcement involvement: damage/cost, likelihood of

desired outcome, established cause, documentation.

7. Formulating Incident Response Plan

An incident response plan is a structured approach to handling incidents.

It involves identifying incidents, classifying them, and responding effectively.

Key components: detection, response, recovery, communication, and

improvement.

Follow established procedures and guidelines for each incident category.

FIR -Full 4
 Regularly update and test the plan to ensure effectiveness.

Incident Recording
Incident Reporting and Recording:

Incidents can be reported in various ways: victims, witnesses, third parties,

online reports, police discovery, or referrals from other agencies.

Must be recorded on an auditable system, like an incident log or a force

crime system.

Opening codes are assigned to indicate the nature of the incident, aiding
resource prioritization.

Deciding If a Crime Should Be Recorded:

A reported incident will be recorded as a crime if it's an offense against an

identified victim, and there's no credible evidence to the contrary.

Victim statements are generally accepted unless there's credible

contradictory evidence.

Closing Incident Records:

Once a decision is made to record a crime, the incident record is often

closed to avoid duplication.

Closing codes provide a summary of what happened and may differ from
opening codes.

Important for ensuring necessary actions are completed and for

categorizing incident types.

Recording a Crime:

Determine how many crimes to record and what offenses have been
committed.

For multiple offenses involving one victim and one offender, only one crime
is recorded.

FIR -Full 5
 If multiple victims in the same incident, a crime should be recorded for each
victim.

Closing Crime Records:

Crime records remain open during investigation, evidence collection, and

suspect identification.

Closed when the crime is detected (solved), such as through cautions,

charges, or summonses.

Checking Crime Records:

Each force has a crime registrar responsible for overseeing compliance with
the crime recording process.

The registrar conducts audits and ensures staff are trained.

Senior officers, typically the deputy chief constable, oversee the force's
approach to crime recording.

Data Collection and Forensic Analysis

Data Collection:

Data collection is crucial for forensic analysis as it forms the foundation for
drawing conclusions and resolving incidents.

Special skills are required for obtaining technical evidence.

Challenges in data collection include ensuring forensically sound collection,

handling vast electronic data, and protecting data integrity (evidence
handling).

Three fundamental areas of information: host-based, network-based, and

other information.

Host-based information includes logs, records, documents, and system

backups.

Data collection methods for host-based information involve live data

collection and forensic duplication.

FIR -Full 6
 Volatile data, collected in a live response, provides a snapshot of the
system at the time of the incident.

Volatile data includes system date and time, running applications, network
connections, open sockets, and more.

Three variations of live response: initial, in-depth, and full live response.

Forensic duplication creates a mirror image of the target system, often

preferred for severe incidents or legal actions.

Network-based evidence includes data from IDS logs, monitoring logs,

wiretaps, router and firewall logs, authentication servers, and more.

Network surveillance is used to confirm suspicions, accumulate evidence,

identify co-conspirators, and determine the timeline of events.

"Other evidence" involves testimony, personnel files, interviews with

employees and witnesses, and traditional investigative techniques.

Forensic Analysis:

Forensic analysis involves reviewing all collected data, including log files,
configuration files, trust relationships, web browser history, emails, installed
applications, and graphics files.

It encompasses software analysis, examining time/date stamps, keyword

searches, and other investigative steps.

Low-level tasks involve looking for logically deleted data, such as deleted
files, slack space, or free space containing useful data fragments.

Forensic analysis requires data assembly and preparation before actual

analysis begins.

This process is especially relevant for host-based media, such as hard

drives.

Forensic analysis is a critical step in understanding how an incident

occurred and is essential for incident resolution.

Password Cracking

FIR -Full 7
 Password cracking is a technique used to discover or guess passwords for
computer or network resources. It can have both legitimate and malicious
purposes, such as recovering forgotten passwords or gaining unauthorized
access to systems. Here are some key points about password cracking based
on the provided text:

1. Brute Force Attack: This method involves trying every possible

combination of characters until the correct password is found. It can be
time-consuming and resource-intensive, especially for complex passwords.

2. Dictionary Search: In a dictionary attack, the attacker uses a list of

common words or phrases to guess the password. These dictionaries can
be specialized, focusing on specific topics or combinations of words to
increase the chances of success.

3. Phishing: Phishing is a social engineering technique where attackers trick

users into revealing their passwords or other sensitive information. It often
involves deceptive emails or websites that appear legitimate but are
designed to steal login credentials.

4. Malware: Malware, such as keyloggers and screen scrapers, can capture

user keystrokes or screenshots without their knowledge. This information
can then be used to obtain passwords and other sensitive data.

5. Rainbow Attack: Rainbow table attacks use precomputed tables of

password hashes to quickly crack passwords. These tables contain a list of
previously cracked or leaked passwords, making the cracking process more
efficient.

6. Guessing: Attackers may attempt to guess a password based on available

information about the victim, such as personal details or common password
choices. This method is effective if the attacker has relevant information or if
the victim uses a weak or easily guessable password.

To create stronger passwords and enhance security:

1. Length Matters: Use passwords with a minimum of 12 characters; longer

passwords are harder to crack.

2. Diverse Characters: Combine letters, numbers, and special characters to

increase complexity.

FIR -Full 8
 3. No Reuse: Avoid using the same password for multiple accounts to prevent
unauthorized access if one is compromised.

4. Strength Indicators: Pay attention to password strength meters provided

by some systems to ensure your password is strong.

5. Avoid Predictable Choices: Steer clear of easily guessed information like

names, birthdays, or common passwords (e.g., "password" or "123456").

6. Encrypt Stored Passwords: Ensure that stored passwords in databases

are encrypted for added security.

Windows Forensics
Windows Forensics Overview:
Windows forensics is a branch of computer forensics that focuses on analyzing
Windows operating systems to identify traces or evidence of activities related to
criminal offenses. It plays a crucial role in modern criminal investigations as
many criminal activities have links to computing environments or involve the use
of computers. Windows forensics involves the systematic analysis of various
aspects of a Windows system to draw evidential conclusions in criminal cases.

Key Areas of Windows Forensics:

1. Volatile Information: This category includes data that can disappear or be

easily modified when the system is powered off. It includes information such
as system time, logged users, open files, network information, and mapped
shared folders. Tools like Doskey, Uptime2.exe, PsLoggedon, Netsessions,
and NetStat are used to gather this information.

2. Non-Volatile Information: Non-volatile data remains on secondary storage

devices and persists even after the power is turned off. This category
encompasses file systems, registry settings, logs, devices, slack space,
swap files, indexes, and partitions. Non-volatile information is collected after
seizing the system and includes data that is less perishable. Tools like 'dir
/o:d,' 'regedit,' and 'reg' are used to access and analyze non-volatile
information.

FIR -Full 9
 3. Windows Memory Analysis: Windows memory analysis involves
examining memory dumps and analyzing them for evidence. This can
provide insights into running processes, executable file paths, commands
used, timestamps, and loaded modules. Tools like Tlist, Tasklist, Pslist, and
ListDlls are employed for memory analysis.

4. Caches, Cookies, and History Analysis: Analyzing caches, cookies, and

browsing history in web browsers can reveal valuable information about a
user's online activities. These artifacts can be found in various web
browsers and may provide evidence relevant to an investigation.

5. Other Aspects: This category encompasses various other elements of a

Windows system that may contain evidence, including recycle bins,
documents, shortcut files, graphics files, and executable files.

6. 6.Registry Information: The Windows registry holds critical information

that can impact forensic analysis and investigations. Important registry keys
include 'RunMRU' (storing recently typed commands from the Run window),
'Startup objects' (apps that start automatically on Windows startup), 'Last
accessed key,' 'Addresses in Internet Explorer,' and 'Last saved directory in
Internet Explorer.'

Removable and Optical Storage Media

Removable Storage:

Removable storage refers to external media devices that computers use for data
storage and are often known as Removable Disk drives or External Drives. These
devices can be removed or ejected from a running computer, making it convenient to
transfer data between different systems.
Benefits of Removable Storage:

One key advantage of removable disks is their ability to provide fast data transfer rates,
similar to those found in storage area networks (SANs).

Types of Removable Storage:

FIR -Full 10
 1. Optical Discs (CDs, DVDs, Blu-ray Discs): Optical discs store data using a laser
beam to create a spiral pattern of pits and ridges, representing binary 0s and 1s.
They include:

Compact Disc (CD): Holds around 650 to 700 megabytes of data and requires
a CD drive for reading.

DVD (Digital Versatile Disc): Offers more than six times the capacity of a CD,
typically storing 4.7 GB to 17 GB of data.

Blu-ray Disc: A high-definition optical storage medium, capable of holding up to

27 GB on a single layer and up to 54 GB on a dual layer.

2. Memory Cards: These small, portable storage devices are commonly used in
cameras, smartphones, and other devices to store various types of data.

3. Floppy Disks: Once widely used but now outdated, floppy disks are flexible disks
with a magnetic coating that could store up to 1.44 MB of data.

4. Magnetic Tapes: Magnetic tape is coated with a magnetic layer and is used for
long-term data storage and backup purposes.

5. Disk Packs: Disk packs consist of multiple disks enclosed in a single unit, often
used in older computer systems.

6. Paper Storage (Punched Tapes, Punched Cards): Historically, data was stored
on paper in the form of punched tapes or punched cards, with holes representing
binary data.

Optical Storage Media:

Optical storage media use laser beams to read and write data, storing it as a spiral
pattern of pits and ridges denoting binary 0s and 1s. Examples include:

Compact Disc (CD): Holds around 650 to 700 MB of data and is commonly used
for audio and data storage.

DVD (Digital Versatile Disc): Offers higher capacity than CDs, typically holding 4.7
GB to 17 GB of data.

Blu-ray Disc: A high-definition optical medium that can store up to 27 GB on a

single layer and up to 54 GB on a dual layer, using a blue laser for reading and
writing.

FIR -Full 11
 Network Forensics
Network Forensics:

Network forensics is a specialized field within digital forensics that focuses on

investigating and analyzing network activities to uncover evidence related to
cybercrimes and security incidents. Here are some key points about network forensics:
Definition: Network forensics involves examining a network and its traffic to identify and
investigate suspicious or malicious activities. It enables the retrieval of various forms of
data such as messages, file transfers, emails, and web browsing history, reconstructing
the original transactions for analysis.

Processes in Network Forensics:

1. Identification: Investigators pinpoint and evaluate incidents by analyzing network

indicators.

2. Safeguarding: Data is preserved and secured to prevent tampering.

3. Accumulation: Detailed reports of the crime scene are documented, and digital
evidence is duplicated.

4. Observation: All visible data, along with metadata, is tracked.

5. Investigation: Investigators draw conclusions from collected evidence.

6. Documentation: All evidence, reports, and conclusions are documented and

presented in court if necessary.

Challenges in Network Forensics:

Data Management: Managing the vast amount of data generated during network
forensic analysis can be challenging.

IP Anonymity: The intrinsic anonymity of IP addresses can make it difficult to trace

malicious activities back to their source.

Address Spoofing: Attackers may use address spoofing techniques to hide their
identity and location.

Advantages of Network Forensics:

Security Threat Identification: Network forensics helps identify security threats

and vulnerabilities.

FIR -Full 12
 Performance Monitoring: It analyzes and monitors network performance
requirements.

Reduced Downtime: Network forensics can help reduce downtime by detecting

and addressing issues promptly.

Resource Optimization: It allows for better utilization of network resources through

reporting and planning.

Evidence Discovery: Network forensics conducts a detailed search for traces of

evidence left on the network.

Disadvantages of Network Forensics:

Complex Implementation: Implementing network forensics can be challenging due

to its technical complexity and the need for specialized tools and expertise.

Network Forensic Tools:

Several tools are used in network forensics to assist in the investigation and analysis of
network traffic. Some examples include:

Acunetix Web Vulnerability Scanner: A commercial web application security

testing solution that includes a web vulnerability scanner.

Aircrack-ng: An open-source suite of tools for assessing WiFi network security.

AirPcap/Riverbed AirPcap: A USB-based adapter for capturing 802.11 wireless

traffic, compatible with Windows.

Angry IP Scanner: A free and open-source network scanner used for scanning IP
addresses and ports, with results exportable in various formats.

Mobile Forensics
Mobile Forensics:

Mobile forensics is a specialized field within digital forensics that focuses on retrieving
and analyzing data from electronic sources, particularly mobile devices like
smartphones and tablets. It plays a crucial role in investigating a wide range of cases,
from corporate fraud to criminal activities, and has various processes and tools
associated with it. Here are some key points about mobile forensics:

FIR -Full 13
 Uses of Mobile Forensics:

Military: Mobile devices are used for gathering intelligence during military
operations or counterterrorism efforts.

Corporate Security: Businesses may employ mobile forensics to investigate cases

of intellectual property theft or employee fraud.

Employee Monitoring: Companies sometimes monitor employees' personal usage

of business devices to uncover evidence of illegal activities.

Law Enforcement: Law enforcement agencies utilize mobile forensics for electronic
discovery in cases ranging from identity theft to homicide.

Process of Mobile Device Forensics:

1. Seizure and Isolation: Mobile devices are seized and isolated to preserve the
evidence properly. Challenges include dealing with lock activation and
network/cellular connectivity.

2. Identification: This step involves unlocking the mobile device, often with a PIN,
password, pattern, or biometrics. Encryption may also be encountered, adding
complexity to accessing data.

3. Acquisition: Controlling data on mobile devices is challenging as data can move,

including synchronization across devices and cloud services like iCloud or
OneDrive.

4. Examination and Analysis: Mobile device data is examined and analyzed for
evidence, which can include call history, contacts, messages, multimedia content,
browsing history, documents, and more.

5. Reporting: Forensic reporting documents the entire process of evidence collection,

tracking, analysis, and safeguarding for legal purposes.

Information That Can Be Retrieved from Mobile Devices:

Mobile forensics can extract a wide range of data from mobile devices, including call
history, contacts, messages, multimedia content, browsing history, documents,
passwords, geolocation data, user dictionary content, data from various apps, system
files, and even deleted data.

Mobile Forensics - Tool Classification Pyramid:

FIR -Full 14
 Manual Extraction: Involves analyzing data on an unlocked device by opening
apps and examining content.

Logical Extraction: Copying files from the target mobile device to another for
examination, providing a structured view of data.

Hex Dumping / JTAG: A method using the debug interface of mobile devices to
extract raw data, which requires further processing.

Chip-Off: This involves attaching the memory chips of the target device to
specialized hardware to extract data directly from the chips.

Micro Read: A highly technical process that involves examining memory chips
using powerful microscopes. It's not commonly used due to its complexity.

2 Marks
1. Incident Documentation:

Incident documentation is the process of recording all relevant details and

information related to a security incident. It serves as a crucial step in incident
response and forensic investigations.

Documentation includes facts, actions taken, timelines, affected systems,

individuals involved, and any evidence collected.

Proper incident documentation aids in understanding the incident's scope,

assists in legal proceedings, and helps prevent future incidents.

2. Evidence Protection and Detection (Public vs. Private):

Evidence protection is the safeguarding of digital evidence to ensure its

integrity, authenticity, and admissibility in legal proceedings.

Public evidence refers to information or data that is publicly accessible and not
protected by privacy laws.

Private evidence pertains to data subject to privacy laws and regulations, such
as personal information, which requires special handling and protection.

FIR -Full 15
 3. Steganography:

Steganography is a technique of hiding information within other data in a way

that is not easily detectable. It conceals the existence of a message.

Common methods involve embedding data within image or audio files, making it
hard to discern without specific tools.

4. Incident Response Process and Handling:

Incident response involves detecting, mitigating, and recovering from security

incidents.

Key steps include preparation, identification, containment, eradication, recovery,

and lessons learned (post-incident analysis).

5. Collecting Network-Based Evidence:

Network-based evidence is collected from network traffic and devices. Methods

include:

Packet capture: Collecting data packets for analysis.

Network logs: Examining logs from routers, firewalls, and other network
devices.

Intrusion detection systems: Analyzing alerts and logs generated by

IDS/IPS systems.

6. Types of Incident Security Levels:

Incident security levels categorize incidents based on their severity. Common

levels include:

Low: Minor incidents with minimal impact.

Medium: Incidents with moderate consequences.

High: Serious incidents with significant impact on operations or security.

7. Types of Forensic Images:

Forensic images are copies of digital data for analysis. Types include:

Disk images: Complete copies of a storage device.

Memory images: Snapshots of RAM contents.

FIR -Full 16
 File system images: Copies of specific file systems or directories.

8. Requirements for Forensic Image:

Requirements include creating a bit-for-bit copy, verifying the image's integrity,

documenting the process, and ensuring proper chain of custody.

9. Examples of File Systems:

File systems organize and manage data on storage devices. Examples include
NTFS (Windows), ext4 (Linux), and HFS+ (macOS).

10. Importance of Network Packet Analysis:

Network packet analysis is crucial for monitoring, troubleshooting, and

identifying security incidents.

It helps in detecting anomalies, understanding network traffic patterns, and

investigating suspicious activities.

11. EnCase and FTK:

EnCase and FTK (Forensic Toolkit) are popular digital forensic software tools
used for acquiring, analyzing, and preserving digital evidence during
investigations.

12. Eradication:

Eradication is the process of completely removing or neutralizing a security

threat or vulnerability to prevent it from causing further harm.

13. Email Tracking:

Email tracking involves monitoring the delivery and interaction with email
messages, such as tracking when an email is opened or links are clicked.

14. Hard Disk:

A hard disk is a non-volatile storage device used for storing and retrieving digital
data on a magnetic platter.

15. Incident Damage:

Incident damage refers to the negative consequences and impact on an

organization resulting from a security incident, including financial, reputational,
and operational damage.

FIR -Full 17
FIR -Full 18