Introduction To The Incident Response

The incident response process is well known and well understood in the information security community. The forensics process consists of several important steps that follow a repeatable, common practice, using a chain of custody that will stand up to legal scrutiny. These steps apply to both traditional forensics and network forensics, so it is important to understand them. The four primary steps in the forensic process are as follows:

  • PREPARATION

In this step, the investigator establishes that the evidence to be gathered is relevant, is available, and has value to the investigation, either as part of the compromised system or as part of the suspected criminal activity.

  • ACQUIRING THE EVIDENCE

In this step, the investigator makes copies of logs, disks, reports, and access logs as needed to support or refute the suspected criminal activity, and provides authenticated copies of the full logs to the requesting attorneys or law enforcement as needed.

  • ANALYZING THE DATA FOR THE EVIDENCE

In this step, the data that was gathered is reviewed to determine whether a crime was committed and whether there is enough viable evidence that will stand up in court in the event of legal proceedings.

  • DOCUMENTATION

In this step, the findings are documented so that the results can be presented to management or to a court of law without being rejected because the data is suspect.
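As an added example (not part of the original post), the acquisition and documentation steps above in code: each copy is hashed at acquisition time, the custody record is written to a manifest, and the manifest is later re-checked to show the copies are unaltered. The case id, custodian name and log line are constructed placeholders.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample log content standing in for a real system log.
SAMPLE_LOG = b"Mar 10 02:14:07 host sshd[911]: Accepted password for admin from 203.0.113.5\n"

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(source: Path, evidence_dir: Path, custodian: str, case_id: str) -> dict:
    """Copy one file into the evidence store, hash source and copy, return the custody record."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy = evidence_dir / source.name
    shutil.copy2(source, copy)  # copy2 keeps the original's timestamps
    src_hash, copy_hash = sha256_of(source), sha256_of(copy)
    if src_hash != copy_hash:
        raise RuntimeError(f"copy of {source} does not match its source")
    return {"case_id": case_id, "source": str(source), "copy": str(copy),
            "sha256": copy_hash, "size": copy.stat().st_size,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian}

def verify_manifest(manifest: Path) -> list:
    """Re-hash every recorded copy; return the copies whose hash no longer matches."""
    records = json.loads(manifest.read_text())
    return [r["copy"] for r in records if sha256_of(Path(r["copy"])) != r["sha256"]]

def demo() -> tuple:
    """Acquire and verify in a temp dir; returns (clean_result, result_after_tampering)."""
    work = Path(tempfile.mkdtemp())
    src = work / "auth.log"
    src.write_bytes(SAMPLE_LOG)
    manifest = work / "manifest.json"
    # Hypothetical custodian and case id, used only to fill the custody record.
    rec = acquire(src, work / "evidence", "analyst-1 (hypothetical)", "CASE-0001 (hypothetical)")
    manifest.write_text(json.dumps([rec], indent=2))
    clean = verify_manifest(manifest)  # expected: [] (copy still matches)
    Path(rec["copy"]).write_bytes(SAMPLE_LOG + b"tampered\n")  # simulate alteration
    return clean, verify_manifest(manifest)  # expected second element: [path of copy]
```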

NIST Special Publication 800-86 is a good starting point:
[ http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf ]
