Difference between pages "Tools:Network Forensics" and "Incident Response"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(New page: ; Burst : http://www.burstmedia.com/release/advertisers/geo_faq.htm : Expensive IP geo-location service. ; chkrootkit : http://www.chkrootkit.org ; cryptcat : http://farm9....)
 
 
Line 1: Line 1:
 +
{{Expand}}
  
 +
Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.
  
; [[Burst]]
+
== Tools ==
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
+
: Expensive IP geo-location service.
+
  
; [[chkrootkit]]
+
Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather userful and/or volatile data. The [[SysInternals]] suite is frequently cited as a good example of incident response tools. They are self-contained, useful, discrete, and do not create a large footprint on the victim system.  
: http://www.chkrootkit.org
+
  
; [[cryptcat]]
+
Standalone tools have been combined to create '''Script Based Tools''' like [[First Responder's Evidence Disk|FRED]] or the [[Windows Forensic Toolchest|WFT]]. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools, such as [[Microsoft|Microsoft's]] [[COFEE]] allow the user to pick and choose which standalone tools will be used in a given examination.
: http://farm9.org/Cryptcat/
+
  
; [[Enterasys Dragon]]
+
The final category of tools are '''Agent Based Tools''' such as [[Mandiant|Mandiant's]] [[First Response]]. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.
: http://www.enterasys.com/products/advanced-security-apps/index.aspx Instrusion Detection System includes session reconstruction.
+
  
; [[MaxMind]]
+
== See Also ==
: http://www.maxmind.com
+
* [[List of Standalone Incident Response Tools]]
: IP geolocation service and data provider for off-line geotagging.  Free GeoLite country database. Programmable APIs.
+
* [[List of Script Based Incident Response Tools]]
 +
* [[:Category:Incident response tools|Incident response tools category]]
  
; [[netcat]]
+
== External Links ==
: http://netcat.sourceforge.net/
+
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
 +
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014
  
; [[netflow]]/[[flowtools]]
+
== Tools ==
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
+
* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]
: http://www.splintered.net/sw/flow-tools/
+
* [[GRR]]
: http://silktools.sourceforge.net/
+
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (vmWare)
+
  
; NetIntercept
+
== Books ==
: http://www.sandstorm.net/products/netintercept
+
There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.
+
; [[rkhunter]]
+
: http://rkhunter.sourceforge.net/
+
 
+
; [[ngrep]]
+
: http://ngrep.sourceforge.net/
+
 
+
; [[nslookup]]
+
: http://en.wikipedia.org/wiki/Nslookup Name Server Lookup command line tool used to find IP address from domain name
+
 
+
; [[Sguil]]
+
: http://sguil.sourceforge.net/
+
 
+
; [[Snort]]
+
: http://www.snort.org/
+
 
+
; [[ssldump]]
+
: http://ssldump.sourceforge.net/
+
 
+
; [[Tcpdump]]
+
: http://www.tcpdump.org
+
 
+
; [[tcpextract]]
+
: http://tcpxtract.sourceforge.net/
+
 
+
; [[tcpflow]]
+
: http://www.circlemud.org/~jelson/software/tcpflow/
+
 
+
; [[truewitness]]
+
: http://www.nature-soft.com/forensic.html
+
: Linux/open-source. Based in India.
+
 
+
; [[etherpeek]]
+
: http://www.wildpackets.com/products/etherpeek/overview
+
 
+
; [[Whois]]
+
: http://en.wikipedia.org/wiki/WHOIS Web service and command line tool to look up registry information for internet domain.
+
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN
+
 
+
; [[IP Regional Registries]]
+
: http://www.arin.net/community/rirs.html
+
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
+
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
+
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
+
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
+
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)
+
 
+
 
+
; [[Wireshark/Ethereal]]
+
: http://www.wireshark.org/
+
: Open Source protocol analyzer previously known as ethereal.
+
 
+
 
+
 
+
== Securely deleting data ==
+
 
+
; [[BangDisk]]
+
: Offers several patterns for wiping data, wipe multiple types of media at one time USB, ATA, SCSI, CF and more.
+
: http://www.bangdisk.com
+
 
+
; [[BCWipe]]
+
: Secure data deletion tools for [[Windows]] and [[Unix]]-like [[operating systems]].
+
 
+
; [[CyberScrub cyberCide]]
+
: This program securely erases all data from drives or partitions.
+
: http://www.cyberscrub.com/products/cybercide/index.php
+
 
+
; [[CyberScrub Privacy Suite]]
+
: This program securely erases selected data, wipes free space, powerful scheduling capabilities.
+
: http://www.cyberscrub.com/products/privacysuite/index.php
+
 
+
; [[CyberScrub Compliance Suite]]
+
: Network-based program securely erases selected data, wipes free space, powerful scheduling and log file reporting capabilities. Ideal for enforcing document life-cycle and data retention policies. Ensures compliance with HIPAA, Sarbanes Oxley, FACTA, Gramm Leach Bliley and more
+
: http://www.cyberscrub.com/products/compliancesuite/index.php
+
 
+
; [[Darik's Boot and Nuke]] ([[DBAN]])
+
: This is a bootable disk that securely wipes any hard disk it can detect. 
+
: http://dban.sourceforge.net/
+
 
+
; [[Eraser]]
+
: Offers several patterns for wiping data including [[Peter Gutmann]]'s and the [[US DoD 5200.28-STD]] standard.
+
: http://www.heidi.ie/eraser
+
 
+
; [[Ontrack Data Eraser]]
+
: ...
+
 
+
; [[shred]]
+
: http://www.gnu.org/software/coreutils/ linux version of GNU shred
+
: http://gnuwin32.sourceforge.net/packages/coreutils.htm Win32 version of GNU shred
+
: Part of GNU coreutils.
+
 
+
; [[wipe]]
+
: http://abaababa.ouvaton.org/wipe/
+
 
+
; [[Lenovo SDD]]
+
: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-56394
+
 
+
== See also ==
+
 
+
* [[Anti-forensic techniques]]
+
* [[Database Encryption]].
+

Revision as of 05:14, 18 January 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

Tools

Incident response tools can be grouped into three categories. The first category is Individual Tools. These are programs designed to probe parts of the operating system and gather userful and/or volatile data. The SysInternals suite is frequently cited as a good example of incident response tools. They are self-contained, useful, discrete, and do not create a large footprint on the victim system.

Standalone tools have been combined to create Script Based Tools like FRED or the WFT. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools, such as Microsoft's COFEE allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools are Agent Based Tools such as Mandiant's First Response. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

See Also

External Links

Tools

Books

There are several books available that discuss incident response. For Windows, Windows Forensics and Incident Recovery by Harlan Carvey is an excellent introduction to possible scenarios and how to respond to them.