Difference between pages "Incident Response" and "Computer forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Kill Chain)
 
 
Line 1: Line 1:
{{Expand}}
+
Computer forensics is the practice of identifying, extracting and considering evidence from digital media such as computer hard drives. [[Digital evidence]] is both fragile and volatile and requires the attention of a certified specialist to ensure that materials of evidentiary value can be effectively isolated and extracted in a scientific manner that will bear the scrutiny of a court of law.  
 
+
Computer forensics is not to be confused with the more generic term of 'forensic computing', which refers to the analysis and study of all types of digital media and materials - whether they be of a computing or telecommunication nature. Computer forensics, in a strict sense, applies specifically to the evaluation of computers and data storage or data processing devices.
Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.
+
 
+
== Tools ==
+
 
+
Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.
+
 
+
Standalone tools have been combined to create '''Script Based Tools'''. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.
+
 
+
The final category of tools are '''Agent Based Tools'''. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.
+
  
 
== See Also ==
 
== See Also ==
* Obsolete: [[List of Script Based Incident Response Tools]]
+
* [[File Analysis]]
 +
* [[Malware analysis]]
 +
* [[Memory analysis]]
  
 
== External Links ==
 
== External Links ==
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
+
* [http://en.wikipedia.org/wiki/Computer_forensics Wikipedia: Computer forensics]
* [https://labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf Journey to the Centre of the Breach], by Ben Downton, June 2, 2010
+
* [http://www.wikicrimeline.co.uk/index.php?title=Digital_evidence WikiCrimeLine Digital evidence]
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014
+
* [http://www.wikicrimeline.co.uk/index.php?title=Computer_forensics WikiCrimeLine Computer forensics]
 
+
=== Emergency Response ===
+
* [http://www.mdchhs.com/sites/default/files/JEM-9-5-02-CHHS.pdf Addressing emergency response provider fatigue in emergency response preparedness, management, policy making, and research], Clark J. Lee, JD, September 2011
+
 
+
=== Kill Chain ===
+
* [http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains], by Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, March 2011
+
* [http://www.emc.com/collateral/hardware/solution-overview/h11154-stalking-the-kill-chain-so.pdf Stalking the kill chain], by RSA
+
* [http://blog.cassidiancybersecurity.com/post/2014/04/APT-Kill-chain-Part-1-%3A-Definition-Reconnaissance-phase APT Kill chain - Part 1 : Definition], by Cedric Pernet, April 28, 2014
+
* [http://blog.cassidiancybersecurity.com/post/2014/04/APT-Kill-chain-Part-2-%3A-Global-view APT Kill chain - Part 2 : Global view], by Cedric Pernet, May 7, 2014
+
* [http://blog.cassidiancybersecurity.com/post/2014/05/APT-Kill-chain-Part-3-%3A-Reconnaissance APT Kill chain - Part 3: Reconnaissance], by Cedric Pernet, May 23, 2014
+
 
+
=== Incident Lifecycle ===
+
* [http://www.itsmsolutions.com/newsletters/DITYvol5iss7.htm Expanding the Expanded Incident Lifecycle], by Janet Kuhn, February 18, 2009
+
* [https://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/workflows/incident-lifecycle Incident lifecycle], by [[ENISA]]
+
 
+
=== Intrusion Analysis ===
+
* [http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf The Diamond Model of Intrusion Analysis], by Sergio Caltagirone, Andrew Pendergast, Christopher Betz
+
 
+
=== Product related ===
+
* [http://middleware.internet2.edu/idtrust/2009/papers/05-khurana-palantir.pdf Palantir: A Framework for Collaborative Incident Response and Investigation], Himanshu Khurana, Jim Basney, Mehedi Bakht, Mike Freemon, Von Welch, Randy Butler, April 2009
+
 
+
== Tools ==
+
=== Individual Tools ===
+
* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]
+
 
+
=== Script Based Tools ===
+
* [[First Responder's Evidence Disk|First Responder's Evidence Disk (FRED)]]
+
* [[COFEE|Microsoft COFEE]]
+
* [[Windows Forensic Toolchest|Windows Forensic Toolchest (WFT)]]
+
* [[Regimented Potential Incident Examination Report|RAPIER]]
+
 
+
=== Agent Based Tools ===
+
* [[GRR]]
+
* [[First Response|Mandiant First Response]]
+
 
+
== Books ==
+
There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.
+
 
+
[[Category:Incident Response]]
+

Revision as of 03:34, 25 June 2014

Computer forensics is the practice of identifying, extracting and considering evidence from digital media such as computer hard drives. Digital evidence is both fragile and volatile and requires the attention of a certified specialist to ensure that materials of evidentiary value can be effectively isolated and extracted in a scientific manner that will bear the scrutiny of a court of law. Computer forensics is not to be confused with the more generic term of 'forensic computing', which refers to the analysis and study of all types of digital media and materials - whether they be of a computing or telecommunication nature. Computer forensics, in a strict sense, applies specifically to the evaluation of computers and data storage or data processing devices.

See Also

External Links