Incident Response and Digital Forensics
Efciency is doing things right; effectiveness is doing the right things.
Peter F. Drucker
5.1 Introduction
Incident response (IR) and digital forensics (DF) need both efficiency and effectiveness because if they are not done correctly, your efforts will be futile. In this chapter, the fundamental processes for incident response and digital forensic analysis will be discussed. Just today, an incident occurred on my laptop, no less. Similarly to every other day, I dock my laptop upon my arrival and start checking my e-mail. Within a few minutes, the IT admin is at my door and announces that we have a problem. He said he received a message from the main IT office—over 300 miles away and monitoring over 20 locations and thousands of computers—that my laptop has been compromised. He was instructed to remove it from the network and begin the analysis process by scanning it for any personal information that may have been accessed by a hacker. This is a great example of an incident; as small as it sounds, it is, in fact, an incident. The official definition of an incident is a situation that has compromised the integrity, confidentiality, or availability of an enterprise network, host, or data. Other incident examples include attempting to gain unauthorized access to a system, a DDOS (distributed denial of service) attack, unauthorized use of a system, website defacement, etc.
Generally, the IR process is to detect, contain, and eradicate the incident, and the DF process is to collect, analyze, and report the evidence. In other words, once the incident is contained and eradicated, the DF professional begins the evidence collection process. The goal of the analysis is to determine (1) what happened so that reoccurrence of the incident can be avoided, and (2) whether this is a criminal case.
The cases where electronic evidence is critical are not always action packed with computer break-ins, SQL (structured query language) injections, DDOS, malware, phishing attempts, or company web page defacement. Some cases requiring electronic evidence are disloyal employees who are suspected of industrial espionage, breached contracts, an employee dismissal dispute, theft of company documents, inappropriate use of company resources (e.g., possession of pornography), copyright infringement (music illegally traded over the Internet), harassment (e-mail-based stalking), and identity theft.
5.2 Incident Response
Be prepared. We have all heard that before—especially if you were a Boy Scout or if you read the preceding chapter. This is true of life in general as well. For example, financial experts tell us to prepare for job loss by having three to six months of savings available. In a poor economy, we should have more, but the point is that we are taught to prepare for that rainy day. When an incident occurs on your system, it may be more of a hurricane. If you are prepared and monitor anything that could impede success, when something unplanned occurs, you are prepared to deal with the issue in order to get your system back up. It is like being the only house with a generator after the hurricane caused a neighborhood power loss.
The National Institute of Standards and Technology (NIST) has provided a baseline for incident response. Here is the simplified view of the priority 1 recommendations. The first control (creating documentation of the IR policy and procedures) and the last control (creating an IR plan) are part of preparing for incident response, which were addressed in Chapter 4. The other controls listed will be addressed in this chapter.
Incident response is a life cycle of stages shown in Figure 5.1. We covered preparation in the last chapter (e.g., establishing the computer incident response team [CIRT], training the users, and installing the necessary hardware and software). The next stage, detection/identification, is more difficult to address because incidents are not always apparent; hence, constant monitoring (using tools acquired during the prep stage) of the assets is required to detect an
Industrial espionage is an attempt to gain access to trade secrets.
Control Name (Impact Level: Low / Moderate / High)
Formal documentation of the IR policy and procedures
Incident handling capability to include preparation, detection and analysis, containment, eradication, and recovery
Implement monitoring and documentation of incidents
Require incident reporting within a defined time period
IR plan that is a road map for response capability and also describes the structure and organization of the IR capability