
Section 5: Incident Response

What is incident response?
Why do we need incident response?

Incident response generally includes:
  - Preparation
  - Detection and Analysis
  - Investigation
  - Mitigation and Recovery
  - Postincident Analysis

Security incident response (phases):
  - Preparation
  - Identification
  - Containment
  - Eradication
  - Recovery
  - Lessons Learned

Event vs. Incident
  - What is an event, based on NIST?
  - What is an incident, based on NIST?
  - Types of incident:
    - Technical incident
    - Physical incident
  - Taxonomies:
    - Network Attack Vector Taxonomy (Figure 5.1)
    - European CSIRT Network Taxonomy (Figure 5.2)

Digital forensics is:
  - Identify (the media)
  - Preserve (the data)
  - Analyze (the information)
  - Present (the evidence)

Major considerations:
  - Data protection
  - Data acquisition
  - Imaging
  - Extraction
  - Interviews
  - Ingestion/normalization

Forensics reporting should achieve the following goals:
  - Accurately describe the details of an incident.
  - Be understandable to decision makers.
  - Be able to withstand a barrage of legal scrutiny.
  - Be unambiguous and not open to misinterpretation.
  - Be easily referenced.
  - Contain all information required to explain conclusions reached.
  - Offer valid conclusions, opinions or recommendations when needed.
  - Be created in a timely manner.

Digital forensic tools:
  - Types of tools:
    - Audit reduction tools
    - Trend/variance-detection tools
    - Attack-signature-detection tools
  - Categories:
    - Computer
    - Memory
    - Mobile device
  - Network traffic analysis
  - Log analysis
  - Timelines

Anti-forensic tactics, techniques and procedures (TTP) include:
  - Securely deleting data
  - Overwriting metadata
  - Preventing data creation
  - Encrypting data
  - Encrypting network protocols
  - Hiding data in slack space or other unallocated locations
  - Hiding data or a file within another file (steganography)

Investigations:
  - Evidence preservation
  - Evidence collection and storage
  - Legal holds and preservation
  - Chain of custody of evidence
  - Legal requirements / legal issue considerations:
    - Searching or monitoring communications
    - Interviews or interrogations
    - Law enforcement involvement
    - Labor, union and privacy regulation

Business Continuity and Disaster Recovery
  - Disasters: What are disasters? What causes them? When do they occur?
  - Elements of an incident response plan (IRP):
    - Critical operations necessary to the survival of the organization
    - The human/material resources supporting these critical operations
    - Predisaster readiness covering incident response management to address all relevant incidents affecting business processes
    - Evacuation procedures
    - Procedures for declaring a disaster (escalation procedures)
    - Circumstances under which a disaster should be declared (Note: Not all interruptions are disasters, but a small incident not addressed in a timely or proper manner may lead to a disaster. For example, a virus attack not recognized and contained in time may bring down the entire IT facility.)
    - The clear identification of the responsibilities in the plan
    - The clear identification of the persons responsible for each function in the plan
    - The clear identification of contract information
    - The step-by-step explanation of the recovery process
    - The clear identification of the various resources required for recovery and continued operation of the organization
  - Disaster recovery and business continuity plans
  - Business Impact Analysis (BIA)
    - The BIA should identify the following:
      - The human resources, data, infrastructure elements and other resources (including those provided by third parties) that support the key processes
      - A list of potential vulnerabilities (the dangers or threats to the organization)
      - The estimated probability of the occurrence of these threats
      - The efficiency and effectiveness of existing risk mitigation controls (risk countermeasures)
    - The BIA should answer these questions:
      - What are the different business processes?
      - What are the critical information resources related to an organization's critical business processes?
      - What is the critical recovery time period for information resources in which business processing must be resumed before significant or unacceptable losses are suffered?
  - Supply chain considerations
  - IS business continuity planning
  - Recovery concepts
  - Backup procedures
