sequence of activities after incident is identified

(@afsfr)
Eminent Member
Joined: 7 years ago
Posts: 37
Topic starter  

We identified one compromise incident on a laptop. May I know whether the steps below are correct or not?

1) keep the laptop running
2) take memory image
3) mount into forensic machine
4) take hash of the laptop disk
5) take disk image
5) take the hash of disk image in forensic machine
6) mount disk image in forensic machine
7) anti-virus scan for disk image in forensic machine
8) analyze the disk image file system
9) gather other evidence like event log files from the laptop
10) identify malware, privilege escalation and lateral movement in forensic machine
11) finalize the investigation report.


   
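The hashing and imaging steps of the posted sequence (take a hash of the disk, image it, hash the image, mount it read-only), written out as an added example that is not code from any poster in this thread. It assumes a raw source readable as a file (on a real case a block device such as /dev/sdb behind a write blocker; here a constructed temporary file stands in for the laptop disk), SHA-256 as the digest, and a loop mount with ro,noexec,nodev,nosuid as the read-only mount for step 6. The source is hashed while it is copied rather than in a separate pass, which matters when the laptop is left running: a disk that is still being written to cannot be hashed twice and expected to match.

```python
"""Added example (not code from the thread): verifiable acquisition of a
disk. The source is hashed as it is imaged, the image is re-hashed from
disk, and analysis is refused unless the two digests agree. SOURCE would
be a block device behind a write blocker on a real case (e.g. /dev/sdb);
here a constructed temp file stands in for the laptop disk."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large disks


@dataclass(frozen=True)
class AcquisitionRecord:
    source_sha256: str   # digest of the bytes read from the source
    image_sha256: str    # digest of the image file as written
    bytes_copied: int

    @property
    def verified(self) -> bool:
        return self.source_sha256 == self.image_sha256


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file (the 'hash of disk image' step)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: str, image_path: str) -> AcquisitionRecord:
    """Copy `source` to `image_path`, hashing the stream as it is read.

    One pass for hash and copy avoids reading the evidence twice and, on a
    disk that is still being written to, avoids comparing two different
    states of it."""
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return AcquisitionRecord(h.hexdigest(), sha256_file(image_path), copied)


def verify_image(record: AcquisitionRecord, image_path: str) -> bool:
    """Re-hash the image on the forensic machine and compare it with the
    digest recorded at acquisition; run this before every mount."""
    return sha256_file(image_path) == record.source_sha256


def readonly_mount_command(image_path: str, mountpoint: str) -> list:
    """mount argv for the 'mount disk image' step: loop device, read-only,
    nothing executable from evidence. Returned, not executed (assumed
    options; adjust offset=/fs type for a partitioned image)."""
    return ["mount", "-o", "ro,loop,noexec,nodev,nosuid", image_path, mountpoint]


def demo() -> dict:
    """Run the sequence on a constructed 3 MiB 'disk' and show that a
    single flipped byte in the image is caught by verification."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "laptop-disk.raw")   # stand-in device
        image = os.path.join(d, "laptop-disk.dd")
        data = os.urandom(3 * CHUNK + 123)              # constructed data
        with open(source, "wb") as f:
            f.write(data)
        rec = acquire(source, image)
        ok_before = verify_image(rec, image)
        with open(image, "r+b") as f:                   # simulate damage
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0xFF]))
        ok_after = verify_image(rec, image)
    return {
        "record": rec,
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "verified_before_tamper": ok_before,
        "verified_after_tamper": ok_after,
    }


if __name__ == "__main__":
    r = demo()
    print(r["record"], r["verified_before_tamper"], r["verified_after_tamper"])
    print(" ".join(readonly_mount_command("/evidence/laptop-disk.dd", "/mnt/case")))
```

Record both digests and the byte count in the case notes at acquisition time; the verification before each mount is what makes the "hash of disk image in forensic machine" step meaningful rather than a number nobody compares.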
Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

1) You should create a timeline and investigate all events near (before and after) the incident time.
2) You should analyze all startup items.

10) identify malware, privilege escalation and lateral movement in forensic machine

If you find a piece of malware, you should reverse it and discover all of the malware's persistence mechanisms.

You should create IOCs and Yara rules, add them to your report, and scan the compromised network with the IOCs and Yara rules.

As an additional step, I use special hardware to check a compromised network for any other malicious activity.


   
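The timeline step in the reply above, as an added example that is not code from any poster in this thread. Its log lines are constructed for the example and the incident time, host name and record layout (source|timestamp|host|detail) are assumptions. The point it makes is the one that bites in practice: the Security export is in local time with an offset, Sysmon is ISO-8601 UTC, and the proxy logs epoch seconds, so every clock has to be normalised to aware UTC before the events can be sorted and the window around the incident time cut.

```python
"""Added example (not from the thread): build one timeline from logs that
use three different clock formats, then cut the window around the incident
time. All log lines are constructed; incident time and host are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample records, deliberately out of order. Security is local
# time with an offset, Sysmon is ISO-8601 UTC, the proxy logs epoch seconds.
SAMPLE_LINES = [
    "sysmon|2023-05-03T14:01:07Z|LAPTOP01|EventID 1 powershell.exe -enc (base64 omitted)",
    "security|2023-05-03 09:58:12 -0400|LAPTOP01|EventID 4624 logon type 10 from 10.0.0.45",
    "proxy|1683126123|LAPTOP01|GET http://example.invalid/update.bin",
    "security|2023-05-03 08:00:00 -0400|LAPTOP01|EventID 4624 logon type 2 console",
    "proxy|1683122523|LAPTOP01|GET http://example.invalid/stage2.bin",
    "sysmon|2023-05-03T14:03:40Z|LAPTOP01|EventID 13 Run key value 'updater' set",
]

# Assumed incident time (e.g. the alert that started the case), in UTC.
INCIDENT_TIME = datetime(2023, 5, 3, 14, 0, tzinfo=timezone.utc)


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime        # always timezone-aware UTC after parsing
    source: str
    host: str
    detail: str


def parse_timestamp(source: str, raw: str) -> datetime:
    """Normalise each source's clock to aware UTC. Mixing naive local time
    with UTC is the classic way a timeline comes out in the wrong order."""
    if source == "security":
        ts = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z")
    elif source == "sysmon":
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    elif source == "proxy":
        ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    else:
        raise ValueError(f"unknown source {source!r}")
    return ts.astimezone(timezone.utc)


def build_timeline(lines: List[str]) -> List[Event]:
    """Parse every record and return the events sorted by UTC timestamp."""
    events = []
    for line in lines:
        source, raw_ts, host, detail = line.split("|", 3)
        events.append(Event(parse_timestamp(source, raw_ts), source, host, detail))
    return sorted(events)


def around(timeline: List[Event], incident: datetime,
           before: timedelta = timedelta(minutes=5),
           after: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Events inside [incident - before, incident + after]: the slice the
    reply above says to investigate first."""
    lo, hi = incident - before, incident + after
    return [e for e in timeline if lo <= e.ts <= hi]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LINES)
    for e in around(tl, INCIDENT_TIME):
        print(e.ts.isoformat(), e.source, e.host, e.detail)
```

On the sample data the five-minute window holds the RDP logon at 13:58:12Z, the encoded PowerShell launch, the stage2 download and the Run-key write, in that order; the console logon two hours earlier and the later download fall outside it. Widen `before` and `after` once the first pass shows where the activity actually starts.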
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

1) keep the laptop running
2) take memory image
3) mount into forensic machine
4) take hash of the laptop disk
5) take disk image
5) take the hash of disk image in forensic machine
6) mount disk image in forensic machine
7) anti-virus scan for disk image in forensic machine
8) analyze the disk image file system
9) gather other evidence like event log files from the laptop
10) identify malware, privilege escalation and lateral movement in forensic machine
11) finalize the investigation report.

No, that's all wrong, until you can explain why it is right. The only thing I think is correct is step 11, but as you don't have a step that says when you begin the report, I wonder what else you have omitted. Surely there ought to be at least one more step between 10 and 11?

Please read the guidelines for new topics briefly: 1. provide as much information as possible; 2. explain what you've already done to find the solution.

What are the goals of your incident investigation? Not theoretically – but as prompted by your initial assessment of the situation. Why is the investigation of this particular laptop your primary focus? Have you already established how the compromise was effected, and concluded that all you need to investigate deeper is the laptop? If so, what are the questions you need the investigations to answer?

Unless of course this is all an academic exercise; those can occasionally have exaggerated ideas about correctness. But in that case, you've omitted important information from your question.

