
TRAINING MENU

Incident Response & E-Discovery

Verizon RISK Team


06/02/2016

© 2012 Verizon Business, Inc. All Rights Reserved. The Verizon and Verizon Business names and logos and all other names,
logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks
and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other
trademarks and service marks are the property of their respective owners.

2014-09-22 1 of 7
Table of Contents

1. Current State of Security ....................................................................................................................................3

2. Incident Response Process .................................................................................................................................3

3. Evidence Handling Procedures ...........................................................................................................................3

4. Volatile Data Collection & Tactical Analysis Techniques ....................................................................................4

5. Forensic Imaging Techniques .............................................................................................................................4

6. Basic Forensic Analysis Techniques – System Analysis.......................................................................................5

7. Mock Incident Table-Top Exercise ......................................................................................................................5

8. Information Technology and eDiscovery Concepts ............................................................................................6

9. Discovery Response Fundamentals ....................................................................................................................6

10. E-Discovery Tool Scoping & System POC Testing ...............................................................................................7

Incident Response Fundamentals

These first three modules are presented in slide deck format and cover Incident Response (IR) at a
high level. They are appropriate for all IR Stakeholders.

1. Current State of Security


Description: This introduction leverages Verizon’s first-hand knowledge of current trends associated
with recently investigated data compromise incidents, analyzing the key elements behind these data
breaches. It establishes a solid foundation for follow-on IR training by illustrating the methodologies
and goals of the contemporary computer criminal. This module is based on our most recent Data Breach
Investigations Report as well as case studies from recent investigations.
Intended Audience: All IR Stakeholders; Prerequisite: None.

2. Incident Response Process


Description: Taking the proper steps at the outset of a computer security incident can have a major
impact on the success of the overall investigation. Even if your organization does not have an
internal IR capability, knowing what to do and what not to do in a first response situation can make or
break an investigation. This module familiarizes participants with the various phases of the IR process,
providing examples of real-world situations and focusing on best practices and guidelines that help
organizations achieve successful containment, remediation, and recovery from a computer security incident.
Intended Audience: All IR Stakeholders; Prerequisite: Current State of Security.

3. Evidence Handling Procedures


Description: In almost every computer security incident, some form of evidence is likely to enter
the picture. Evidence may range from volatile data in RAM to data stored on electronic media, such as
hard drives. Evidence, within the bounds of technical investigations, is governed by standards and best
practices that provide oversight on the proper acquisition, handling, shipping, storage, and disposition
of evidence. This module reviews these industry standards and best practices.
Intended Audience: All IR Stakeholders; Prerequisite: Incident Response Process.

Basic First Responder Techniques

These next two modules are presented in slide deck format, include hands-on instruction, and cover IR
at a tactical, first-responder level. They are appropriate for tactical-level First Responders.

4. Volatile Data Collection & Tactical Analysis Techniques


Description: Volatile data is data that is lost once a system is powered down or taken offline.
Volatile data, such as running processes, open ports, and network connections, may provide critical
evidence of how an attack against a system occurred, as well as important leads for a subsequent
forensic investigation. This module discusses, and provides hands-on training in, the various types of
volatile data, collection techniques, and the information available on Windows systems to first
responders and investigators, which can help ensure effective containment of an incident and drive
further investigative efforts.
Intended Audience: Tactical-Level First Responders; Prerequisite: Evidence Handling Procedures.

5. Forensic Imaging Techniques


Description: Acquiring evidence in a forensically sound manner is a requirement for most first
responders. The perishable nature of technical evidence, especially in volatile form, often dictates that
first responders acquire evidence themselves rather than wait for external assistance. This module
trains responders in approaching both volatile and non-volatile evidence and in the various imaging
techniques and tools available for Windows systems.
Intended Audience: Tactical-Level First Responders; Prerequisite: Volatile Data Collection & Tactical
Analysis Techniques.

Advanced First Responder Techniques

These next two modules are presented in slide deck format, include hands-on instruction, and cover IR
at a tactical, first-responder level. They are appropriate for tactical-level First Responders.

6. Basic Forensic Analysis Techniques – System Analysis


Description: This module focuses on the technical principles underlying computer forensics. Students
learn where to look for digital evidence on Windows systems and how to process it using a variety of
open source and freeware utilities. Specific topics may include keyword searches, hash analysis,
signature analysis, and deleted file recovery.
Intended Audience: Tactical-Level First Responders; Prerequisite: Forensic Imaging Techniques.

Incident Response Plan Testing

Even the best Incident Response plans require periodic review and testing to ensure that an organization
can respond effectively and efficiently when an incident occurs. Drawing on its extensive experience in
responding to and investigating a wide range of computer security incidents, Verizon helps customers
take their Incident Response policies and procedures for a test drive by moderating a mock incident
table-top exercise that uses the Customer’s existing IR Policies and Procedures as a guideline.

7. Mock Incident Table-Top Exercise


Description: The mock scenarios are based on real events but are tailored to the Customer’s needs
and are meant to test and identify gaps in the Customer’s existing procedures. The scenarios range from
insider threats and corporate espionage to external threats such as network intrusions and
sophisticated data breaches. To obtain the most value from this type of training, Verizon recommends
that the Customer’s audience include representation from each critical functional area that has a role
in responding to a security incident. This may include not only technical personnel, such as Information
Security, Information Technology and Infrastructure, and Help Desk staff, but also representatives from
Legal, Human Resources, Public/Corporate Relations, Loss Prevention, Risk Management, Customer
Service, and other areas as appropriate to the organization.

E-Discovery Fundamentals

These last four modules are presented in slide deck format and cover E-Discovery from legal and
technology points of view. They are appropriate for both Legal Practitioners and IT Personnel.

8. Information Technology and eDiscovery Concepts


Description: For many organizations, responding to eDiscovery requests is typically presented as a
legal problem with an IT dimension. Legal and IT are integral parts of an organization's discovery
response process and must work together to meet discovery requirements. These two entities vary
greatly in terms of culture, vernacular, and approach to tackling solutions, and often bring different
perspectives (and expectations) to the table on E-Discovery matters. It has become increasingly
important for legal professionals to know and understand computer systems and their corporate
information management landscape, and for IT organizations to thoroughly understand discovery
requirements, specifically as they relate to preservation and collection. This module helps mitigate
some of the communication gaps between IT and Legal by discussing E-Discovery requirements and
expectations for both entities and by organizing exercises that emphasize communication and
cooperation.
Intended Audience: Legal Practitioners & IT Personnel; Prerequisite: None.

9. Discovery Response Fundamentals


Description: When responding to E-Discovery requests, it is imperative that your response follows a
defensible process: one that is repeatable, transparent, documented, auditable, and efficient. The
Electronic Discovery Reference Model (EDRM) has become the industry standard for responding to
requests to produce electronic data. This module covers the fundamentals of discovery response,
including information governance, identification protocols, litigation hold, collection planning, early
case assessment, and the remaining phases of E-Discovery, with particular emphasis on the 'left side'
of the EDRM: Identification, Preservation, and Collection.
Intended Audience: IT Personnel & Legal Practitioners; Prerequisite: None.

E-Discovery Fundamentals (Continued)

10. E-Discovery Tool Scoping & System POC Testing


Description: Having the right tools in your toolbox directly impacts efficiency, overall cost, and
defensibility. These tools must be accurate, auditable, and functional in your ESI (electronically
stored information) environment. This module covers three phases of selecting the right E-Discovery
solution. The first phase is an initial assessment of your E-Discovery requirements (i.e., is a network
appliance tool or an in-house processing tool needed?). The second phase is Tool Scoping: whittling
down the field to the top 2-3 contenders. The third phase is System POC Testing: assessing these tools
against your litigation needs in your ESI environment.
Intended Audience: IT Personnel; Prerequisite: Discovery Response Fundamentals.
