FIR Speed Run

Containment and Incidence classification

Containment
Containment in Incident Response
Why Containment Matters

Containment is vital before an incident causes too much harm or strains resources.

Most incidents require containment, so it's crucial to consider it early on.

It buys time to plan a proper fix and minimizes damage.

Key Decisions in Containment

Decisions like shutting down systems or disconnecting from networks are easier if
you have pre-defined strategies.

Organizations should set acceptable risk levels and create strategies accordingly.

Different types of incidents require different containment approaches.

After Containment: Eradication

Sometimes, after containment, you need to remove the incident's components (e.g.,
malware, compromised accounts).

Identify affected parts of the organization for remediation.

Not always needed or done during recovery.

Recovery Phase

Restore systems to normal operation.

Confirm that systems work as they should.

Remediate vulnerabilities to prevent future incidents.

Actions include backups, system rebuilding, patching, password changes, and

network security adjustments.

FIR Speed Run 1

 Phased Approach

Eradication and recovery happen in phases.

Prioritize steps for remediation.

Quick changes to boost security early, followed by long-term improvements.

Criteria for Containment

Consider factors like potential damage, loss of critical services, time/resources

needed, and containment effectiveness.

Assess if delaying containment could be more harmful.

Some threats might be better eradicated or escalated immediately.

Optimizing Containment

To have effective incident response, understand how containment fits into the
overall process.

Learn best practices and considerations for containing security incidents.

Effective containment helps prevent incidents from becoming serious threats.

Incident Classification
What is Incident Classification?

It's a way to organize incidents into categories with established criteria.

Incidents can be anything disrupting normal operations, like code errors or

hardware failures.

Each incident is categorized based on its impact and the affected areas.

Why Classify Incidents?

Helps prioritize critical incidents for a faster response.

Determines who should be notified and their roles in resolving the incident.

Ensures consistent responses, saving time and reducing confusion.

Measures the expected impact of incidents for long-term planning.

Identifies patterns in incidents to fix issues before they happen.

FIR Speed Run 2

 Benefits of Classification

Prioritize the most critical incidents first.

Assign roles for quicker resolution.

Consistency in responses saves time and reduces confusion.

Plan for long-term impact.

Spot patterns and prevent future incidents.

Setting Up a Classification System

Create categories based on impact and affected areas.

Establish response procedures for each category.

Example: ITIL Incident Classification

ITIL (Information Technology Infrastructure Library) uses incident classification.

Helps IT professionals manage incidents effectively.

Incident Recording
Incident Reporting and Recording:

Incidents can be reported in various ways: victims, witnesses, third parties,

online reports, police discovery, or referrals from other agencies.

Must be recorded on an auditable system, like an incident log or a force crime

system.

Opening codes are assigned to indicate the nature of the incident, aiding
resource prioritization.

Deciding If a Crime Should Be Recorded:

A reported incident will be recorded as a crime if it's an offense against an

identified victim, and there's no credible evidence to the contrary.

Victim statements are generally accepted unless there's credible contradictory

evidence.

FIR Speed Run 3

 Closing Incident Records:

Once a decision is made to record a crime, the incident record is often closed to
avoid duplication.

Closing codes provide a summary of what happened and may differ from
opening codes.

Important for ensuring necessary actions are completed and for categorizing
incident types.

Recording a Crime:

Determine how many crimes to record and what offenses have been committed.

For multiple offenses involving one victim and one offender, only one crime is
recorded.

If multiple victims in the same incident, a crime should be recorded for each
victim.

Closing Crime Records:

Crime records remain open during investigation, evidence collection, and

suspect identification.

Closed when the crime is detected (solved), such as through cautions, charges,
or summonses.

Checking Crime Records:

Each force has a crime registrar responsible for overseeing compliance with the
crime recording process.

The registrar conducts audits and ensures staff are trained.

Senior officers, typically the deputy chief constable, oversee the force's
approach to crime recording.

Data Collection and Forensic Analysis

Data Collection:

FIR Speed Run 4

 Data collection is crucial for forensic analysis as it forms the foundation for
drawing conclusions and resolving incidents.

Special skills are required for obtaining technical evidence.

Challenges in data collection include ensuring forensically sound collection,

handling vast electronic data, and protecting data integrity (evidence handling).

Three fundamental areas of information: host-based, network-based, and other

information.

Host-based information includes logs, records, documents, and system

backups.

Data collection methods for host-based information involve live data collection
and forensic duplication.

Volatile data, collected in a live response, provides a snapshot of the system at

the time of the incident.

Volatile data includes system date and time, running applications, network
connections, open sockets, and more.

Three variations of live response: initial, in-depth, and full live response.

Forensic duplication creates a mirror image of the target system, often preferred
for severe incidents or legal actions.

Network-based evidence includes data from IDS logs, monitoring logs,

wiretaps, router and firewall logs, authentication servers, and more.

Network surveillance is used to confirm suspicions, accumulate evidence,

identify co-conspirators, and determine the timeline of events.

"Other evidence" involves testimony, personnel files, interviews with employees

and witnesses, and traditional investigative techniques.

Forensic Analysis:

Forensic analysis involves reviewing all collected data, including log files,
configuration files, trust relationships, web browser history, emails, installed
applications, and graphics files.

It encompasses software analysis, examining time/date stamps, keyword

searches, and other investigative steps.

FIR Speed Run 5

 Low-level tasks involve looking for logically deleted data, such as deleted files,
slack space, or free space containing useful data fragments.

Forensic analysis requires data assembly and preparation before actual

analysis begins.

This process is especially relevant for host-based media, such as hard drives.

Forensic analysis is a critical step in understanding how an incident occurred

and is essential for incident resolution.

Password Cracking
Password cracking is a technique used to discover or guess passwords for
computer or network resources. It can have both legitimate and malicious purposes,
such as recovering forgotten passwords or gaining unauthorized access to systems.
Here are some key points about password cracking based on the provided text:

1. Brute Force Attack: This method involves trying every possible combination of
characters until the correct password is found. It can be time-consuming and
resource-intensive, especially for complex passwords.

2. Dictionary Search: In a dictionary attack, the attacker uses a list of common

words or phrases to guess the password. These dictionaries can be specialized,
focusing on specific topics or combinations of words to increase the chances of
success.

3. Phishing: Phishing is a social engineering technique where attackers trick

users into revealing their passwords or other sensitive information. It often
involves deceptive emails or websites that appear legitimate but are designed
to steal login credentials.

4. Malware: Malware, such as keyloggers and screen scrapers, can capture user
keystrokes or screenshots without their knowledge. This information can then
be used to obtain passwords and other sensitive data.

5. Rainbow Attack: Rainbow table attacks use precomputed tables of password

hashes to quickly crack passwords. These tables contain a list of previously
cracked or leaked passwords, making the cracking process more efficient.

FIR Speed Run 6

 6. Guessing: Attackers may attempt to guess a password based on available
information about the victim, such as personal details or common password
choices. This method is effective if the attacker has relevant information or if the
victim uses a weak or easily guessable password.

To create stronger passwords and enhance security:

1. Length Matters: Use passwords with a minimum of 12 characters; longer

passwords are harder to crack.

2. Diverse Characters: Combine letters, numbers, and special characters to

increase complexity.

3. No Reuse: Avoid using the same password for multiple accounts to prevent
unauthorized access if one is compromised.

4. Strength Indicators: Pay attention to password strength meters provided by

some systems to ensure your password is strong.

5. Avoid Predictable Choices: Steer clear of easily guessed information like

names, birthdays, or common passwords (e.g., "password" or "123456").

6. Encrypt Stored Passwords: Ensure that stored passwords in databases are

encrypted for added security.

Windows Forensics
Windows Forensics Overview:
Windows forensics is a branch of computer forensics that focuses on analyzing
Windows operating systems to identify traces or evidence of activities related to
criminal offenses. It plays a crucial role in modern criminal investigations as many
criminal activities have links to computing environments or involve the use of
computers. Windows forensics involves the systematic analysis of various aspects
of a Windows system to draw evidential conclusions in criminal cases.

Key Areas of Windows Forensics:

1. Volatile Information: This category includes data that can disappear or be

easily modified when the system is powered off. It includes information such as
system time, logged users, open files, network information, and mapped shared

FIR Speed Run 7

 folders. Tools like Doskey, Uptime2.exe, PsLoggedon, Netsessions, and NetStat
are used to gather this information.

2. Non-Volatile Information: Non-volatile data remains on secondary storage

devices and persists even after the power is turned off. This category
encompasses file systems, registry settings, logs, devices, slack space, swap
files, indexes, and partitions. Non-volatile information is collected after seizing
the system and includes data that is less perishable. Tools like 'dir /o:d,'
'regedit,' and 'reg' are used to access and analyze non-volatile information.

3. Windows Memory Analysis: Windows memory analysis involves examining

memory dumps and analyzing them for evidence. This can provide insights into
running processes, executable file paths, commands used, timestamps, and
loaded modules. Tools like Tlist, Tasklist, Pslist, and ListDlls are employed for
memory analysis.

4. Caches, Cookies, and History Analysis: Analyzing caches, cookies, and

browsing history in web browsers can reveal valuable information about a user's
online activities. These artifacts can be found in various web browsers and may
provide evidence relevant to an investigation.

5. Other Aspects: This category encompasses various other elements of a

Windows system that may contain evidence, including recycle bins, documents,
shortcut files, graphics files, and executable files.

6. 6.Registry Information: The Windows registry holds critical information that

can impact forensic analysis and investigations. Important registry keys include
'RunMRU' (storing recently typed commands from the Run window), 'Startup
objects' (apps that start automatically on Windows startup), 'Last accessed key,'
'Addresses in Internet Explorer,' and 'Last saved directory in Internet Explorer.'

Removable and Optical Storage Media

Removable Storage:

Removable storage refers to external media devices that computers use for data
storage and are often known as Removable Disk drives or External Drives. These

FIR Speed Run 8

 devices can be removed or ejected from a running computer, making it convenient to
transfer data between different systems.
Benefits of Removable Storage:
One key advantage of removable disks is their ability to provide fast data transfer rates,
similar to those found in storage area networks (SANs).
Types of Removable Storage:

1. Optical Discs (CDs, DVDs, Blu-ray Discs): Optical discs store data using a laser
beam to create a spiral pattern of pits and ridges, representing binary 0s and 1s.
They include:

Compact Disc (CD): Holds around 650 to 700 megabytes of data and requires
a CD drive for reading.

DVD (Digital Versatile Disc): Offers more than six times the capacity of a CD,
typically storing 4.7 GB to 17 GB of data.

Blu-ray Disc: A high-definition optical storage medium, capable of holding up to

27 GB on a single layer and up to 54 GB on a dual layer.

2. Memory Cards: These small, portable storage devices are commonly used in
cameras, smartphones, and other devices to store various types of data.

3. Floppy Disks: Once widely used but now outdated, floppy disks are flexible disks
with a magnetic coating that could store up to 1.44 MB of data.

4. Magnetic Tapes: Magnetic tape is coated with a magnetic layer and is used for
long-term data storage and backup purposes.

5. Disk Packs: Disk packs consist of multiple disks enclosed in a single unit, often
used in older computer systems.

6. Paper Storage (Punched Tapes, Punched Cards): Historically, data was stored
on paper in the form of punched tapes or punched cards, with holes representing
binary data.

Optical Storage Media:

Optical storage media use laser beams to read and write data, storing it as a spiral
pattern of pits and ridges denoting binary 0s and 1s. Examples include:

FIR Speed Run 9

 Compact Disc (CD): Holds around 650 to 700 MB of data and is commonly used
for audio and data storage.

DVD (Digital Versatile Disc): Offers higher capacity than CDs, typically holding 4.7
GB to 17 GB of data.

Blu-ray Disc: A high-definition optical medium that can store up to 27 GB on a

single layer and up to 54 GB on a dual layer, using a blue laser for reading and
writing.

Network Forensics
Network Forensics:
Network forensics is a specialized field within digital forensics that focuses on
investigating and analyzing network activities to uncover evidence related to
cybercrimes and security incidents. Here are some key points about network forensics:
Definition: Network forensics involves examining a network and its traffic to identify and
investigate suspicious or malicious activities. It enables the retrieval of various forms of
data such as messages, file transfers, emails, and web browsing history, reconstructing
the original transactions for analysis.
Processes in Network Forensics:

1. Identification: Investigators pinpoint and evaluate incidents by analyzing network

indicators.

2. Safeguarding: Data is preserved and secured to prevent tampering.

3. Accumulation: Detailed reports of the crime scene are documented, and digital
evidence is duplicated.

4. Observation: All visible data, along with metadata, is tracked.

5. Investigation: Investigators draw conclusions from collected evidence.

6. Documentation: All evidence, reports, and conclusions are documented and

presented in court if necessary.

Challenges in Network Forensics:

FIR Speed Run 10

 Data Management: Managing the vast amount of data generated during network
forensic analysis can be challenging.

IP Anonymity: The intrinsic anonymity of IP addresses can make it difficult to trace

malicious activities back to their source.

Address Spoofing: Attackers may use address spoofing techniques to hide their
identity and location.

Advantages of Network Forensics:

Security Threat Identification: Network forensics helps identify security threats

and vulnerabilities.

Performance Monitoring: It analyzes and monitors network performance

requirements.

Reduced Downtime: Network forensics can help reduce downtime by detecting

and addressing issues promptly.

Resource Optimization: It allows for better utilization of network resources through

reporting and planning.

Evidence Discovery: Network forensics conducts a detailed search for traces of

evidence left on the network.

Disadvantages of Network Forensics:

Complex Implementation: Implementing network forensics can be challenging due

to its technical complexity and the need for specialized tools and expertise.

Network Forensic Tools:

Several tools are used in network forensics to assist in the investigation and analysis of
network traffic. Some examples include:

Acunetix Web Vulnerability Scanner: A commercial web application security

testing solution that includes a web vulnerability scanner.

Aircrack-ng: An open-source suite of tools for assessing WiFi network security.

AirPcap/Riverbed AirPcap: A USB-based adapter for capturing 802.11 wireless

traffic, compatible with Windows.

FIR Speed Run 11

 Angry IP Scanner: A free and open-source network scanner used for scanning IP
addresses and ports, with results exportable in various formats.

FIR Speed Run 12