FIR Speed Run
Containment is vital before an incident causes too much harm or strains resources.
Decisions like shutting down systems or disconnecting from networks are easier if
you have pre-defined strategies.
Organizations should set acceptable risk levels and create strategies accordingly.
Sometimes, after containment, you need to remove the incident's components (e.g.,
malware, compromised accounts).
Recovery Phase
Optimizing Containment
To have effective incident response, understand how containment fits into the
overall process.
Incident Classification
What is Incident Classification?
Each incident is categorized based on its impact and the affected areas.
Classification determines who should be notified and what their roles are in resolving the incident.
Incident Recording
Incident Reporting and Recording:
Opening codes are assigned to indicate the nature of the incident, aiding
resource prioritization.
Once a decision is made to record a crime, the incident record is often closed to
avoid duplication.
Closing codes provide a summary of what happened and may differ from
opening codes.
Closing codes are important for ensuring that the necessary actions have been completed and
for categorizing incident types.
Recording a Crime:
Determine how many crimes to record and what offenses have been committed.
For multiple offenses involving one victim and one offender, only one crime is
recorded.
If multiple victims in the same incident, a crime should be recorded for each
victim.
A crime record is closed when the crime is detected (solved), for example through a caution,
charge, or summons.
Each force has a crime registrar responsible for overseeing compliance with the
crime recording process.
Senior officers, typically the deputy chief constable, oversee the force's
approach to crime recording.
Data collection methods for host-based information involve live data collection
and forensic duplication.
Volatile data includes system date and time, running applications, network
connections, open sockets, and more.
There are three variations of live response: initial, in-depth, and full live response.
Forensic duplication creates a mirror image of the target system, often preferred
for severe incidents or legal actions.
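As an added example (not part of these notes), the Python script below captures one category of volatile data listed above, the current TCP connections and open sockets, the way an initial live response on Linux would: it parses the kernel's /proc/net/tcp table into readable records, timestamps the capture, and hashes the raw input so the record can be verified later. The table it parses offline is a constructed sample, not data from a real host.

```python
import datetime
import hashlib
import os
import socket
import struct
# TCP state codes used in the 'st' column of /proc/net/tcp (Linux kernel values).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host):
# a database-style listener on loopback and one outbound HTTPS session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(hex_addr: str) -> tuple[str, int]:
    """'AABBCCDD:PPPP' (host byte order, little-endian on x86) -> ('d.c.b.a', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse /proc/net/tcp text (header included) into readable connection records."""
    conns = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:       # skip blank or truncated lines
            continue
        lip, lport = decode_addr(cols[1])
        rip, rport = decode_addr(cols[2])
        conns.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                      "state": TCP_STATES.get(cols[3], cols[3]),
                      "uid": int(cols[7]), "inode": int(cols[9])})
    return conns

def volatile_snapshot(text: str) -> dict:
    """Timestamp the capture and hash the raw source so the record can be verified later."""
    return {"captured_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "source_sha256": hashlib.sha256(text.encode()).hexdigest(),
            "connections": parse_proc_net_tcp(text)}

if __name__ == "__main__":
    # Use the live table on a Linux host; fall back to the constructed sample elsewhere.
    raw = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE_PROC_NET_TCP
    for conn in volatile_snapshot(raw)["connections"]:
        print(conn)
```

Sockets are listed by inode; mapping them to processes needs /proc/<pid>/fd, which is the next step of an in-depth live response.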
Forensic Analysis:
Forensic analysis involves reviewing all collected data, including log files,
configuration files, trust relationships, web browser history, emails, installed
applications, and graphics files.
This process is especially relevant for host-based media, such as hard drives.
Password Cracking
Password cracking is a technique used to discover or guess passwords for
computer or network resources. It can have both legitimate and malicious purposes,
such as recovering forgotten passwords or gaining unauthorized access to systems.
Key points about password cracking:
1. Brute Force Attack: This method involves trying every possible combination of
characters until the correct password is found. It can be time-consuming and
resource-intensive, especially for complex passwords.
2. Malware: Malware, such as keyloggers and screen scrapers, can capture user
keystrokes or screenshots without their knowledge. This information can then
be used to obtain passwords and other sensitive data.
3. No Reuse: Avoid using the same password for multiple accounts, so that one
compromised password does not give unauthorized access to the others.
Windows Forensics
Windows Forensics Overview:
Windows forensics is a branch of computer forensics that focuses on analyzing
Windows operating systems to identify traces or evidence of activities related to
criminal offenses. It plays a crucial role in modern criminal investigations as many
criminal activities have links to computing environments or involve the use of
computers. Windows forensics involves the systematic analysis of various aspects
of a Windows system to draw evidential conclusions in criminal cases.
Removable storage refers to external media devices that computers use for data
storage and are often known as Removable Disk drives or External Drives. These
1. Optical Discs (CDs, DVDs, Blu-ray Discs): Optical discs store data using a laser
beam to create a spiral pattern of pits and ridges, representing binary 0s and 1s.
They include:
Compact Disc (CD): Holds around 650 to 700 megabytes of data and requires
a CD drive for reading.
DVD (Digital Versatile Disc): Offers more than six times the capacity of a CD,
typically storing 4.7 GB to 17 GB of data.
2. Memory Cards: These small, portable storage devices are commonly used in
cameras, smartphones, and other devices to store various types of data.
3. Floppy Disks: Once widely used but now outdated, floppy disks are flexible disks
with a magnetic coating that could store up to 1.44 MB of data.
4. Magnetic Tapes: Magnetic tape is coated with a magnetic layer and is used for
long-term data storage and backup purposes.
5. Disk Packs: Disk packs consist of multiple disks enclosed in a single unit, often
used in older computer systems.
6. Paper Storage (Punched Tapes, Punched Cards): Historically, data was stored
on paper in the form of punched tapes or punched cards, with holes representing
binary data.
Network Forensics
Network Forensics:
Network forensics is a specialized field within digital forensics that focuses on
investigating and analyzing network activities to uncover evidence related to
cybercrimes and security incidents. Here are some key points about network forensics:
Definition: Network forensics involves examining a network and its traffic to identify and
investigate suspicious or malicious activities. It enables the retrieval of various forms of
data such as messages, file transfers, emails, and web browsing history, reconstructing
the original transactions for analysis.
Processes in Network Forensics:
3. Accumulation: Detailed reports of the crime scene are documented, and digital
evidence is duplicated.
Address Spoofing: Attackers may use address spoofing techniques to hide their
identity and location.
Several tools are used in network forensics to assist in the investigation and analysis of
network traffic. Some examples include: