What is an Incident Response Toolkit?

Have you seen crime scene investigation (CSI) shows on TV? After a crime occurs, a professional walks in with a bulky case containing equipment to collect fingerprints, take photographs and plastic bags to safely collect evidence. The evidence collected helps provide clues to solve the crime. The professional is an Incident Responder and the bulky case is referred to as the Incident Response Toolkit (IRT). Having a ready IRT helps the Incident Responder collect evidence methodically. The same approach can be adapted to the cyber world too. This blog post discusses how you can prepare an Incident Response Toolkit to assist in handling cyber incidents.

What does a cyber IRT contain?

An organization can prepare an Incident Response Toolkit aligned with its business needs. This section lists the possible items an IRT can contain.

Hardware Tools

Gloves: Great care must be taken while dealing with electronic equipment to prevent damage due to electrostatic discharge. The incident responder can wear gloves to ensure that any collected evidence remains intact.

Camera: The moment you arrive at the crime scene, you can capture high-quality photographs of the affected computer and the surroundings. Images of the screens on the computer can be taken for future reference. In some cases, individuals store passwords or other critical information scribbled in notes on their desk. It is a good idea to capture a photograph before collecting the notes as evidence.

Sanitized storage media: In some situations, a forensic image of the hard disk on the suspect computer may be required. The acquired forensic image must be stored in sanitized storage media.

A hard disk used to store the acquired forensic image may have been used in a previous investigation. To ensure that data from the previous case does not spill into this one, the hard disk must be sanitized. This can be done by writing zeros to the entire space on the hard disk. This process is referred to as ‘sanitization’. To learn more about forensic images, take a look at this article.

Write blockers: During the acquisition of a forensic image, to ensure that data on the suspect hard disk does not undergo any modifications, hardware or software write blockers can be used.

Cables: If you intend to transfer files between your computer and mobile device, a cable may be required. Likewise, during an incident, you may need to transfer files between the suspect’s devices and your computer. Ensure that you have a set of cables ready to use, suitable across multiple devices.

Evidence bags: In case you collect any USB drives, cables or other articles from the suspect environment, make sure to pack them safely in evidence bags and label them.

Maintenance tools: Sometimes, hardware tools like screwdrivers, prying tools, tweezers, etc. may be required. Make sure to have those in your IRT.

Specialized computer or laptop: This is the most important tool for an Incident Responder. You may need to quickly write scripts to collect evidence from the crime scene, so set up the required software tools on your computer in advance. You can also configure other software such as commercial forensic suites on it to help acquire evidence.

Software Tools

It is always a good practice to have several tools that can perform the same task. If one tool fails, the other one comes in handy.

Forensic imaging tools: Various software suites exist to assist specifically in the acquisition and verification of forensic images. Make sure to have them set up and ready to go.
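Two of the checks mentioned above, confirming that a reused evidence drive really is zeroed before it receives a new image, and confirming that an acquired image still matches the hash recorded at acquisition, can be scripted in a few lines. The following is an added example, not code from the original post or from any particular forensic suite; it reads the target as an ordinary file path (a block device works the same way on Linux with sufficient privileges) and the sample files it builds in `self_check()` are constructed for illustration only.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # stream in 1 MiB chunks so a large image or device never has to fit in RAM

def is_zeroed(path, block_size=BLOCK):
    """True when every byte at `path` (file or block device) is 0x00, i.e. the media is sanitized."""
    zero_block = bytes(block_size)
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                return True
            # A short final chunk is normal; compare against a zero block of the same length.
            if chunk != zero_block[: len(chunk)]:
                return False

def sha256_file(path, block_size=BLOCK):
    """Stream a SHA-256 digest over the file; this is the value recorded at acquisition time."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_image(image_path, expected_sha256):
    """True when the stored image still matches the hash recorded when it was acquired."""
    return sha256_file(image_path).lower() == expected_sha256.strip().lower()

def self_check():
    """Run both checks on constructed sample files (not real evidence) and return the outcomes."""
    abc_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # SHA-256 of b"abc"
    with tempfile.TemporaryDirectory() as tmp:
        clean, dirty, image = (os.path.join(tmp, n) for n in ("wiped.img", "reused.img", "evidence.img"))
        with open(clean, "wb") as fh:
            fh.write(bytes(2 * BLOCK + 7))          # several full chunks plus a short tail
        with open(dirty, "wb") as fh:
            fh.write(bytes(BLOCK) + b"\x01")        # one stray byte left from a 'previous case'
        with open(image, "wb") as fh:
            fh.write(b"abc")
        return {
            "clean_is_zeroed": is_zeroed(clean),
            "dirty_is_zeroed": is_zeroed(dirty),
            "image_hash_ok": verify_image(image, abc_sha256),
            "image_tampered": verify_image(image, "00" * 32),
        }

if __name__ == "__main__":
    print(self_check())  # {'clean_is_zeroed': True, 'dirty_is_zeroed': False, 'image_hash_ok': True, 'image_tampered': False}
```

Note that `is_zeroed` returns True for an empty file, so check the media size separately if a zero-length target would be a surprise.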

Memory capture tools: In some cases, the Incident Responder may need to acquire memory from systems running Windows, Linux or macOS. Knowing how to acquire memory from each of these operating systems is a great skill to have.

Triage tools: In enterprise environments with many systems, it may not be possible to acquire all possible sources of evidence like forensic images. In such cases, triage tools can be used to quickly ‘sweep’ all systems in the enterprise for specific sources of evidence.

Commercial forensic tools: Standard commercial forensic tool vendors provide various software and hardware tools to assist in incident response. Most tools require specialized training to be able to use them effortlessly. Get acquainted with the commercial tools used by your organization.

Getting ready to handle incidents

Now that you have an idea about the possible tools in an Incident Response Toolkit, you are in a better position to handle incidents. Practice using the available hardware and software tools in your free time. When an incident occurs, you will be ready to take on the role of the Incident Response Professional walking in with a bulky case to help contain the incident!

See also

Want to learn practical Digital Forensics and Incident Response skills? Enrol in MCSI’s MDFIR - Certified DFIR Specialist Certification Programme