Incident Investigation

When an instance of a threat occurs, it is referred to as an incident. Incidents are unexpected or unwanted events that can threaten security and have the ability to adversely affect the confidentiality, availability, or integrity of systems, projects, or businesses. Because an incident is the instance of a threat, it can occur for any number of the reasons discussed earlier in this chapter in the Risks and Threats section.

Certain threats may involve deliberate or malicious actions, so it is important that they are investigated and handled immediately after being identified. Companies may find their Web sites or networks hacked by outside parties, receive threats via e-mail, or fall victim to any number of cybercrimes. In other cases, an administrator may discover that people internal to the organization are committing crimes or violating policies. When certain incidents occur, the administrator not only needs to fix the immediate problem, but also needs to investigate the person behind it.

The Goals

As with any process, there are certain goals to achieve in an incident investigation. While the particular goals will depend on what is being investigated, they may include:

  • To ensure that all applicable logs and evidence are preserved

  • To obtain the information needed to justify a subpoena to obtain information from an ISP

  • To narrow the list of suspects

  • To understand how the intruder is entering the system

  • To discover why the intruder has chosen the system(s) in question

  • To build a detailed case file on the intrusion

  • To document the damage caused by the intruder

  • To have enough information to decide if the incident merits involving law enforcement.

Preservation of logs and other evidence is an important part of an investigation, as it serves as proof of how an incident occurred and may show who was responsible for it. Logs, data on hard disks, and other sources of evidence can provide details that may be unavailable through other means. As will be seen later in the section on computer forensics, if evidence has been compromised in any way, it may be considered inadmissible in court. In some cases, this may render the investigation pointless.

Information acquired during an investigation not only serves as evidence for court, but also provides clues that can be used to identify the culprit responsible. For example, if a person were receiving threatening e-mails, header information in the e-mail would show where it originated. Acquiring this information could allow law enforcement to obtain a subpoena and obtain records from the ISP that would show who owned the account that sent the e-mail. Without such information, the investigation could hit a dead end, and proceed no further.

Investigative techniques can also narrow a list of suspects to a single person or group of people. For example, if the administrator identified that someone in a particular department was using company computers to hack Web sites, then the initial suspects might be the people working in that office. During an investigation, they may find that only one employee's password was used to log onto the computer and access the Internet. By properly conducting an investigation, this larger group of suspects was narrowed down to the actual person committing the act. To avoid accusing innocent parties of involvement in an incident, it is important that every person who is not involved is removed from the list of initial suspects.

Establishing how an intruder entered a system is another imperative of an investigation. It is important to ascertain the methods used by an intruder to gain entry, so this information can be provided in court. This will allow the court to fully understand what occurred and properly prosecute the suspect. Understanding how vulnerabilities were exploited also shows where weaknesses exist in systems and what safeguards are needed to prevent future intrusions. In doing so, an organization is better protected from future incidents.

Discovering why a hacker chose a particular system may also be useful to an organization. It may find that the system was selected because it lacked safeguards or because it made a tempting target. In some situations, it may find that information about the data on certain systems has leaked out to the public. For example, sensitive data may be available in a restricted area of the Web site. Without the organization knowing it, an Internet search engine may have indexed those documents, so that they are now partially displayed when people conduct certain searches. By understanding why a hacker chose to attempt an intrusion, the organization may find additional information that is useful in improving security.

Documentation is vital to an investigation. Not only does it provide a reference that can be used later to repair any weaknesses in systems, but it may also serve as evidence in court. By building a detailed case file on intrusions, a company will not need to rely on the fallible memories of people afterwards.

Documentation is also needed to record the damage caused by an intruder. Such information may be needed when putting in an insurance claim to be reimbursed for damages, or if the company decides to pursue a civil suit against the person responsible. If criminal prosecution applies, a catalogue of damages will provide law enforcement with the information needed to charge the person correctly.

Such information, combined with other evidence obtained in the investigation, allows a company to determine whether law enforcement involvement is necessary. In some cases, senior management may decide that the matter should be dealt with internally, as the infringement was negligible or out of a desire to avoid negative publicity. In other situations, an internal breach of policy can change during the investigation to being a criminal one, as more evidence is acquired. For example, an employee may have violated a company's acceptable use policy and spent considerable time viewing pornography during work hours. By using forensic procedures to investigate the incident, the company will create a tighter case against the employee. Because every action taken followed established guidelines and acquired evidence properly, the employee will have a more difficult time arguing the facts. If during the investigation illegal activities are found (such as possession of child pornography), then the internal investigation becomes a criminal one. Because investigations may change swiftly and require the involvement of law enforcement, any investigation should always be approached as one that may be scrutinized in court.

The Tools

The tools of any trade often determine the quality of work performed. For incident investigations, there are numerous tools available. Software, equipment, policies, procedures, and other forms of information can all play important roles in determining whether an incident is effectively investigated.

Being prepared for an incident has a large impact on whether an investigation will be successful. Tools must be available and implemented before an incident occurs. If they are not, policies may be unenforceable, procedures may not be able to be followed, and certain actions required to complete an investigation may be impossible to perform.

Exam Warning 

Good policies are a major tool in dealing with incidents. Business continuity policies, incident response policies, and disaster recovery policies provide procedures on how to deal with incidents. Acceptable use policies, confidentiality agreements, and other policies can also be used as contracts that are signed by employees and can be used for disciplinary actions.

Policies

A policy is used to address concerns and identify risks to a company, while procedures are used to provide information on how to perform specific tasks and/or deal with a problem. For example, a policy may be created to deal with the potential threat of unauthorized access to restricted areas of a building, and procedures may be implemented that state how a visitor should be signed into a building and escorted to a particular department. Through the policy, an issue that is pertinent to the organization is explained and dealt with. Through the procedure, people are shown how to abide by policies by following specific instructions.

When considering the sheer number of issues an organization may face, you can see that there are many different types of policies and procedures that may be implemented. Regardless of the type however, each should have the following features:

  • They should be straightforward, stating points clearly and understandably. If areas of a policy can be interpreted in different ways, then it can be disputed when attempting to enforce it.

  • They must define what actions should be taken. Procedures must lay out the steps needed to complete a task, while policies must outline the actions that may be taken if the policy is violated.

  • They cannot violate any applicable law. If policies violate existing legislation, then they cannot be adequately enforced. Also, the company may face civil or criminal charges, because it implemented policies that forced employees to break the law.

  • They must be enforceable. If a policy is not enforced each time it is violated, or cannot be enforced for some reason (such as because it violates contractual agreements with individuals or unions), then the policy becomes worthless to the company. Policies must be fairly and equally enforced whenever they are violated, or any disciplinary actions dictated in the policy can be disputed.

When implementing policies, methods should be devised to confirm that employees have read and agreed to comply with them. One method is to have employees read and sign copies of certain policies when they are hired. However, if there are changes to the policy, then each person already hired must reread and sign the policy. Another method is to implement one policy that employees sign upon being hired, which states that part of their employment relies on reading and acknowledging compliance with all policies. The policies can be posted on the corporate intranet, enabling employees to read them at their convenience. Still another method is to e-mail copies of policies to all of the employees' internal e-mail addresses, and request that they respond stating they have read and agree with the terms of the policy. Whatever method is implemented, it is important that some process is in place. If employees are unaware of the policies, they cannot realistically be expected to comply with them.

Acceptable Use Policy

One such policy employees should be required to acknowledge reading and complying with is an acceptable use policy. This type of policy establishes guidelines on the appropriate use of technology. It is used to outline what types of activities are permissible when using a computer or network, and what an organization considers proper behavior. Acceptable use policies not only protect an organization from liability, but also provide employees with an understanding of what they can and cannot do using company resources.

Acceptable use policies restrict certain actions, including what types of Web sites or e-mail an employee is allowed to access on the Internet at work. You may have read news articles about employees who access pornography over the Internet. Not only does this use up bandwidth and fill hard disk space on non-work related activities, but when others see the employee view the material it can create an uncomfortable work environment. Worse yet, a company can be liable for creating or allowing a hostile work environment under the Civil Rights Act of 1964 or other legislation. For these reasons, businesses commonly include sections in their acceptable use policies that deal with these issues.

Beyond dealing with potentially offensive materials, acceptable use policies also deal with other online activities that can negatively impact network resources or sidetrack users from their jobs. For example, a user who keeps a stock ticker on the desktop, watches streaming media, or installs game software or other technologies will often be distracted from the duties the employee was hired to perform. These distractions are activities the company did not intend to pay the user to perform. For this reason, restrictions on installing software and other technologies on company computers can be found in acceptable use policies.

Acceptable use policies should also specify how information may be distributed to the public, to prevent sensitive information from being "leaked." Rules on the dissemination of information might include:

  • Specifications that prohibit classified information from being transmitted via the Internet (for example e-mail or FTP)

  • Provisions on how content for the Web site is approved

  • Rules on printing confidential materials

  • Restrictions on who can create media releases, and so on

Through this, important information is protected and employees have an understanding of what files they can or cannot e-mail, print, or distribute to other parties.

Incident Response Policy

Incident response policies are implemented to provide an understanding of how certain incidents are to be dealt with. The policy should identify an incident response team, whose members are to be notified of issues and who have the knowledge and skills to deal with them effectively. Members of the team should be experienced in handling issues relating to unauthorized access, denial or disruptions of service, viruses, unauthorized changes to systems or data, critical system failures, or attempts to breach the policies and/or security of an organization. If the incident is of a criminal nature, the policy should specify at what point law enforcement should be contacted to take control of the investigation.

A good incident response policy will outline who is responsible for specific tasks when a crisis occurs. It will include such information as:

  • Who will investigate or analyze incidents to determine how an incident occurred and what problems are faced because of it.

  • Which individuals or departments are to fix particular problems and restore the system to a secure state.

  • How certain incidents are to be handled, and references to other documentation.

Including such information in the incident response policy will ensure that the right person is assigned to a particular task. For example, if the Webmaster was responsible for firewall issues and the network administrator performed backups of data, then tasks would be assigned relating to these responsibilities in the incident response policy. By determining who should respond to and deal with specific incidents, administrators will be able to restore the system to a secure state more quickly and effectively.

Incident response policies should also provide clearly defined steps on what users are supposed to do when identifying a possible threat. Upon realizing an issue exists, they should notify their supervisor, a designated person, or department, who can then contact the incident response team. While awaiting the team's arrival, the scene of the incident should be vacated and any technologies involved should be left as they were. In other words, those on the scene should not touch anything, as this could alter the evidence. The users should also document what they observed when the incident occurred, and list anyone who was in the area when the incident occurred.

To address how a company should handle intrusions and other incidents, it is important that the incident response policy includes a contingency plan. The contingency plan addresses how the company will continue to function during the investigation, such as when critical servers are taken offline during forensic examinations. Backup equipment may be used to replace these servers or other devices, so that employees can still perform their jobs and (in such cases as e-commerce sites) customers can still make purchases. A goal of any investigation is to avoid negatively impacting the normal business practices as much as possible.

Tracing Tools

When performing an investigation, the administrator may need to view volatile data in memory, determine the origin of an intruder, or trace who is connected to a particular computer back to the source. To do this, a number of tools are available in the normal distribution of the IP protocol suite that can provide information about potentially relevant details. These tools include:

  • Address Resolution Protocol (ARP)

  • IPCONFIG/IFCONFIG

  • NETSTAT

  • NSLOOKUP

  • Packet Internet Groper (PING)

  • ROUTE

  • TRACERT/TRACEROUTE

ARP is a command line utility that allows the administrator to view the IP addresses and physical addresses (MAC addresses) of the Ethernet cards of machines on the local network that were used to connect to a computer. Because it reveals which computers connected to a machine, it can be useful in identifying the computer used to hack into a network computer running IP.

IPCONFIG and IFCONFIG are tools that can provide information about how IP is configured. IPCONFIG is a command line tool for computers running Microsoft operating systems, while IFCONFIG is a similar tool used to list IP configuration information on UNIX/Linux machines. Typing IPCONFIG at the command prompt provides administrators with the IP address, subnet mask, and default gateway configured on the machine. To acquire more detailed information, they can type IPCONFIG /ALL at the command prompt. This allows them to view such information as the hostname (for example, computer name) assigned to the machine, the domain name, the physical or MAC address of the Ethernet adapter installed, whether Domain Name Service (DNS) or Windows Internet Name Service (WINS) is enabled, and other information that shows how the computer has been configured.

NETSTAT is a tool that provides information about active connections to a machine running IP, and can provide information on whether a hacker is still connected to a particular computer. Typing this command at the command prompt displays each connection on a different line, and shows the local address and port of the machine NETSTAT is running from, the foreign or remote address of the connected machine, the protocol used for the connection, and the connection's status.

NSLOOKUP is a useful command line tool for tracking an intruder or e-mail back to its origin. If a company receives threatening or otherwise unwanted e-mail, information within the e-mail header may show the IP address of the mail server used to send the message. If an intruder breaks into a network, firewall logs may record the IP address used during the break-in. To resolve the IP address to an actual domain name, NSLOOKUP can be used to query DNS servers on the Internet about the hosts and domains that own the IP address. Upon finding this information, the administrator could then try to obtain a subpoena for account information on the person who used that address during the time of the incident.

PING is a command line tool that allows the administrator to check the configuration of IP on a machine, and determine if IP connections can be made to other IP addresses. It works by sending Internet Control Message Protocol (ICMP) echo request messages to a destination, which results in echo reply messages being sent back to the machine. Information provided by the replies includes the number of packets sent and received, the percentage of packet loss, and the time it took for each packet to make a round trip between the computer and that IP address. To use PING, the administrator would enter the word PING followed by the IP address or computer name of a machine on the local or remote network, as follows:

PING <IP address>

To test the configuration of IP on the local machine, they would use the loopback address 127.0.0.1. To test connections to routers, computers, and any other equipment that has an IP address, they would enter the IP address of that particular machine.

ROUTE is another tool that is available for both Windows and UNIX-based machines. It allows the administrator to view and modify routing tables, which determine how packets will be sent from the computer to other machines on a network. As Windows and UNIX-based machines will automatically build this information, it generally is not necessary to use ROUTE to manually add, delete, or modify routes in the table. However, the ROUTE PRINT (or NETSTAT -RN) command is useful for viewing existing routing table information.

TRACERT and TRACEROUTE are command line tools that allow administrators to trace the route taken by a packet to reach a remote host. TRACERT is available on Microsoft operating systems, while TRACEROUTE is used on UNIX-based machines. By typing these commands at a prompt, followed by an IP address or hostname of a machine, the administrator can view the number of hops required to reach the destination and how long each hop takes. In doing so, it also provides the names of the routers through which the packets passed.

Test Day Tip 

The tools mentioned in this section are vital to acquiring volatile data from memory and identifying the source of a threat. It is important that you know each of these tools, and their purpose for acquiring information from computers and the network.

Exercise 5.05: Using Tools to View Volatile Data in Memory


You have received a complaint about a possible hacking attempt on servers used by the company for file storage. These machines run the Windows NT Server and Windows 2000 Server operating systems. When you arrive, you find that these machines are still running. You want to document any volatile information that may reside in memory before proceeding with further forensic procedures. Follow these steps to acquire this volatile data:

  1. Using a computer running Windows NT or Windows 2000, click on the Start | Run command. Type CMD at the Run command, and click OK.

  2. When a window opens, you will see a command prompt. Type NETSTAT and press Enter. Document any information on current network connections that is displayed. This will show whether the hacker is still connected to the machine.

  3. Type IPCONFIG and press Enter. Document any information about the state of the network.

  4. Type ARP -A to view the ARP cache. Document the addresses of computers that have connected to the system. This will show the addresses of machines recently connected to the system, and may show the IP address of the machine used by the hacker.

  5. Close the command prompt window.

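The steps above, as an added Python script that is not part of the original exercise: it runs NETSTAT, IPCONFIG and ARP -A, timestamps and SHA-256 hashes each raw output for the case file, and parses the NETSTAT and ARP output so connected peers can be matched against the ARP cache. The NETSTAT and ARP output embedded below, the addresses in it and the examiner name are constructed sample values.

```python
"""Documenting volatile network state (Exercise 5.05 as a script).

Added example, not part of the original exercise. It runs the tools the
exercise names, timestamps each raw output and hashes it with SHA-256 so
later alteration can be detected, then parses NETSTAT and ARP -A into
records for the case file. Command names and output layout follow Windows;
on UNIX/Linux use netstat -an, ifconfig and arp -a instead.
"""
import hashlib
import json
import re
import subprocess
import sys
from datetime import datetime, timezone

# The tools named in the exercise, as run from the command prompt.
COMMANDS = {
    "netstat": ["netstat", "-an"],
    "ipconfig": ["ipconfig", "/all"],
    "arp": ["arp", "-a"],
}

# Constructed sample output in Windows 2000 layout, used for the offline demo.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.77:1045      ESTABLISHED
  TCP    192.168.1.10:3389      203.0.113.45:51822     ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""
SAMPLE_ARP = """\
Interface: 192.168.1.10 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          00-aa-bb-cc-dd-ee     dynamic
"""
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")


def sha256_hex(text):
    """Fingerprint of the raw output; recompute later to prove the record is unaltered."""
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()


def parse_netstat(output):
    """NETSTAT rows: Proto, Local Address, Foreign Address, State (UDP rows have no state)."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            records.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                            "state": parts[3] if len(parts) > 3 else ""})
    return records


def parse_arp(output):
    """ARP -A rows: Internet Address, Physical Address, Type."""
    return [{"ip": m.group(1), "mac": m.group(2).lower(), "type": m.group(3)}
            for m in (ARP_RE.match(line) for line in output.splitlines()) if m]


def remote_peers(netstat_records):
    """Hosts holding an ESTABLISHED TCP session right now, i.e. who is still connected."""
    peers = {r["foreign"].rsplit(":", 1)[0] for r in netstat_records
             if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"}
    return sorted(peers - {"127.0.0.1", "0.0.0.0"})


def correlate(peers, arp_entries):
    """Map each connected peer to its MAC from the ARP cache.

    Only hosts on the local segment appear in the cache, so a peer mapped to
    None reached the machine through a router and must be traced by other
    means (firewall logs, NSLOOKUP, TRACERT)."""
    macs = {e["ip"]: e["mac"] for e in arp_entries}
    return {p: macs.get(p) for p in peers}


def build_record(name, output, examiner):
    """One case-file entry: what was run, when, by whom, the raw output and its hash."""
    return {"command": " ".join(COMMANDS[name]),
            "captured_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner, "sha256": sha256_hex(output), "raw_output": output}


def capture_all(examiner, runner=subprocess.run):
    """Run every tool on the live machine; a failed capture is recorded, never skipped."""
    case_file = []
    for name, argv in COMMANDS.items():
        try:
            out = runner(argv, capture_output=True, text=True, timeout=30).stdout
        except (OSError, subprocess.TimeoutExpired) as exc:
            out = "<capture failed: %s>" % exc
        case_file.append(build_record(name, out, examiner))
    return case_file


if __name__ == "__main__":
    live = capture_all(sys.argv[1] if len(sys.argv) > 1 else "UNKNOWN-EXAMINER")
    print(json.dumps(live, indent=2))
    peers = remote_peers(parse_netstat(SAMPLE_NETSTAT))   # offline demo on the sample
    print("connected peers vs ARP cache:", correlate(peers, parse_arp(SAMPLE_ARP)))
```

Run it as `python capture.py "<examiner name>"` on the live machine and keep the JSON with the case file; the hashes let anyone later confirm the recorded output was not altered.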

Log Analysis

Logs can be valuable tools when troubleshooting problems and identifying adverse incidents (such as intrusions to the system). Many systems provide logs that give automated information on events that have occurred, including accounts that were used to log on, activities performed by users and by the system, and problems that transpired. Logs are not only a function of operating systems, but may also be provided through a wide variety of applications. For example, while Windows 2000 provides logs dealing with the operating system, additional logs may be provided through the firewall running on the server.

Logs can also provide insight into physical security problems. Computerized door lock systems may require a Personal Identification Number (PIN), biometrics, or card key before access is granted. In other cases, a system may be implemented requiring a person to sign his or her name before entering a secure area. Logs of such entries may correspond to the time a problem occurred, and provide valuable information about who caused or witnessed it.

Due to the valuable information that can be obtained through various logs, it is important that the administrator review logs on systems being investigated. Logs generated by firewalls, servers, application software, and any other elements of a network or system should be analyzed. In doing so, they may acquire evidence that can be used in the identification, arrest, and possible conviction of the culprit behind an attack.

Crime Scene Analysis

The analysis of a crime scene is as important as the examination of a computer involved in an investigation. A crime scene is the area in which an incident occurs, and can be as limited as a single computer or as broad as hundreds of machines across a network. Because of this, it is important to determine upon arriving at a scene what has been affected, to establish the scope of the incident.

Once this has been established, effort must be made to protect any evidence at the scene. There are a number of tasks that must be performed when arriving at a crime scene, which include:

  • Preventing people who are not involved in the investigation from entering the crime scene, as they may destroy, delete, remove, or modify any evidence at the scene.

  • Gathering information from people who reported the incident and who were within the crime scene before it was secured.

  • Ensuring that systems that are turned on are left on, and that systems that are turned off are left off.

  • Preserving and gathering volatile evidence.

  • Establishing a chain of command.

It is important to realize that evidence may not only reside on computers, but may exist in other areas within the crime scene. Passwords may be written down, information may have been printed out, manuals for affected systems may be within the area. In addition to this, fingerprints, fibers, and other trace evidence may exist that must be collected. By keeping the area secure, and analyzing possible sources of evidence within the crime scene, the security administrator will be better able to obtain information that will catch and possibly convict those involved.

Documentation

Because any evidence may be used in possible criminal proceedings, thorough documentation cannot be stressed enough. Documentation provides a clear understanding of what occurred to obtain the evidence, and what the evidence represents. No matter what role the administrator plays in an investigation, they must document any observations made and actions taken. Information should include the date, time, conversations pertinent to the investigation, tasks that were performed to obtain evidence, names of those present or who assisted, and anything else that was relevant to the forensic procedures that took place.

Documentation may also be useful as a personal reference, should the need arise to testify in court. Because of the technical nature involved, administrators may need to review details of the evidence before testifying at trial. Without it, their memory may fail them at a later time, especially if a case does not go to court until months or years later. These notes may also be referred to on the stand, but doing so will have them entered into evidence as part of the court record. As the entire document is entered into evidence, the administrator should remember not to keep notes dealing with other cases or sensitive information about the company in the same document, as this will also become public record.

In addition to the documents created, it is important that procedures used for incident investigation and handling are also available to investigators, members of the incident response team, and other IT staff. Documented procedures allow incident responses to be more organized and effective. They provide a methodical approach, allowing those investigators to perform necessary tasks step-by-step. This can be particularly important during investigations, as investigators are not required to rely on memory when dealing with unexpected events. Investigators can simply move through the documented process, completing each of the necessary tasks in a set order.

Investigation Steps

To perform an investigation properly, it is important to follow set procedures, which detail the steps to be taken. In the investigation process, there are six different steps that need to be followed:

  • Preparation

  • Detection

  • Containment

  • Eradication

  • Recovery

  • Follow up

Following these will help the administrator to meet the goals of an incident investigation, and provide information that can be used to handle the incident so it does not escalate into a more significant problem.

Preparation

As stated throughout this chapter, it is important that threats are dealt with proactively, with safeguards and other measures in place before problems occur. If the networked components do not have safeguards, it is possible for an incident to spread from system to system. If the necessary policies, procedures, and tools are not available when responding to an incident, valuable time can be wasted trying to get organized. Preparation is the key to handling and investigating incidents.

Training is an important part of properly managing how an incident is handled and investigated. Members of the team should have a thorough understanding of the tasks they are expected to perform, where reference material and other information is located, and expertise in using any tools that are needed. Management and users should also be trained in identifying and reporting problems, including the procedures for contacting the necessary people in an emergency.

Earlier in this chapter, we discussed the importance of an incident response policy to provide information that can be used in responding to incidents. Part of this policy should include or reference a communications plan that provides contact information on who will need to be called when problems are first identified. This includes members of the incident response team, other IT staff, third party vendors and support, senior management, department managers, public relations people, and anyone else who may need to be conferred with. The contact list should include the names of anyone who may need to be called during an incident, and their phone numbers, pager numbers, addresses, and any other relevant information.

In an emergency, you do not want people scrambling to find contact information, so it should be left with a centralized source of information. Some options might be the company switchboard, dispatch, or other departments. If an incident needed to be reported, employees could notify the switchboard operator or dispatcher, who in turn could contact incident response team members.

In some cases, notifying the appropriate parties may be automated, allowing network administrators and other parties to be alerted when certain events occur. Systems may be configured to send out alerts via e-mail or to a pager number, notifying the person of such things as low disk space, errors, loss of power, or other events that may indicate a significant problem. When automated alerts are used, notified personnel may arrive to fix problems before users are even aware of the incident.

Because not every member of an incident response team will be sitting by the phone, and some may otherwise be unavailable, it is important to ensure that important knowledge is still available. Documentation on specific procedures should be available to team members through files on the network, the corporate intranet, or other methods. Printouts of this material should also be available, in case the systems holding the electronic versions are themselves the targets of a particular incident. After all, if the server containing this information has failed, then no one will be able to access the electronic documents that explain how to fix the problem.

Passwords are another piece of information that should be available in emergencies. Members of IT staff or the incident response team may have varying levels of access rights, and may be unable to get into certain areas of the network or certain systems. For example, they may not have passwords to access administrative functions in certain systems, or workstations and servers may be locked down and cannot be accessed without an administrator password. To allow them entry in extreme situations, copies of passwords should be written down, sealed in an envelope, and stored in a locked container (such as a safe). Any encryption keys needed to access critical data should also be stored with these passwords. In an emergency, if the person who knows the passwords is unavailable, a member of the team can access the passwords and keys, and use them to fix issues requiring them.

In some incidents, data may be altered, corrupted, or deleted. When this happens, the data may be irrevocably lost unless backups have been performed regularly beforehand. As discussed earlier, data can be backed up in a variety of ways and restored to systems when needed. To make it easier for members of the team to restore data, recovery procedures should be documented thoroughly, so that members can follow clear, tested steps to return systems to their previous state.

To aid detection, preparation also requires that logging be enabled on systems. Writing events to a log file is a feature commonly provided by operating systems and by much software and network equipment. Logs can provide a great deal of information, revealing indicators that show whether an incident has occurred. The more information captured in these logs, the more evidence the administrator will have for discovering incidents and dealing with them accordingly. Two details matter in practice: logs should be copied to a separate, well-protected log server, so that an intruder who takes over a host cannot simply erase the record of what was done, and system clocks should be synchronized, so that entries from different systems can be placed in order.

Baselines should also be created by recording how systems behave normally. The metrics recorded in a baseline would include measurements of network traffic, memory usage, and other information that gives a clear picture of how systems run day to day. The incident response team can then compare the baseline with measurements taken when a problem is suspected, and thereby detect whether an incident has occurred.
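The comparison described above, as an added example that is not part of the study guide: a baseline is summarized as the mean and standard deviation of each metric, and a current reading is flagged when it lies more than a chosen number of standard deviations from the mean. The baseline samples and the "problem suspected" readings are constructed for the example; the metric names are assumptions.

```python
"""Compare current measurements against a recorded baseline.

Added example, not from the study guide. The baseline samples and the
suspect measurements are constructed, not real data.
"""
import statistics

# Constructed baseline: ten hourly samples of outbound traffic (MB) and
# memory use (%) taken while the system was known to be healthy.
BASELINE = {
    "outbound_mb": [120, 135, 128, 140, 132, 125, 138, 130, 127, 134],
    "memory_pct":  [55, 58, 57, 60, 56, 59, 57, 58, 56, 57],
}


def build_baseline(samples):
    """Summarise each metric as (mean, population standard deviation)."""
    return {
        name: (statistics.mean(vals), statistics.pstdev(vals))
        for name, vals in samples.items()
    }


def deviation(baseline, metric, value):
    """How many standard deviations `value` is from the baseline mean."""
    mean, sd = baseline[metric]
    if sd == 0:
        # A metric that never varied: any change at all is abnormal.
        return 0.0 if value == mean else float("inf")
    return (value - mean) / sd


def find_anomalies(baseline, current, threshold=3.0):
    """Return {metric: sigma} for readings beyond `threshold` sigma."""
    return {
        m: round(deviation(baseline, m, v), 1)
        for m, v in current.items()
        if abs(deviation(baseline, m, v)) > threshold
    }


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    # Constructed reading taken when a problem was suspected: traffic has
    # spiked, memory is still inside its normal band.
    current = {"outbound_mb": 910, "memory_pct": 61}
    print(find_anomalies(base, current))
```

A three-sigma threshold is a starting point, not a rule: a metric with a strong daily cycle needs a baseline per time of day, or the comparison will raise alarms every morning.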

Detection

Determining whether an incident has actually occurred is the next step of the incident investigation process. After all, just because someone reports that something does not seem right does not mean that the company is at risk. A user could report that files have been deleted; although this could indicate hacking, it could also mean the user is too embarrassed to admit to deleting them by accident. The detection phase of incident investigation examines such reports and determines what further actions (if any) are required.

Detection requires looking at the safeguards and auditing controls that have previously been set up, and determining whether anomalies exist. For example, logs may provide a great deal of information that can confirm or rule out suspicions of unwanted activity. Members of IT staff or information security personnel should check logs on a regular basis and determine whether indications of problems have been recorded. System logs may show errors related to security violations, impending hardware failure, or other potential problems. Firewall logs should also be analyzed for signs of attempted hacking from the Internet, policy breaches, or other damaging events. By checking logs regularly, an incident may be caught early, preventing more significant problems from occurring.
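As an added example of the log review just described (not code from the study guide), the following scans syslog-style SSH authentication lines for the pattern an administrator would most want to catch: a burst of failed logins from one source, followed by a success from the same source. The log lines are constructed for the example, and the thresholds (four failures within sixty seconds) are assumptions to be tuned for a real environment.

```python
"""Scan constructed authentication log lines for signs of password guessing.

Added example, not from the study guide. The log format mimics an OpenSSH
syslog entry; every line below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
Mar 10 02:14:01 srv1 sshd[4131]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 10 02:14:03 srv1 sshd[4133]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar 10 02:14:04 srv1 sshd[4135]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar 10 02:14:06 srv1 sshd[4137]: Failed password for root from 198.51.100.23 port 50128 ssh2
Mar 10 02:14:07 srv1 sshd[4139]: Failed password for root from 198.51.100.23 port 50130 ssh2
Mar 10 02:14:09 srv1 sshd[4141]: Accepted password for root from 198.51.100.23 port 50132 ssh2
Mar 10 02:20:15 srv1 sshd[4201]: Failed password for alice from 192.0.2.10 port 41000 ssh2
Mar 10 02:20:30 srv1 sshd[4203]: Accepted password for alice from 192.0.2.10 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2003):
    """Yield (timestamp, result, user, ip) for each authentication line.

    Syslog timestamps carry no year, so the caller supplies one."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_brute_force(log_text, threshold=4, window_s=60):
    """Flag source IPs with >= threshold failures inside window_s seconds.

    Returns {ip: {"failures": n, "success_after": bool, "user": name}}.
    A success after the burst is the case that needs immediate attention."""
    recent = defaultdict(list)   # ip -> timestamps of failures in the window
    alerts = {}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            recent[ip].append(ts)
            recent[ip] = [t for t in recent[ip]
                          if (ts - t).total_seconds() <= window_s]
            if len(recent[ip]) >= threshold:
                entry = alerts.setdefault(
                    ip, {"failures": 0, "success_after": False, "user": None})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["user"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

Note that the single failure from 192.0.2.10 followed by a success is the ordinary "mistyped password" case and is not reported; the point of the window and threshold is to separate that from the burst against root.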

Software specifically designed to deal with certain incidents, or with elements of an incident, can be used in the detection process. Antivirus software can detect viruses and can be configured to deal with them automatically upon detection. Intrusion detection systems (IDSs) can be used to identify whether system security has been violated, systems have been misused, or accounts have been misused or modified. Implementing such software not only helps protect the network, but also allows administrators to detect incidents early.

In addition to the logs created by systems on the network, the administrator should also keep a manual log. This provides a record of dates, times, observations, system names, error messages, actions taken, and other details that may prove valuable. The name of the person who reported the incident and the names of people who had access to the systems should also be recorded. The log should be started as early as possible. Information recorded in it may be vital to solving problems, and may be needed for reference if the administrator is later required to testify in court.

Another reason for maintaining a log is that it can reveal patterns. Hackers may make several attempts to break into a network, and being able to refer to records of these previous occurrences can be valuable in identifying vulnerabilities, finding out who is making the attempts, and prosecuting that person. It can also be useful in identifying training issues, such as when repeated mistakes by the same person result in damaged data, invalid data entry, or erroneous reporting of incidents. Without a log of previous incident investigations, such patterns may go unnoticed.

When an incident is confirmed, it is important that an image of the affected system is made as soon as possible. Disk imaging software can be used to make an exact duplicate of a computer's hard disk. This allows the administrator to examine the data on the copy while leaving the original computer untouched. This matters because examining the original computer's data could modify it. Even opening a file can alter information (such as the date and time it was last accessed) and undermine any further investigation or future prosecution. A cryptographic hash (such as SHA-256) of the original disk and of the image should be computed and recorded at the time the image is taken: matching values show that the copy is exact, and recomputing the hash later shows that the evidence has not changed since. It is also important to make the image quickly because further intrusions or malicious programs could delete the evidence needed to identify a suspect. Rather than giving the suspect a chance to cover their tracks, preserve the evidence promptly.
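The imaging and verification step, as an added example that is not from the study guide: the source is read block by block and hashed as it is copied, the finished image is hashed again independently from disk, and the image is made read-only so that examiners work from the copy. In a real case the source would be a raw device (for example /dev/sdb) attached through a hardware write blocker and read as root, and a purpose-built tool such as dd would normally do the copying; here a constructed temporary file stands in for the disk so the procedure runs anywhere. The file names are assumptions.

```python
"""Image a source bit for bit, then prove the copy matches by hash.

Added example, not from the study guide. A constructed temporary file stands
in for the original disk; on a live case the source would be a raw device
behind a hardware write blocker.
"""
import hashlib
import os
import tempfile

BLOCK = 4 * 1024 * 1024   # read and write in 4 MiB chunks


def hash_file(path, block_size=BLOCK):
    """SHA-256 of a file read back from disk, so the value reflects what
    was actually written rather than what was held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(src_path, img_path, block_size=BLOCK):
    """Copy src_path to img_path, hashing the source as it is read, then hash
    the finished image independently.

    Returns (source_sha256, image_sha256). The source is opened read-only and
    is never written to."""
    src_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(block_size), b""):
            src_hash.update(block)
            img.write(block)
    os.chmod(img_path, 0o444)          # examiners work from a read-only copy
    return src_hash.hexdigest(), hash_file(img_path, block_size)


def verify_image(img_path, recorded_digest):
    """Re-check an image against the digest recorded when it was taken; do
    this before each examination and before handing the image to anyone."""
    return hash_file(img_path) == recorded_digest


def demo(size=3 * 1024 * 1024 + 123):
    """Run the procedure on a constructed 'disk' and return what was checked.

    The odd size makes sure a partial final block is copied correctly."""
    data = os.urandom(size)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb.raw")      # stand-in for the original disk
        img = os.path.join(tmp, "case001.dd")   # assumed image file name
        with open(src, "wb") as f:
            f.write(data)
        src_digest, img_digest = image_and_hash(src, img)
        return {
            "source_sha256": src_digest,
            "image_sha256": img_digest,
            "expected": hashlib.sha256(data).hexdigest(),
            "verified": verify_image(img, src_digest),
            "image_size": os.path.getsize(img),
            "size": size,
        }


if __name__ == "__main__":
    r = demo()
    status = "match" if r["source_sha256"] == r["image_sha256"] else "MISMATCH"
    print(status, r["source_sha256"])
```

Record both digests, the tool used, and who made the image in the manual log described above; those notes are what later establish that the copy being examined is the same evidence that was seized.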

Containment

It is important to limit the extent and significance of an incident so that it does not spread to other systems and continue doing damage. It makes no sense to identify a hacker's entry into a server, and then allow them to continue entering other servers on the network. In the same light, allowing viruses to spread across the network increases the level of damage and defeats the purpose of even having an incident response team. Containment limits the scope of such incidents, preventing the damage from spreading.

How an incident is contained depends on the type of incident that has occurred, what is affected, and the importance of the systems to the business. If someone has hacked into a network file server, it might be prudent to remove that server from the network, for example by unplugging the network cable from the adapter. Once disconnected, the hacker is unable to do further harm and unable to modify or delete any evidence they left behind; disconnecting rather than powering off also keeps the contents of memory and the current state of the system available to the investigation. In other situations, such as an employee breaching policy (for example by downloading pornography), it would be overkill to prevent everyone from using network resources. In that case, having a member of the incident response team stay with the person to prevent them from using the computer would probably suffice.

Eradication

Just as it is important to prevent further damage by containing an incident, it is equally important to remove its cause. Eradication removes the source of a threat so that further damage is not caused or repeated. In doing so, the system is left more secure and further incidents may be prevented.

Eradication may occur through a variety of methods. For example, if a virus were detected on systems, eradication would require removing the virus from all media and systems by using antivirus software. In situations involving violations of law or policy, the eradication phase of incident investigation might require disciplinary action (such as terminating the employee) or pressing criminal charges. As can be seen, the appropriate method of eradicating an incident depends on what or who is being dealt with.

Recovery

Once an incident has been handled, the security administrator will need to ensure that any data, software, and other systems are back to normal. The recovery phase is where these are restored to a normal state. It is here that the administrator confirms that the incident did not permanently affect elements of the network, and that everything is as it was prior to the incident.

Recovery is important because data may be modified, deleted, or corrupted during incidents, and configurations of systems may be changed. Other problems that may result include malicious code that was planted on systems. Such code may be triggered by certain events, or activate at a later date when everything is presumed to be okay. Because of the possibility of future threats, the administrator needs to determine whether any remnants of an attack exist and what may have been damaged by the incident.

Systems may be restored in a variety of ways. Certain systems may need to be reconfigured to the way they were before the incident, data may need to be validated to verify that it is correct, or in other cases the system may need to be completely restored from backups. If data has been modified or destroyed and a backup is restored, any work that took place since the backup was made will need to be redone.

Follow Up

The follow up to an incident investigation is where it is determined whether improvements can be made to the incident-handling procedures. At this point, the previous phases of the investigation are examined and a review is performed of what was done and why. The follow up requires an analysis of such details as:

  • Preparation for the investigation and whether additional preparation is needed

  • Whether communication was effective or if information was not conveyed in a timely fashion

  • Steps taken during the investigation and problems identified

  • Whether the incident was detected quickly and accurately

  • Whether the incident was adequately contained or spread to different systems

  • Whether the tools used in the investigation were adequate, or whether new tools would result in improvements

It is also important to establish how much the incident cost, so changes to budgets can be made to effectively manage the risks associated with certain incidents. This includes the cost of downtime, personnel costs, the value of data that was lost, hardware that was damaged, and other costs related to the investigation. By determining the financial costs associated with an incident, insurance claims can then be filed to reimburse the company and cost/benefit analyses can be updated.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
