Unit CSEC04: Incident Response, Investigations and Forensics


QUALIFI Level 5

Extended Diploma in Networking and Cyber Security

Unit CSEC04: Incident Response, Investigations and Forensics

About this workbook

The main purpose of this workbook is to support you as you study for the Qualifi Level 4 Diploma in Cyber Security, so it specifically focuses on the content of the syllabus for the Unit CSEC04: Incident Response, Investigations and Forensics.

This workbook provides underpinning knowledge and develops understanding to improve your skills as well as to prepare you for future assessment. If you are studying towards the Qualifi Level 4 Diploma in Cyber Security then, if you choose to do so, you will be assessed on your knowledge and understanding of the learning outcomes.

Aim of Unit

• In this unit the learner will examine Incident Response, Computer Emergency Response Teams (CERTs), and events requiring investigative techniques. Learners will identify and examine aligned business tasks and task forces including Disaster Recovery, Business Continuity Management and Crisis Management. The unit then focuses on exploring cyber-related incident investigations, including evidential analysis, gathering, logging and reporting. Learners will have the opportunity to look at case studies and assess how the approaches used could be applied in their own workplace.

LO1: Understand the role and composite parts of Incident Response as a business function and how CERTS operate

1.1 Explain the people, structures, processes and tools involved in Computer Incident Responses

1.2 Discuss the different roles within a Computer Emergency Response Team and their importance

Purpose of Incident Response Team

• The purpose of security incident response is to bring needed resources together in an organized manner to deal with an adverse event known as an “incident” that is related to the safety and/or security of the information system. The security incident response process is centred on the preparation, detection and analysis, containment, investigation, eradication, recovery, and post-incident activity surrounding such an incident.

The Security Incident Response Team Members

• ■ The incident responder needs to be logical in their approach to each and every situation. Each event and activity which is to be handled must be approached with an open mind and a sound methodology for investigation and containment.

• ■ The incident responder has to be thorough in all actions that they take when responding, analysing, evaluating and documenting the incident. The full scope of the incident must be accounted for during and after the actual handling activities occur so that nothing is missed and left to continue to create issues in the future.


• ■ The incident responder is required to be as objective as possible during and after the response effort to ensure the integrity and impartiality of their efforts. The actual data involved in the incident, along with the methods and techniques of exposure, need to be identified, catalogued, and traced to ensure the full depth and breadth of the incident is investigated.

• ■ The incident responder must be observant of all activities, events, and surrounding environment while responding to gather as much information about the situation as can be gleaned from the incident scene. All sources of data for the investigation must be included in the incident data collection efforts.


• ■ Resourcefulness is the hallmark of an incident responder when checking, examining, and reviewing all of the parameters of any type of incident. Utilizing all possible sources of information about, and surrounding, the hardware and software in relation to the data collected is needed to ensure the full scope of the investigation is covered.

• ■ Above all other criteria, the incident responder must be accurate in their findings, results, and reports of the incident, its surroundings, and the root cause of the incident. The final and ultimate criterion for the responder is the need to be direct, distinct, and decisive in the examination and development of the results and report of the incident.

TYPES OF TECHNICAL SKILLS NEEDED

These skills, abilities, and knowledge are provided as a guide, not a full set of personnel requirements.

Realistically, not many incident handlers will have all of these skills, but they should have a working knowledge of most of them.


■ The basic security principles and engineering practices, such as those found in NIST SP 800-27, are as follows:

■ confidentiality

■ availability

■ authentication

■ integrity

■ access control

■ privacy

■ nonrepudiation.


• Understanding the Internet (aspects ranging from architecture and history to future and philosophy): Each SIRT member should know about the history, philosophy, and structure of the Internet, and the various infrastructures that support it.

• The SIRT member needs to know this information in order to understand why and how the various protocols are designed and work across the Internet.


• ■ Detailed knowledge of network protocols (IP, ICMP, TCP, UDP, FTP): The SIRT member needs to have a basic understanding of the common network protocols that are used in their operating environment. For each protocol, he/she should have a basic understanding of the protocol, its specification, and how it is used. In addition, the SIRT member should understand the common types of threats or attacks against the protocol, as well as strategies to mitigate or eliminate such attacks.


• ■ In-depth understanding of network infrastructure elements (router, DNS, mail-server): The SIRT member needs to have a basic understanding of the concepts of network security and be able to recognize vulnerable points in network configurations. The SIRT member should understand the concepts and basic perimeter security of network firewalls (design, packet filtering, proxy systems, DMZ, bastion hosts, etc.), router security, the potential for information disclosure of data traveling across the network (e.g., packet monitoring or “sniffers”), and threats relating to accepting untrustworthy information.


• ■ How network applications, services, and related protocols (SMTP, HTTP, HTTPS, FTP, TELNET, SSH, IMAP, POP3) function and interact with each other.

The SIRT members need a basic understanding of the common network applications and services that the team and the customer use (DNS, NFS, SSH, HTTP, etc.). For each application or service, the SIRT member should understand the purpose of the application or service, how it works, common usage, secure configurations, and the common types of threats or attacks against the application or service, as well as mitigation strategies.


■ Ability to identify host system security issues, from both a user and system administration perspective (backups, patches): The SIRT members should have a variety of expertise and exposure to the various types of operating systems (UNIX, Windows, Linux, macOS, or any other operating systems used) deployed in their area of responsibility. The members need to have experience in the operating aspects of the operating system, how the operating system is managed, maintained, and patched, and how the security parameters of the operating system are installed and monitored.


• ■ Ability to identify network security issues (firewalls and virtual private networks): The SIRT member should have the ability to anticipate, identify, isolate, and describe potential new vulnerabilities that could affect the area of responsibility as a result of changes in network design, hardware, or software. The SIRT member should be able to identify security weaknesses in current network configurations, deployments, and architectures. The SIRT member should be able to identify and develop tools or processes that would mitigate or resolve these potential security weaknesses.


• ■ Which encryption technologies (Triple DES (3DES), AES, IDEA, Blowfish) are in use in the organization: The SIRT member needs to have awareness and understanding of the basics for use and employment of encryption within the area of responsibility. He/she needs to be aware of both major methods of encryption, symmetric and asymmetric, and how each is used.


• ■ How digital signatures (RSA, DSA) are used and defined: The SIRT member should be cognizant of the methods and means used by the customer for Digital Signature activities for verification and validation of message traffic and electronic contract actions. The basic core Digital Signature algorithms (RSA and DSA) and their usage under corporate and federal standards (FIPS-186) are areas of focus for the SIRT member.

• ■ Where cryptographic hash algorithms (MD5, SHA-1) are utilized and under what conditions they are used: Hashing is often used throughout an organization for multiple requirements, such as password control, digital signatures, software version integrity checking, and file system integrity reviews.


• ■ An understanding of public data networks (telephone, ISDN, X.25, PBX, ATM, frame relay): The SIRT member should be well versed in the organization’s data service provider’s services and the telephone service provider’s delivery mechanisms. Understanding the delivery and services being provided gives the SIRT member some awareness of the types of security controls inherited by the organization from their service providers and allows the team member to use the “upstream” security to assist in response efforts if the suspicious incident is originating from outside the organization. So the SIRT member needs to know what type of telephone services are provided, what kind of data delivery is provided and through what technologies the data service is delivered to the organization, and what access is provided to the organization by the Internet Service Provider.


■ Possibly even domain experts from the fields of:

■ applications,

■ system,

■ security,

■ network,

■ mail,

■ database.

Incident Response Process

• The Incident Response process described here was devised by the US Government’s NIST organization; it is straightforward and simple in its design, but detailed in implementation.

Leighton Johnson 2014, Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response, Syngress, Rockland

1: Preparation

• This first part includes security engineering activities for the network, systems, and the various applications running on the systems and networks. Reviews of security products, services, and systems before installation are considered important, as they can establish the base level of security in the multiple areas of administrative, technical, and operational security controls. The incident response team’s level of security experience and subject matter expertise is vital to this effort.

2: Detection and Analysis

• The second stage of this Incident Response Methodology is the Detection and Analysis Stage. This is the phase where the actual detection of an incident occurs. There are many methods available today which allow for the automated detection of possible events and incidents. Software- and hardware-based devices and components can detect changes in network traffic patterns, changes in file directory structures and in the sizes of the files themselves, or even the behaviour of files on the servers or network.
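As an added example (not part of the workbook or of Johnson’s text), the following Python script implements the simplest form of the host-based detection described above: it records the size and SHA-256 digest of every file under a directory as a baseline, then compares a later snapshot and reports added, removed and modified files, separating changes a size-only check would miss. The two snapshots at the bottom are constructed for illustration; `snapshot_directory` is provided for use on a real tree.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# A snapshot maps a relative path to (size_in_bytes, sha256_hex).
Snapshot = Dict[str, Tuple[int, str]]


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_directory(root: str) -> Snapshot:
    """Walk a directory tree and record the size and SHA-256 of every regular file."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, devices, broken symlinks
                continue
            rel = os.path.relpath(full, root)
            snap[rel] = (os.path.getsize(full), sha256_of_file(full))
    return snap


def snapshot_from_bytes(files: Dict[str, bytes]) -> Snapshot:
    """Build a snapshot from in-memory contents (used for the constructed sample below)."""
    return {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in files.items()}


def compare_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List]:
    """Report added, removed and modified paths between two snapshots.

    'modified' entries say whether the size changed or only the content did; the
    second case is exactly what a monitor that watches sizes alone would miss."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified: List[Tuple[str, str]] = []
    for path in sorted(set(baseline) & set(current)):
        old_size, old_hash = baseline[path]
        new_size, new_hash = current[path]
        if old_hash != new_hash:
            kind = "size changed" if old_size != new_size else "content changed, same size"
            modified.append((path, kind))
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample: a baseline taken at deployment and a snapshot taken later.
BASELINE = snapshot_from_bytes({
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "usr/bin/ls": b"\x7fELF-original-ls",
    "var/www/index.html": b"<html>hello</html>",
})
AFTER = snapshot_from_bytes({
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n",
    "usr/bin/ls": b"\x7fELF-replaced-ls",  # same length as the original, different bytes
    "var/www/index.html": b"<html>hello</html>",
    "tmp/.cache/unknown.bin": b"...",
})

if __name__ == "__main__":
    for kind, items in compare_snapshots(BASELINE, AFTER).items():
        print(f"{kind}: {items}")
```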

3: Containment, Eradication, and Recovery

Various questions need to be answered during this stage by the responders and their managers, such as:

a. Should we shut the system off?

b. Should we disconnect the network from the machine?

c. Should we disable certain ports, protocols, or services first?

Full eradication of the cause of the incident is the next goal within this framework for response. Eradication actions could include deletion of the malicious software or code snippet, disabling certain accounts on the system, closing the applicable firewall ports, etc. Remember, based on the type of incident, full eradication may not be needed and could actually cause further damage, so the method of eradication is also an important consideration during this stage. Recovery back to full business operations is the ultimate goal of this stage. Recovery activities will include restoring the affected system from full, uninfected backups, rebuilding systems from scratch, hardening systems to prevent further occurrence of the incident, adding new or expanded security parameters on boundary devices, changing administrative passwords, increasing the logging of events immediately after the incident to ensure full recovery, and increased monitoring of the network and system, since the incident often has follow-up events and attacks applied in its aftermath.

4: Post-Incident Activity

• In the full arena of incident response, one of the most important activities is the after-the-event learning action. The results of the response should always be improving, and this post-incident effort is the key to ensuring the learning process is taking place. Each team and team member should review the effort, the techniques used, the timing of the response, the threat realized, and the support actions taken, with an eye on improving the response the next time. Each incident response team should evolve to reflect new threats, improved technology and lessons learned. These lessons-learned actions can dramatically improve the security of the organization, as well as improve the incident handling and response mechanisms within the response team.

Incident Response Tools

• There are many different types of tools required for proper incident response. Incident response team members must be trained and tested in these various types of tools. Specific focus on a specific class of tool, by a specific team member, is acceptable and expected. A Windows-server specialist would act differently, investigate differently, and have different tools than a UNIX-server specialist or a firewall specialist.

• There are many commercial and open source incident response tools available along with, or embedded inside, full investigative case management systems.


All operating systems currently on the market are included in the scope of these available tools. Types of tools that are available include:

■ File system navigation tools The standard operating system today comes with an embedded file navigation mechanism.

■ Hashing tools Each and every time an evidence component is captured, it is to be cryptographically signed to ensure its integrity.


■ Binary search tools The tools used for binary search have the purpose of examining files to reveal bit patterns within.

■ Imaging tools for bit-stream image copies One of the basic requirements for any incident response activity is to capture the data in a format that allows for examination of the complete data-set being retrieved.

■ Deep retrieval tools A forensics-based tool designed to retrieve data that has been deleted or “erased” for long periods of time, as well as the more recent material.

■ File Chain & Directory Navigation tools A tool designed to trace dependencies and linking of files as they are found in the directories throughout the computer.


■ IR Case Management tools Additional tools for particular Incident Response requirements include tools from Mandiant, Tenable Security, Technology Pathways, and others.

• Available resources and tools for investigative activities also include:

1. Resource lists include contact information for all appropriate personnel (e.g., cell phone and pager numbers) and for external sources, such as other department/organization/agency incident response teams and law enforcement.


2. Corporate security activities and procedures, such as those which provide for:

■ All software components are consistently patched for the latest vulnerabilities.

■ All custom code goes through a security review to eliminate any potential buffer overflows and other vulnerabilities.

■ Antivirus software is installed and continually updated on all servers.

■ Backups occur as scheduled, backup tests are performed monthly, and rotation backups are stored offsite.

Investigative tool usage and application require the aforementioned corporate security policy and procedures to be in place.

What should Incident Response Tools include?

These security incident response tools should include:

■ evidence gathering tools,

■ chain of custody tracking tools and procedures,

■ SIRT specialized training and testing,

■ corporate media control requirements,

■ system and application version control,

■ investigation variation procedures.

ENISA has put together a tool for Incident Response Tools and their use called CHIHT, the “Clearing House for Incident Handling Tools”.

Leighton Johnson 2014, Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response, Syngress, Rockland

Incident Responder’s Responsibilities

An incident responder’s responsibilities before, during, and after the incident include the following:

1. Proper information gathering and collection techniques—techniques should be based on the best business practices as well as predefined corporate guidelines. The actual performance of data gathering, investigation, analysis, and examination needs to follow proper protocols and documented methods and techniques.


2. Proper documentation—full documentation should be developed as the incident transpires and is contained when possible, and also includes the support manuals and vendor documentation. The one basic activity necessary during any event is to document everything that transpires during the event. All actions, activities, evaluations, supporting data collection, and any other relevant act must be fully documented by the responder during the response activity.


3. Proper performance—the obvious key to the whole process is containing and eradicating the incident root cause, especially if the incident is caused by external factors. Complete and professional investigative and response performance is paramount for any incident responder.

4. Certification on response tools and techniques—industry certifications in Incident Handling go a long way to ensure the responders have the necessary background to properly respond no matter what the incident may be. Multiple professional certifications in incident response, malware analysis, reverse engineering of software, penetration testing, and ethical hacking are all available and add to the expertise and standing of the assigned incident responders.


5. Proper methodologies—the proper way to handle an incident, always.

6. Detailed, enhanced technical writing capabilities—I often say that the first job of any security professional is to “secure the data” and the second job is to “report, report, and report.” This area is critical to the successful improvement and enhancement of the organizational security posture after the incident is handled, as well as to the potential further investigative activities in the Forensics arena.

Reading List

• Kawakami, J., (2016) Backups: Avoiding computer disasters on Windows, Mac and Linux, John Kawakami Publishing

• ‘Krebs on Security’ cyber security and news blog accessed at:

https://krebsonsecurity.com/

• Luttgens, J., Pepe, M. and Mandia, K., (2014) Incident Response & Computer Forensics (3rd Ed.), McGraw Hill Education

• Leighton Johnson 2014, Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response, Syngress, Rockland


• Borodzicz, EP 2005, Risk, Crisis and Security Management, John Wiley & Sons, Ltd., Hoboken.

• Boyle, RJ, & Panko, RR 2015, Corporate Computer Security, Global Edition, Pearson Education Limited, Harlow, United Kingdom

LO2: Understand aligned task/task forces for Business Continuity, Disaster Recovery and Crisis Management

2.1 Explain the terms BC, DR and CM

2.2 Analyse the standards, protocols and concepts underpinning BC, DR and CM and their application within organisations

Business Continuity (BC)

Incident and Disaster Response: Natural disasters such as floods and hurricanes, major building fires, and massive security incidents such as cyberterror or cyberwar could place the company’s basic operation in jeopardy and could even threaten the survival of the firm. Every company should have a strong business continuity plan that specifies how a company will maintain or restore core business operations after disasters.

A business continuity plan specifies how a company plans to maintain or restore core business operations when disasters occur. A business continuity planning team with broad representation from departments across the firm creates the plan. The plan specifies what business actions will be taken, not simply what technological actions need to be taken.


Disaster Recovery (DR)


• IT disaster recovery looks specifically at the technical aspects of how a company can get its IT back into operation using backup facilities

• It is a subset of business continuity related to disasters that only affect IT

• All decisions are business decisions, and should not be made by merely IT or IT security staff

Crisis Management (CM)

Theorists and practitioners are faced with a dangerous plethora of events and terminology. ‘Major incident’, ‘emergency’, ‘crisis’, ‘disaster’, ‘accident’, ‘catastrophe’ and ‘abomination’ are all examples of terms used to describe events capable of rupturing our social world and devastating our physical one. What these terms mean, and how we should respond, remains problematic. However, without a model to understand the phenomena that we are describing, event response and theorizing is made more difficult.

Historically, disasters were popularly conceived of as ‘freak’ events, ‘acts of God’ (Toft and Reynolds, 1994: 1) or ‘abominations’ (Douglas, 1970). In contrast, scientific approaches to the study of disasters appear to suggest that all disasters should have causal agents and, further, that these could be identified and therefore prevented. The notion of a causal agent suggests that blame may be identified. For public inquiries, an exhaustive amount of time and expense may be focused on establishing causality and responsibility (Toft and Reynolds, 1994).


A number of theorists have acknowledged crises as distinct phenomena: ‘There are a number of distinctive characteristics of a crisis’ (Heinzen, 1996: 16). For Heinzen, there are four key characteristics. First, the crisis constitutes a series of events rather than the management of a single entity. Second, the crisis may be caused by a disaster (although no definition of disaster is provided by Heinzen). Heinzen does, however, acknowledge that the ‘disaster’ may not necessarily be a physical one. Third, the crisis has a diffuse origin, making it difficult for decision makers to gain a macro view of events. Fourth, it is unclear what action needs to be taken (Heinzen, 1996: 16–17).

Many of Heinzen’s points are congruent with the definitions given here and those offered by contemporary theorists. Crisis situations do pose a special problem, because despite giving the appearance to decision makers of an emergency, there are few signals to suggest a more serious underlying threat. Lagadec makes this point using the analogy of triggers: ‘What is missing is the characteristic feature of an emergency: a clear trace that would justify triggering the warning procedures and mobilizing resources’ (Lagadec, 1995).

Principles of Business Continuity (BC) management

Before diving into the specifics of business continuity planning, we should look at three basic principles that should underlie all thinking about business continuity.

People First: The first job of planning and event management is to provide for the safety of people.

• There should be evacuation plans and evacuation drills.

• The company should never allow staff members into an unsafe environment with building structural weaknesses or toxic chemicals.

• The company should have a systematic way to account for all staff immediately so that actions can be taken if people are missing. In addition, the company needs to make information about employee status available to loved ones.

• Afterwards, there will be a need for counseling.

Reduced capacity in decision making: Another basic principle is that people are not at their best cognitively during crises. People under stress, in emotional situations, and under time pressure tend not to think things through well. Consequently, it is important to do as much planning ahead of time as possible and to have people rehearse what they will do, making as many actions as possible as automatic as possible.


Avoiding Rigidity: At the same time, rigid pre-planning should not lead to a loss of flexibility in response. Unexpected situations will arise frequently in a crisis, communication will be spotty, and information will be unreliable. If there is too rigid a structure, decision makers will not be able to react to these uncertainties.

People on the front line with the most knowledge need to be able to make decisions. This should not mean that careful planning is unnecessary. As noted earlier in this chapter, adaptation within a strong plan usually is far better than total improvisation.

Communication, communication, communication: In crises, communication inevitably breaks down because technology cannot survive building damage or prolonged periods without electrical power. Decision makers need to cope with communication breakdowns by having emergency backup communication systems. This includes such low-tech solutions as phone trees, in which each employee calls a fixed number of other employees to pass on important messages.


Testing the Plan

• Difficult because of the scope of disasters

• Difficult because of the number of people involved

Updating the Plan

• Must be updated frequently

• Business conditions change and businesses reorganize constantly

• People who must execute the plan also change jobs constantly

• Telephone numbers and other contact information must be updated far more frequently than the plan as a whole

• Should have a small permanent staff

Business process analysis

Identification of Business processes and their Interrelationships

The first step in creating a business continuity plan is to identify a firm’s major processes and to rate the importance of each. A firm is a web of business processes, such as accounting, sales, production, and marketing. These processes are interdependent. Each must be identified. More significantly, the key interactions between business processes must be specified and understood.

Prioritization of Business processes

The next step is to prioritize business processes, so that the firm can restore the most important business processes first. A key factor is how sensitive a function is to downtime. The company must get order entry systems running quickly or sales will be lost. Billing can be down a little longer before it begins affecting the business. To complicate matters, some low-value business processes must be started first because one or more higher-value business processes require them.

Specify resource needs: In addition to prioritizing each process, planning should specify which resources each process needs. Due to disruptions during and after the disaster, the company may have to shift some of its remaining resources from lower-priority processes to higher-priority processes.

Specify actions and sequences: The Walmart case study at the beginning of this chapter notes that the plan specified some very precise actions, including getting cleanup supplies and security personnel to individual stores.
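The prioritization rule above, that a low-value process may have to be restored first because a higher-value one depends on it, can be made mechanical. The Python below is an added example, not from the workbook or its cited sources: each process carries the downtime the business can tolerate and the processes it depends on; a supporting process inherits the tightest tolerance of anything that needs it, and the restoration order is then computed so that dependencies always precede dependants, most urgent first. The process names and hours in the sample plan are constructed.

```python
from typing import Dict, List, NamedTuple, Tuple


class BusinessProcess(NamedTuple):
    name: str
    max_downtime_hours: float          # how long the business can tolerate this process being down
    depends_on: Tuple[str, ...] = ()   # processes that must be running before this one can be restored


def effective_deadlines(procs: Dict[str, BusinessProcess]) -> Dict[str, float]:
    """A supporting process inherits the tightest downtime tolerance of anything
    that needs it, so a 'low value' dependency is pulled forward in the schedule."""
    deadline = {name: p.max_downtime_hours for name, p in procs.items()}
    changed = True
    while changed:  # propagate tolerances down the dependency graph until nothing moves
        changed = False
        for p in procs.values():
            for dep in p.depends_on:
                if deadline[p.name] < deadline[dep]:
                    deadline[dep] = deadline[p.name]
                    changed = True
    return deadline


def restoration_order(procs: Dict[str, BusinessProcess]) -> List[str]:
    """Order in which to bring processes back: a process becomes eligible once every
    dependency is already restored; among eligible processes the one with the
    tightest effective deadline goes first (ties: own tolerance, then name).
    Unknown or circular dependencies are plan defects and raise."""
    for p in procs.values():
        for dep in p.depends_on:
            if dep not in procs:
                raise KeyError(f"{p.name} depends on unknown process {dep!r}")
    deadline = effective_deadlines(procs)
    remaining = dict(procs)
    order: List[str] = []
    while remaining:
        ready = [p for p in remaining.values() if all(d in order for d in p.depends_on)]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda p: (deadline[p.name], p.max_downtime_hours, p.name))
        order.append(nxt.name)
        del remaining[nxt.name]
    return order


# Constructed sample plan; names and hours are illustrative only. 'hr_portal' tolerates
# 36 h of downtime and 'auth' 48 h, yet 'auth' is restored first because order entry
# (2 h tolerance) cannot run without it.
SAMPLE_PLAN = {p.name: p for p in [
    BusinessProcess("network", 72),
    BusinessProcess("auth", 48, ("network",)),
    BusinessProcess("order_entry", 2, ("network", "auth")),
    BusinessProcess("billing", 24, ("order_entry", "auth")),
    BusinessProcess("hr_portal", 36, ("network",)),
    BusinessProcess("marketing", 168, ("network",)),
]}

if __name__ == "__main__":
    deadlines = effective_deadlines(SAMPLE_PLAN)
    for name in restoration_order(SAMPLE_PLAN):
        print(f"{name:12s} own tolerance {SAMPLE_PLAN[name].max_downtime_hours:>5} h, "
              f"effective {deadlines[name]:>5} h")
```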

IT Disaster Recovery Protocols

Different types of backup facilities:

Hot sites

• Ready to run (power, HVAC, computers): just add data

• Considerations: rapid readiness at high cost

• Must be careful to have the software at the hot site up-to-date in terms of configuration

Cold sites

• Building facilities, power, HVAC, communication to the outside world only

• No computer equipment

• Less expensive but usually requires too long to get operating

Site sharing

• Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)

• Continuous data protection needed to allow rapid recovery

IT Disaster Recovery Planning

Office Computers

• Hold much of a corporation’s data and analysis capability

• Will need new computers if old computers are destroyed or unavailable

✓ Will need new software

✓ Well-synchronized data backup is critical

People will need a place to work


Restoration of Data and Programs

• Restoration from backup tapes: need backup tapes at the remote recovery site

• May be impossible during a disaster

Testing the IT Disaster Recovery Plan

• Difficult and expensive

• Necessary


LO3: Understand how major computer incidents are formally investigated

3.1 Explain the processes, people and tools used in a planned and structured major incident investigation

3.2 Analyse how evidence is contained, analysed, processed and deployed in a major cyber-related investigation

Forensics Team Requirements: Members

MEMBER CRITERIA

The criteria for the forensics team members are identified below. Each team member is identified, trained, and certified in their areas of expertise and experience. The manager needs to review these team member criteria, determine the needs of his own forensics team, and provide the requirements, skills, and expertise needs to his HR department so that the proper person or people can be retained and hired for his team. The forensics team manager needs to ensure each team member has the basic forensics expertise to perform the analyst activities under multiple circumstances and under any condition. Once that basic requirement is found to be functional, then each analyst, investigator, and examiner gets their special forensics domain approved and listed as part of the basic qualifications for the overall team. As an example, the forensics investigator that is also certified with an MCSE or an MCITP then gets listed as the forensics point person for Windows responses and investigations. The same goes for the UNIX, Linux, and Macintosh focused personnel.

Forensics Specialist

The basic steps for the forensics specialist include the following, but are not necessarily limited to:

a. For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses.

b. Inventory the hardware on the suspect computer/device and note the condition of the computer when seized.

c. Remove the original drive from the computer and then check the date and time values in the system’s CMOS.

d. Perform the bit-stream image capture of the entire dataset identified.

e. Compute a cryptographic hash of the dataset.

f. Notate the hash of the captured dataset for reference.

Forensics Investigator

The forensics investigator needs to have “expert-level” skills and technical knowledge for:

1. The operating system under review

2. The application and its data structures under review

3. The hardware and machines under review

4. Any databases being reviewed for data

5. The network appliances and devices and their data.


The basic steps for the forensics investigator process include:

a. Record how the data was acquired from the suspect drive or dataset.

b. Process the data methodically and logically.

c. List all folders and files on the image or drive.

d. If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition.

e. For all password-protected files that might be related to the investigation, make a best effort to recover file contents.

f. Identify the function of every executable (binary or .exe) file that doesn’t match known hash values.

g. Maintain control of all evidence and findings, and document everything as the examination is conducted.

h. Document every step, and the reason for each step, of the examination.

MEMBER EXPERTISE

Forensics Expertise Areas

Team membership should include personnel who can examine any storage or computing device wherein the data relevant to the case is found during the initial data capture events. Areas of consideration include:

1. Windows-based machines

2. Unix-based machines

3. Apple-based machines

4. Linux-based machines

5. Network appliances

6. Storage area network (SAN) devices

7. “Smartphone” devices

8. Cell phone devices

9. Internet-based storage mechanisms

10. Specific applications used in client environment

11. Specific database management systems used in client environment

12. Various hard drive equipment

13. Various network connection hardware components

14. External hard drive equipment and components

Forensics Tools

Forensic tools are valuable not only for acquiring disk images but also for automating much of the analysis process, such as:

■ Identifying and recovering file fragments and hidden and deleted files and directories from any location (e.g., used space, free space, slack space)

■ Examining file structures, headers, and other characteristics to determine what type of data each file contains, instead of relying on file extensions (e.g., .doc, .jpg, .mp3)

■ Displaying the contents of all graphics files

■ Performing complex searches

■ Graphically displaying the acquired drive’s directory structure

■ Generating reports.


Organizations have an ever-increasing amount of data from many sources. For example, data can be stored or transferred by standard computer systems, networking equipment, computing peripherals, cell and “smart” phones, personal digital assistants (PDAs), consumer electronic devices, and various types of media, among other sources. Always keep in mind as the Forensics process is conducted, the four main sources of data within any network or computer:

1. Files

2. Operating systems

3. Network traffic

4. Applications.

TYPES OF FORENSICS TOOLS

There are many other areas being discovered each day with new tools coming to the workplace all the time, so do NOT view this as covering all areas.

■ File System Navigation tool

■ Binary Search tool

■ Hashing tool

■ Imaging tool

■ Deep Retrieval tool

■ File System Tools

■ Case Management Systems

TOOLS FOR SPECIFIC OPERATING SYSTEMS AND PLATFORMS

Windows tools include:

■ Log Parser

■ EnCase

■ ILook (LEO only)

■ ProDiscover

UNIX tools include:

■ File control utilities—dd, etc.

■ Wireshark—Ethereal (packet sniffer)

■ UNIX Operating System embedded tools

■ Nmap (security) Open Source

FORENSICS ANALYSIS PROCESS

The basic forensics process to be implemented by the organization and its staff is defined in this policy. An example would be the process as defined in Section 10. The staff needs to adhere to the documented process to ensure repeatability and validity of the forensics results and reports that follow the investigation and subsequent analysis for each event and examination. The policy itself and the procedures which follow from this policy will define the methods and basic techniques for forensics activities in three or more types of event response.

a. One type will be the normal follow-on activities from a Security Incident Response Team (SIRT) response effort as found in the first part of this book.

b. The second type would be the stand-alone forensics response as requested by some manager or corporate entity for administrative or legal purposes.

c. The third type is the response efforts based upon external, possibly law enforcement, requests for legal or other governmental reasons.

THE FORENSIC INVESTIGATION PROCESS

These Investigative Smart Practices, however, need not detail exactly every step-by-step procedure of a cyber forensic investigation, as this could be an exercise in futility; there are so many different directions in which an investigation can evolve, and attempting to follow a specific investigative template or to fit every investigation into the same investigative approach could have disastrous outcomes. Additionally, such procedures would quickly become dated as new investigative technologies are sure to develop.

THE FORENSIC PROCESS

• In general, the cyber forensic investigative process is likely to incorporate a combination of the following initial steps (see Figure 10.1). These Investigative Smart Practices, however, are not necessarily meant to be followed sequentially, nor are they mutually exclusive. As stated, each investigation should be evaluated and processed on its own merits, and the steps taken throughout the investigation should be those that ensure an organization’s or department’s cyber forensic investigation procedures are clearly followed, and that there can be no question as to the completeness of the process followed or the accuracy of the evidence collected.

Step 1: The Initial Contact, the Request

For there to be an investigation someone needs to come forward and make a request. Usually there are two opposing parties or sides, the requester and the target or subject. The subject is the person who is being investigated. Depending upon the case it may be a spouse, co-worker, contractor, or someone in a foreign country that has written some malicious code. The subject could be labeled “suspect” but naming him/her as such may be presumptuous or lead to subjectivity.

Usually there is some “document of request,” establishing a basis or justification to conduct the investigation. Examples of specific documents that would possibly form the basis for launching an investigation include, but are not limited to, the following:

■ Letter of Engagement

■ Contract

■ Official (Corporate) Request

■ Subpoena

■ Search Warrant

■ Court Order

Step 2: Evidence Handling

Law enforcement is perhaps most obliged, due to specific requirements and legal compliances, to follow stringent evidence handling procedures. For example, some cyber forensic investigators in a corporate environment may skip photographing and documenting irregular markings on hard drives contained within their environment, where this may be a standard procedure for law enforcement professionals. The cases presented to law enforcement are at times more serious in nature and tend to be criminal, versus those cases that may typically arise within a corporate environment. The consequences of mishandling evidence in a criminal investigation are perhaps higher, so therefore the requirements for controls are higher. A generally accepted principle in cyber forensics is that it is better to be overly cautious; document every step, photograph every piece, take many notes, and so on, rather than being less diligent and failing to document a potentially critical piece of evidence.


The chain of custody is the evidence handling procedure that tracks the evidence as it changes possession. Chain of custody usually takes the shape of a form or document of some sort. A form is usually involved because the signatures of those receiving and those relinquishing the evidence are required. A chain of custody form will usually contain some of the following fields:

Case number or assignment

Date

Time

Serial/model numbers

Description fields

Location


Chain of custody forms take on many appearances. In some cases a form may be broken down into two separate parts:

1. Item description—describes the articles being transferred. This will include serial and model numbers, make, and descriptions (see figure, upper right).

2. Signatures—custody transfer—this piece includes the date and time of transfer and the signature of the releaser and the signature of the receiver (see figure, bottom right).


The important thing to remember is that chain of custody needs to occur before, during, and after the transfer of any evidence. The initial chain of custody process should not begin after the evidence has been examined, as being able to prove who has had access to the evidence is what allows for accountability over the integrity of the evidence. This accountability is an essential step in preserving evidence.


• Ronelle received the evidence, in the form of an 80 GB hard drive, from her Legal department. It was hand delivered in a sealed container. Upon receipt, Ronelle opened the container and found the hard drive and chain of custody form. The form has been filled out and is awaiting Ronelle’s signature.

Step 3: Acquisition of Evidence

Objective: Obtain a forensically sound image and preserve the integrity of the original evidence. The acquisition of evidence generally refers to the imaging of the evidence in a forensically sound manner. A forensically sound manner is one in which the evidence is not altered. Nothing is written, altered, changed, or otherwise modified on the piece of evidence.

The acquisition of evidence can, in theory, fall under the previous evidence handling section. Most if not all of the cyber forensic investigator’s interaction with the evidence can fall under evidence handling. As mentioned previously, the evidence handling section discussed the physical movement of evidence and the handing off of evidence, which is the action requiring chain of custody. This line does get blurry.


Evidence

It is perhaps important to stop for a moment in our discussion of the investigative process to address the various types of evidence which an investigator may encounter. According to the Federal Rules of Evidence, there are three classifications or types of evidence:

1. Original. An “original” of a writing or recording is the writing or recording itself or any counterpart intended to have the same effect by a person executing or issuing it. An “original” of a photograph includes the negative or any print therefrom. If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”


2. Duplicate. A “duplicate” is a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording, or by chemical reproduction, or by other equivalent techniques which accurately reproduce the original.

3. Best evidence. The best evidence rule is a common law rule of evidence which can be traced back at least as far as the eighteenth century. In Omychund v. Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was “the best that the nature of the case will allow.” The general rule is that secondary evidence, such as a copy or facsimile, will not be admissible if an original document exists and is not unavailable due to destruction or other circumstances indicating unavailability.


Hashing:

A hash is a mathematical function or algorithm that converts a variable-sized set of data into a fixed-length output that appears random. The resulting hash length is dependent upon the hash type and its intended function. In forensics, uniqueness and distinctiveness are critical, so hash lengths of 128 bits and 256 bits are not uncommon, to ensure evidence uniqueness.

Hashes are usually displayed in HEX. Each hexadecimal character encodes 4 bits of binary data. (For a refresher on HEX, refer to Chapter 3.) So, a HEX value of 64 characters is equivalent to 256 binary bits. Likewise, a 128-character HEX value would represent a 512-bit hash. Currently in cyber forensics, however, a 128-bit hash is sufficient for establishing uniqueness of data.
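The bit-stream capture and hashing steps (d to f of the forensics specialist’s procedure above) and the hash lengths just discussed, as an added Python example that is not part of the workbook: it images a constructed stand-in for a seized drive, records MD5 and SHA-256 of both source and image, confirms they agree, and shows that a single altered byte in the image is caught on re-verification. The file names and sample bytes are assumptions.

```python
"""Bit-stream acquisition with hashing: an added example, not from the workbook.

Reads a source 'device' in fixed-size chunks, writes an identical
bit-stream image, and records MD5 and SHA-256 digests of both the source
and the image so the copy can be shown to be forensically sound.
Constructed sample data stands in for a real drive (assumption).
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read/write in 64 KiB blocks, as imaging tools do

# Constructed stand-in for a seized drive: a few KiB of repeating bytes.
SAMPLE_EVIDENCE = (b"QUALIFI-CSEC04-EVIDENCE-" * 200) + bytes(range(256))


def hex_bits(hexdigest: str) -> int:
    """Each hexadecimal character encodes 4 bits, so a 64-char digest is 256 bits."""
    return len(hexdigest) * 4


def hash_file(path: str) -> dict:
    """Compute size, MD5 and SHA-256 of a file in one read-only pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire_image(source: str, image: str) -> dict:
    """Write a byte-for-byte image of `source` to `image` and verify it.

    The source is opened read-only and never written to. The digests are
    computed from the bytes actually read, then the finished image is
    re-hashed independently; the acquisition is 'verified' only when both
    digests agree. Returns the record an examiner would notate.
    """
    src_md5 = hashlib.md5()
    src_sha256 = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            src_md5.update(chunk)
            src_sha256.update(chunk)
            dst.write(chunk)
    image_hashes = hash_file(image)
    return {
        "source": source,
        "image": image,
        "size": image_hashes["size"],
        "source_md5": src_md5.hexdigest(),
        "source_sha256": src_sha256.hexdigest(),
        "image_md5": image_hashes["md5"],
        "image_sha256": image_hashes["sha256"],
        "verified": (src_md5.hexdigest() == image_hashes["md5"]
                     and src_sha256.hexdigest() == image_hashes["sha256"]),
    }


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash an image later (e.g. before analysis) and compare to the notated value."""
    return hash_file(image)["sha256"] == expected_sha256


def run_demo() -> dict:
    """Acquire the constructed sample, then show that one flipped byte is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_drive.bin")  # assumed name
        image = os.path.join(workdir, "suspect_drive.dd")    # assumed name
        with open(source, "wb") as fh:
            fh.write(SAMPLE_EVIDENCE)
        record = acquire_image(source, image)
        # Simulate corruption or tampering of the image: flip one byte in place.
        with open(image, "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0xFF]))
        record["tamper_detected"] = not verify_image(image, record["image_sha256"])
        return record


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```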

HARDWARE SPECIFIC ACQUISITION—SIM CARDS, CELL PHONE, USB STORAGE, ETC.

Selection of the correct tool to examine and evaluate the particular device, the data stored on that device, and the meta-data associated with the device and the data are all important for each event. The primary purpose of this policy is to ensure the proper data handling for the specific component is followed and repeatable. Each type of storage device has hardware parameters, vendor recommendations for use, and technical characteristics which all affect the retrieval of the data stored on the device. Whether the storage device is a SIM card from some “smart-phone” or cell phone, a USB external storage stick, or some other device or hard drive, each item must have its requirements, characteristics, and specifications available to the examiner to keep the device secure, safe, and functioning during the data retrieval and examination processes. This policy creates the requirement for any examiner, investigator, or analyst on the forensics team to research and obtain all the particular hardware characteristics of the equipment they are reviewing or examining. It is important that the exact size, parameters, and characteristics of each device are known, to ensure a full and complete examination is performed without missing any potential hidden or missing data structures. See the policy below about research for further understanding and explanation.

DATA TYPE ACQUISITION—AUDIO FILES, VIDEO FILES, IMAGE FILES, NETWORK FILES, LOG FILES

The various file types for data use and storage provide many varying methods for suspect data to be stored and retrieved from each data location. Each file type has particular data about the data, “meta-data,” as well as file storage parameters associated with it. Audio files are stored in several different formats which have various CODEC formats; the same is true for video files. There is a long history of image files having data stored within them that is unassociated with the original image or picture. Each of these file types needs specific tools, techniques, and approaches for data examination and investigation.

There are many types of digital evidence which could be encountered by a digital forensic analyst in dealing with forensics investigations and examinations. Not only files, videos, digital images, encrypted items, unallocated clusters, slack space, and so forth, but also digital audio files and digital image files might have to be captured and analyzed.

Step 4: Data Preparation

Objective: Prepare and identify data for analysis and investigation. Data preparation can be broken down into two types:

1. Preprocessing

2. Searching

Preprocessing involves those steps that prepare the evidence before the evidence is searched. Searching the evidence, on the other hand, brings about results, which then need to be investigated.

Mounting: The mounting of the file systems contained within a piece of evidence is necessary so that the data structure can be viewed and the organization of the data made apparent. Without mounting the evidence, the simple task of finding a file can be very complex and tedious. Imagine having to manually identify the partition type and then manually carving out each and every file by going through each and every byte of the file system. Tedious is an understatement.


Recover Deleted Files: Recovery of deleted items involves recovering files from unallocated space. Typically, the tools that recover these files look for file headers and footers, thereby requiring a file to be entirely intact. It is known that when a file is deleted it is first sent to the deleted items folder. Then, when a file is deleted from the deleted items, its space is thereby made available, or unallocated. The file is not moved or magically erased; its space is only made available for some other file to be written to. Until this space is overwritten, the data contained within the file is still resident on the drive.

Verifying data ensures the data is what it claims to be. As already discussed, there is the evidence verification process achieved by hash matches; but here verification implies attempting to uncover a deliberate concealment of evidence. Verifying file types is of great importance as a suspect can quickly and easily rename a file.
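Signature-based type identification and header/footer carving, as an added Python example that is not from the workbook: it flags files whose extension disagrees with their leading bytes (the rename trick mentioned above, and the “examine headers instead of extensions” tool capability listed earlier) and recovers intact JPEG and PNG files from a constructed blob standing in for unallocated space, skipping a truncated file that has no footer. The signature table and all sample data are assumptions.

```python
"""File signature checks and header/footer carving: an added example, not from the workbook.

Two preprocessing tasks from Step 4, run on constructed sample data (assumption):
1. identify a file's real type from its leading bytes ("magic numbers") and
   flag files whose extension disagrees, catching simple rename-based hiding;
2. carve intact files out of a blob standing in for unallocated space by
   locating known headers and their matching footers.
"""
import os
from typing import Optional

# Well-known signatures (header, footer). Footer is None where the format
# has no fixed trailer, so its end cannot be found by signature alone.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),
    "exe": (b"MZ", None),
}

MAX_CARVE_SIZE = 10 * 1024 * 1024  # give up on a header with no footer in range


def identify(data: bytes) -> Optional[str]:
    """Return the type whose header matches the start of `data`, else None."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None


def check_extension(name: str, data: bytes) -> dict:
    """Compare the claimed extension with what the bytes say.

    A mismatch is only reported when a known signature is present; unknown
    content (e.g. plain text) is left for other checks.
    """
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    actual = identify(data)
    return {"name": name, "claimed": ext, "actual": actual,
            "mismatch": actual is not None and actual != ext}


def carve(blob: bytes) -> list:
    """Find every header in `blob`; for footer-bearing types, recover the bytes
    up to and including the first footer after the header.
    Returns (offset, kind, data) tuples ordered by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        if footer is None:
            continue  # cannot bound the file without a trailer
        start = blob.find(header)
        while start != -1:
            end = blob.find(footer, start + len(header), start + MAX_CARVE_SIZE)
            if end != -1:
                end += len(footer)
                found.append((start, kind, blob[start:end]))
                start = blob.find(header, end)      # continue after this file
            else:
                start = blob.find(header, start + 1)  # truncated: skip it
    found.sort(key=lambda item: item[0])
    return found


# Constructed minimal files: valid headers/footers, not real media.
TINY_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
TINY_PNG = SIGNATURES["png"][0] + b"IHDR-constructed-body" + SIGNATURES["png"][1]
TINY_PDF = b"%PDF-1.4\n%constructed\n%%EOF"

# Renamed-file scenario: a JPEG saved as .txt and an executable saved as .jpg.
SAMPLE_FILES = {
    "notes.txt": TINY_JPEG,
    "holiday.jpg": b"MZ\x90\x00constructed-pe-stub",
    "report.pdf": TINY_PDF,
    "readme.txt": b"plain text, no known signature",
}

# Constructed 'unallocated space': filler, two intact files, and one
# truncated JPEG (header only) that cannot be carved.
UNALLOCATED = (b"\x00" * 37 + TINY_PNG + b"\x13\x37" * 20
               + TINY_JPEG + b"\xff" * 9 + b"\xff\xd8\xff\xe1truncated")


def run_demo() -> dict:
    """Run both checks over the constructed samples and summarise the findings."""
    checks = [check_extension(name, data) for name, data in SAMPLE_FILES.items()]
    carved = carve(UNALLOCATED)
    return {"mismatches": [c["name"] for c in checks if c["mismatch"]],
            "carved": [(off, kind, len(data)) for off, kind, data in carved]}


if __name__ == "__main__":
    print(run_demo())
```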


Searching

Searching essentially involves refining the original evidence into a smaller subset of data which then can be investigated. Searching can be broad in meaning to encompass a wide scope of data, such as data between date ranges or specific file types. It can also imply the actual searching for more exact criteria, such as a keyword. Indexing greatly improves the efficiency of searching when an exact or precise target, perhaps a keyword, is involved. Filtering may differentiate itself from searching in that it is usually broader in scope, perhaps applying to data falling into a subset. For example, data falling into a certain date range, or all data of a certain file type. Culling is the process of collecting the refined data that is relevant to the investigation. It differs from filtering in that culling usually invokes an eDiscovery effort. It is the collecting of data pertaining to a certain individual or case.

Step 5: Investigation

Objective: Finding the data that matches the search criteria. Investigation is the step within the process that finds the data matching the criteria identified in the investigation request. It is this piece that ultimately finds the proverbial smoking gun. Sure, chain of custody done improperly can destroy a case, but without this evidence there might not be a case.

Reading List

• Kawakami, J. (2016) Backups: Avoiding computer disasters on Windows, Mac and Linux, John Kawakami Publishing

• ‘Krebs on Security’ cyber security and news blog accessed at: https://krebsonsecurity.com/

• Luttgens, T., Pepe, M. and Mandia, K. (2014) Incident Response & Computer Forensics (3rd Ed.), McGraw Hill Education

• Johnson, L. (2014) Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response, Syngress, Rockland

• Borodzicz, E. P. (2005) Risk, Crisis and Security Management, John Wiley & Sons, Ltd., Hoboken

• Boyle, R. J. and Panko, R. R. (2015) Corporate Computer Security, Global Edition, Pearson Education Limited, Harlow, United Kingdom

LO4: Understand laws and guidance in relation to the conduct of planned and structured major incident investigations

• 4.1 Examine how relevant laws and professional practice are applied to computer incident investigations

Legal Requirements and Considerations

There are three main areas within the legal scope of incident response to be considered:

1. Privacy

2. Ethics

3. The investigations themselves

Several legal areas of focus for Incident Response, and for the evidence gathered during incident handling activities, are then covered.

1: PRIVACY

• National and international privacy laws and regulations require that all incident response activities be conducted as privately as possible. There could be liability of some sort on the part of the corporation or organization if the incident response results are given to the wrong party or publicly released. Additionally, there could be severe financial repercussions for the corporation, the organization, and/or the individuals involved if the privacy requirements are not maintained. Additional reviews of the actual national and international privacy requirements are found in Section 9 on the governmental statutory and regulatory requirements for incident response. The SIRT leader always needs to keep in his/her mind who can receive the information, who can receive the evidence, and who has the authority to give instructions and make decisions about the incident. Security incidents often end up in courts of law—criminal, civil or administrative proceedings; therefore, privacy must be of the utmost importance during the investigation.

2: Ethics

• Ethics also refers to the study and development of personal ethical standards, as well as community and corporate ethics, in terms of behaviour, feelings, laws, and social habits and norms which can deviate from more universal ethical standards. Ethics are based in the notion of responsibility (as free moral agents, individuals, organizations, and societies are responsible for the actions that they take) and accountability (individuals, organizations, and society should be held accountable to others for the consequences of their actions). So there are two areas in which the organization needs to have ethics addressed in its corporate documentation:

• ■ Corporate Policy in place defining ethics—Focus on Responsibility

The corporate policy for ethical behaviour should reflect the senior executive and board of directors’ stance on the expected employee and corporate behaviours at all times, especially when representing the company. The Internet Use Policy, the Data Handling Policy, and the Corporate Compliance Policy are all examples of this type of policy.

• ■ Rules of Conduct—Focus on Accountability

Employee rules of conduct will reflect the expected day-to-day behaviours during the normal conduct of work-related efforts. The Acceptable Use Policy and the Password Policy are examples of this type of policy. There are many ethics guides and policy templates available on the Internet and through the various professional security organizations such as the International Information Systems Security Certification Consortium (ISC2) and the Information Systems Audit and Control Association (ISACA). Each of these organizations requires its certificate holders to adhere to a professional code of ethics and publishes these documents publicly for all to see and read.

3: INVESTIGATION GUIDELINES

• All responders and senior executives that oversee incident response activities must be familiar with the current local, regional, national and international law rules, guidelines and current litigations surrounding the incident response efforts and evidence. There are differences within governmental and corporate jurisdictions with respect to evidence, search and seizure, self-incrimination, and privacy.

• ■ Familiar with Laws: There is an old law enforcement saying that “ignorance of the law is no excuse for violating the law.” Each responder and executive must ensure they are aware of any statutory or regulatory requirement during the performance of their duties and activities.

• ■ Violation of laws: Each responder must know what the repercussions are for violating the standard laws of the local area, as well as the regional, national, and potentially even international laws, when investigating an incident.

• ■ Successful Litigation: The responder takes the first critical steps during the investigation which provide the successful framework for future litigation involving the potential crime, event, or administrative action. These steps include following the appropriate chain of custody actions, full and complete analysis, and other actions explained in previous sections.

■ Familiar with Rules: Familiarity with the rules of evidence, chain of evidence, meaningful use, eDiscovery rules, and many other standards for investigation and analysis is important for the SIRT manager, so as to provide guidance and direction to the team members.

■ Familiar with Guidelines: SIRT members will require the Team Manager to provide them the necessary corporate guidance, the response guidelines for the actual situation being investigated, the forensics/evidentiary guidance for the hardware, network and software involved, as well as the direct onsite guidance for handling of the people, situation, and environment during the incident response.

• ■ Differences with governmental jurisdictions: The order of precedence for legal jurisdiction is always needed and should be reviewed by the SIRT Manager when getting ready to respond to an incident. This order is dependent upon your local, regional, and national legal structure and should be identified and defined by your corporate legal counsel during the team set-up process. At this point in the review of the legal and ethical standing of SIRT actions and activities, a couple of focus areas need the SIRT Manager’s consideration. There are two primary US-based areas to always keep in mind when overseeing and managing SIRT actions.

US Federal Rules of Evidence

• The Federal Rules of Evidence (FRE) are the guides for investigators and responders in the actual collection and use of evidence in court cases. The FRE is the code of evidence law governing the admission of facts by which parties in the US federal court system may prove their cases, both civil and criminal. The FRE were the product of protracted academic, legislative, and judicial examination before being finally approved in 1975. US states are free to adopt or maintain evidence rules different from the Federal Rules, but a significant majority (47 out of 50) has adopted codes in whole or part based on the FRE.

US Federal Rules of Evidence

There are 67 individually numbered rules, divided among 11 articles within the FRE:

• 1. General Provisions

• 2. Judicial Notice

• 3. Presumptions in Civil Actions and Proceedings

• 4. Relevancy and Its Limits

• 5. Privileges

• 6. Witnesses

• 7. Opinions and Expert Testimony

• 8. Hearsay

• 9. Authentication and Identification

• 10. Contents of Writings, Recordings, and Photographs

• 11. Miscellaneous Rules.

The FRE embody some very common concepts, and attorneys frequently refer to those concepts by the rule number.

US Federal Rules for Civil Procedures

• The Federal Rules for Civil Procedures (FRCP) govern the procedure in all civil actions and proceedings in the US district courts, except as stated in Rule 81. They should be construed and administered to secure the just, speedy, and inexpensive determination of every action and proceeding. The FRCP was adopted and went into effect on December 1, 2010. Specifically relevant to SIRT activities is the Rule 34 related to producing documents, electronically stored information (ESI) and tangible things, or entering onto land for inspection and other purposes.

Government Laws, Policies and Procedures:

European Laws

• Within the European Union, privacy and data protection are considered as two separate fundamental rights. Protection of personal data is a right which is separate from, but closely linked to, the right to privacy:

• a. Respect for private life was established in 1950 with the adoption of the European Convention of Human Rights—in the framework of the Council of Europe. Put in short terms, the right to privacy may be described as a right which prevents public authorities from taking measures which are privacy invasive, unless certain conditions have been met.

• b. The right to data protection was introduced in the 1980s as a consequence of technical developments. Put in short terms, data protection principles aim to establish conditions under which it is legitimate and lawful to process personal data. Data protection legislation obliges those responsible to respect a set of rules and empowers the people concerned by granting them rights. Finally, it provides for supervision by independent authorities.

EU Security Requirements for Incident Response:

• Article 13a of the Framework directive: “Security and Integrity”

The Telecoms reform, passed into law in 2009, adds Article 13a to the Framework directive, regarding security and integrity of public electronic communication networks and services. Article 13a states:

• ■ Providers of public communication networks and services should take measures to guarantee security and integrity (i.e. availability) of their networks.


• ■ Providers must report to competent national authorities about significant security breaches.

• ■ National authorities should inform ENISA and authorities abroad when necessary, for example in case of incidents with impact across borders.

• ■ National authorities should report to ENISA and the EC about the incident reports annually.

Article 13a also says that the EC may issue more detailed implementation requirements if needed, taking into account ENISA’s opinion. The EC, ENISA, and the national regulators have been collaborating for the past 2 years to implement Article 13a and to agree on a single set of security measures for the European electronic communications sector and a modality for reporting security breaches in the electronic communications sector to authorities abroad, to ENISA, and to the EC. In May 2012, ENISA received the first set of annual reports from Member States, concerning incidents that occurred in 2011. ENISA received 51 incident reports about large incidents which exceeded an agreed impact threshold.

2.2 Article 4 of the e-Privacy directive: “Security of processing”

The Telecoms reform also changed the e-Privacy Directive, which addresses data protection and privacy related to the provision of public electronic communication networks or services. Article 4 of the e-Privacy directive requires providers to notify personal data breaches to the competent authority and subscribers concerned, without undue delay. The obligations for providers are:

■ To take appropriate technical and organizational measures to ensure security of services,

■ To notify personal data breaches to the competent national authority,

■ To notify data breaches to the subscribers or individuals concerned, when the personal data breach is likely to adversely affect their privacy, and

■ To keep an inventory of personal data breaches, including the facts surrounding the breaches, the impact and the remedial actions taken.

Article 4 also says that the EC may issue technical implementing measures regarding the notification formats and procedures, in consultation with the Article 29 Working Party, the European Data Protection Supervisor (EDPS), and ENISA.

2.3 Articles 30, 31 and 32 of the Data Protection regulation

The EC has proposed to reform the current European data protection framework (Directive 95/46/EC), and has proposed an EU regulation on dataprotection. The regulation regards organizationsthat are processing personal data, regardless of the business sector the organizationis in. Security measures and personal data breach notifications are addressed in Articles 30, 31, and 32:

■ Organizations processing personal data must take appropriate technical and organizational security measures to ensure security appropriate to the risks presented by the processing.

■ For all business sectors the obligation to notify personal data breaches becomes mandatory.

■ Personal data breaches must be notified to a competent national authority without undue delay and, where feasible, within 24 hours, or else a justification should be provided.

■ Personal data breaches must be notified to individuals if it is likely there will be an impact on their privacy. If the breached data was unintelligible, notification is not required.

2.4 Article 15 of the e-Sig and e-ID regulation: “Security requirements”

The EC recently released a proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market. Article 15 in this proposal introduces obligations concerning security measures and incident reporting:

■ Trust service providers must implement appropriate technical and organizational measures for the security of their activities.

■ Trust service providers must notify competent supervisory bodies and other relevant authorities of any security breaches and, where appropriate, national supervisory bodies must inform supervisory bodies in other EU countries and ENISA about security breaches.

■ The supervisory body may, directly or via the service provider concerned, inform the public.

■ The supervisory body sends a summary of breaches to ENISA and the EC.

Other countries also have Incident Response directives, legislation, and regulation. When managing a SIRT, it is paramount that the manager knows the statutory and regulatory requirements for Incident Response reporting and for coordination with the national and international IR organizations.

Reading List

• Borodzicz, E.P. (2005) Risk, Crisis and Security Management, John Wiley & Sons, Ltd., Hoboken.

• Boyle, R.J. and Panko, R.R. (2015) Corporate Computer Security, Global Edition, Pearson Education Limited, Harlow, United Kingdom.

• Johnson, L. (2014) Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response, Syngress, Rockland.

• Kawakami, J. (2016) Backups: Avoiding computer disasters on Windows, Mac and Linux, John Kawakami Publishing.

• Luttgens, J.T., Pepe, M. and Mandia, K. (2014) Incident Response & Computer Forensics (3rd Ed.), McGraw Hill Education.

• ‘Krebs on Security’ cyber security and news blog, accessed at: https://krebsonsecurity.com/

THE END
