CF Unit 2notes

The document outlines the curriculum for a Cyber Forensics course, focusing on initial response and forensic duplication processes for both Windows and UNIX systems. It defines computer security incidents, outlines the goals of incident response, and describes the roles involved in the incident response process, including the formation of a Computer Security Incident Response Team (CSIRT). Additionally, it emphasizes the importance of pre-incident preparation and the necessary measures to ensure effective incident response.
Uploaded by srikarkokkula

CYBER FORENSICS

B.TECH IV YEAR - I SEM (2024-25)

DEPARTMENT OF COMPUTER SCIENCE

UNIT - II

Initial Response and Forensic Duplication: Initial Response & volatile data collection from Windows systems;
Initial Response & volatile data collection from UNIX systems.
Forensic Duplication: Forensic duplication as admissible evidence; forensic duplication tool requirements;
creating a forensic duplicate / qualified forensic duplicate of a hard drive.
TEXT BOOKS:

1. Computer Forensics: Computer Crime Investigation by John R. Vacca, Firewall Media, New Delhi.
2. Computer Forensics and Investigations by Nelson, Phillips, Enfinger, Steuart, Cengage Learning.

2.1 WHAT IS A COMPUTER SECURITY INCIDENT?

We define a computer security incident as any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network. Such an action can include any of the following events:

- Theft of trade secrets
- Email spam or harassment
- Unauthorized or unlawful intrusions into computing systems
- Embezzlement
- Possession or dissemination of child pornography
- Denial-of-service (DoS) attacks
- Tortious interference with business relations
- Extortion
- Any unlawful action where the evidence of that action may be stored on computer media, such as fraud, threats, and traditional crimes

Notice that many of these events are violations of public law, and they may be actionable in criminal or civil proceedings. Several of these events have a grave impact on an organization's reputation and its business operations. Responding to computer security incidents can involve intense pressure, time, and resource constraints. A severe incident affecting critical resources can seem overwhelming. Furthermore, no two incidents are identical, and very few will be handled in exactly the same manner.

However, breaking down the procedure into logical steps makes incident response manageable. In this chapter, we introduce an effective methodology that will provide your organization with a tested and successful approach to resolving computer security incidents.

2.2 WHAT ARE THE GOALS OF INCIDENT RESPONSE?

In our incident response methodology, we emphasize the goals of corporate security professionals with legitimate business concerns, but we also take into consideration the concerns of law enforcement officials. Thus, we developed a methodology that promotes a coordinated, cohesive response and achieves the following:

- Prevents a disjointed, noncohesive response (which could be disastrous)
- Confirms or dispels whether an incident occurred
- Promotes accumulation of accurate information
- Establishes controls for proper retrieval and handling of evidence
- Protects privacy rights established by law and policy
- Minimizes disruption to business and network operations
- Allows for criminal or civil action against perpetrators
- Provides accurate reports and useful recommendations
- Provides rapid detection and containment
- Minimizes exposure and compromise of proprietary data
- Protects your organization's reputation and assets
- Educates senior management

2.3 WHO IS INVOLVED IN THE INCIDENT RESPONSE PROCESS?

Incident response is a multifaceted discipline. It demands a myriad of capabilities that usually require resources from several different operational units of an organization. Human resources personnel, legal counsel, technical experts, security professionals, corporate security officers, business managers, end users, help desk workers, and other employees may find themselves involved in responding to a computer security incident.

Most organizations establish a team of individuals, often referred to as a Computer Security Incident Response Team (CSIRT), to respond to any computer security incident. The CSIRT is a multidisciplined team with the appropriate legal, technical
2.4 INCIDENT RESPONSE METHODOLOGY

We are always on a quest for the perfect way to organize a process. We search for the right way to define phases of the process, look for bright-line separation of phases to avoid murky areas, try to make the perfect flowchart to illustrate the process, and organize the phases so the process can be applied to the widest range of possible scenarios. Since the incident response process can involve so many variables and factors that affect its flow, it is quite a challenge to create a simple picture of the process while maintaining a useful level of accuracy. However, we feel that we have developed an incident response process that is both simple and accurate.

Computer security incidents are often complex, multifaceted problems. Just as with any complex engineering problem, we use a "black box" approach. We divide the larger problem of incident resolution into components and examine the inputs and outputs of each component. Figure 2-1 illustrates our approach to incident response. In our methodology, there are seven major components of incident response:

- Pre-incident preparation: Take actions to prepare the organization and the CSIRT before an incident occurs.
- Detection of incidents: Identify a potential computer security incident.
- Initial response: Perform an initial investigation, recording the basic details surrounding the incident, assembling the incident response team, and notifying the individuals who need to know about the incident.
- Formulate response strategy: Based on all the known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative, or other actions are appropriate to take, based on the conclusions drawn from the investigation.
- Investigate the incident: Perform a thorough collection of data. Review the data collected to determine what happened, when it happened, who did it, and how it can be prevented in the future.
- Reporting: Accurately report information about the investigation in a manner useful to decision makers.
- Resolution: Employ security measures and procedural changes, record lessons learned, and develop long-term fixes for any problems identified.

We will discuss each of these steps in this chapter, focusing on the big picture. The remainder of this book focuses on achieving the goals of each step, with the greatest emphasis placed on the investigate-the-incident phase.

2.5 Pre-Incident Preparation

Preparation leads to successful incident response. During this phase, your organization needs to prepare both the organization itself as a whole and the CSIRT members, prior to responding to a computer security incident.

We recognize that computer security incidents are beyond our control; as investigators, we have no idea when the next incident will occur. Furthermore, as investigators, we often have no control over or access to the affected computers before an incident occurs. However, lack of control does not mean we should not attempt to posture an organization to promote a rapid and successful response to any incidents.

Incident response is reactive in nature. The pre-incident preparation phase comprises the only proactive measures the CSIRT can initiate to ensure that an organization's assets and information are protected.

Ideally, preparation will involve not just obtaining the tools and developing techniques to respond to incidents, but also taking actions on the systems and networks that will be part of any incident you need to investigate. If you are fortunate enough to have any level of control over the hosts and networks that you will be asked to investigate, there are a variety of steps you can take now to save time and effort later.
2.6 Preparing the Organization

Preparing the organization involves developing all of the corporate-wide strategies you need to employ to better posture your organization for incident response. This includes the following:

- Implementing host-based security measures
- Implementing network-based security measures
- Training end users
- Employing an intrusion detection system (IDS)
- Creating strong access control
- Performing timely vulnerability assessments
- Ensuring backups are performed on a regular basis
Preparing the CSIRT

The CSIRT is defined during the pre-incident preparation phase. Your organization will assemble a team of experts to handle any incidents that occur. Preparing the CSIRT includes considering at least the following:
- The hardware needed to investigate computer security incidents
- The software needed to investigate computer security incidents
- The documentation (forms and reports) needed to investigate computer security incidents
- The appropriate policies and operating procedures to implement your response strategies
- The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation

You do not want to be acquiring essential resources after an incident occurs. Typically, you cannot afford unnecessary delays when attempting to resolve an incident.

COMPUTER FORENSICS
GNITC DEPARTMENT OF CSE
