Incident Response Digital Forensics Investigating Procedures Response (Research Paper Sample)

Incident Response
(Author’s name)
(Institutional Affiliation)
Incident Response
Introduction
Incident response is one the most crucial steps in taking action after an event has happened to a network or system, it has many steps and methods that make problems solvable and able to recover from. The purpose of this paper is to define an incidence response, outline steps of a proper incidence response, to discuss methods of reducing incidence response, to explore trends in today’s current incident response general understanding and future trends and applications.
What is an incident response
In the event of a compromise of security, it is a strategic plan to get back on track. A vast number of unauthorized hacking activities are intended to extract information that can be used for other illegal activities like demand for ransom among others.
First, getting back on track after an insecurity breach enables the computer security incident response team (CSIRT) assess the magnitude of damage and identification of potential evidence related to the incident (Freiling & Schwittay, 2007). Some hackers usually leave evidence behind and the more time an organization takes to get back, the easier it is for that evidence to be tampered with. Getting back on track helps in easy identification of and preservation of the evidence in its original state. Grace (2002) caution against alteration of the original content asserting that altered content cannot be presented in court as evidence of insecurity breach. Secondly, the initial response by the CSIRT may prove to be cheaper and time saving compared to the future technical analysis of the system (Cichonski, Millar, Grance & Scarfone, 2012). The future technical analysis may involve laboratory and expensive forensic examinations compared the immediate responses from the first responder (Grace, 2002). Finally, getting back assures stakeholders of the security of their information and reduces unnecessary panic.
Incidents are easy to detect even to person with a limited technical background. Different parties including witnesses, reporters of the incident and the company officials and information security officer, organization’s ISP, software vendors, affected parties and organizations IAIP and ISAC (Cichonski et al., 2012) are usually involved when an incident occurs. However, it is the role of the CSIRT to investigate the potential incident and affirm of its credibility. An incident is first acknowledged to be true incident if reports from the intrusion detection system (IDS) and logs from the network surveillance system have been breached (Freiling & Schwittay, 2007). Additionally, the investigation phase also involves interviewing of all personnel who reported the incident. From these, the CSIRT compiles a report that acknowledges the nature of the incident. It is also important to note that the urge of the response team is determined by the severity of the incident whether the incident is of high, medium or low severity.
Steps of proper incident response
Grace (2002) outlines, securing and protection of the incident scene, powering off the computer, evidence labeling, evidence documentation, evidence transportation and provision of chain-of-custody to the documented content as appropriate incident response procedures to be taken. The procedures are as discussed below.
* Securing the scene involves denial of accessibility of the scene until the CSIRT arrives for assessment. Individuals are not allowed to touch anything including shutting down the computer or accessing any programs after the incident. Only people within the scene and those who were directly involved ought to be properly interviewed and allowed to stay (Grace, 2002).
* The purpose of the CSIRT is to secure any evidence without tampering with it. Shutting down computers is one of the ways of safeguarding any evidence. CSIRT should properly shut down suspected computers else deletion or overwriting of data may occur and hence loss of evidence stored in databases, spreadsheets or in other locations (Grace, 2002).
* Marking of all sources including plugs, media and computer should be labeled before discounting them. It is also proper practice to take photographs of the labeled sources. Storage devices ought to be collected and labeled in the state they were found in (Grace, 2002).
* After collection and labeling of sources, detailed documentation containing entries and description of the sources should be performed. It may include the physical condition of the sources before and after marking, how they sources were labeled and any other relevant information (Grace, 2002).
* Handling and transportation of the evidence should be done properly and in a manner that will not compromise the integrity of the evidence. CPUs and storage media should be safely transported to avoid loss of data through hard disk failure or through breakage of the storage media (Grace, 2002).
* Finally, collected and transported evidence should preserve well for analysis by qualified forensic experts. Before examination by forensic experts begins, collected data is backed up for protection and maintaining originality of the evidence (Grace, 2002).
Planning to maximize incident response/ team
An organization ought to have a well-structured plan that will enable it to maximize the output of the incident response team. Success in the operation of an incident response team is not determined by the number of members within the team but by the ability of individuals to participate and cooperate within the organization (Cichonski et al., 2012). Discussed below are some of the approaches to be adopted in order to enhance smooth functioning and operation of the incident response team.
* Team models: an organization can adopt different team models to enhance efficiency and effectiveness of responses. Available models, as outlined by Cichonski et al. (2012) are central, distributed and coordinating incident response teams respectively. Central incident response teams only deal with a single incident and are often suitable for smaller organizations. The distributed response team is segmented into different teams with each team handling a specified jurisdiction while the coordinating team guides others on what to do (Cichonski et al., 2012). A company may adopt a model that suits its operation.
* Team model selection: companies should ensure that the selected team is easily available to handle incidences. Real-time and onsite presence of the team is important to reduce the potential damage and loss from an incident through quick reaction of the team (Cichonski et al., 2012). A large organization should ensure that each department has an expert specialized in incident management for effectiveness and swiftness of reaction in the event of an incident.
* Investment in knowledge: organizations ought to invest in their teams by ensuring that they are aware of current trends affecting computer insecurity. It can achieve this by purchasing books and other technical references that enhance and facilitate a deeper understanding of technical knowledge. Mentoring prog...