UNIT-4
Network based Evidence:-
PREPARATION:- Incident response analysts should have the necessary tools at their
disposal for acquiring host-based evidence. For supporting an enterprise environment it
is a good idea that incident response personnel have a solid understanding of the types
of systems commonly deployed.
One technique is for incident response analysts to be given individual credentials
that are enabled only during an incident.
EVIDENCE VOLATILITY:-
Volatility describes how data on a host system is maintained after changes such as
log-off or power shutdown.
- Volatile data can be data in the CPU, routing tables or the ARP cache. One of the most
critical pieces of volatile evidence is the memory currently running on the system.
- Malware leaves a number of key pieces of evidence within the memory of the system.
- Non-volatile data includes MFT entries, registry information and the actual files on
the hard drive.
EVIDENCE ACQUISITION:-
- Local evidence acquisition-
- Online acquisition- an online acquisition of evidence occurs when the incident response
analyst acquires evidence from a system that is powered on and running.
- Offline acquisition- the offline acquisition method is the one often used by law
enforcement agencies to preserve digital evidence on the hard disk. This technique
requires that the system is powered down and the hard drive removed.
EVIDENCE COLLECTION PROCEDURE:-
- Photograph the system and general scene. One key piece of equipment that can save
time is a small digital camera. While it may seem overkill to photograph a system in
place, in the event that actions taken by the incident responder ever see the inside of
a courtroom, having photos will allow proper reconstruction of the event.
- Determine whether the system is powered up. If the system is powered on, leave it on;
if the system is off, do not power it on. A number of changes take place when turning a
system on or off.
- Acquire the running memory. This is the critical piece of evidence that can produce a
wealth of data concerning running processes, DLLs in use and network connections.
- Acquire registry and log files. While these files are non-volatile in nature, having
near-immediate access is beneficial, especially when investigating malware or
exploitation.
- Unplug the power from the back of the system. In the event that the system is a
laptop, remove the battery as well. This preserves the state of the system.
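The volatility ordering and the collection steps above, as an added worked example that is not part of these notes: a small Python planner that orders acquisition by volatility (volatile data before non-volatile, then power removal), leaves a powered-off system off so only non-volatile data is in scope, and hashes each artifact at acquisition so a later copy can be checked. The artifact names, tiers and byte contents are constructed stand-ins, not data read from a real host.

```python
import hashlib
from datetime import datetime, timezone

# Volatility tiers from the notes: memory, routing tables, the ARP cache and
# network connections are lost at log-off or shutdown; MFT entries, the
# registry and files on disk survive it.
VOLATILE, NON_VOLATILE = 0, 1

# Constructed sample artifacts (name, tier, content); a real collector reads these from the host.
SAMPLE_ARTIFACTS = [
    ("registry_hives", NON_VOLATILE, b"HKLM\\SYSTEM hive bytes (constructed)"),
    ("running_memory", VOLATILE, b"MEMDUMP: processes, DLLs, sockets (constructed)"),
    ("event_logs", NON_VOLATILE, b"System.evtx bytes (constructed)"),
    ("arp_cache", VOLATILE, b"192.0.2.10 aa:bb:cc:dd:ee:ff dynamic\n"),
    ("routing_table", VOLATILE, b"0.0.0.0/0 via 192.0.2.1\n"),
]

def plan_collection(powered_on, artifacts=SAMPLE_ARTIFACTS):
    """Order the acquisition steps the way the procedure in the notes does.

    Powered on: stay on, photograph, capture volatile data first, then
    non-volatile data, then pull the power. Powered off: do not power on,
    so only non-volatile data (from the removed drive) is in scope.
    """
    steps = ["photograph_system_and_scene"]
    if powered_on:
        ordered = sorted(artifacts, key=lambda a: a[1])  # stable sort: volatile first
        steps += [name for name, _, _ in ordered]
        steps.append("unplug_power_or_remove_battery")
    else:
        steps += [name for name, tier, _ in artifacts if tier == NON_VOLATILE]
        steps.append("remove_drive_for_offline_imaging")
    return steps

def acquire(name, data):
    """Hash the artifact at the moment of acquisition so later copies can be verified."""
    return {"artifact": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "acquired_at": datetime.now(timezone.utc).isoformat()}

def verify(record, data):
    """True if the data still matches the hash recorded at acquisition."""
    return hashlib.sha256(data).hexdigest() == record["sha256"]

def build_manifest(powered_on, artifacts=SAMPLE_ARTIFACTS):
    """Run the plan over the artifacts; return (ordered steps, acquisition records)."""
    by_name = {name: data for name, _, data in artifacts}
    steps = plan_collection(powered_on, artifacts)
    return steps, [acquire(s, by_name[s]) for s in steps if s in by_name]
```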