Incident Response

Incident Response and Evidence Collection

3.1. Legal admissibility and validity
3.2. Information systems and legal processes
3.3. Incident response processes
3.4. Digital (Electronic) Evidence
3.5. Hash Values (MD5, SHA1, SHA256)
3.6. Rules for incident response
3.7. Problems and solutions
3.8. Acquisition sheets (Hands on)
3.9. Incident response reports (Hands on)

4.1. eDiscovery and planning
4.2. Preparation of incident response devices and systems
4.3. Securing crime/incident scene
4.4. Collection of critical and volatile evidence
4.5. Forensic imaging
4.6. Securing forensic images
4.7. Hands on No-1: Computer is running (live incident response)
4.8. Hands on No-2: Computer is shut downed (death incident response)
4.9. Problems and solutions at incident scene
4.10. Triage analysis of forensic images
4.11. Examination
4.12. Analysis
4.13. Investigation
4.14. Preparation of sketch and diagram
4.15. Preparation of questions to be asked
4.16. Creating a whole piece (Induction)
4.17. Dividing the whole into pieces (Deductive)
4.18. Problems and solutions of investigations

• Evidence Dynamics Principle of Edmond Locard
• Not being able to see the whole picture
• Focus on wrong parts
• Subjectivize the incident
• Failure to disassemble the whole
• Analytic thinking
• Relationship analysis and its importance

5.1. Type of digital evidence

• Data at rest (HDD, SSD, Memory cards, optical storages)
• Data in transit (Network traffic)
• Data in execution (RAM)

5.2. Forensic imaging with disk duplicators (Hands on)

• CRU Wiebetech Ditto DX
• CRU RTX Forensic
• DIFOSE FD2

5.3. Forensic Imaging with write blockers (Hands on)

• CRU Wiebetech Forensic UltraDock v5
• CRU Wiebetech USB 3.0 Write Blocker
• DIFOSE WB1

5.4. Forensic imaging with FTK Imager and Forensic Imager (Hands on)
5.5. Forensic imaging with GuyMager (Hands on)
5.6. Forensic Imaging with DD command (Hands on)
5.7. DEFT Linux (Hands on)
5.8. CAINE Linux (Hands on)
5.9. Paladin Linux (Hands on)
5.10. Forensic imaging of an Apple MacBook (Hands on)
5.11. Forensic imaging of a RAID system (Hands on)
5.12. Remote forensic imaging (Hands on)

6.1. Forensic imaging of RAM
6.2. System state report
6.3. Working processes
6.4. Open ports
6.5. How to use YARA
6.6. Custom content imaging
6.7. Forensic copying of $MFT and parsing
6.8. Forensic copy of registry files

• System
• Security
• Software
• SAM

6.9. Forensic copy of Pagefile.sys file
6.10. Forensic copy of Hiberfil.sys file
6.11. Forensic copy of event logs
6.12. Forensic copy of driver files
6.13. Forensic copy of scheduled tasks
6.14. Forensic copy of boot records
6.15. Forensic copy of shell bags
6.16. Forensic copies of all open windows
6.17. Forensic copies of most important artifacts

11.1. Network traffic capturing on a server and a PC
11.2. Lawful interception

• SPAN method
• TAP method

11.3. Packet capturing on wireless network
11.4. How to make wireless network to wired network
11.5. Network packet capturing for forensic purposes
11.6. Preparing network packet capturing report