Digital Forensics and Incident Response (DFIR)

Disaster Recovery

Business continuity plan (BCP) is focused on keeping the organization functioning as well as possible until a full recovery can be made.

Disaster recovery plan (DRP) is focused on executing a full recovery to normal operations.

Federal Standards For BCPs

Business Impact Analysis

Describing the Incident

The Recovery Plan

  • consists of 2 parts
    • DRP
    • BCP
  • ultimate goal is complete recovery
  • 3 primary types of backups:
    • full
      • all changes
    • differential
      • all changes since last full backup
    • incremental
      • all changes since last backup of any type
  • new backup type
    • hierarchical storage management (HSM)
      • provides continuous online backup by using optical or tape “jukeboxes”
      • it appears as an infinite disk to the system
      • can be configured to provide the closest version of an available real-time backup
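As an added example (not part of the original notes), this Python simulation shows which files each of the three backup types copies on successive nights, and which backups a restore then has to replay; the file names, dates and the weekly schedule are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Backup:
    kind: str          # "full", "differential" or "incremental"
    taken_at: datetime
    files: frozenset   # paths copied by this backup

def select_files(kind, file_mtimes, history):
    """Paths a backup of `kind` copies now, given {path: mtime} and prior Backups (oldest first)."""
    if kind == "full":
        return set(file_mtimes)                    # full: everything, every time
    fulls = [b.taken_at for b in history if b.kind == "full"]
    if kind not in ("differential", "incremental") or not fulls:
        raise ValueError("unknown backup type, or no prior full backup to build on")
    since = (max(fulls) if kind == "differential"  # differential: since the last FULL backup
             else max(b.taken_at for b in history))  # incremental: since the last backup of ANY type
    return {p for p, m in file_mtimes.items() if m > since}

def restore_chain(history):
    """Backups needed, oldest first, to rebuild the newest state from `history`."""
    i = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[i]]
    for b in history[i + 1:]:
        if b.kind == "differential":
            chain = [history[i], b]                # a differential supersedes earlier partials
        else:
            chain.append(b)                        # every incremental since the full is needed
    return chain

def demo(strategy):
    """Constructed scenario: Sunday full backup, one file edited per day, nightly `strategy` backups."""
    def t(day, hour): return datetime(2024, 6, 2 + day, hour)
    mtimes = {"a": t(0, 9), "b": t(0, 9), "c": t(0, 9)}
    history = [Backup("full", t(0, 22), frozenset(mtimes))]
    mtimes["b"] = t(1, 9)                          # Monday: b changes
    night1 = frozenset(select_files(strategy, mtimes, history))
    history.append(Backup(strategy, t(1, 22), night1))
    mtimes["c"] = t(2, 9)                          # Tuesday: c changes
    night2 = frozenset(select_files(strategy, mtimes, history))
    history.append(Backup(strategy, t(2, 22), night2))
    return night1, night2, [b.kind for b in restore_chain(history)]

if __name__ == "__main__":
    for s in ("differential", "incremental"):
        print(s, demo(s))
```

The differential run copies more each night but restores from just two sets; the incremental run copies less but needs every set since the full, which is the trade-off behind choosing between them.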

Post Recovery Follow-Up

  • may go by different names
  • this phase is about discovering if the disaster was caused by some weakness in the system
  • need to discover the root cause

Incident Response

  • Detection
  • Containment
  • Eradication
    • should start forensics before this phase
      • otherwise you may wipe out evidence
    • image the drive to conduct investigation later
  • Recovery
  • Follow-Up

Preserving Evidence

An event is any observable occurrence within a system or network.

Adverse events are events with a negative result.

  • attacks are adverse events

A computer security incident is any event that violates an organization’s security policies.

  • includes acceptable use, etc.
  • e.g.,
    • Denial-of-Service (DoS) attacks
    • malicious code
    • unauthorized access
    • inappropriate usage

Adding Forensics to Incident Response

  • specific steps to weave forensics into incident response:
    1. identify forensic resources that the organization can use in case of an incident
      • no policy will be effective without forensically trained individuals
      • one approach is to get basic forensics training for IT security staff
      • or have an outside party that can respond to incidents with forensic personnel
    2. forensic methodology must be interwoven into the incident response policy
      • all policies regarding disaster recovery and incident response should be updated
      • ensure evidence is not destroyed during those processes
        • forensically image infected machines before eradicating malware