Guide to Integrating Forensic Techniques into Incident Response

CODEDRAGON Security/DigitalForensics


Table of Contents

Executive Summary ... ES-1

1. Introduction ... 1-1
   1.1 Authority ... 1-1
   1.2 Purpose and Scope ... 1-1
   1.3 Audience ... 1-1
   1.4 Publication Structure ... 1-2

2. Establishing and Organizing a Forensics Capability ... 2-1
   2.1 The Need for Forensics ... 2-1
   2.2 Forensic Staffing ... 2-3
   2.3 Interactions with Other Teams ... 2-4
   2.4 Policies ... 2-5
      2.4.1 Defining Roles and Responsibilities ... 2-5
      2.4.2 Providing Guidance for Forensic Tool Use ... 2-6
      2.4.3 Supporting Forensics in the Information System Life Cycle ... 2-6
   2.5 Guidelines and Procedures ... 2-7
   2.6 Recommendations ... 2-8

3. Performing the Forensic Process ... 3-1
   3.1 Data Collection ... 3-2
      3.1.1 Identifying Possible Sources of Data ... 3-2
      3.1.2 Acquiring the Data ... 3-3
      3.1.3 Incident Response Considerations ... 3-5
   3.2 Examination ... 3-6
   3.3 Analysis ... 3-6
   3.4 Reporting ... 3-6
   3.5 Recommendations ... 3-7

4. Using Data from Data Files ... 4-1
   4.1 File Basics ... 4-1
      4.1.1 File Storage Media ... 4-1
      4.1.2 Filesystems ... 4-3
      4.1.3 Other Data on Media ... 4-4
   4.2 Collecting Files ... 4-5
      4.2.1 Copying Files from Media ... 4-6
      4.2.2 Data File Integrity ... 4-7
      4.2.3 File Modification, Access, and Creation Times ... 4-9
      4.2.4 Technical Issues ... 4-9
   4.3 Examining Data Files ... 4-10
      4.3.1 Locating the Files ... 4-11
      4.3.2 Extracting the Data ... 4-11
      4.3.3 Using a Forensic Toolkit ... 4-13
   4.4 Analysis ... 4-14
   4.5 Recommendations ... 4-15

5. Using Data from Operating Systems ... 5-1
   5.1 OS Basics ... 5-1
      5.1.1 Non-Volatile Data ... 5-1
      5.1.2 Volatile Data ... 5-3
   5.2 Collecting OS Data ... 5-4
      5.2.1 Collecting Volatile OS Data ... 5-5
      5.2.2 Collecting Non-Volatile OS Data ... 5-8
      5.2.3 Technical Issues with Collecting Data ... 5-10
   5.3 Examining and Analyzing OS Data ... 5-11
   5.4 Recommendations ... 5-12

6. Using Data From Network Traffic ... 6-1
   6.1 TCP/IP Basics ... 6-1
      6.1.1 Application Layer ... 6-2
      6.1.2 Transport Layer ... 6-2
      6.1.3 IP Layer ... 6-3
      6.1.4 Hardware Layer ... 6-4
      6.1.5 Layers’ Significance in Network Forensics ... 6-4
   6.2 Network Traffic Data Sources ... 6-5
      6.2.1 Firewalls and Routers ... 6-5
      6.2.2 Packet Sniffers and Protocol Analyzers ... 6-5
      6.2.3 Intrusion Detection Systems ... 6-6
      6.2.4 Remote Access ... 6-7
      6.2.5 Security Event Management Software ... 6-7
      6.2.6 Network Forensic Analysis Tools ... 6-8
      6.2.7 Other Sources ... 6-8
   6.3 Collecting Network Traffic Data ... 6-9
      6.3.1 Legal Considerations ... 6-9
      6.3.2 Technical Issues ... 6-10
   6.4 Examining and Analyzing Network Traffic Data ... 6-11
      6.4.1 Identify an Event of Interest ... 6-12
      6.4.2 Examine Data Sources ... 6-12
      6.4.3 Draw Conclusions ... 6-16
      6.4.4 Attacker Identification ... 6-17
   6.5 Recommendations ... 6-18

7. Using Data from Applications ... 7-1
   7.1 Application Components ... 7-1
      7.1.1 Configuration Settings ... 7-1
      7.1.2 Authentication ... 7-2
      7.1.3 Logs ... 7-2
      7.1.4 Data ... 7-3
      7.1.5 Supporting Files ... 7-3
      7.1.6 Application Architecture ... 7-4
   7.2 Types of Applications ... 7-5
      7.2.1 E-mail ... 7-5
      7.2.2 Web Usage ... 7-6
      7.2.3 Interactive Communications ... 7-7
      7.2.4 File Sharing ... 7-7
      7.2.5 Document Usage ... 7-8
      7.2.6 Security Applications ... 7-8
      7.2.7 Data Concealment Tools ... 7-8
   7.3 Collecting Application Data ... 7-9
   7.4 Examining and Analyzing Application Data ... 7-9
   7.5 Recommendations ... 7-10

8. Using Data from Multiple Sources ... 8-1
   8.1 Suspected Network Service Worm Infection ... 8-1
   8.2 Threatening E-mail ... 8-3
   8.3 Recommendations ... 8-5

List of Appendices

Appendix A — Recommendations ... A-1
   A.1 Organizing a Forensics Capability ... A-1
      A.1.1 Forensic Participants ... A-1
      A.1.2 Forensic Policies, Guidelines, and Procedures ... A-1
      A.1.3 Technical Preparation ... A-2
   A.2 Performing the Forensics Process ... A-2
      A.2.1 Data Collection ... A-3
      A.2.2 Examination and Analysis ... A-4
      A.2.3 Reporting ... A-4
Appendix B — Scenarios ... B-1
   B.1 Scenario Questions ... B-1
   B.2 Scenarios ... B-1
Appendix C — Glossary ... C-1
Appendix D — Acronyms ... D-1
Appendix E — Print Resources ... E-1
Appendix F — Online Tools and Resources ... F-1
Appendix G — Index ... G-1

List of Figures

Figure 3-1. Forensic Process ... 3-1
Figure 4-1. File Header Information ... 4-12
Figure 6-1. TCP/IP Layers ... 6-1
Figure 6-2. TCP/IP Encapsulation ... 6-2

List of Tables

Table 4-1. Commonly Used Media Types ... 4-2


Direct download

SP800-86.pdf