BigSnarf blog

Infosec FTW

Incident Response -> Digital Forensics

The first IR book I got my hands on is the one above. My first computer conference was http://www.first.org/. It’s no wonder I’m a Blue Team kinda person. Here is my common-process IR braindump.

  • Have you tested your process? What automation is gonna help the IR -> DF handoff?
  • Finding the trail …
  • What kind of system are you looking at?
  • Do you have remote access? Root access?
  • What evidence do you wish to collect from the system?
  • Remote acquisition of HDD, Ram or interactive query?
  • VM? Cloud? Local? Remote Office? Laptop? OS?
  • Custom tools? Audit scripts? Forensics Automation?
  • pslist, malfind, filescan, sockets, connscan, and connections with the Volatility Framework? (Note: sockets, connscan and connections only work on XP/2003 memory images; for Vista and later use netscan.)
  • Who’s talking to badguy.com?
  • Did you check your DNS logs?
  • Did you check your Firewall logs?
  • Did you check the outbound proxy?
  • Whose internal address is 10.187.10.112?
  • What is that computer?
  • Who logged into that computer?
  • Did you check the DHCP logs?
  • Is that a static assignment?
  • OMG, that’s a Windows XP box?
  • When was it last patched? Was the user phished?
  • Has it been exploited?
  • What did anti-virus or host based IDS say?
  • Facebook osquery installed on the box?
  • GRR installed? MIG?
  • Can I remote image the HDD? Can I remote image the Mem?
  • What’s the baseline on the box?
  • Any Sysinternals tools on the box for process-monitoring baselines?
  • Files changed? Local logs?
  • Did Windows XP box at 10.187.10.112 communicate with anyone?
  • Did this box do anything? Scans? Talk to any systems locally? Exfil?
  • Did you check the proxies?
  • Did you check the mapped drives?
  • Did you check the SIEM? NTOP? Logs?
  • What are the IOCs? C&C communications?
  • Suricata? Bro? Snort? Security Onion? MIDAS?
  • Are there PCAPs? Network packet logging?
  • Moloch? Packet Pig? DNS Pig? PCAP-RPC? MHN?
  • Is it time for forensics? Do you need to contain? Observe?
  • Remote or local acquisition? Mem or HDD?
  • Process extraction? File extraction? Fuzzy hashing with pyssdeep?
  • What tools are you gonna use? Volatility? bulk_extractor? Cuckoo? YARA? DNS graph? Communications graph?
  • Correlate to threat intelligence? Situational awareness? Vulns? Activate other processes? Protect data?
  • What box do I have to get to next? Follow the white rabbit?
