Incident Response Methodology is one of the popular process to investigate the incident which is unlawful, unauthorized or unacceptable action on computer system or computer network.

1. PRESENTED BY
BHUPESHKUMAR M.V. NANHE
DEPARTMENT OF FORENSIC SCIENCE,
SHRI SHIVAJI COLLEGE OF ARTS, COMMERCE & SCIENCE, AKOLA (MH)

2. Synopsis
Introduction to Computer Security Incident
Goals of Incident Response
Experts involves in Incident Response
Incident Response Methodology
Pre-Incident Preparation
Detection of Incident
Formulate a Response Strategy
Data Collection
Data Analysis
Reporting
Resolution
02/15

3. Introduction to Computer Security Incident
Computer Security Incident as any unlawful, unauthorized or
unacceptable action that involve a computer system or a computer
network.
Such actions can be;
Email harassment
Embezzlement
Possession and dissemination of child pornography
DoS attacks
Theft of trade secretes
03/15

4. Goals of Incident Response
Confirms whether an incident occurred or not
Minimizes disruption of business and network operation
Promote accumulation of accurate information
Protect privacy rights established by law and policy
Provide accurate report and useful recommendations
Allows criminal or civil actions against perpetrator(s)
Protect your organization’s reputation and assest
Educates senior management
04/15

5. Experts involves in Incident Response Process
Computer Security Incident Response Team (CSIRT) respond the
incident and that includes followings experts.
 Technical experts,
 Cyber Security experts,
 Legal counsel,
 Corporate security officer,
 Business Managers,
 End User
 Human Recourses personnel
 Workers
05/15

6. Incident Response Methodology
Fig. Incident Response Methodology
06/15

7. Pre-Incident Preparation
Preparation of Organization
Implementing host based security
Implementing network based security
Employing an intrusion detection system (IDS)
Creating strong access control
Training end user
Preparation of CSIRT
The hardware needed to investigate computer security incidents
The software needed to investigate computer security incidents
The documentation needed to investigate computer security incidents
07/15

8. Detection of Incident
IDS Detection of remote attack
Numerous failed logon attempts
Logins into dormant or default
accounts
New account not created by system
administrator
Unfamiliar file and executable
program
Altered pages on webserver
Gaps in log files
Slower System performance
System Crash
Receipt of Email Exporting your
organization
Child Pornography
08/15

9. Initial Response
Interviewing the system administration
Interviewing business unit personnel
Reviewing the IDS report and network-based logs to identify the
data
Reviewing the network topologies and access control list .
09/15

10. Formulate a Response Strategy
Based on the results of all known facts, determine the best response and
obtain management approval.
Determine what civil, criminal, administrative or other actions area
appropriate to take, based on the conclusion drawn from the investigation.
10/15

11. Data Collection
1. Network Based Evidence
Obtain IDS logs
Obtain existing router logs
Obtain relevant firewall logs
Perform network monitoring
Obtain Backup
2. Host Based Evidence
Obtain volatile data during a live response
Obtain the system time/date for every file on the victim system
 Obtain backup
3. Other Evidence
 Obtain oral testimony from witnesses
11/15

12. Forensic Analysis
Fig. Forensic Analysis 12/15

13. Reporting
Documents immediately
Write concisely
Use standard format
13/15

14. Resolution
Identify the organization’s top priorities and resolve them
 Returning all the system in operational status
Implement proper computer as well as network security
Restore any affected or compromised system
 Apply corrections required to address any host-based vulnerabilities
14/15

15. 15/15