Cyber Incident Response

Investigation data sources

Logs

  • May require special permission to access
  • May be the best sources
  • Some will be very sensitive
  • Consider privacy as well

People

  • Interviews are becoming more common
    • Client-side attacks via phishing still top the list of breach causes
  • Be conscious of employee time and commitments
  • Consider the fidelity of information gathered during interviews
    • It can't be treated the same as raw data

Drive images, memory dumps

  • Memory is often the best source for live breaches
  • Don't forget the sensitivity of memory and drive images
  • Maintain access logs and chain of custody
  • Don't interfere with the IR response process!
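The access-log and chain-of-custody point above is worth automating. The script below is an added example (not course material): it hashes a drive or memory image on every handoff and appends one JSON-lines custody record, flagging any drift from the hash recorded at acquisition. File names, handler names and the sample image bytes are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so multi-GB images never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_log(log: Path) -> list:
    """Return all custody entries (one JSON object per line), oldest first."""
    if not log.exists():
        return []
    return [json.loads(line) for line in log.read_text().splitlines() if line]


def record_access(evidence: Path, log: Path, handler: str, action: str) -> dict:
    """Append one custody entry and flag any drift from the acquisition hash."""
    entries = read_log(log)
    current = sha256_file(evidence)
    baseline = entries[0]["sha256"] if entries else current  # first entry = acquisition
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "evidence": evidence.name,
        "handler": handler,
        "action": action,
        "sha256": current,
        "matches_acquisition": current == baseline,
    }
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def demo(workdir=None) -> list:
    """Acquire, hand off, then simulate corruption; return the full log."""
    workdir = Path(workdir or tempfile.mkdtemp())
    img = workdir / "host01-mem.raw"  # constructed stand-in for a memory dump
    log = workdir / "host01-mem.custody.jsonl"
    img.write_bytes(b"\x00" * 4096 + b"constructed memory image")
    record_access(img, log, "analyst-a", "acquired")
    record_access(img, log, "analyst-b", "checked out for analysis")
    img.write_bytes(b"image altered after handoff")  # any change is detected
    record_access(img, log, "analyst-b", "checked in")
    return read_log(log)
```

Running demo() produces three entries; the last one has matches_acquisition set to false because the image changed between checkout and check-in.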

Cloud service provider

  • Increasingly a valued partner and data source in IR
  • Might have unique access to some information
  • Often key in helping establish root cause
  • Will sometimes offer IR services


Last updated 8 months ago