Online Courses
Cyber Incident Response

The role of Digital Forensics

Digital forensics usage

  • May be used in every phase of IR
  • Heavily used for investigations
  • Remember not to interfere with the overall IR process
    • Forensics resources will usually be shared

Supporting role

  • Forensics is a supporting function, not IR itself
  • The goal of forensics in IR is different from that of traditional forensics
    • The traditional primary goal was evidence preservation and admissibility
    • The primary goal of IR forensics is usually to help move from one phase to the next
      • Admissibility is a consideration, but usually not the primary one

Vitally important function

  • Needed to answer IR questions
  • Often needed to add context to discovered artifacts
  • Key component of investigative functions

Traditional forensics procedures

  • May not work
  • Could be contrary to IR goals
  • Could interfere with IR goals
    • Traditional forensics analysts need IR training to work in IR

Maintaining evidence gathered

  • Evidence should still be life-cycled
  • Still follow sound forensics procedure
  • Documentation and chains of custody can still apply
  • Refer to the overall corporate or agency security policy on evidence maintenance
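As an added illustration of the documentation and chain-of-custody points above (example code written for this page, not part of the course material): a small Python script that records the acquisition hash of an evidence item, logs each custody hand-off, refuses a transfer that would leave a gap in the chain, and verifies the evidence is unchanged. The evidence bytes, item id, handler names and source host are constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence; in practice this is a disk image, memory dump or log export.
EVIDENCE = b"constructed sample evidence: memory dump fragment\n"

def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; every later integrity check compares against this."""
    return hashlib.sha256(data).hexdigest()

def _now() -> str:
    return datetime.now(timezone.utc).isoformat()

def new_custody_log(item_id: str, data: bytes, collector: str, source: str) -> dict:
    """Open a chain-of-custody record at acquisition time."""
    return {
        "item_id": item_id,
        "source": source,  # where the evidence came from (host, share, device)
        "acquisition_hash": sha256_hex(data),
        "entries": [{"action": "acquired", "handler": collector, "timestamp": _now()}],
    }

def current_holder(log: dict) -> str:
    """Whoever received the item in the most recent entry."""
    last = log["entries"][-1]
    return last["handler"] if last["action"] == "acquired" else last["to"]

def record_transfer(log: dict, from_handler: str, to_handler: str, reason: str) -> dict:
    """Append a hand-off. The 'from' side must be the current holder; otherwise the
    chain would have a gap, so the transfer is refused rather than silently recorded."""
    if from_handler != current_holder(log):
        raise ValueError(f"custody gap: {from_handler} does not hold {log['item_id']}")
    log["entries"].append({"action": "transferred", "from": from_handler,
                           "to": to_handler, "reason": reason, "timestamp": _now()})
    return log

def verify_integrity(log: dict, data: bytes) -> bool:
    """True if the evidence still hashes to the value recorded at acquisition."""
    return sha256_hex(data) == log["acquisition_hash"]

def custody_chain(log: dict) -> list:
    """Ordered list of everyone who has held the item."""
    return [log["entries"][0]["handler"]] + [e["to"] for e in log["entries"][1:]]

if __name__ == "__main__":
    log = new_custody_log("EV-001", EVIDENCE, "analyst_a", "host-01 (constructed)")
    record_transfer(log, "analyst_a", "analyst_b", "malware triage")
    print(custody_chain(log), verify_integrity(log, EVIDENCE))
```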


Last updated 8 months ago