Final Forensic Lab
Name
University
Subject
Date , 2022
Incident Response Plan
The Incident Response Plan (IRP) documents the strategies, personnel, procedures, and resources required to respond to any incident affecting the system.
The primary assumptions about the organization that will serve as the subject of this IRP include that it:
– consists of one primary geographic location;
– has approximately 100 members;
– utilizes the standard Microsoft Office suite for most administrative functions, including Outlook and Skype for email, text, and video communications;
– utilizes a database application for some customer and company records and services;
– maintains a public web site to provide information to customers and an internal web portal used for internal collaboration and guidance to organization members;
– manages its own VoIP phone service;
– has employees that work both on site and off site, requiring secure remote access to applications, communication services, and networked storage; and
– provides each employee with an EC2 instance, with the expectation that the employee will access it from a personally owned or company-provided device.
Scope
This IRP has been developed for the company’s private intranet, which is classified as a moderate-low-low impact system for the three security objectives (moderate for confidentiality, low for integrity, and low for availability).
Roles and Responsibilities
The roles and responsibilities for various task assignments and deliverables throughout the incident response process are depicted in Table 1. The primary source utilized for Table 1 is the DCSA web site (DCSA Assessment and Authorization Process Manual, n.d.).
Table 1
Roles and Responsibilities
Role: Information System Owner/Program Manager (ISO/PM) – Incident Occurs
Responsibilities: The responsibilities of the ISO/PM when an incident occurs include but are not limited to the following:
– Providing the ISSM with updates to the Incident Response Plan, including identifying corrective actions, determining resources required, documenting milestone completion dates, and addressing any residual findings.
– Overseeing the development, maintenance, and tracking of the Incident Response Plan.
– Enforcing training requirements for individuals participating in the Incident Response Plan.
Role: System Administrator (SA)
Responsibilities: The responsibilities of the SA include but are not limited to the following:
– Taking necessary precautions to protect the C-I-A of information encountered while performing privileged duties.
– Documenting and reporting to the ISSM all system security configuration changes and detected or suspected security-related system problems that might adversely impact system security.
– Complying with the Incident Response Plan requirements.
Role: Program Security Officer (PSO)
Responsibilities: The responsibilities of the PSO include but are not limited to the following:
– Maintaining the appropriate operational security posture for a system security program.
Role: Information System Security Manager/Information System Security Officer (ISSM/ISSO)
Responsibilities: The responsibilities of the ISSM/ISSO include but are not limited to the following:
– Developing, maintaining, and overseeing the system security program and policies associated with the Incident Response Plan.
– Maintaining a working knowledge of system functions, security policies, technical security safeguards, and operational security measures.
– Monitoring all available resources that provide warnings of system vulnerabilities or ongoing attacks and reporting them as necessary.
– Ensuring audit records are collected and analyzed in accordance with the security plan.
– Monitoring system recovery processes to ensure security features and procedures are properly restored and functioning correctly.
– Ensuring proper measures are taken when a system incident or vulnerability affecting systems or information is discovered.
– Reporting all security-related incidents in accordance with the Incident Response Plan.
Definitions
Event
An event is an occurrence not yet assessed that may affect the performance of an information system and/or network. Examples of events include an unplanned system reboot, a system crash, and packet flooding within a network. Events sometimes provide indication that an incident is occurring or has occurred.
Incident
An incident is an assessed occurrence having potential or actual adverse effects on the information system. A security incident is an incident or series of incidents that violate the security policy. Security incidents include penetration of computer systems, spillages, exploitation of technical or administrative vulnerabilities, and introduction of computer viruses or other forms of malicious code.
Types of Incidents
The term “incident” encompasses the general categories of adverse events listed below.
It is important to note that these categories of incidents are not necessarily mutually exclusive.
Data Destruction and Corruption
The loss of data integrity can take many forms, including changing permissions on files so that they are writable by non-privileged users, deleting data files and/or programs, changing audit files to cover up an intrusion, changing configuration files that determine how and what data is stored, and ingesting information from other sources that may be corrupt.
Data Compromise and Data Spills
Data compromise is the exposure of information to a person not authorized to access that information either through clearance level or formal authorization. This could happen when a person accesses a system he is not authorized to access or through a data spill. Data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through the loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer generated output.
Malicious Code
Malicious code attacks include attacks by programs such as viruses, Trojan horse programs, worms, and scripts used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome in that it is typically written to masquerade its presence and, thus, is often difficult to detect. Self-replicating malicious code such as viruses and worms can replicate rapidly, thereby making containment an especially difficult problem.
Virus Attack
A virus is a variation of a Trojan horse. It is propagated via a triggering mechanism (e.g., event time) with a mission (e.g., delete files, corrupt data, send data). Often self-replicating, the malicious program segment may be stand-alone or may attach itself to an application program or other executable system component in an attempt to leave no obvious signs of its presence.
Worm Attack
A computer worm is an unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated hacking techniques. A worm spreads using communication channels between hosts. It is an independent program that replicates from machine to machine across network connections often clogging networks and computer systems.
Trojan Horse Attack
A Trojan horse is an apparently useful and innocent program containing additional hidden code that allows unauthorized Computer Network Exploitation (CNE), falsification, or destruction of data.
System Contamination
Contamination is defined as inappropriate introduction of data into a system not approved for the subject data (i.e., data of a higher classification or of an unauthorized formal category).
Privileged User Misuse
Privileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.
Security Support Structure Configuration Modification
Software, hardware and system configurations contributing to the Security Support Structure (SSS) are controlled since they are essential to maintaining the security policies of the system. Unauthorized modifications to these configurations can increase the risk to the system.
Incident Response
The company’s IRP shall follow the incident response and reporting procedures specified in the security plan. Upon learning of an incident or a data spillage, the ISSM will take immediate steps intended to minimize further damage and/or regain custody of the information, material or mitigate damage to program security.
The primary source of the incident response and reporting procedures listed below is the Cyber Security Incident Response Template available online (Cyber Security Incident Response Template, n.d.). An additional resource utilized specifically for Step 1: Preparation was the SecurityMetrics web site (6 Phases in the Incident Response Plan, n.d.).
Incident response will follow the six steps listed below.
Step 1: Preparation
One of the most important aspects of a response plan is knowing how to use it once it is in place. Knowing how to respond to an incident BEFORE it occurs can save valuable time and effort in the long run.
1. The ISO/PM will ensure employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach.
2. The ISSM/ISSO will develop incident response drill scenarios and regularly conduct mock data breaches to evaluate the incident response plan.
3. The ISO/PM and Program Security Officer will ensure that all aspects of the incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance.
Step 2: Identification
Identify whether or not an incident has occurred. If one has occurred, the response team can take the appropriate actions.
1. The ISSM/ISSO will identify and confirm that the suspected or reported incident has happened and whether malicious activity is still underway.
2. The ISSM/ISSO will determine the type, impact, and severity of the incident.
3. The System Administrator and ISSM/ISSO will take basic and prudent containment steps.
4. The System Administrator or ISSM/ISSO will inform or activate the incident response team, based on the severity of the incident.
5. The ISSM/ISSO will determine the need for Subject Matter Experts (SME) to be involved in the Containment, Eradication, and Recovery processes.
Step 3: Containment
Containment involves limiting the scope and magnitude of an incident. Because so many incidents observed currently involve malicious code, incidents can spread rapidly. This can cause massive destruction and loss of information. As soon as an incident is recognized, immediately begin working on containment.
1. The System Administrator, ISSM/ISSO, and Program Security Officer will take immediate steps to curtail any on-going malicious activity or prevent repetition of past malicious activity.
2. The System Administrator and ISSM/ISSO will re-direct public facing websites, if needed. Provide initial public relations and legal responses as required.
Step 4: Eradication
Removing the cause of the incident can be a difficult process. It can involve virus removal, conviction of perpetrators, or dismissing employees.
1. The ISSM/ISSO will provide full technical resolution of threat and related malicious activity.
2. The ISO/PM will address public relations, notification, and legal issues.
Step 5: Recovery
Restoring the system to its normal business status is essential. Once a restore has been performed, it is also important to verify that the restore operation was successful and that the system is back to its normal condition.
1. The System Administrator, ISSM/ISSO and ISO/PM will recover any business process disruptions and re-gain normal operations.
2. ISO/PM and Program Security Officer will address longer term public relations or legal issues, if required, and apply any constituent remedies.
Step 6: Follow-up
Some incidents require considerable time and effort. It is little wonder, then, that once the incident appears to be terminated there is little interest in devoting any more effort to the incident. Performing follow-up activity is, however, one of the most critical activities in the response procedure. This follow-up can support any efforts to prosecute those who have broken the law. This includes changing any company policies that may need to be narrowed down or be changed altogether.
1. The ISO/PM and Program Security Officer will formalize documentation of incident and summarize learnings.
2. The System Administrator, Program Security Officer, ISSM/ISSO, and ISO/PM will apply learnings to future preparedness.
Incident Response Training
All program personnel will receive incident response training at least annually and a record of the training will be maintained. This training can be integrated into the overall program specific annual security awareness training.
Bushell Lab Report
This lab provides the analyst with a scenario where a resident of the United Kingdom is arrested under criminal circumstances and is believed to be importing weapons illegally. The analyst is tasked with reviewing the suspect’s internet browsing data utilizing the EnCase forensic tool in accordance with the lab instructions. The EnCase forensic tool is a powerful forensic program used by digital forensics investigators to recover evidence from seized hard drives. The software assists the investigator in conducting in depth analysis of user files to collect evidence such as documents, internet history, pictures, and Windows registry information (All Answers Ltd, 2022). As part of the lab the analyst was provided an image created using the FTK Imager. FTK Imager is a data preview and imaging tool with the ability to create perfect copies or forensic images of computer data without making changes to the original evidence, generate hash reports for regular files and disk images, and mount an image for a read-only view that leverages a web browser to see the content of the image exactly as the user saw it on the original drive (FTK Imager, 2022).
The analyst begins the lab by creating a case, adding the evidence, and processing it utilizing the EnCase forensic tool. This is documented in the section below. The following sections provide the primary deliverables of this lab, which include answers to questions that relate to the evidence searched, the time zone of the image, and image search results.
Evidence Processing
Create a Case
First, utilizing the MARS environment, the analyst accessed the assigned Windows system, opened the EnCase forensics tool by clicking on the icon, and clicked on “New Case” as shown in Figure 1.
Figure 1
Analyst Opening and Selecting “New Case”
In accordance with the lab instructions and as shown in Figure 2, the analyst configured the New Case Options pop-up. The analyst selected “Basic”, entered the case name “PassportBushell”, entered the case number “20”, the examiner name “HGB”, and the description “Bushell Passport”, entered the name “Passport-Bushell”, left the secondary evidence cache blank, and unchecked “Backup every” before clicking OK.
Figure 2
New Case Options Configuration
As shown in Figure 3, the analyst successfully created a case.
Figure 3
Passport-Bushell Case Home Page
Add Evidence
As directed in the instructions and as shown in Figure 4, Figure 5, and Figure 6, the analyst selected “Add Evidence”, selected “Add Evidence File”, and then selected the “Sample1.E01” file.
Figure 4
Analyst Selection of “Add Evidence”
Figure 5
Analyst Selection of “Add Evidence File”
Figure 6
Analyst Selection of “Sample1.E01” File
Figure 7 shows the Evidence Tab with “Report” selected. The verification hash matches in this example.
Figure 7
Evidence Tab with “Report” Selected
Process the Evidence
Figure 8 shows that the analyst selected “Process Evidence” and then “Process”.
Figure 8
Analyst Selection of “Process Evidence” and then “Process”
Figure 9 shows the EnCase Processor Options window. In accordance with the instructions, the analyst left “Unprocessed Evidence Files” and “Immediately queue the evidence” selected. Further, the analyst selected prioritization, prioritizing Documents and Pictures in the pop-up box. Next the analyst selected “Recover Folders”, “File signature analysis”, “Protected file analysis”, “Thumbnail creation”, “Hash analysis”, “Expand compound files”, “Find email”, “Find Internet artifacts”, and “Index text and metadata”. When selecting “Windows Artifact Parser”, the analyst configured the Parse Options pop-up box to include Link Files, Recycle Bin Files, MFT Transactions, and ShellBags. The analyst left “File Carver” unselected in accordance with the lab instructions. Finally, the analyst entered the appropriate keywords for the “Search for keywords” option and selected the “Whole Word” option.
Figure 9
EnCase Processor Options Window
The analyst then selected “OK” and tracked the progress of processing until it completed.
Figure 10 shows that the processing completed.
Figure 10
Processing Completed
Processed Evidence Search
Below are three questions the analyst is tasked with answering regarding the processed evidence search.
Using the Hex tab in the evidence window, what are the first four hex values displayed?
As shown in Figure 11, utilizing the Hex tab, the first four hex values are 49, 4E, 44, and 58 (ASCII “INDX”).
Figure 11
First Four Hex Values
Using the Permissions tab in the evidence window, what are the unique Names listed?
Utilizing the Permissions Tab, the unique names listed are Administrators, System, Authenticated Users, Users, and Domain Users. This is shown in Figure 12.
Figure 12
Unique Names Listed Utilizing Permissions Tab
Using the Attributes tab in the evidence window, what is the Full Serial Number?
Utilizing the Attributes Tab, as shown in Figure 13, the Full Serial Number is 20D8B6BBD8B68E92.
Figure 13
Full Serial Number
Time Zone of Image
Below is one question the analyst is tasked with answering regarding the time zone of the image.
What is the time zone listed for the image?
In accordance with the lab instructions, to determine the time zone listed for the image, the analyst must reveal the system control details by first expanding “Recovered Folders”, and then “Windows”, followed by “System32” and “config”. This first step is shown in Figure 14.
Figure 14
Expanded Folders
Next the analyst must find the file “system”, highlight the file, right-click it, and choose “Entries” followed by “View File Structure”. This is shown in Figure 15.
Figure 15
Parsing the File Structure
The analyst then gets a pop-up box in which the analyst selects nothing and clicks “OK”. EnCase then completes parsing of the file structure, the file name becomes a hyperlink, and a green arrow appears next to the icon. The analyst must then click the arrow, expand ControlSet001\Control\TimeZoneInformation, and view TimeZoneKeyName to answer the question.
Figure 16 shows that by using the Text Tab, the analyst can see that the time zone is Standard Turkey Time.
Figure 16
Text Tab of TimeZoneKeyName
Image Search Results
Below are four questions the analyst is tasked with answering regarding image search results. To answer the questions below the analyst must click on the “Home” icon and then “Evidence” under the “Browse” heading. A page with evidence files is then added to the display in an explorer-style view.
What type of weapons do you immediately see when you browse the 9RD3Y03V folder?
When selecting the 9RD3Y03V folder, and selecting the Gallery Tab, the analyst immediately sees knives, pistols, and rifles, as shown in Figure 17.
Figure 17
Gallery View of 9RD3Y03V Folder
Which folder contains a Mastercard Image?
As shown in Figure 18, the folder H34XEM27 contains a Mastercard image.
Figure 18
Mastercard Image
Which folder contains a Login and Facebook image?
As shown in Figure 19, the folder NEN1MQSJ contains a Login and Facebook image.
Figure 19
Login and Facebook Image
Which folder contains at least two images of people?
As shown in Figure 20, the folder PGQ57MZE contains images of at least two people.
Figure 20
Images of At Least Two People
Keyword Search Results
The analyst is tasked with answering questions about the central themes on two topics below by viewing keyword results. To answer these questions the analyst must return to the home page and select “Keyword Hits”. The analyst can then see the number of hits found in the image and see the results returned by clicking on the items. The analyst can then navigate to the tabs to get more detail. The analyst can also utilize the transcript tab to see associated content.
Central Theme of Search for Guns
To determine the central theme of the search conducted on guns, the analyst is tasked with going to the first hit on Guns and then following the times to search[1].htm. For an unknown reason the analyst did not have any hits for “guns” in the search[1] file but did in other files. This is shown in Figure 21. The primary theme highlighted in the search is methods of preventing guns from being detected. Examples of text highlighting this theme are listed below.
· “Can,Dogs,Smell,Your,Gun, Can Dogs Smell Your Gun?”
· “how to mask firearm smell – Bing”
· “search?q=how+to+mask+firearm+smell&qb=1&FORM=AXRE”
Figure 21
Access to Search Results for Guns
Central Theme of Search for Password
The central theme of the search for “Password” is focused on the use of CCleaner. Below is a list of references from the EnCase search results. This action is shown in Figure 22.
· “CCleaner Tutorial”
· “How to Install CCleaner”
· “Using CCleaner to Clean Your Computer”
· “How to Use CCleaner”
Figure 22
Access to Search Results for Password
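The keyword hits above are mostly Bing “search?q=…” URLs, and the theme only becomes readable once the q= parameter is decoded. The following is an added example, not part of the lab or of EnCase, that decodes the search text from such URL artifacts and counts recurring terms; the sample artifacts are constructed for this example, with the first and last mirroring the Bing URL quoted above.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Query-string parameter that carries the user's search text, per engine.
# Assumption: these are the engines' well-known defaults; extend as needed.
SEARCH_PARAMS = {
    "bing.com": "q",
    "google.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.com": "p",
}

# Words that say nothing about the theme of a search.
STOPWORDS = {"how", "to", "use", "can", "your", "the", "a", "of", "my", "is"}

# Constructed sample artifacts for this example. The last one is the relative
# form in which such a URL is often carved from cache files (no scheme/host).
SAMPLE_ARTIFACTS = [
    "https://www.bing.com/search?q=how+to+mask+firearm+smell&qb=1&FORM=AXRE",
    "https://www.bing.com/search?q=can+dogs+smell+your+gun&FORM=QBLH",
    "https://www.google.com/search?q=ccleaner+tutorial&oq=ccleaner",
    "https://www.bing.com/images/search?q=how%20to%20use%20ccleaner",
    "https://www.example.com/page?id=42&q=unrelated",
    "search?q=how+to+mask+firearm+smell&qb=1&FORM=AXRE",
]


def engine_for(host: str):
    """Map a hostname (or one of its subdomains) to a known engine, else None."""
    host = host.lower()
    for engine in SEARCH_PARAMS:
        if host == engine or host.endswith("." + engine):
            return engine
    return None


def extract_query(url: str):
    """Return (engine, decoded search text) for a search URL, or None.

    A relative URL (no host) is accepted as engine "unknown" because carved
    artifacts frequently lose their scheme and host. A q= parameter on a
    site that is not a known search engine is ignored.
    """
    parts = urlsplit(url)
    engine = engine_for(parts.netloc)
    if engine is None and parts.netloc:
        return None
    param = SEARCH_PARAMS.get(engine, "q")
    # parse_qs decodes both '+' and %20 to spaces, as in the URLs above.
    values = parse_qs(parts.query).get(param)
    if not values or not values[0].strip():
        return None
    return (engine or "unknown", values[0].strip())


def summarize(artifacts):
    """Decode every artifact; return the queries found and a term frequency count.

    The term counter is what exposes a central theme quickly: terms such as
    'smell' or 'ccleaner' recurring across hits.
    """
    queries = []
    terms = Counter()
    for url in artifacts:
        hit = extract_query(url)
        if hit is None:
            continue
        queries.append(hit)
        terms.update(w for w in hit[1].lower().split() if w not in STOPWORDS)
    return queries, terms


if __name__ == "__main__":
    found, counts = summarize(SAMPLE_ARTIFACTS)
    for engine, text in found:
        print(f"{engine:12s} {text}")
    print(counts.most_common(5))
```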
Bushell Lab Conclusion
This lab demonstrated the basic capabilities of the EnCase software and provided an overview of how it can be utilized by forensics investigators.
Data Hiding and Recovery Lab
This lab provides the analyst with an opportunity to examine techniques for hiding data on a Windows computer. The first section of this lab tasks the analyst with hiding data in two images utilizing the OpenStego program, and then extracting the data with the same program. OpenStego is a free steganography solution providing two main functionalities: data hiding within a cover file and watermarking files with an invisible signature (OpenStego, n.d.). The second section of this lab tasks the analyst with utilizing the HxD program and the https://www.javainuse.com/aesgenerator site to create an encrypted secret message. The analyst must then extract the message and discuss the methods used. The HxD program is a carefully designed, fast hex editor that, in addition to raw disk editing and modifying main memory (RAM), handles files of any size. Additional features include searching and replacing, exporting checksums and digests, insertion of byte patterns, a file shredder, concatenation, and statistics (Hörz, n.d.). The https://www.javainuse.com/aesgenerator web site contains an online AES encryption and decryption tool. As described by the web site, “The AES engine requires a plain-text and a secret key for encryption and same secret key is used again to decrypt it.” (Online AES Encryption and Decryption Tool | JavaInUse, n.d.).
OpenStego
For this section of the lab the analyst is tasked with uploading two images into the MARS environment and uploading or creating two text files, named Message1.txt and Message2.txt, each containing a message. Message1.txt includes the text, “I’m feeling tacos tonight. Meet me at Taco Bell at 7 PM.” Message2.txt contains the message, “Meet me at the Eagle’s concert tomorrow night.” As shown in Figure 23, the analyst uploaded two images and created the two text files.
Figure 23
Two JPG Files and Two Text Files
As shown in Figure 24, the analyst then clicked on the OpenStego icon to bring up the OpenStego program, uploaded the Message1.txt file, uploaded the FAEFB35.jpg file, selected the output file, designated the encryption algorithm as AES128, provided a password, ensured that “Hide Data” was selected on the left, and clicked “Hide Data” to proceed. The analyst then received a success message as shown in Figure 25.
Figure 24
Message1.txt and FAEFB35.jpg File Selection
Figure 25
OpenStego Success Message
As shown in Figure 26, the analyst clicked on the OpenStego icon to bring up the OpenStego program, uploaded the Message2.txt file, uploaded the IMG_3149.jpg file, selected the output file, designated the encryption algorithm as AES128, provided a password, ensured that “Hide Data” was selected on the left, and clicked on “Hide Data” to proceed. The analyst then received a success message as shown in Figure 27.
Figure 26
Message2.txt and IMG_3149.jpg File Selection
Figure 27
OpenStego Success Message
Figure 28 and Figure 29 compare the original jpg files with the bmp files created by OpenStego containing the encrypted message. The original FAEFB35.jpg file is 2,322 KB in size. The TacoTonight.bmp file is 35,722 KB in size and has been rotated 90 degrees to the left. The file does not appear to have lost any quality and utilizes more pixels. The original IMG_3149.jpg file is 2,133 KB in size. The EaglesConcert.bmp file is also 35,722 KB in size and has been rotated 90 degrees to the left. It likewise does not appear to have lost any quality and uses more pixels.
Figure 28
Comparison FAEFB35.jpg and TacoTonight.bmp
Figure 29
Comparison of IMG_3149.jpg and EaglesConcert.bmp
The analyst is then tasked with extracting the message using OpenStego. As shown in Figure 30 and Figure 31, for both pictures with hidden messages the analyst opened OpenStego, selected the “Extract Data” option on the left, entered the name of the OpenStego file created in the previous step, entered the previously created password, provided an output folder, and pressed “Extract Data”.
Figure 30
Extract Hidden Data from TacoTonight.bmp
Figure 31
Extract Hidden Data from EaglesConcert.bmp
Figure 32 and Figure 33 demonstrate that OpenStego successfully extracted both hidden messages and created the files Message1.txt and Message2.txt in the correct directory.
Figure 32
Message1.txt
Figure 33
Message2.txt
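The hide and extract steps above, and the jump from a 2 MB jpg to a 35 MB bmp, both follow from the least-significant-bit embedding that OpenStego’s data-hiding plugin performs: every colour byte carries one payload bit, so the output must be a lossless format, since lossy re-encoding would discard those bits. The following is an added example written for this report, not OpenStego’s own code; it embeds Message1.txt (used here as constructed test input, without OpenStego’s AES128 layer) in a constructed RGB buffer, extracts it, and shows what a simulated lossy re-encode does to the hidden data.

```python
import struct

# Message1.txt from the lab, used here as the payload (constructed test input).
MESSAGE1 = b"I'm feeling tacos tonight. Meet me at Taco Bell at 7 PM."

HEADER_LEN = 4  # big-endian payload length, in bytes, stored ahead of the message


def capacity_bytes(pixel_buf: bytes) -> int:
    """Payload capacity: one bit per colour byte, minus the length header."""
    return len(pixel_buf) // 8 - HEADER_LEN


def hide(pixel_buf: bytes, message: bytes) -> bytearray:
    """Write length header + message into the LSB of successive pixel bytes."""
    if len(message) > capacity_bytes(pixel_buf):
        raise ValueError("message exceeds cover capacity")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(pixel_buf)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):          # MSB of each payload byte first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return out


def _read_bytes(buf: bytes, start: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of buf, starting at byte offset start."""
    vals = bytearray()
    idx = start
    for _ in range(count):
        b = 0
        for _ in range(8):
            b = (b << 1) | (buf[idx] & 1)
            idx += 1
        vals.append(b)
    return bytes(vals)


def extract(stego_buf: bytes) -> bytes:
    """Read the length header, then that many payload bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego_buf, 0, HEADER_LEN))
    if length > capacity_bytes(stego_buf):
        raise ValueError("no valid payload header (not a stego buffer?)")
    return _read_bytes(stego_buf, HEADER_LEN * 8, length)


def make_cover(width: int, height: int, seed: int = 7) -> bytes:
    """Constructed cover: deterministic pseudo-random RGB bytes, not a real photo."""
    buf = bytearray(width * height * 3)
    x = seed
    for i in range(len(buf)):
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF   # LCG as a stand-in for pixels
        buf[i] = (x >> 16) & 0xFF
    return bytes(buf)


def simulate_lossy(buf: bytes) -> bytes:
    """Crude stand-in for lossy (JPEG-style) re-encoding: quantize every byte
    to a multiple of 4, which discards the low bits and with them the payload."""
    return bytes((b // 4) * 4 for b in buf)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference introduced by embedding (at most 1 for LSB),
    which is why the stego image shows no visible loss of quality."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(64, 64)
    stego = hide(cover, MESSAGE1)
    print("capacity (bytes):", capacity_bytes(cover))
    print("recovered:", extract(stego))
    print("max byte change:", max_pixel_change(cover, stego))
    print("after lossy re-encode:", extract(simulate_lossy(stego)))
```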
HxD
In this section, the analyst is directed to use the https://www.javainuse.com/aesgenerator web site to encrypt a message utilizing AES, setting up a secret key and initialization vector, and to use the HxD hex editor to modify the HiddenTxtPlay file, embedding the secret message. The analyst starts by utilizing the https://www.javainuse.com/aesgenerator web site to encrypt the message “!!!Meet me at the Cofee Shop!!!”, as shown in Figure 34 and Figure 35.
The encrypted output as shown in Figure 35 is
IO9P0BonqylBABHRAFn