31 Aug The Incident Response Plan (IRP) documents the strategies, personnel, procedures, and resources required to respond to any incident affecting the system. The primary assumptions abou

1

1

1

Final Forensic Lab

Name

University

Subject

Date , 2022

Incident Response Plan

The Incident Response Plan (IRP) documents the strategies, personnel, procedures, and resources required to respond to any incident affecting the system.

The primary assumptions about the organization that will serve as the subject of this IRP include that it consists of one primary geographic location, has approximately 100 members, utilizes the standard Microsoft office suite for most administrative functions to include Outlook and Skype for email, text, and video communications, utilizes a database application for some customer and company records and services, maintains a public web site to provide information to customers and an internal web portal used for internal collaboration and guidance to organization members, manages its own VOIP phone service, has employees that work both on site and off site requiring secure remote access to applications, communication services, and networked storage and each employee will be provided with an EC2 instance with the expectation that the employee will access it from a personally owned or company provided device.

Scope

This IRP has been developed for the company’s private intranet which is classified as a moderate-low-low impact system for the three security objectives: confidentiality, integrity, and availability.

Roles and Responsibilities

The roles and responsibilities for various task assignments and deliverables throughout the incident response process are depicted in Table 1. The primary source utilized for Table 1 is the DCSA web site (DCSA Assessment and Authorization Process Manual, n.d.).

Table 1

Roles and Responsibilities

Roles	Responsibilities
Information System Owner/Program Manager (ISO/PM) – Incident Occurs	The responsibilities of the ISO/PM when an incident occurs are listed but not limited to the following: – Providing the ISSM with updates to the Incident Response Plan, including identifying correction actions, determining resources required, documenting milestone completion dates, and addressing any residual findings. – Overseeing the development, maintenance, and tracking of the Incident Response Plan. – Enforcing training requirements for individuals participating in the Incident Response Plan.
System Administrator	The responsibilities of the SA are listed but not limited to the following: · Taking necessary precautions to protect the C-I-A of information encountered while performing privileged duties. · Documenting and reporting to the ISSM all system security configuration changes and detected or suspected security-related system problems that might adversely impact system security. · Comply with the Incident Response Plan requirements.
Program Security Officer	The responsibilities of the PSO are listed but not limited to the following: – Maintains the appropriate operational security posture for a system security program.
Information System Security Manager/Information System Security Officer (ISSM/ISSO)	The responsibilities of the ISSM/ISSO are listed but not limited to the following: · Developing, maintaining, and overseeing the system security program and policies associated with the Incident Response Plan. · Maintaining a working knowledge of system functions, security policies, technical security safeguards, and operational security measures. · Monitoring all available resources that provide warnings of system vulnerabilities or ongoing attacks and reporting them as necessary. · Ensuring audit records are collected and analyzed in accordance with the security plan.
Roles	Responsibilities
	· Monitoring system recovery processes to ensure security features and procedures are properly restored and functioning correctly. · Ensuring proper measures are taken when a system incident or vulnerability affecting systems or information is discovered. · Reporting all security-related incidents in accordance with the Incident Response Plan.

Definitions

Event

An event is an occurrence not yet assessed that may affect the performance of an information system and/or network. Examples of events include an unplanned system reboot, a system crash, and packet flooding within a network. Events sometimes provide indication that an incident is occurring or has occurred.

Incident

An incident is an assessed occurrence having potential or actual adverse effects on the information system. A security incident is an incident or series of incidents that violate the security policy. Security incidents include penetration of computer systems, spillages, exploitation of technical or administrative vulnerabilities, and introduction of computer viruses or other forms of malicious code.

Types of Incidents

The term “incident” encompasses the general categories of adverse events listed below.

It is important to note that these categories of incidents are not necessarily mutually exclusive.

Data Destruction and Corruption

The loss of data integrity can take many forms including changing

permissions on files so that they are writable by non-privileged users, deleting data files and or programs, changing audit files to cover-up an intrusion, changing configuration files that determine how and what data is stored and ingesting information from other sources that may be corrupt.

Data Compromise and Data Spills

Data compromise is the exposure of information to a person not authorized to access that information either through clearance level or formal authorization. This could happen when a person accesses a system he is not authorized to access or through a data spill. Data spill is the release of information to another system or person not authorized to access that information, even though the person is authorized to access the system on which the data was released. This can occur through the loss of control, improper storage, improper classification, or improper escorting of media, computer equipment (with memory), and computer generated output.

Malicious Code

Malicious code attacks include attacks by programs such as viruses, Trojan horse programs, worms, and scripts used by crackers/hackers to gain privileges, capture passwords, and/or modify audit logs to exclude unauthorized activity. Malicious code is particularly troublesome in that it is typically written to masquerade its presence and, thus, is often difficult to detect. Self-replicating malicious code such as viruses and worms can replicate rapidly, thereby making containment an especially difficult problem.

Virus Attack

A virus is a variation of a Trojan horse. It is propagated via a triggering mechanism (e.g.,

event time) with a mission (e.g., delete files, corrupt data, send data). Often self-replicating, the malicious program segment may be stand-alone or may attach itself to an application program or other executable system component in an attempt to leave no obvious signs of its presence.

Worm Attack

A computer worm is an unwanted, self-replicating autonomous process (or set of processes) that penetrates computers using automated hacking techniques. A worm spreads using communication channels between hosts. It is an independent program that replicates from machine to machine across network connections often clogging networks and computer systems.

Trojan Horse Attack

A Trojan horse is a useful and innocent program containing additional hidden code that allows unauthorized Computer Network Exploitation (CNE), falsification, or destruction of data.

System Contamination

Contamination is defined as inappropriate introduction of data into a system not approved for the subject data (i.e., data of a higher classification or of an unauthorized formal category).

Privileged User Misuse

Privileged user misuse occurs when a trusted user or operator attempts to damage the system or compromise the information it contains.

Security Support Structure Configuration Modification

Software, hardware and system configurations contributing to the Security Support Structure (SSS) are controlled since they are essential to maintaining the security policies of the system. Unauthorized modifications to these configurations can increase the risk to the system.

Incident Response

The company’s IRP shall follow the incident response and reporting procedures specified in the security plan. Upon learning of an incident or a data spillage, the ISSM will take immediate steps intended to minimize further damage and/or regain custody of the information, material or mitigate damage to program security.

The primary source of the incident response and reporting procedures listed below is the

Cyber Security Incident Response Template available online (Cyber Security Incident Response Template, n.d.). An additional resourced utilized specifically for Step 1: Preparation included the SecurityMetrics web site (6 Phases in the Incident Response Plan, n.d.).

Incident response will follow the six steps listed below.

Step 1: Preparation

One of the most important facilities to a response plan is to know how to use it once it is in place. Knowing how to respond to an incident BEFORE it occurs can save valuable time and effort in the long run.

1. The ISO/PM will ensure employees are properly trained regarding their incident response roles and responsibilities in the event of data breach

2. The ISSM/ISSO will develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan.

3. The ISO/PM and Program Security Officer will ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance

Step 2: Identification

Identify whether or not an incident has occurred. If one has occurred, the response team can take the appropriate actions.

1. The ISSM/ISSO will identify and confirm that the suspected or reported incident has happened and whether malicious activity is still underway.

2. The ISSM/ISSO will determine the type, impact, and severity of the incident.

3. The System Administrator and ISSM/ISSO will take basic and prudent containment steps.

4. The System Administrator or ISSM/ISSO will inform or activate the incident response team, based on the severity of the incident.

5. The ISSM/ISSO will determine the need for Subject Matter Experts (SME) to be involved in the Containment, Eradication, and Recovery processes.

Step 3: Containment

Containment involves limiting the scope and magnitude of an incident. Because so many incidents observed currently involve malicious code, incidents can spread rapidly. This can cause massive destruction and loss of information. As soon as an incident is recognized, immediately begin working on containment.

1. The System Administrator, ISSM/ISSO, and Program Security Officer will take immediate steps to curtail any on-going malicious activity or prevent repetition of past malicious activity.

2. The System Administrator and ISSM/ISSO will re-direct public facing websites, if needed. Provide initial public relations and legal responses as required.

Step 4: Eradication

Removing the cause of the incident can be a difficult process. It can involve virus removal, conviction of perpetrators, or dismissing employees.

1. The ISSM/ISSO will provide full technical resolution of threat and related malicious activity.

2. The ISO/PM will address public relations, notification, and legal issues.

Step 5: Recovery

Restoring the system to its normal business status is essential. Once a restore has been performed, it is also important to verify that the restore operation was successful and that the system is back to its normal condition.

1. The System Administrator, ISSM/ISSO and ISO/PM will recover any business process disruptions and re-gain normal operations.

2. ISO/PM and Program Security Officer will address longer term public relations or legal issues, if required, and apply any constituent remedies.

Step 6: Follow-up

Some incidents require considerable time and effort. It is little wonder, then, that once

the incident appears to be terminated there is little interest in devoting any more effort to the incident. Performing follow-up activity is, however, one of the most critical activities in the response procedure. This follow-up can support any efforts to prosecute those who have broken the law. This includes changing any company policies that may need to be narrowed down or be changed altogether.

1. The ISO/PM and Program Security Officer will formalize documentation of incident and summarize learnings.

2. The System Administrator, Program Security Officer, ISSM/ISSO, and ISO/PM will apply learnings to future preparedness.

Incident Response Training

All program personnel will receive incident response training at least annually and a record of the training will be maintained. This training can be integrated into the overall program specific annual security awareness training.

Bushell Lab Report

This lab provides the analyst with a scenario where a resident of the United Kingdom is arrested under criminal circumstances and is believed to be importing weapons illegally. The analyst is tasked with reviewing the suspect’s internet browsing data utilizing the EnCase forensic tool in accordance with the lab instructions. The EnCase forensic tool is a powerful forensic program used by digital forensics investigators to recover evidence from seized hard drives. The software assists the investigator in conducting in depth analysis of user files to collect evidence such as documents, internet history, pictures, and Windows registry information (All Answers Ltd, 2022). As part of the lab the analyst was provided an image created using the FTK Imager. FTK Imager is a data preview and imaging tool with the ability to create perfect copies or forensic images of computer data without making changes to the original evidence, generate hash reports for regular files and disk images, and mount an image for a read-only view that leverages a web browser to see the content of the image exactly as the user saw it on the original drive (FTK Imager, 2022).

The analyst begins the lab by creating a case, adding the evidence, and processing it utilizing the EnCase forensic tool. This is documented in the section below. The following sections provide the primary deliverables of this which lab include answers to questions that relate to the evidence searched, the time zone of the image, and image search results.

Evidence Processing

Create a Case

First, utilizing the MARS environment, the analyst accessed the assigned Windows, opened the EnCase forensics tool by clicking on the icon, and clicked on “New Case” as shown in Figure 1.

Figure 1

Analyst Opening and Selecting “New Case”

In accordance with the lab instructions and as shown in Figure 2, the analyst configured the New Case Options pop-up. The analyst selected “Basic”, entering the case name “PassportBushell”, entered the case number “20”, the examiner name “HGB”, the description “Bushell Passport”, entered the name “Passport-Bushell”, left the secondary evidence cache blank, and unchecked the “Backup every” before hitting OK.

Figure 2

New Case Options Configuration

As shown in Figure 3, the analyst successfully created a case.

Figure 3

Passport-Bushell Case Home Page

Add Evidence

As directed in the instructions and as shown in Figure 4, Figure 5, and Figure 6 the analyst selected “Add Evidence”, selected “Add Evidence File”, and then selected the

“Sample1.E01” file.

Figure 4

Analyst Selection of “Add Evidence”

Figure 5

Analyst Selection of “Add Evidence File”

Figure 6

Analyst Selection of “Sample1.E01” File

Figure 7 shows the Evidence Tab with “Report” selected. The verification hash matches in this example.

Figure 7

Evidence Tab with “Report” Selected

Process the Evidence

Figure 8 shows that the analyst selected “Process Evidence” and then “Process”.

Figure 8

Analyst Selection of “Process Evidence and then “Process”

Figure 9 shows the EnCase Processor Options window. In accordance with the instructions, the analyst left “Unprocessed Evidence Files”, and “Immediately queue the evidence” selected. Further, the analyst made sure that prioritization was selected prioritizing Documents and Pictures in the pop-up box. Next the analyst selected “Recover Folders”, “File signature analysis”, “Protected file analysis”, “Thumbnail creation”, “Hash analysis”, “Expand compound files”, “Find email”, “Find Internet artifacts”, and “Index test and metadata”. The analyst, when selecting “Windows Artifact Parser” configured the pop-up box Parse Options to include Link Files, Recycle Bin Files, MFT Transitions, and ShellBags. The analyst left “File Carver” unselected in accordance with the lab instructions. Finally, the analyst entered the appropriate keywords for the “Search for keywords” option and selected the “Whole Word” option.

Figure 9

EnCase Processor Options Window

The analyst then selected “OK” and tracked the progress of processing until it completed.

Figure 10 shows that the processing completed.

Figure 10

Processing Completed

Processed Evidence Search

Below are three questions the analyst is tasked with answering in regards to a processes evidence search.

Using the Hex tab in the evidence window, what are the first four hex values displayed?

As shown in Figure 11, utilizing the Hex tab, the first four hex values are 49, 4E, 44, and

58.

Figure 11

First Four Hex Values

Using the Permissions tab in the evidence window, what are the unique Names listed?

Utilizing the Permissions Tab, the unique names listed are Administrators, System,

Authenticated Users, Users, and Domain Users. This is shown in Figure 12.

Figure 12

Unique Names Listed Utilizing Permissions Tab

Using the Attributes tab in the evidence window, what is the Full Serial Number?

Utilizing the Attributes Tab, as shown in Figure 13, the Full Serial Number is

20D8B6BBD8B68E92.

Figure 13

Full Serial Number

Time Zone of Image

Below is one question the analyst is tasked with answering in regards to the time zone of the image.

What is the time zone listed for the image?

In accordance with the lab instructions, to determine the time zone listed for the image, the analyst must reveal the system control details by first expanding “Recovered Folders”, and then “Windows”, followed by “System32” and “config”. This first step is shown in Figure 14.

Figure 14

Expanded Folders

Next the analyst must find the file “system”, highlight the file, right-click it, and chose

“Entries” followed by “View File Structure”. This is shown in Figure 15.

Figure 15

Parsing the File Structure

The analyst then gets a pop-up box where the analyst must not select anything and select “OK”. EnCase will then complete parsing of the file structure and the file name becomes a hyperlink causing a green arrow to appear next to the icon. The analyst then must click the arrow and expand the ControlSet001TimeZoneInformation and view TimeZoneKeyName to answer the question.

Figure 16 shows that by using the Text Tab, the analyst can see that the time zone is

Standard Turkey Time.

Figure 16

Text Tab of TimeZoneKeyName

Image Search Results

Below are four questions the analyst is tasked with answering regarding image search results. To answer the questions below the analyst must click on the “Home” icon and then “Evidence under the “Browse” heading. A page with evidence files is then added to the display in an explorer style view.

What type of weapons do you immediately see when you browse the 9RD3Y03V folder?

When selecting the 9RD3Y03V folder, and selecting the Gallery Tab, the analyst immediately sees knives, pistols, and rifles, as shown in Figure 17.

Figure 17

Gallery View of 9RD3Y03V Folder

Which folder contains a Mastercard Image?

As shown in Figure 18, the folder H34XEM27 contains a Mastercard image.

Figure 18

Mastercard Image

Which folder contains a Login and Facebook image?

As shown in Figure 19, the folder NEN1MQSJ contains a Login and Facebook image.

Figure 19

Login and Facebook Image

Which folder contains at least two images of people?

As shown in Figure 20, the folder PGQ57MZE contains images of at least two people.

Figure 20

Imag

es of At Least Two People

Keyword Search Results

The analyst is tasked with answering questions about the central themes on two topics below by viewing keyword results. To answer these questions the analyst must return to the home page and select “Keyword Hits”. The analyst can then see the number of hits found in the image and see the results returned by clicking on the items. The analyst can then navigate to the tabs to get more detail. The analyst can also utilize the transcript tab to see associated content.

Central Theme of Search for Guns

To determine the central theme of a search conducted on guns, the analyst is tasked to go to the first hit on Guns and then follow the times to search[1].htm. For an unknown reason the analyst did not have any hits for “guns” in the search[1] file but did in other files. This is shown in Figure 21. The primary theme highlighted in the search are methods of preventing guns from being detected. Examples of text highlighting this theme is listed below.

· “Can,Dogs,Smell,Your,Gun, Can Dogs Smell Your Gun?”

· “how to mask firearm smell – Bing”

· “search?q=how+to+mask+firearm+smell&qb=1&FORM=AXRE”

Figure 21

Access to Search Results for Guns

Central Theme of Search for Password

The central theme of search for “Password” is focused on the use of CCleaner. Below is a list of references from the EnCase search results. This action is shown in Figure 22.

· “CCleaner Tutorial”

· “How to Install CCleaner”

· “Using CCleaner to Clean Your Computer”

· “How to Use CCleaner”

Figure 22

Access to Search Results for Password

Bushell Lab Conclusion

This lab demonstrated the basic capabilities of the EnCase software and provided an overview of how it can be utilized by forensics investigators.

Data Hiding and Recovery Lab

This lab provides the analyst with an opportunity to examine techniques for hiding data on a windows computer. The first section of this lab tasks the analyst with hiding data in two images utilizing the OpenStego program, and then extracting the data with the same program. OpenStego is a free steganography solution providing two main functionalities that include data hiding within a cover file and watermarking files with an invisible signature (OpenStego, n.d.). The second section of this lab tasks the analyst with utilizing the HxD program and the https://www.javainuse.com/aesgenerator site to create an encrypted secret message. The analyst must then extract the message and discuss the methods used. The HxD program is a fast hex editor that is carefully designed, is a fast hex editor, and can handle raw disk editing and modifying of main memory (RAM) for files of any size. Additional features include searching and replacing, exporting checksums and digests, insertion of byte patterns, a file shredder, concatenation, and statistics (Hörz, n.d.). The https://www.javainuse.com/aesgenerator web site contains an online AES encryption and decryption tool. As described by the web site, “The AES engine requires a plain-text and a secret key for encryption and same secret key is used again to decrypt it.” (Online AES Encryption and Decryption Tool | JavaInUse, n.d.).

OpenStego

For this section of the lab the analyst is tasked with uploading two images into the MARS environment, uploading or creating two text files with a message named Message1.txt and Message2.txt. Message1.txt includes the text, “I’m feeling tacos tonight. Meet me at Taco Bell at 7 PM.” Message2.txt contains the message, “Meet me at the Eagle’s concert tomorrow night.” As shown in Figure 23. The analyst uploaded two images and created the two text files.

Figure 23

Two JPG Files and Two Text Files

As shown in Figure 24, the analyst then clicked on the OpenStego icon to bring up the OpenStego program, uploaded the Message1.txt file, uploaded the FAEFBE35.jpg file, selected the output file, designated the encryption algorithm as AES128, provided a password, ensured that “Hide Data” was selected on the left, and clicked “Hide Data” to proceed. The analyst then received as success message as shown in Figure 25.

Figure 24

Message1.txt and FAEFB35.jpg File Selection

Figure

25

OpenStego Success Message

As shown in Figure 26, the analyst clicked on the OpenStego icon to bring up the OpenStego program, uploaded the Message2.txt file, uploaded the IMG_3149.jpg file, selected the output file, designated the encryption algorithm as AES128, provided a password, ensured that “Hide Data” was selected on the left, and clicked on “Hide Data” to proceed. The analyst then received a success message as shown in Figure 27.

Figure 26

Message2.txt and IMG_3149.jpg File Selection

Figure

27

OpenStego Success Message

Figure 28 and Figure 29 compare both jpg files and bmp files created by OpenStego with the encrypted message. The original FAEFB3,jpg file is 2,322 KB in size. The

TacoTonight.bmp file is 35,722 KB in size and has been shifted 90 degrees to the left. The file also does not appear to have lost any quality and utilizes more pixels. The original

IMG_3149.jpg file is 2,133 KB in size. The EaglesConcert.bmp file is also 35,722 KB in size and has been shifted 90 degrees to the left. The does not appear to have last any quality and useds more pixels also.

Figure 28

Comparison FAEFB35.jpg and TacoTonight.bmp

Figure 29

Comparison of IMG_3149.jpg and EaglesConcert.bmp

The analyst is then tasked with extracting the message using OpenStego. As shown in Figure 30 and Figure 31, for both pictures with hidden messages the analyst opened OpenStego, selected the “Extract Data” option on the left, entered the name of the OpenStego file created in the previous step, entered the previously created password, provided an output folder, and pressed “Extract Data”.

Figure 30

Extract Hidden Data fromTacoTonight.bmp

Figure

31

Extract Hidden Data from EaglesConcert.bmp

Figure 32 and Figure 33 demonstrate that OpenStego successfully extracted both hidden messages and created the files Message1.txt and Message2.txt in the correct directory.

Figure 32

Message1.txt

Figure 33

Message2.txt

HxD

In this section, the analyst is directed to use the https://www.javainuse.com/aesgenerator web site to encrypt a message utilizing AES, setting up a secret key and initialization vector, and use the HxD hex editor to modify the HiddenTxtPlay file, embedding a secret message. First the analyst starts by utilizing the https://www.javainuse.com/aesgenerator web site to encrypt the message, “!!!Meet me at the Cofee Shop!!!”, as shown in Figure 34 and Figure 35.

The encrypted output as shown in Figure 35 is

IO9P0BonqylBABHRAFn