Network Forensics

CFIAR 20021115II01A Confidential: Business Use Only


[Class Number] [Date]

Forensic Analysis Investigative Report

Incident Report Number

YYYYMMDD-I-# [Year, Month, Day, Incident Number]

Report Name


Location Category

[internal, external, internet, extranet, etc.]

Reported Incident Date

Table of Contents

Executive Summary
1.0 Initial Incident Discovery
1.1 Summary
1.2 Action Items
1.3 Description of system(s) in question
1.4 Identified Computer System(s)
1.5 Security Mechanisms
1.6 Initial Forensic Discovery
1.7 Initial Corrective Action
1.8 Participants
1.9 Additional Information
2.0 Forensic Process
2.1 Tools
2.2 Logs
2.3 Methods
3.0 Results and Findings
3.1 Summary
3.2 Corrective Actions
3.3 Lessons Learned
4.0 Appendix
4.1 Attachment 1
4.2 Attachment 2

Executive Summary
[Provide a high-level overview of what occurred. Include potential impacts on the organization, side effects that may have occurred, remediation actions, and your recommendations for the next step. This is meant to be read by executives, so this is not the area to dive into technical jargon or specific technical details of the event. Keep it at a high overview level.]

1.0 Initial Incident Discovery
1.1 Summary
[Use this area to summarize the initial discovery process to include artifacts discovered. This is a summary area, so be sure to provide the supporting evidence items in the sections below.]
1.2 Action Items
[Use this section to create a list of items that will be performed for this incident response effort. This list might change as you are going through your process. Do not simply delete an entry: Explain why it was initially listed but not used, or why it was added later in the process.]
1.3 Description of system(s) in question
[Describe the functions that the victim system(s) provide for the network. Use a network diagram to indicate the location of the system(s) and which components these systems may have access to (trusted or mapped shares).]
1.4 Identified Computer System(s)
[List the systems in full technical detail. Include items such as versions, service packs if applicable, and installed software.]
1.5 Security Mechanisms
[Describe the security mechanisms that are in place, such as firewalls, intrusion detection/prevention systems, and antivirus software.]
1.6 Initial Forensic Discovery
[While conducting the initial discovery phase, what artifacts were discovered? These may include port scans, modified systems files, anomalous network traffic, and other relevant elements.]
1.7 Initial Corrective Action
[Determine what the initial corrective action is going to be prior to starting the investigation: removing the system from the network, moving applications to another system, establishing a sandbox environment, and so on.]
1.8 Participants

Name | Extension | Title

1.9 Additional Information
[Use this area to expand and provide additional details not covered in the basic framework above.]

2.0 Forensic Process
[List the steps used to perform this investigation. The section will vary according to the type of investigation. Add or delete sections as needed. Remember to update the table of contents each time changes are made.]
2.1 Tools
[List all tools that were used to conduct this investigation. Include make, model, version number, and other specifics.]
2.2 Logs
[This section should include any relevant logs or proof that the system was compromised. It may contain application log entries, system log entries, and others. Ensure that you correlate the log entry to an artifact of evidence.]
2.3 Methods
[Were any particular parameters or options used for specific tools? Record the hash value of every evidence item in this section as well: at minimum the MD5 hash supplied with the case material, and preferably a SHA-256 hash alongside it, since MD5 collisions are cheap to produce and the MD5 alone no longer proves that two files prepared by an adversary are distinct.]
3.0 Results and Findings
3.1 Summary
[This is where you will conduct your analysis and correlation, tie it all together, and—based on forensic evidence—explain what took place.]
3.2 Corrective Actions
[What do you recommend to correct the problem? This should be an extended version of what you have in the Executive Summary.]
3.3 Lessons Learned
[What can be learned from this analysis so that it doesn’t happen again? How can this information be used to protect other systems in the future?]
4.0 Appendix
4.1 Attachment 1
[Use this area to attach items such as screenshots, relevant output from a tool or utility, or reports generated from other programs. If you attach something as an appendix in this section, it must be referenced in the document, with an explanation of its relevance.]
4.2 Attachment 2
Created by: [Name]

Template adapted from Steve J. Scott, superhac.com. Retrieved January 2014 from http://superhac.com/wp-content/uploads/2008/01/cfiar

Final Lab Project Instructions

The lab requires you to finalize the report based on the material provided in week 7.

You must have an executive summary that provides an overview of what happened and describes recommended courses of action.

Answer all the components required in the report template. Include supporting documents—such as screenshots, malware analysis, or reports generated by tools you have used—as appendices to the report. If you include an appendix item, it must be referenced somewhere in your report.

Do not provide a data dump and expect your instructor to parse your results. Provide a clear, concise report of findings supported by tool usage and, most important, your analysis of the events and how they will affect—or already have affected—the organization.

Submission requirements

· Font: Calibri

· 12-point

· Double-spaced

Introduction

Understanding the impact on the organization is a key trait for a forensic analyst. Digital forensics is not just data dumping; it’s the analysis piece that is crucial to the discovery of second- and third-order effects within the organization’s network.

Week 7 is the beginning of the hands-on practical application portion of your final exam, which continues in week 8. Given a variety of evidence and indicators, you must analyze the intrusion that took place and derive a mitigation strategy from it. Download the case material as indicated by your instructor, and verify each evidence file against the MD5 hash file supplied with it before you begin any analysis. This is the point at which all the pieces and components come together: processing the evidence, generating a report, and recommending mitigation strategies.
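Section 2.3 of the report template asks for the hash of every evidence item, and the paragraph above tells you to check the case material against its MD5 hash file. The script below is an added example, not part of the course material or the template, showing what that check looks like: it streams each file through hashlib, compares the digest with an md5sum-style manifest ("<hexdigest>  <filename>"), and reports OK, MISMATCH or MISSING per item. The evidence files, the manifest, and the tampering that happens after the manifest was written are all constructed inside the script so it runs offline; the file names and the manifest format are assumptions.

```python
"""Verify forensic evidence files against a hash manifest (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image need not fit in RAM


def hash_file(path, algorithm="md5"):
    """Return the hex digest of a file, streaming it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines ("<hex>  <name>") into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries


def verify_evidence(evidence_dir, manifest_text, algorithm="md5"):
    """Compare every manifest entry with the file on disk.

    Returns {name: status} where status is "OK", "MISMATCH" or "MISSING".
    """
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hash_file(path, algorithm) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def build_sample_case():
    """Constructed sample (assumed names): two evidence files plus a manifest
    that also lists a file never delivered; the pcap is altered after hashing."""
    d = tempfile.mkdtemp(prefix="evidence_")
    files = {"memory.raw": b"\x00" * 4096, "capture.pcap": b"\xd4\xc3\xb2\xa1pcap"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hash_file(os.path.join(d, n))}  {n}" for n in files)
    manifest += "\n" + "0" * 32 + "  missing.e01\n"
    # Modify the capture after the manifest was written, as a chain-of-custody
    # failure would; the verifier must catch this as a MISMATCH.
    with open(os.path.join(d, "capture.pcap"), "ab") as f:
        f.write(b"!")
    return d, manifest


if __name__ == "__main__":
    case_dir, manifest = build_sample_case()
    for name, status in verify_evidence(case_dir, manifest).items():
        print(f"{status:8} {name}")
    # Record a SHA-256 next to the MD5 in the report's Methods section.
    print("sha256 memory.raw:", hash_file(os.path.join(case_dir, "memory.raw"), "sha256"))
```

Run the verification before any tool opens the evidence, and paste the resulting table into section 2.3. The supplied MD5 is what you match against, but MD5 collisions are cheap to produce, so also record the SHA-256 (same function with algorithm="sha256") for every item you report on.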

Readings

1. The documents listed in the links below are examples of Incident Response Plans that, once filled in, could become a viable starting point for your organization.

a. https://cdt.ca.gov/wp-content/uploads/2017/03/templates_incident_response_plan

b. http://cdn.ttgtmedia.com/searchDisasterRecovery/downloads/SearchDisasterRecovery_Incident_Response_Plan_Template

These lab reports are samples. Please use the Forensic Investigative Analysis Report template provided in the Course Documents folder to structure your assignment.

2. Use this guideline from Berkeley Security to assist you in getting started with the Incident Response Plan should an incident occur.

a.

https://security.berkeley.edu/content/incident-response-planning-guideline

3. You already looked at portions of this NIST guide; now use chapters 1–8 to provide guidance as you make your way through the case evidence for relevant reporting points.

a. Computer Security Incident Handling Guide (NIST SP 800-61)


Sample Intrusion Detection Incident Response Plan

Incident Response Plan Example

This document walks through the steps of an incident response plan. To create your own plan, replace the placeholders in the following example with contact information and the specific courses of action for your organization.

1) The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:

a) Helpdesk

b) Intrusion detection monitoring personnel

c) A system administrator

d) A firewall administrator

e) A business partner

f) A manager

g) The security department or a security person.

h) An outside source.

List all sources and check off whether they have contact information and procedures. Usually each source would contact one 24/7 reachable entity such as a grounds security office. Those in the IT department may have different contact procedures than those outside the IT department.

2) If the person discovering the incident is a member of the IT department or affected department, they will proceed to step 5.

3) If the person discovering the incident is not a member of the IT department or affected department, they will call the 24/7 reachable grounds security department at xxx-xxx.

4) The grounds security office will refer to the IT emergency contact list or affected department contact list and call the designated numbers in order on the list. The grounds security office will log:

a) The name of the caller.

b) Time of the call.

c) Contact information about the caller.

d) The nature of the incident.

e) What equipment or persons were involved?

f) Location of equipment or persons involved.

g) How the incident was detected.

h) When the event was first noticed that supported the idea that the incident occurred.

5) The IT staff member or affected department staff member who receives the call (or discovered the incident) will refer to their contact list for both management personnel to be contacted and incident response members to be contacted. The staff member will call those designated on the list. The staff member will contact the incident response manager using both email and phone messages while being sure other appropriate and backup personnel and designated managers are contacted. The staff member will log the information received in the same format as the grounds security office in the previous step. The staff member could possibly add the following:

a) Is the equipment affected business critical?

b) What is the severity of the potential impact?

c) Name of system being targeted, along with operating system, IP address, and location.

d) IP address and any information about the origin of the attack.

6) Contacted members of the response team will meet or discuss the situation over the telephone and determine a response strategy.

a) Is the incident real or perceived?

b) Is the incident still in progress?

c) What data or property is threatened and how critical is it?

d) What is the impact on the business should the attack succeed? Minimal, serious, or critical?

e) What system or systems are targeted, where are they located physically and on the network?

f) Is the incident inside the trusted network?

g) Is the response urgent?

h) Can the incident be quickly contained?

i) Will the response alert the attacker and do we care?

j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.

7) An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:

a) Category one – A threat to public safety or life.

b) Category two – A threat to sensitive data

c) Category three – A threat to computer systems

d) Category four – A disruption of services

8) Team members will establish and follow one of the following procedures basing their response on the incident assessment:

a) Worm response procedure

b) Virus response procedure

c) System failure procedure

d) Active intrusion response procedure – Is critical data at risk?

e) Inactive Intrusion response procedure

f) System abuse procedure

g) Property theft response procedure

h) Website denial of service response procedure

i) Database or file denial of service response procedure

j) Spyware response procedure.

The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.

9) Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.

10) Team members will recommend changes to prevent the occurrence from happening again or infecting other systems.

11) Upon management approval, the changes will be implemented.

12) Team members will restore the affected system(s) to the uninfected state. They may do one or more of the following:

a) Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.

b) Make users change passwords if passwords may have been sniffed.

c) Be sure the system has been hardened by turning off or uninstalling unused services.

d) Be sure the system is fully patched.

e) Be sure real time virus protection and intrusion detection is running.

f) Be sure the system is logging the correct events and to the proper level.

13) Documentation—the following shall be documented:

a) How the incident was discovered.

b) The category of the incident.

c) How the incident occurred, whether through email, firewall, etc.

d) Where the attack came from, such as IP addresses and other related information about the attacker.

e) What the response plan was.

f) What was done in response?

g) Whether the response was effective.

14) Evidence Preservation—make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal.

15) Notify proper external agencies—notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here.

16) Assess damage and cost—assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.

17) Review response and update policies—plan and take preventative steps so the intrusion can’t happen again.

a) Consider whether an additional policy could have prevented the intrusion.

b) Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.

c) Was the incident response appropriate? How could it be improved?

d) Was every appropriate party informed in a timely manner?

e) Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved?

f) Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?

g) Have changes been made to prevent a new and similar infection?

h) Should any security policies be updated?

i) What lessons have been learned from this experience?
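Step 9 of the plan above lists "looking for gaps in logs" among the forensic techniques. The script below is an added example, not part of the sample plan, showing what that looks like on a syslog-style file: it parses each timestamp, flags any silence longer than a threshold, and flags any entry whose clock runs backwards, both of which deserve a closer look when logs may have been cleared or the clock adjusted. The log lines are constructed for the example (the host, addresses and messages are invented), and the year is assumed because classic syslog lines do not carry one.

```python
"""Find gaps and out-of-order entries in a syslog-style log (added example)."""
from datetime import datetime

# Constructed sample log: roughly 84 minutes of silence before a root login
# from an outside address, and one entry whose timestamp runs backwards.
SAMPLE_LOG = """\
Mar 14 02:10:03 web01 sshd[1412]: Accepted publickey for deploy from 10.0.4.7 port 52211 ssh2
Mar 14 02:12:57 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 02:15:42 web01 CRON[1501]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 03:40:11 web01 sshd[1633]: Accepted password for root from 203.0.113.45 port 40122 ssh2
Mar 14 03:40:15 web01 sshd[1633]: pam_unix(sshd:session): session opened for user root
Mar 14 03:39:02 web01 systemd[1]: Stopping System Logging Service...
Mar 14 03:41:30 web01 sshd[1633]: pam_unix(sshd:session): session closed for user root
"""

YEAR = 2024  # assumed: classic syslog timestamps omit the year


def parse_line(line, year=YEAR):
    """Return (timestamp, remainder) for a line in "Mon DD HH:MM:SS ..." form."""
    stamp, rest = line[:15], line[16:]
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, rest


def find_anomalies(log_text, max_gap_seconds=1800):
    """Flag gaps longer than max_gap_seconds and entries whose time goes backwards.

    Returns a list of (kind, previous_line, current_line, delta_seconds) tuples,
    where kind is "gap" or "backwards".
    """
    findings = []
    prev_ts, prev_line = None, None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _ = parse_line(line)
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta < 0:
                findings.append(("backwards", prev_line, line, delta))
            elif delta > max_gap_seconds:
                findings.append(("gap", prev_line, line, delta))
        prev_ts, prev_line = ts, line
    return findings


if __name__ == "__main__":
    for kind, before, after, seconds in find_anomalies(SAMPLE_LOG):
        print(f"{kind:9} {seconds:+.0f}s between:\n   {before}\n   {after}")
```

A gap on its own is not proof of tampering (a quiet host at night produces one too); tie each finding to the retention settings, log rotation times and any copy shipped to a central collector, which is one reason step 14 insists on preserving copies of logs.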

Incident management team structure (Incident Command System chart):

Incident Command
Description: This team assumes overall responsibility for all phases of the incident management and recovery effort, from declaration through demobilization. The Incident Command function consists of the following key company leaders and will direct incident management and recovery plans from the designated Command Center.
Incident Manager:
Members: Information Officer, Safety Officer, Liaison Officer

Planning Section
Description: This team is responsible for developing the Incident Action Plan (IAP) which is used to manage the incident. They are also responsible for the collection, evaluation, dissemination, and use of information regarding the development of the incident and the status of resources.
Section Chief:
Members: Human Resources, Corporate Travel, Medical

Finance and Administration Section
Description: This team accounts for incident-related costs, purchasing, and facilitates reimbursements. It also provides a timekeeping function.
Section Chief:
Members: Corporate Finance – CFO, Enterprise Risk Management, Purchasing, Insurance

Logistics Section
Description: This team supports services to all incident management and recovery teams and is responsible for but not limited to the following specific functions: Facilities/Security, Legal, Shipping/Receiving, Mail Center and Records, Treasury, Human Resources, Food, Lodging and Transportation.
Section Chief:
Members: Business Unit Leaders, Legal, Information Technology, Facilities, Corporate Communications

Operations Section
Description: This team is responsible for carrying out the response and recovery activities as outlined in the Incident Action Plan (IAP) developed by the Planning Section. The Operations Chief reports to the Incident Manager and determines the required resources and organization structure within the Operations Team.
Section Chief:
Members: Business Unit Leaders, Information Technology, Facilities
Incident Response Plan

By Paul Kirvan, CISA, CSSP, FBCI, CBCP

Revision 0.0

Date:

Revision History

Revision date | Items revised | Author

Table of contents

Section One – Plan Body
1.1 Introduction
1.2 Incident Management Plan Overview
1.3 Scope
1.4 Exclusions
1.5 Planning Scenarios
1.5.1 Limited or No Access to the Building
1.5.2 Loss of Data Communications, e.g., WAN, Routers
1.5.3 Loss of Technology, e.g., Computer Room, Network Services
1.5.4 Loss of People, e.g., Illness, Death
1.6 Recovery Objectives
1.7 Assumptions

Section Two – Incident Response and Management
2.1 Logical Sequence of Events
2.2 Local Incident Management Teams
2.2.1 General Information
2.2.2 Team Overview
2.2.3 Local Incident Management Team
2.2.4 Damage Assessment Team
2.2.5 Regional Incident Management Team
2.2.6 Threat Assessment Center
2.3 Incident Management Team Activities
2.3.1 Local IM Team Activities
2.3.2 Regional Incident Manager Activities
2.3.3 Regional IM Executive Activities

Section Three – Notification, Escalation, and Declaration
3.1 Introduction
3.2 Notification Process Overview
3.2.1 Initial Notification
3.3 Notification Process (Emergencies only)
3.3.1 Local IMT Notification and Notification of External Client, Vendor and Business Partner
3.4 Incident Response Assembly Locations
3.5 Escalation Process (Emergencies only)
3.6 Plan Authorization and Declaration
3.7 Declaration Process (Emergency Only)

Section Four – Incident Response Checklists
4.1 Key Personnel Contact List
4.2 Key Vendor Contact List
4.3 Initial Incident Response Checklist
4.4 Local Incident Management Team Task Checklist
4.4.1 Local Incident Management Team Meeting
4.5 Local Incident Manager Task Checklist
4.5.1 Incident Response Recommended Actions
4.5.2 Actions Following a Disaster Declaration
4.6 Local EOC Command Staff Task Checklist
4.7 Local EOC Operations Staff Task Checklist
4.8 Pre-Incident Preparations
4.8.1 Actions Following an Incident and Prior to a Disaster Declaration Being Made
4.8.3 Support for Local Incident Management Team Meeting
4.8.4 Actions During and After the Disaster
4.8.5 Post-Event Maintenance Activities

Section Five – Appendixes
5.1 Incident Management Forms

Section One – Plan Body

1.1 Introduction

General information

This manual was developed for “BUSINESS NAME,” herein referred to as “BUSINESS NAME,” and it is classified as the confidential property of that entity. Due to the sensitive nature of the information contained herein, this manual is available only to those persons who have been designated as members of one or more incident management teams, or who otherwise play a direct role in the incident response and recovery processes.

Unless otherwise instructed, each plan recipient will receive and maintain two copies of the plan, stored as follows:

· One copy at the plan recipient’s office

· One copy at the plan recipient’s home

For additional copies, contact XXXXXXX

The following teams will appear throughout this plan:

· Threat Assessment Center

· Regional Incident Management Team

· Damage Assessment Team

· Local Incident Management Team

The incident management planning effort for BUSINESS NAME recognizes and affirms the importance of people, processes, and technology to the corporation.

It is the responsibility of each BUSINESS NAME manager and employee to safeguard and keep confidential all corporate assets.

1.2
Incident response plan overview

Overview and objectives

This incident management plan establishes the recommended organization, actions, and procedures needed to

· Recognize and respond to an incident;

· Assess the situation quickly and effectively;

· Notify the appropriate individuals and organizations about the incident;

· Organize the company’s response activities, including activating a command center;

· Escalate the company’s response efforts based on the severity of the incident; and

· Support the business recovery efforts being made in the aftermath of the incident.

Existing incident management plans should conform to the Incident Management Policy statement found in Section 6.2 of the Appendix.

This plan is designed to minimize the operational and financial impacts of a disaster, and will be activated when a local Incident Manager (or, in his/her absence, one of his/her alternates) determines that a disaster has occurred.

Specific details on incident response and subsequent business recovery actions and activities are included within the respective local recovery team plans.

1.3
Scope

This incident management plan includes initial actions and procedures to respond to events that could impact critical business activities at BUSINESS NAME AND LOCATION. This plan is designed to minimize the operational and financial impacts of disasters.

The BUSINESS NAME Incident Response Plan is designed to provide an initial response to any unplanned business interruption, such as a loss of utility service or an avian influenza outbreak, or a catastrophic event such as a major fire or flood. This document defines the requirements, strategies and proposed actions needed to respond to such an event.

1.4
Exclusions

This plan specifically excludes the following from its scope:

· Facilities not located at the BUSINESS NAME AND LOCATION

1.5 Planning scenarios

This plan was developed to respond to an incident that could render the BUSINESS NAME AND LOCATION out of service or inaccessible. In addition, it is designed to respond to situations other than the above scenarios, e.g., an avian flu outbreak. The plan is designed to respond to scenarios such as the following:

1. No access to buildings or floors at the specific location

2. Loss of data communications and the network infrastructure

3. Loss of technology

4. Loss of professional staff (e.g., via a flu outbreak)

1.5.1
Limited or no access to the building

Any incident that renders the BUSINESS NAME AND LOCATION either totally inaccessible/unusable or only partially accessible to the tenants.

This scenario could produce one or more of the following impacts:

· Loss of the business facility or the facility is rendered inaccessible

· Loss of access to selected work space areas, such as building floors affected by a localized event, e.g., a fire

· New equipment/facilities must be acquired

· Incident management and recovery actions must be implemented

· Event causes business interruption or closing

1.5.2
Loss of data communications, e.g., WAN, routers

Any incident that disables or destroys the WAN router infrastructure and its communication capabilities located at BUSINESS NAME AND LOCATION, with a potentially disruptive effect on business operations.

This scenario could produce one or more of the following impacts:

· Loss of access to the WAN

· Loss of access to the Internet and intranet

· Incident is declared and incident recovery actions are implemented

· Use of recovery strategies, commercial hot site, reciprocal agreements, and manual operations as a temporary measure

· Business shutdown

· Need for new facilities/equipment

1.5.3
Loss of technology, e.g., computer room, network services

Any incident that disables or destroys the entire computer room facility or its processing capacity located at BUSINESS NAME AND LOCATION, with a potentially disruptive effect on business operations.

This scenario could produce one or more of the following impacts:

· Loss of use of the computer room facility

· Loss of voice/data communications services

· Incident is declared and incident recovery actions are implemented
· Use of recovery strategies, commercial hot site, reciprocal agreements, and manual operations as a temporary measure

· Business shutdown

· Need for new facilities/equipment

1.5.4
Loss of people, e.g., illness, death

Any incident that disables or renders the professional staff at BUSINESS NAME AND LOCATION unable to perform normal business functions, with a commensurate negative effect on business operations.

This scenario could produce one or more of the following impacts:

· No impact to building access or technology infrastructure

· Insufficient professional staff to perform minimal business operations

· Lack of suitably cross-trained staff

· Business shutdown

· Need for temporary staff

1.6
Recovery objectives

This incident management plan has been developed to meet the following objectives:

1. Provide an organized and consolidated approach to managing initial response and recovery activities following an unplanned incident or business interruption, avoiding confusion and reducing exposure to error.

2. Provide prompt and appropriate response to unplanned incidents, thereby reducing the impacts resulting from short-term business interruptions.

3. Notify appropriate management, operational staff and their families, customers, and public sector organizations of the incident.

4. Recover essential business operations in a timely manner, increasing the ability of the company to recover from a damaging loss at LOCATION.

1.7
Assumptions

This plan has been developed and is to be maintained on the basis of the following assumptions:

· A complete interruption of the BUSINESS NAME AND LOCATION office and associated facilities has occurred, and there is no access to the office, critical equipment or business data.

· A partial or total loss of professional staff at BUSINESS NAME AND LOCATION has occurred due to employee illness resulting from a disaster, whether natural or man-made, including avian flu or a similar outbreak, and only a limited number of healthy employees are available to continue normal business operations.

· Recovery from anything less than complete interruption will be achieved by using appropriate portions of this plan.

· Sufficient staff with adequate knowledge will be available to facilitate recovery.

Section Two – Incident response and management

2.1
Logical sequence of events

The following high-level checklist describes the recommended emergency response:

INITIAL INCIDENT RESPONSE CHECKLIST

Incident occurs.

First person to observe incident at LOCATION follows local emergency procedures and notifies the local Damage Assessment Team (DAT) and/or building security of incident.

The local DAT assembles, investigates the incident using a checklist, and determines if the local Incident Management Team (IMT) needs to be activated. If it is necessary, the DAT also notifies public authorities and/or dials 911.

If needed, the DAT will notify and activate the local Incident Management Team (IMT). The IMT designates a point of contact (POC) for the incident. The POC launches a notification process.

If life and safety are at immediate risk – the IMT Leader and his/her staff shall act first to ensure their own survival as well as the survival of all staff, and then communicate when feasible.

As soon as possible, the IMT POC notifies the Regional Incident Manager (phone number) and the Threat Assessment Center (TAC) (phone number) of the incident.

The TAC establishes local incident coordination with the IMT point of contact, assesses the incident, and notifies senior management of the incident.

The Regional Incident Manager notifies the Regional IM Team of the incident.

TAC determines if the situation requires escalation, based on inputs from the Damage Assessment Team and IMT.

Assuming the situation warrants escalation, the IMT reviews the situation, briefs the TAC and Regional Incident Manager, and initiates the disaster declaration process.

If a disaster is not declared, IMT POC advises TAC and Regional Incident Manager.

If a disaster is declared, the local IMT

1. Notifies the TAC and Regional Incident Manager

2. Activates the Emergency Operations Center (EOC)

3. Activates the BC-IM plan

4. Launches emergency response procedures

The Regional Incident Manager consults with the TAC on the incident. Feedback from the TAC is relayed to local IM Team point of contact.

All BUSINESS NAME staff is notified of the incident and of operational status.

The incident management and business continuity plans continue until the incident has been resolved.

2.2
Local incident management teams

2.2.1
General information

A successful recovery from a disaster can only occur with total coordination of all incident management and recovery activities. In a crisis, each team has specific functions that contribute to the success of the recovery. The following diagram depicts the structure of a local incident management team, particularly in the aftermath of an incident. It is based on the Incident Command System (ICS).

2.2.2
Team Overview

To implement the recovery strategies, the following teams are defined:

· Local Incident Management Team (IMT)

· Damage Assessment Team (DAT)

· Regional Incident Management Team (RIMT)

· Threat Assessment Center (TAC)

2.2.3
Local Incident Management Team

The local IMT assesses the physical and operational status of the LOCATION immediately following an incident; determines the need for personnel evacuations; reviews the situation with building security and building management as needed; reviews the situation with local public sector agencies (e.g., police, fire, EMT) as needed; provides input to the process for declaring a crisis or emergency as needed; and organizes and deploys an Emergency Operations Center (EOC) to manage all planning and operational aspects of the incident. The local IMT also makes an effort to reduce and control the impact of the incident to the LOCATION.

Members:

Name | Office

2.2.4
Damage Assessment Team

The DAT assesses the physical condition of the LOCATION immediately following an incident; evaluates the damage and/or destruction to physical and technology assets to determine if an evacuation is indicated and what the prospects for recovery may be; reviews the situation with building security and building management, as well as local public sector agencies (e.g., police, fire, EMT) as needed; and provides input to and/or recommends a disaster declaration if necessary.

Members:

Name | Office

2.2.5
Regional Incident Management Team

Comprised of regional company executives and the Regional Incident Manager, the RIMT provides coordination and oversight during a regional incident that may affect an individual office or multiple offices in a geographic area.

Members:

Name | Office

2.2.6
Threat Assessment Center

The Threat Assessment Center provides a centralized and standardized means of validating and assessing threats and other incidents. Using information obtained from multiple sources, including local IMTs and Regional Incident Managers, the TAC provides single-source reporting to senior management and other stakeholders so that preemptive measures can be determined and implemented on a timely basis.

Members:

Name | Office

2.3
Incident Management Team activities

This plan provides detailed action steps for each member in the Incident Management Team structure.

2.3.1
Local IMT activities

Detailed checklists that summarize recommended local Incident Management Team and team leader activities can be found in Sections 5.4 and 5.5.

2.3.2
Regional incident manager activities

Detailed checklists that summarize recommended Regional Incident Manager activities can be found in Section 5.8.

2.3.3
Regional IM executive activities

Detailed checklists that summarize recommended Regional Incident Management Team executive activities can be found in Section 5.9.

Section Three – Notification, escalation and declaration

3.1
Introduction

During any business interruption, personnel safety is the primary concern. Managers should periodically review emergency response and evacuation procedures with their staff to ensure familiarity with safety procedures.

Employees should notify their manager of any operational disruption or emergency situation. In the event of an emergency, BUSINESS NAME managers NAME(s) are authorized to declare a disaster on behalf of the LOCATION office.

The notification plan is designed for use in mobilizing the Incident Management Team. If partial mobilization is needed, the appropriate portion of the plan can be executed accordingly. When primary IMT members cannot be reached for their part in the notification plan, their alternates will be contacted.

3.2
Notification process overview

3.2.1
Initial notification

Telephone notification process:

During normal business hours, contact personnel at the following numbers in the order listed:

· Office telephone (If unavailable, leave a voicemail message)

· Cellular

· Pager

· Text page (if available)

· Home telephone

· Any other number the person has listed in the employee’s list.

During non-business hours, contact personnel at the following numbers in the order listed until someone is reached:

· Home phone

· Office (leave voicemail if no answer)

· Cellular

· Pager

· Text page (if available)

· Any other number the person has listed in the disaster recovery documentation.

Automated notification process:

When using an automated notification system during normal business hours, contact personnel at the following numbers in the order listed:

· Office telephone (If unavailable, leave a voicemail message)
· Cellular
· Pager
· Text page (if available)
· Home telephone
· Any other number the person has listed in the employee’s list.

When using an automated notification system during non-business hours, contact personnel at the following numbers in the order listed until someone is reached:

· Home phone
· Office (leave voicemail if no answer)
· Cellular
· Pager
· Text page (if available)

· Any other number the person has listed in the DR documentation.

3.3
Notification process (emergencies only)

Communication during a crisis is critical. As such, follow local notification protocols in an emergency.

3.3.1
Local IMT notification and notification of external clients, vendors and business partners

Should an incident occur, the following call tree will be utilized at LOCATION:

Temporary staff

Name | Office phone | Home phone | Mobile/Pager | Location

3.4
Incident response assembly locations

Primary assembly area

Name
Address
Address
City/State/Zip
Phone/Fax
Email

Secondary assembly area

Name
Address
Address
City/State/Zip
Phone/Fax
Email

Tertiary assembly area

Name
Address
Address
City/State/Zip
Phone/Fax
Email

3.5
Escalation process (emergencies only)

The process for escalating an incident at BUSINESS NAME is as follows:

Step 1: Follow local established emergency escalation and life/safety protocols. If these are not available, the first BUSINESS NAME employee to become aware of an incident should immediately report it to local management, who will escalate the information to the local Incident Management Team Leader (NAME) or his/her designated alternate (NAME).

Step 2: Follow local established emergency escalation and life/safety protocols. If these are not available, the Damage Assessment Team should conduct an assessment of the situation. If the severity of the incident warrants, the IMT Leader or point of contact will inform the Regional Incident Manager, Threat Assessment Center, Business Continuity Management and BUSINESS NAME management of the situation.

Step 3: Follow local established emergency escalation and life/safety protocols. If these are not available, based on the results of the local IMT assessment, and if the severity of the incident warrants, the Regional Incident Manager will coordinate with Regional Incident Management Team executives on the situation as soon as feasible by phone, email, teleconference or MessageOne.

Step 4: Follow local established emergency escalation and life/safety protocols. If these are not available, based on the results of the TAC assessment, and if the severity of the incident warrants, the TAC will notify designated senior management as deemed necessary to manage the situation; this can be done by phone, email, teleconference or MessageOne.

Step 5: Continue to follow local established emergency escalation and life/safety protocols. If these are not available, based on the results of local, regional and TAC discussions (via conference bridge and/or MessageOne technology), a decision will be made on declaring a disaster:

a. IF a disaster IS NOT declared, the IMT Leader or Incident Manager will coordinate with other local management and Corporate Services staff to restore normal business operations accordingly.

b. IF a disaster IS declared, the IMT Leader or Incident Manager, in coordination with the BC Team, will invoke the BC-IM plan.

Step 6: IF a declaration is made, the IM point of contact will update the TAC, the Regional Incident Management Team and BUSINESS NAME management in LOCATION as soon as possible.

3.6
Plan authorization and declaration

When the Incident Management Team is notified of the event, they will immediately contact the local business leadership on the incident, asking them to remain on standby. The IMT will report to the scene of the event, or where directed, and coordinate additional activities with local building management and the Damage Assessment Team. The call tree notification process begins after the authorization has been given to declare a disaster. Alternatively, if an automated notification system or service is available, launch that process as soon as possible.

3.7
Declaration process (emergencies only)

The disaster declaration process at BUSINESS NAME in LOCATION is as follows:

1. ONLY the management team in charge of BUSINESS NAME (NAME) or his/her appointed alternate has the authority to declare a disaster at BUSINESS NAME.

2. A disaster declaration at BUSINESS NAME MUST generally meet one or more of the following criteria:

A. The incident is a major, prolonged or indefinite disruption to business as usual.

B. The incident is of sufficient magnitude (casualties/fatalities/property and/or facility damages/business disruptions, etc.) and warrants the enacting of emergency response and incident management measures to ensure continuity of operations at BUSINESS NAME.

C. The incident has met and/or exceeded the threshold of disaster declaration criteria for appropriate major public sector entities on a local, regional, national or international level.

D. Not declaring the incident a “disaster” poses a direct threat to the viability of BUSINESS NAME as a business.

Section Four – Incident response checklists

4.1
Key personnel contact list

Incident Management Team

Last name | First name | Title | Department/Location | Work phone | Home phone | Alternate phone | Pager/Cell phone

Executive Management Team

Last name | First name | Title | Department/Location | Work phone | Home phone | Alternate phone | Pager/Cell phone

Planning Section

Last name | First name | Title | Department/Location | Work phone | Home phone | Alternate phone | Pager/Cell phone

Operations Section

Last name | First name | Title | Department/Location | Work phone | Home phone | Alternate phone | Pager/Cell phone

Logistics Section

Last name | First name | Title | Department/Location | Work phone | Home phone | Alternate phone | Pager/Cell phone

Finance / Administration Section

Last name | First name | Title | Department/Location | Work phone | Home phone | Alternate phone | Pager/Cell phone

4.2
Key vendor contact list

Last name | First name | Title | Vendor name | Office phone | Cell phone | Fax number

4.3
Initial incident response checklist

The task checklists in the following pages should be followed in the event of an incident at the BUSINESS NAME & LOCATION office or surrounding area. Follow the recommended sequence of actions below during the initial minutes after the occurrence of an incident.

INITIAL INCIDENT RESPONSE CHECKLIST

Incident occurs.

First person to observe incident at LOCATION follows local emergency procedures and notifies the local Damage Assessment Team and/or building security of the incident.

The local Damage Assessment Team assembles, investigates the incident using a checklist, and determines if the local Incident Management Team needs to be activated. If it is necessary, the DAT also notifies public authorities and/or dials 911.

If needed, the DAT will notify and activate the local Incident Management Team. The IMT designates a point of contact (POC) for the incident. The POC launches a notification process.

If life and safety are at immediate risk – the IMT Leader and his/her staff should act first to ensure their own survival as well as the survival of all staff, and then communicate when feasible.

As soon as possible, the IMT POC notifies the Regional Incident Manager (phone number) and the Threat Assessment Center of the incident.

The TAC establishes local incident coordination with the IMT point of contact, assesses the incident, and notifies senior management of the incident.

The Regional Incident Manager notifies the Regional IM Team of the incident.

TAC determines if the situation requires escalation, based on inputs from the Damage Assessment Team and IMT.

Assuming the situation warrants escalation, the IMT reviews the situation, briefs the TAC and Regional Incident Manager, and initiates the disaster declaration process.

If a disaster is not declared, IM POC advises TAC and Regional Incident Manager.

If a disaster is declared, the local IMT
1. Notifies the TAC and Regional Incident Manager
2. Activates the Emergency Operations Center (EOC)
3. Activates the BC-IM plan
4. Launches emergency response procedures

The Regional Incident Manager consults with the TAC on the incident. Feedback from the TAC is relayed to local IM Team point of contact.

All BUSINESS NAME staff is notified of the incident and of operational status.

The incident management and business continuity plans continue until the incident has been resolved.

4.4
Local IMT task checklist

The following recommended sequence of actions should be facilitated after completion of the Initial Response checklist in Section 4.3.

LOCAL INCIDENT MANAGEMENT TEAM TASK CHECKLIST


Gather information about the incident from first-hand contact, available first responders, employees, and others; relay to Incident Manager.

Account for all staff/guests on (and if applicable off) premises.

Administer first aid and/or ensure life/safety measures as appropriate.

Inform building security and the property management firm if they are not already aware of the incident:

· Building security: xxx – xxx – xxxx

· Property management firm: xxx – xxx – xxxx

Inform security of the situation as soon as possible:

· Security: xxx – xxx – xxxx

Inform the Incident Manager as soon as possible:

· IM Team Leader: xxx – xxx – xxxx

Conduct an initial assessment of the incident’s likely impact on local operations; coordinate with DAT.

Disseminate information to local employees on the incident.

Provide information about the incident to first responder organizations.

Establish and maintain communications with Regional Incident Manager, Threat Assessment Center, and the appropriate business unit.

Provide input as directed to the disaster declaration process.

If disaster is declared, support the IM plan response.

If a disaster is not declared, support recovery from the incident and restore operations accordingly.

Support launch of Emergency Operations Center (EOC) according to IM plan.

Provide ongoing review and analysis of incident(s) with dissemination of information to staff, Regional Incident Manager, and TAC as needed.

Coordinate with counterparts in other regions as part of ongoing incident analysis.

Coordinate with Operations Section leadership as well as third-party organizations to ensure that required resources are in place and ready for delivery to affected venue.

Support Public Information Officer, Safety Officer and Liaison Officer roles.

Support management of the incident and restore operations accordingly.

Support post-event demobilization plan as needed.

Assist IMT and Incident Manager as directed.

Provide post-event report of activities.

4.4.1
Local IMT meeting


Contact local IMT leader to ensure that the IMT has set an initial meeting and venue. Ensure that the presence of IMT members is recorded using the EXHIBIT 4 – RECOVERY TEAMS PERSONNEL ASSIGNMENT FORM found in the Recovery Forms section of this document.

Ensure that any missing IMT members, their alternates and any additional personnel are notified of the meeting. See the KEY CONTACTS section of this guide for a complete list of IMT members and alternates, and their contact information.

Obtain a current situation report from the IMT and Damage Assessment Team. Address the following key issues:

1. Type of event (fire, tornado, terrorism, power outage, telecomm outage, etc.)

2. Specific location of event, if known (building, floor, side of floor, etc.)

3. Magnitude of the event

4. Time of event

5. Suspected cause

6. Emergency/evacuation procedures status

7. Police and fire departments notified

8. Injuries and fatalities

9. Building access status (current access, near-term potential access)

10. Immediate impact to business operations

11. Potential for news media attention

Establish schedule of updates for Threat Assessment Center to monitor ongoing emergency response procedures. Commence providing TAC updates.

Ensure that a member of the local IMT documents, in chronological order, incident milestones and actions taken using the EXHIBIT 1 – BUSINESS INTERRUPTION REPORT template in the Recovery Forms section of this guide. This form will be used as a tool to update the IMT, TAC and/or other senior management.

If required, provide advice to local senior management whether employees should be sent home. Local senior management will develop a statement, determine method of communicating updates and communicate to employees.

Follow up to ensure that local management has decided whether or not to intercept 800# phone lines with a customized emergency voice recording.

Follow up to ensure that local management has decided to launch/not launch the MessageOne emergency notification service, in addition to/in lieu of 800# service arrangements.

4.5
Local IMT checklist

The following recommended sequence of actions should be provided by the local incident team leader and/or incident manager after completing the Initial Response checklist in Section 5.3.

LOCAL INCIDENT MANAGER TASK CHECKLIST


Assumes overall leadership of all incident management activities.

Receives information about the incident from IMT, first responders, employees, and others; contacts the Damage Assessment Team.

Delegates accounting for all staff/guests on (and if applicable off) premises.

Ensures that first aid is being provided and that life/safety measures are being delivered.

Informs local Business Continuity Management Team of situation as soon as possible:

· Business Continuity Management Team: xxx – xxx – xxxx

In coordination with Damage Assessment Team, assesses the incident’s likely impact on local operations.

If assessment of the incident suggests a serious event that could adversely impact operations, advises Threat Assessment Center (TAC) as soon as possible.

Provides input as directed to the disaster declaration process.

Based on input from Regional Incident Manager and Threat Assessment Center, determines if/when to declare a disaster.

If a disaster is declared, facilitates activation of IM plan; informs others (TAC, Regional Incident Manager); launches call notification via MessageOne or calling tree.

If a disaster is not declared, manages recovery from the incident and restores operations accordingly.

Leads the launch of Emergency Operations Center according to IM plan; assumes role of Incident Manager.

Leads the launch of Public Information Officer, Safety Officer and Liaison Officer.

Ensures that Public Information Officer establishes regularly updated communications with Incident Manager and other units, e.g., Regional Incident Manager, as needed.

Manages the incident and restores operations accordingly.

4.5.1
Incident response recommended actions


Incident Management Team leader will develop recommendations for senior management on what overall response strategies should be implemented to facilitate the recovery of business operations in the most timely, efficient and cost-effective manner.

Consider information gathered in earlier incident and damage assessments including, but not limited to, the following:

· The area(s) affected by the disaster;

· Anticipated duration of incident;

· Availability of required employees;

· Any special timing issues such as relationship to month-end, quarter-end, etc.;

· Any special business issues (e.g., unusual business volume or backlog, unusual contractual obligations);

· Regulatory obligations;

· Salvageable equipment and supplies (as documented in the ASSESSMENT & EVALUATION FORMS);

· Availability of equipment and supplies at potential alternate or off-site locations;

· Salvageable records required for recovery activities; and

· Records which require intensive reconstruction activities.

Develop critical business function recovery priority lists for the following periods:

· 8 hours

· 12 hours

· 24 hours

· 72 hours or longer

Recommend to the Executive Management Team and Threat Assessment Center the location(s) where critical business functions and IT operations can be recovered based upon the following priority:

· Return to building

· Local sites

· Other sites

· Vendor location

4.5.2
Actions following a disaster declaration


Based on responses from the Threat Assessment Center, and input from local management and public sector organizations, the IMT leader will launch an incident management plan that facilitates a safe and rapid evacuation of staff and locates the safest venue to activate an Emergency Operations Center based on the following priority list:

1. LOCATION

2. LOCATION

If not already identified locally, IMT leader should identify and communicate the recommended assembly site(s) to local IMT members, local management, local public sector organizations, and the Business Recovery Team.

Ensure that the local IMT convenes a meeting to review response and recovery options, Emergency Operations Center setup procedures, and other related activities, as specified in the incident management plan.

Relay the current situation report from the Threat Assessment Center and/or the Regional Incident Management Team. General points to be covered include the following:

1. Type of event (fire, tornado, terrorism, power outage, telecomm outage, etc.)
2. Specific location of event, if known (building, floor, side of floor, etc.)
3. Magnitude of the event
4. Time of event
5. Suspected cause
6. Emergency/evacuation procedures status

7. Police and fire departments notified

8. Injuries and fatalities

9. Building access (current access, near-term potential access)

10. Immediate impact to business operations

11. Potential for media (e.g., television, radio) attention

Establish a schedule for updates to regional IM team(s).

Assign an IMT member responsibility to document, in chronological order, incident milestones and actions taken using the EXHIBIT 1 – BUSINESS INTERRUPTION REPORT template in the Recovery Forms section of this guide. This form will be used as a tool to update the Threat Assessment Center and other senior management.

Provide input to the Threat Assessment Center and/or Executive Management Team whether employees should be sent home. The EMT will develop a statement, determine method of communication for further updates and communicate to employees, e.g., using MessageOne or other approved service.

The IMT leader will decide whether or not to intercept 800# phone lines with a customized emergency voice recording.

Main Message in the first 24 hours:

“Welcome to BUSINESS NAME. We’re sorry, but our normal business operations have been interrupted due to XXXXX. Please be patient as we are making every effort to recover operations as soon as possible. We expect to resume normal operations on or about XXXX.”

The following persons are authorized to implement this message:

Name: XXXX
Work: XXXX
Home: XXXX
Cell: XXXX

Name: XXXX
Work: XXXX
Home: XXXX
Cell: XXXX

Support local Incident Managers as required.

Assist with acquisition of resources as needed.

Provide regular incident updates to TAC.

Provide regular regional incident updates to IMTs and points of contact (POC).

Establish communications process/timeline for RIMT.

Coordinate phone calls, conference calls for RIMT.

4.6
Local EOC command staff task checklist

Assuming an Emergency Operations Center is established by the local IMT Leader or Incident Manager, the following recommended sequences of actions should be facilitated by individuals assigned to the specific positions defined below.

IM TEAM PUBLIC INFORMATION OFFICER TASK CHECKLIST

When activated, establish communications with organizations as indicated in incident management plan, e.g., Incident Manager, local management, Regional Incident Manager, and Threat Assessment Center.

Establish regular time frames for reporting incident and recovery status to designated organizations.

Process incoming messages from external organizations, including police/fire/EMS and the media.

Coordinate activities with Liaison Officer.

Distribute approved messages to designated parties when directed.

Assist IMT and Incident Manager as directed.

Provide post-event report of activities.

IM TEAM SAFETY OFFICER TASK CHECKLIST


When activated, monitor and manage physical safety conditions.

Develop measures to ensure safety of personnel.

Assist in the administering of first aid and/or ensure life/safety measures as needed.

Monitor Emergency Operations Center (EOC) personnel for stress, etc.

Assist Incident Manager as directed.

Provide post-event report of activities.

IM TEAM LIAISON OFFICER TASK CHECKLIST

When activated, interface with any/all public sector entities as appropriate, e.g., police, fire, EMS, OEM, government agencies.

Disseminate information and messages to appropriate departments and individuals.

Coordinate activities with Public Information Officer.

Assist Incident Manager as directed.

Provide post-event report of activities.

4.7
Local EOC operations staff task checklist

Assuming an Emergency Operations Center is established by the local IMT Leader or Incident Manager, the following recommended sequences of actions should be facilitated by individuals assigned to the specific positions defined below.

PLANNING TEAM LEADER TASK CHECKLIST

When activated, prepare Incident Action Plan (IAP).

Maintain situation and resource status.

Coordinate BCM activities.

Coordinate the preparation and dissemination of incident documentation.

Provide location for subject matter and technical expertise.

Prepare demobilization plan as needed.

Disseminate information and messages to appropriate departments and individuals.

Assist Incident Manager as directed.

Provide post-event report of activities.

LOGISTICS TEAM LEADER TASK CHECKLIST

When activated, organize and coordinate the provision of services (HR, communications, medical, food, transportation and housing) and support (supplies, facilities and ground support) to the incident.

Disseminate information and messages to appropriate departments and individuals.

Assist Incident Manager as directed.

Provide post-event report of activities.

OPERATIONS TEAM LEADER TASK CHECKLIST

When activated, direct and coordinate all tactical operations associated with the incident.

Disseminate information and messages to appropriate departments and individuals.

Assist Incident Manager as directed.

Provide post-event report of activities.

FINANCE TEAM LEADER TASK CHECKLIST

When activated, facilitate various administration and financial activities.

Monitor incident costs and maintain financial records.

Address insurance and workmen’s compensation issues.

Facilitate procurement activities, e.g., contracts.

Monitor timekeeping and related activities.

Disseminate information and messages to appropriate departments and individuals.

Assist Incident Manager as directed.

Provide post-event report of activities.

4.8
Pre-incident preparations


Establish regional response plans and procedures for dealing with incidents.

Establish communications process for disseminating information about an incident to the RIMT.

Serve as point of contact for compiling information on incidents and reporting to TAC and senior management.

Train alternate(s) assigned as backup to Regional Incident Manager.

4.8.1
Actions following an incident and prior to a disaster declaration being made


Gather input from the local Incident Management Team, Damage Assessment Team, and local senior management.

Analyze the input and complete an initial assessment of the situation. Attempt to determine the potential for an evacuation or other activity that would negatively impact operations at the site.

Forward the assessment results and any other intelligence to the Threat Assessment Center for analysis and action.

Coordinate incident analysis with regional peers.

4.8.3
Support for Local Incident Management Team meeting

FORMCHECKBOX

FORMCHECKBOX

FORMCHECKBOX

Ensure that a member of the local IMT documents, in chronological order, incident milestones and actions taken using the EXHIBIT 1 – BUSINESS INTERRUPTION REPORT template in the Recovery Forms section of this guide. This form will be used as a tool to update the IMT, TAC and/or other senior management.

Contact local IMT leader via Public Information Officer to ensure that the IMT has set an initial meeting and venue.

Obtain a current situation report from the IMT and Damage Assessment Team. Key talking points include the following:

1. Type of event (fire, tornado, terrorism, power outage, telecomm outage, etc.)
2. Specific location of event, if known (building, floor, side of floor, etc.)
3. Magnitude of the event
4. Time of event
5. Suspected cause
6. Emergency/evacuation procedures status
7. Police and fire departments notified
8. Injuries and fatalities
9. Building access status (current access, near-term potential access)
10. Immediate impact to business operations
11. Potential for news media attention

Ensure creation of a schedule of updates for Threat Assessment Center to monitor ongoing emergency response procedures. Commence providing TAC updates.

Ensure that local management has decided whether or not to intercept 800# phone lines with a customized emergency voice recording.

Ensure that local management has decided to launch/not launch the MessageOne emergency notification service, in addition to/in lieu of 800# service arrangements.

4.8.4
Actions during and after the disaster

Ensure that InfoExchange xxx – xxx – xxxx is updated as follows:

BUSINESS NAME

Regional Incident Manager:   Office:   Cell:   Home:

VP:   Office:   Cell:   Home:

Provide a brief situation report including:

· Nature of the incident (e.g., physical damage, life safety issues)

· Potential impact to business units

· Actions taken by local IMT and DAT

· Actions taken by local management

· Actions taken by employees

· Actions taken by others

· Estimated time to return to normal operations

Identify local EOC location and contact information.

Continue updates on agreed-upon schedule.

Follow up to ensure that BUSINESS NAME team leaders have notified their respective recovery team members. Document notifications in the EXHIBIT 1 – PERSONNEL NOTIFICATION CONTROL LOG found in the Recovery Forms section of this guide.

Notify any other BUSINESS NAME contacts and third parties as deemed necessary. See the KEY CONTACTS section of this guide for contact information.

Follow up to ensure that information regarding the status of the incident and the company’s response to it is regularly communicated to the appropriate individuals and organizations.

Be available to answer questions and provide input to other organizations as they enter the incident response/recovery process.

Be available to answer questions and provide input to other organizations as they enter the post-incident recovery and evaluation process.

4.8.5
Post-event maintenance activities

Assess regional incident management readiness.

Assess avian influenza readiness in region.

Maintain IM program through quarterly team training and updating of IM plan documentation and checklists.

Section Five – Appendixes

5.1
Incident Management forms

Exhibit 1: Incident report

Columns: Date | Nature of incident | Time/Details | Action taken | Directive

Exhibit 2: Incident objectives and strategy form

Date/Time:

Incident name:

Expected duration:

Completed by:

Objectives/strategies to be completed in the first 3 hours:

Columns: Objectives/Strategies | IMT Leader | Assigned Date/Time | Status | Completed Date/Time

Objectives/strategies to be completed in the first 8 hours: (same columns)

Objectives/strategies to be completed in the first 15 hours: (same columns)

Objectives/strategies to be completed in the first 24 hours & after: (same columns)

Exhibit 3: Personnel notification control log

Date/Time:

Columns: Name | Status | Location assignment | Phone number | Work from | Work to

Exhibit 4: IMT personnel assignment form

Date/Time:

Incident name:

Recovery team:

Columns: # | Name | Recovery title/Role | Date/Time | Work from | Work to

Rows: 1 through 13

Exhibit 5: Critical equipment assessment and evaluation form

Incident name:

Date/Time:

Recovery team:

Completed by:

Columns: # | Equipment (Itemize) | Condition | Time to salvage | Comments

Rows: 1 through 6

Condition key:

OK – Undamaged

DBU – Damaged but usable

DS – Damaged; needs salvage before use

D – Destroyed

All Rights Reserved, 2010, TechTarget

17
All Rights Reserved, 2010, TechTarget

_1353154142.vsd

Lab 4 CMIT 460 Network Forensics

    Table of Contents

    • Introduction
    • Location of Lab 3 and 4 Files
    • Analyzing Memory
    • Analyzing PCAP Files
    • Hard Disk Analysis with EnCase
    • Lab 4 Directions

    Introduction

    Lab Description:

    Network Forensics involves examining digital evidence collected by examiners. Some of the common
    artifacts that are examined are:

    • disk image files
    • images of memory (RAM)
    • volatile data collection
    • PCAP files

    Using all of the artifacts, you are trying to build a case and determine what happened, when it
    happened, and who did it. When you are able to correlate events from more than one artifact, you build
    a strong case.

    Learning Outcomes:

    The goal is to implement various techniques that are used in forensic investigations in response to
    network intrusions to collect and analyze information from computer networks.

    After completing this course, you should be able to:

    • evaluate the network security posture of an organization by performing risk assessments
    • analyze the data or indicators from networks and systems to detect intrusions
    • evaluate and prioritize the risk, threat level, or business impact of a confirmed network security incident
    • develop and execute a network security incident response strategy in order to mitigate effects on an organization

    Location of Lab 3 and 4 Files

    1. Connect to https://vdi.umuc.edu, allocate the CMIT 460 lab, and use the Lab Broker to connect to the back-end Windows 10 workstation (Username: StudentFirst, PW: Cyb3rl@b).

    2. You should start on the Windows 10 Desktop. Double click on the Lab Resources folder on the Desktop.

    3. Click the resources link.

    4. View the folders for the lab three and lab four files.

    5. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder.

    6. Drag the CMIT_460_Lab_3-4.vmem file to the Local Disk C:.

    7. You should now see the CMIT_460_Lab_3-4.vmem file on Local Disk C:.

    Analyzing Memory

    1. Right click on the Windows icon in the left hand corner of the desktop and go to Run.

    2. Type the following command to open the command prompt:

    cmd

    3. Type the following command to go to the root of the C: drive:

    C:\Users\StudentFirst\>cd \

    4. Type the following command to view the available switches for the volatility command:

    C:\vola.exe -h

    The full output of the command is listed below:

    Usage: Volatility - A memory forensics analysis platform.

    Options:
      -h, --help            list all available options and their default values.
                            Default values may be set in the configuration file
                            (/etc/volatilityrc)
      --conf-file=.volatilityrc
                            User based configuration file
      -d, --debug           Debug volatility
      --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                            separated)
      --info                Print information about all registered objects
      --cache-directory=C:\Users\jesse/.cache\volatility
                            Directory where cache files are stored
      --cache               Use caching
      --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                            using pytz (if installed) or tzset
      -f FILENAME, --filename=FILENAME
                            Filename to use when opening an image
      --profile=WinXPSP2x86
                            Name of the profile to load (use --info to see a list
                            of supported profiles)
      -l LOCATION, --location=LOCATION
                            A URN location from which to load an address space
      -w, --write           Enable write support
      --dtb=DTB             DTB Address
      --shift=SHIFT         Mac KASLR shift address
      --output=text         Output in this format (support is module specific, see
                            the Module Output Options below)
      --output-file=OUTPUT_FILE
                            Write output in this file
      -v, --verbose         Verbose information
      -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                            Windows 8 and above this is the address of
                            KdCopyDataBlock)
      --force               Force utilization of suspect profile
      --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                            Windows 10 only)
      -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

    Supported Plugin Commands:
      amcache             Print AmCache information
      apihooks            Detect API hooks in process and kernel memory
      atoms               Print session and window station atom tables
      atomscan            Pool scanner for atom tables
      auditpol            Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
      bigpools            Dump the big page pools using BigPagePoolScanner
      bioskbd             Reads the keyboard buffer from Real Mode memory
      cachedump           Dumps cached domain hashes from memory
      callbacks           Print system-wide notification routines
      clipboard           Extract the contents of the windows clipboard
      cmdline             Display process command-line arguments
      cmdscan             Extract command history by scanning for _COMMAND_HISTORY
      connections         Print list of open connections [Windows XP and 2003 Only]
      connscan            Pool scanner for tcp connections
      consoles            Extract command history by scanning for _CONSOLE_INFORMATION
      crashinfo           Dump crash-dump information
      deskscan            Poolscaner for tagDESKTOP (desktops)
      devicetree          Show device tree
      dlldump             Dump DLLs from a process address space
      dlllist             Print list of loaded dlls for each process
      driverirp           Driver IRP hook detection
      drivermodule        Associate driver objects to kernel modules
      driverscan          Pool scanner for driver objects
      dumpcerts           Dump RSA private and public SSL keys
      dumpfiles           Extract memory mapped and cached files
      dumpregistry        Dumps registry files out to disk
      editbox             Displays information about Edit controls. (Listbox experimental.)
      envars              Display process environment variables
      eventhooks          Print details on windows event hooks
      evtlogs             Extract Windows Event Logs (XP/2003 only)
      filescan            Pool scanner for file objects
      gahti               Dump the USER handle type information
      gditimers           Print installed GDI timers and callbacks
      gdt                 Display Global Descriptor Table
      getservicesids      Get the names of services in the Registry and return Calculated SID
      getsids             Print the SIDs owning each process
      handles             Print list of open handles for each process
      hashdump            Dumps passwords hashes (LM/NTLM) from memory
      hibinfo             Dump hibernation file information
      hivedump            Prints out a hive
      hivelist            Print list of registry hives.
      hivescan            Pool scanner for registry hives
      hpakextract         Extract physical memory from an HPAK file
      hpakinfo            Info on an HPAK file
      idt                 Display Interrupt Descriptor Table
      iehistory           Reconstruct Internet Explorer cache / history
      imagecopy           Copies a physical address space out as a raw DD image
      imageinfo           Identify information for the image
      impscan             Scan for calls to imported functions
      joblinks            Print process job link information
      kdbgscan            Search for and dump potential KDBG values
      kpcrscan            Search for and dump potential KPCR values
      ldrmodules          Detect unlinked DLLs
      lsadump             Dump (decrypted) LSA secrets from the registry
      machoinfo           Dump Mach-O file format information
      malfind             Find hidden and injected code
      mbrparser           Scans for and parses potential Master Boot Records (MBRs)
      memdump             Dump the addressable memory for a process
      memmap              Print the memory map
      messagehooks        List desktop and thread window message hooks
      mftparser           Scans for and parses potential MFT entries
      moddump             Dump a kernel driver to an executable file sample
      modscan             Pool scanner for kernel modules
      modules             Print list of loaded modules
      multiscan           Scan for various objects at once
      mutantscan          Pool scanner for mutex objects
      notepad             List currently displayed notepad text
      objtypescan         Scan for Windows object type objects
      patcher             Patches memory based on page scans
      poolpeek            Configurable pool scanner plugin
      printkey            Print a registry key, and its subkeys and values
      privs               Display process privileges
      procdump            Dump a process to an executable file sample
      pslist              Print all running processes by following the EPROCESS lists
      psscan              Pool scanner for process objects
      pstree              Print process list as a tree
      psxview             Find hidden processes with various process listings
      qemuinfo            Dump Qemu information
      raw2dmp             Converts a physical memory sample to a windbg crash dump
      screenshot          Save a pseudo-screenshot based on GDI windows
      servicediff         List Windows services (ala Plugx)
      sessions            List details on _MM_SESSION_SPACE (user logon sessions)
      shellbags           Prints ShellBags info
      shimcache           Parses the Application Compatibility Shim Cache registry key
      shutdowntime        Print ShutdownTime of machine from registry
      sockets             Print list of open sockets
      sockscan            Pool scanner for tcp socket objects
      ssdt                Display SSDT entries
      strings             Match physical offsets to virtual addresses (may take a while, VERY verbose)
      svcscan             Scan for Windows services
      symlinkscan         Pool scanner for symlink objects
      thrdscan            Pool scanner for thread objects
      threads             Investigate _ETHREAD and _KTHREADs
      timeliner           Creates a timeline from various artifacts in memory
      timers              Print kernel timers and associated module DPCs
      truecryptmaster     Recover TrueCrypt 7.1a Master Keys
      truecryptpassphrase TrueCrypt Cached Passphrase Finder
      truecryptsummary    TrueCrypt Summary
      unloadedmodules     Print list of unloaded modules
      userassist          Print userassist registry keys and information
      userhandles         Dump the USER handle tables
      vaddump             Dumps out the vad sections to a file
      vadinfo             Dump the VAD info
      vadtree             Walk the VAD tree and display in tree format
      vadwalk             Walk the VAD tree
      vboxinfo            Dump virtualbox information
      verinfo             Prints out the version information from PE images
      vmwareinfo          Dump VMware VMSS/VMSN information
      volshell            Shell in the memory image
      windows             Print Desktop Windows (verbose details)
      wintree             Print Z-Order Desktop Windows Tree
      wndscan             Pool scanner for window stations
      yarascan            Scan process or kernel memory with Yara signatures

    In order to get the needed information, you will need to use the correct options from above. An example is provided in the steps below.

    When you run the tool, type vola.exe and pass the location of the image file with -f.

    First, let's get the information from the RAM image.

    5. Type the following command to view the information about the RAM image:

    C:\vola.exe -f CMIT_460_Lab_3-4.vmem imageinfo

    6. Type the following command to get the IP address and connection information (the --profile value is the profile that imageinfo suggested in step 5):

    C:\vola.exe -f CMIT_460_Lab_3-4.vmem --profile=Win2003SP2x86 connscan

    We now have an IP address of 10.10.5.69 that needs to be examined. Look at the IPs connecting to it.

    Analyzing PCAP Files

    1. Double click on the Lab Resources folder on the Desktop.

    2. Click the resources link.

    3. View the folders for the lab three and lab four files.

    4. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder.

    5. Double click on the CMIT_460_Lab_3-4.pcap file to open it with Wireshark, the protocol analyzer.

    6. View the file within Wireshark.

    7. You have a relevant IP address. Filter on it by typing the following display filter:

    ip.addr == 10.10.5.69

    8. Double click on the Lab Resources folder on the Desktop.

    9. Double click the applications folder.

    10. Double click on Network Miner.

    11. Drag the CMIT_460_Lab_3-4.pcap file into the Network Miner window.

    12. View information about the intrusion in Network Miner.
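    The memory and capture steps above each produce a list of endpoints, and the lab's point is that an address found in both carries more weight than one found in either alone. The script below is an added example, not part of the lab handout or of Volatility: it parses the text that connscan prints (the sample block is constructed in the same column layout, with 10.10.5.69 from the lab and every other address, port, PID and timestamp made up), parses a flow list in the shape of a tshark "-T fields" export (also constructed), attributes each captured packet to the PID that owned the connection in memory, and builds the Wireshark display filter for every remote peer the image knew about.

```python
"""Correlate Volatility connscan output with a packet-capture flow list.

Added example (not from the lab handout). The connscan lines and the
flow records below are constructed sample data in the same shape as
Volatility 2 'connscan' output and a tshark '-T fields' export; the IP
10.10.5.69 comes from the lab, every other value is made up.
"""
import re
from collections import defaultdict

# Constructed sample of what 'vola.exe -f image.vmem --profile=... connscan'
# prints. Columns: Offset(P) LocalAddress RemoteAddress Pid
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02a4e008 10.10.5.69:1045           203.0.113.25:4444         1120
0x02b11a40 10.10.5.69:139            10.10.5.20:2301           4
0x02c0f770 10.10.5.69:1052           198.51.100.7:80           2268
"""

# Constructed sample of flows exported from the PCAP with
#   tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
PCAP_FLOWS = """\
1262304000.10\t10.10.5.69\t1045\t203.0.113.25\t4444
1262304001.50\t203.0.113.25\t4444\t10.10.5.69\t1045
1262304005.00\t10.10.5.69\t1052\t198.51.100.7\t80
1262304009.00\t10.10.5.70\t3200\t192.0.2.9\t443
"""

# One connscan data row: offset, local ip:port, remote ip:port, pid.
CONN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")


def parse_connscan(text):
    """Return a list of dicts {local, lport, remote, rport, pid} from connscan text."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header, separator and blank lines carry no connection
        local, lport, remote, rport, pid = m.groups()
        conns.append({"local": local, "lport": int(lport),
                      "remote": remote, "rport": int(rport), "pid": int(pid)})
    return conns


def parse_flows(text):
    """Return (epoch, src, sport, dst, dport) tuples from tab-separated tshark output."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # non-TCP frames leave fields empty and are skipped
        ts, src, sport, dst, dport = parts
        flows.append((float(ts), src, int(sport), dst, int(dport)))
    return flows


def correlate(conns, flows):
    """Map each memory-resident connection to the packets that carried it.

    A packet matches a connection when its endpoints equal the connection's
    (local, remote) pair in either direction, so both halves of the
    conversation are attributed to the same PID. Connections with no
    packets in the capture are left out, which is itself a finding.
    """
    hits = defaultdict(list)
    for c in conns:
        fwd = (c["local"], c["lport"], c["remote"], c["rport"])
        rev = (c["remote"], c["rport"], c["local"], c["lport"])
        for ts, src, sport, dst, dport in flows:
            if (src, sport, dst, dport) in (fwd, rev):
                hits[(c["pid"], c["remote"], c["rport"])].append(ts)
    return dict(hits)


def wireshark_filter(conns):
    """Build a display filter covering every remote peer seen in memory."""
    peers = sorted({c["remote"] for c in conns})
    return " || ".join(f"ip.addr == {p}" for p in peers)


if __name__ == "__main__":
    conns = parse_connscan(CONNSCAN_OUTPUT)
    flows = parse_flows(PCAP_FLOWS)
    for (pid, remote, rport), stamps in sorted(correlate(conns, flows).items()):
        print(f"PID {pid} <-> {remote}:{rport}: {len(stamps)} packet(s), first at {min(stamps):.2f}")
    print("Wireshark filter:", wireshark_filter(conns))
```

    A connection present in memory but absent from the capture (the SMB peer in the sample) is worth noting in the report as well: either the capture started after that session, or the capture point did not see that segment, and the disparity question in the lab directions is exactly this.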

    Hard Disk Analysis with EnCase

    1. Double click on the Lab Resources folder on the Desktop.

    2. Click the applications folder.

    3. Right click on the link to EnCase v 8.0.9 and select Run as administrator.

    4. Click New Case unless you already have a Lab3-4 case, in which case you can click it and skip to step 10.

    5. Type Lab3-4 for the Name and click OK. Click Yes to the 3 different warnings if they appear.

    6. Click Add Evidence.

    7. Click Add Raw Image.

    8. Right click in the white space and select New.

    9. Double click on Desktop. Click on the Lab Resources folder. Double click on the resources folder. Double click on CMIT_460_Lab_3-4_HDD. Highlight the first 5 files and click Open.

    10. Double click on the Disk Image to view the files and folders on the hard drive.

    11. View the files and folders from the disk.
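    Step 9 loads the hard drive image as several segment files, which is how split raw images are stored. A check an examiner would normally do before and after working the evidence is to hash the reassembled image, in segment order, and compare it with the value in the acquisition log. The script below is an added example and not part of the lab or of EnCase; it writes three constructed segments to a temporary folder (the names lab_image.001 to .003 and their contents are made up), hashes them as one stream, and shows that the result matches the whole-image hash regardless of the order the segment paths were supplied in.

```python
"""Verify a split raw disk image before loading it into a forensic tool.

Added example, not part of the lab handout. A split image's acquisition
hash covers the reassembled stream, so the segments are hashed in
numeric suffix order as one continuous input. Segment names and contents
below are constructed; on a real case pass the real segment paths.
"""
import hashlib
import re
import tempfile
from pathlib import Path


def segment_sort_key(path):
    """Order segments numerically by their suffix (.001, .002, ...), not lexically."""
    m = re.search(r"\.(\d+)$", Path(path).name)
    return int(m.group(1)) if m else 0


def hash_split_image(segments, algorithm="sha256", chunk_size=1 << 20):
    """Hash the concatenation of all segments as a single stream.

    Returns (hexdigest, total_bytes). Reading in fixed chunks keeps memory
    flat for multi-gigabyte images.
    """
    h = hashlib.new(algorithm)
    total = 0
    for seg in sorted(segments, key=segment_sort_key):
        with open(seg, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                h.update(chunk)
                total += len(chunk)
    return h.hexdigest(), total


def verify_against_log(segments, expected_hex, algorithm="sha256"):
    """True if the reassembled image matches the hash recorded at acquisition."""
    digest, _ = hash_split_image(segments, algorithm)
    return digest == expected_hex.lower()


def build_constructed_image(directory):
    """Write three constructed segments; return their paths and the whole-image hash."""
    parts = [b"MBR" + b"\x00" * 509, b"NTFS    " * 64, b"\xff" * 100]
    paths = []
    for i, data in enumerate(parts, start=1):
        p = Path(directory) / f"lab_image.{i:03d}"  # constructed segment name
        p.write_bytes(data)
        paths.append(p)
    whole = hashlib.sha256(b"".join(parts)).hexdigest()
    return paths, whole


def demo():
    """Run the constructed scenario and return the checks worth asserting on."""
    with tempfile.TemporaryDirectory() as d:
        paths, expected = build_constructed_image(d)
        digest, size = hash_split_image(paths)
        reordered, _ = hash_split_image(list(reversed(paths)))
        return {
            "size": size,
            "digest": digest,
            "matches": verify_against_log(paths, expected),
            "order_independent": reordered == digest,
            "tampered_detected": not verify_against_log(paths, "00" * 32),
        }


if __name__ == "__main__":
    result = demo()
    print(f"{result['size']} bytes, sha256={result['digest']}")
    print("matches acquisition log:", result["matches"])
    print("same hash when segments are given out of order:", result["order_independent"])
```

    Record the digest in the report alongside the evidence item; a mismatch after analysis means the image was written to, and the EnCase findings built on it cannot be relied on until that is explained.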

    Lab 4 Directions

    Submit all items via the instructor’s directions.

    • Using the data from week 3 with regard to the volatile data, PCAP files, and
    RAM image, correlate the data to successfully locate and extract artifacts left
    behind on the HDD image.

    • Explain why components were extracted, and the method used to locate
    artifacts.

    • Complete the initial findings report and the intrusion picture with information
    correlated among the PCAP file, volatile data collected, the RAM image, and
    the HDD image. Include findings of additional analysis conducted on the
    extraction of suspected malicious software, and explain why its extraction was
    important to the case.


    Lab 3 CMIT 460 Network Forensics

    Table of Contents

  • Introduction
  • ……………………………………………………………………………………………………………………………………………. 2

  • Location of Lab 3 and 4 Files
  • ……………………………………………………………………………………………………………………… 3

  • Analyzing Memory
  • …………………………………………………………………………………………………………………………………… 9

  • Analyzing PCAP Files
  • ………………………………………………………………………………………………………………………………. 20

    Hard Disk Analysis with

    EnCase

    ……………………………………………………………………………………………………………….. 29

  • Lab 3 Directions
  • …………………………………………………………………………………………………………………………………….. 38

    Introduction

    Lab Description:

    Network Forensics involves examining digital evidence collected by examiners. Some of the common
    artifacts that are examined are:

    • disk image files
    • images of memory (RAM)
    • volatile data collection
    • PCAP files

    Using all of the artifacts, you are trying to build a case and determine what happened, when it
    happened, and who did it. When you are able to correlate events from more than one artifact, you build
    a strong case.

    Learning Outcomes:

    The goal is to implement various techniques that are used in forensic investigations in response to
    network intrusions to collect and analyze information from computer networks.

    After completing this course, you should be able to:

    • evaluate the network security posture of an organization by performing risk assessments
    • analyze the data or indicators from networks and systems to detect intrusions
    • evaluate and prioritize the risk, threat level, or business impact of a confirmed network security

    incident
    • develop and execute a network security incident response strategy in order to mitigate effects

    on an organization

    Location of Lab 3 and 4 Files

    1. After connecting to https://vdi.umuc.edu, allocating the CMIT 460 lab, and using the Lab Broker

    to connect to the back end Windows 10 Workstation. (Username: StudentFirst, PW: Cyb3rl@b)

    2. You should start on the Windows 10 Desktop. Double click on the Lab Resources folder on
    the Desktop.

    Lab

    Resources Folder

    https://vdi.umuc.edu/

    3. Click the link to resources link.

    Resources Folder

    4. View the folders for the lab three and lab four files.

    Lab Resources Folder

    5. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder

    Lab Resources Folder

    6. Drag the CMIT_460_Lab_3-4.vmem file to the Local Disk C:

    vmem file

    7. You should now see CMIT_460_Lab_3-4.vmem file on Local Disk C:

    Memory file

    Analyzing Memory

    1. Right click on the Windows icon in the left hand corner of the desktop and go to run.

    run

    2. Type the following command to open the command prompt

    cmd

    cmd

    3. Type the following command to go to the root of the c: drive.

    C:\Users\StudentFirst\>cd \

    cmd

    4. Type the following command to view the available switches for the

    volatility

    command:

    C:\vola.exe -h

    volatility

    The full output of the command is listed below:

    Usage: Volatility – A memory forensics analysis platform.

    Options:

    -h, –help list all available options and their default values.

    Default values may be set in the configuration file

    (/etc/volatilityrc)

    –conf-file=.volatilityrc

    User based configuration file

    -d, –debug Debug volatility

    –plugins=PLUGINS Additional plugin directories to use (semi-colon

    separated)

    –info Print information about all registered objects

    –cache-directory=C:\Users\jesse/.cache\volatility

    Directory where cache files are stored

    –cache Use caching

    –tz=TZ Sets the (Olson) timezone for displaying timestamps

    using pytz (if installed) or tzset

    -f FILENAME, –filename=FILENAME

    Filename to use when opening an image

    –profile=WinXPSP2x86

    Name of the profile to load (use –info to see a list

    of supported profiles)

    -l LOCATION, –location=LOCATION

    A URN location from which to load an address space

    -w, –write Enable write support

    –dtb=DTB DTB Address

    –shift=SHIFT Mac KASLR shift address

    –output=text Output in this format (support is module specific, see

    the Module Output Options below)

    –output-file=OUTPUT_FILE

    Write output in this file

    -v, –verbose Verbose information

    -g KDBG, –kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit

    Windows 8 and above this is the address of

    KdCopyDataBlock)

    –force Force utilization of suspect profile

    –cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for

    Windows 10 only)

    -k KPCR, –kpcr=KPCR Specify a specific KPCR address

    Supported Plugin Commands:

    amcache Print AmCache information

    apihooks Detect API hooks in process and kernel memory

    atoms Print session and window station atom tables

    atomscan Pool scanner for atom tables

    auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv

    bigpools Dump the big page pools using BigPagePoolScanner

    bioskbd Reads the keyboard buffer from Real Mode memory

    cachedump Dumps cached domain hashes from memory

    callbacks Print system-wide notification routines

    clipboard Extract the contents of the windows clipboard

    cmdline Display process command-line arguments

    cmdscan Extract command history by scanning for _COMMAND_HISTORY

    connections Print list of open connections [Windows XP and 2003 Only]

    connscan Pool scanner for tcp connections

    consoles Extract command history by scanning for _CONSOLE_INFORMATION

    crashinfo Dump crash-dump information

    deskscan Poolscaner for tagDESKTOP (desktops)

    devicetree Show device tree

    dlldump Dump DLLs from a process address space

    dlllist Print list of loaded dlls for each process

    driverirp Driver IRP hook detection

    drivermodule Associate driver objects to kernel modules

    driverscan Pool scanner for driver objects

    dumpcerts Dump RSA private and public SSL keys

    dumpfiles Extract memory mapped and cached files

    dumpregistry Dumps registry files out to disk

    editbox Displays information about Edit controls. (Listbox experimental.)

    envars Display process environment variables

    eventhooks Print details on windows event hooks

    evtlogs Extract Windows Event Logs (XP/2003 only)

    filescan Pool scanner for file objects

    gahti Dump the USER handle type information

    gditimers Print installed GDI timers and callbacks

    gdt Display Global Descriptor Table

    getservicesids Get the names of services in the Registry and return Calculated SID

    getsids Print the SIDs owning each process

    handles Print list of open handles for each process

    hashdump Dumps passwords hashes (LM/NTLM) from memory

    hibinfo Dump hibernation file information

    hivedump Prints out a hive

    hivelist Print list of registry hives.

    hivescan Pool scanner for registry hives

    hpakextract Extract physical memory from an HPAK file

    hpakinfo Info on an HPAK file

    idt Display Interrupt Descriptor Table

    iehistory Reconstruct Internet Explorer cache / history

    imagecopy Copies a physical address space out as a raw DD image

    imageinfo Identify information for the image

    impscan Scan for calls to imported functions

    joblinks Print process job link information

    kdbgscan Search for and dump potential KDBG values

    kpcrscan Search for and dump potential KPCR values

    ldrmodules Detect unlinked DLLs

    lsadump Dump (decrypted) LSA secrets from the registry

    machoinfo Dump Mach-O file format information

    malfind Find hidden and injected code

    mbrparser Scans for and parses potential Master Boot Records (MBRs)

    memdump Dump the addressable memory for a process

    memmap Print the memory map

    messagehooks List desktop and thread window message hooks

    mftparser Scans for and parses potential MFT entries

    moddump Dump a kernel driver to an executable file sample

    modscan Pool scanner for kernel modules

    modules Print list of loaded modules

    multiscan Scan for various objects at once

    mutantscan Pool scanner for mutex objects

    notepad List currently displayed notepad text

    objtypescan Scan for Windows object type objects

    patcher Patches memory based on page scans

    poolpeek Configurable pool scanner plugin

    printkey Print a registry key, and its subkeys and values

    privs Display process privileges

    procdump Dump a process to an executable file sample

    pslist Print all running processes by following the EPROCESS lists

    psscan Pool scanner for process objects

    pstree Print process list as a tree

    psxview Find hidden processes with various process listings

    qemuinfo Dump Qemu information

    raw2dmp Converts a physical memory sample to a windbg crash dump

    screenshot Save a pseudo-screenshot based on GDI windows

    servicediff List Windows services (ala Plugx)

    sessions List details on _MM_SESSION_SPACE (user logon sessions)

    shellbags Prints ShellBags info

    shimcache Parses the Application Compatibility Shim Cache registry key

    shutdowntime Print ShutdownTime of machine from registry

    sockets Print list of open sockets

    sockscan Pool scanner for tcp socket objects

    ssdt Display SSDT entries

    strings Match physical offsets to virtual addresses (may take a while, VERY
    verbose)

    svcscan Scan for Windows services

    symlinkscan Pool scanner for symlink objects

    thrdscan Pool scanner for thread objects

    threads Investigate _ETHREAD and _KTHREADs

    timeliner Creates a timeline from various artifacts in memory

    timers Print kernel timers and associated module DPCs

    truecryptmaster Recover TrueCrypt 7.1a Master Keys

    truecryptpassphrase TrueCrypt Cached Passphrase Finder

    truecryptsummary TrueCrypt Summary

    unloadedmodules Print list of unloaded modules

    userassist Print userassist registry keys and information

    userhandles Dump the USER handle tables

    vaddump Dumps out the vad sections to a file

    vadinfo Dump the VAD info

    vadtree Walk the VAD tree and display in tree format

    vadwalk Walk the VAD tree

    vboxinfo Dump virtualbox information

    verinfo Prints out the version information from PE images

    vmwareinfo Dump VMware VMSS/VMSN information

    volshell Shell in the memory image

    windows Print Desktop Windows (verbose details)

    wintree Print Z-Order Desktop Windows Tree

    wndscan Pool scanner for window stations

    yarascan Scan process or kernel memory with Yara signatures

    – –

    In order to get the needed information, you will need to use the correct options from above.

    An example will be provided in the step below.

    When you run the tool, you need to type vola.exe and provide the location of the image file.

    First, let’s get the information from the RAM image.

    5. Type the following command to view the information about the RAM image:

    C:\vola.exe –f CMIT_460_Lab_3-4.vmem imageinfo

    volatility

    6. Type the following command to get the IP Address and Connection information:

    C:\vola.exe –f CMIT_460_Lab_3-4.vmem –profile=Win2003SP2x86 connscan

    volatility

    We now have an IP Address of 10.10.5.69 that needs to be examined. Look at connecting IP’s.

    Analyzing PCAP Files

    1. Double click on the Lab Resources folder on the Desktop.

    2. Click the resources link.

    3. View the folders for the lab three and lab four files.

    4. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder.

    5. Double click on the CMIT_460_Lab_3-4.pcap file to open it with Wireshark, the protocol analyzer.

    6. View the file within Wireshark.

    7. You have a relevant IP address. Filter on it by typing the following display filter; it matches every packet in which 10.10.5.69 is either the source or the destination:

    ip.addr == 10.10.5.69

    8. Double click on the Lab Resources folder on the Desktop.

    9. Double click the applications folder.

    10. Double click on Network Miner.

    11. Drag the CMIT_460_Lab_3-4.pcap file into the Network Miner window.

    12. View information about the intrusion in Network Miner.
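The display filter in step 7 is the whole pivot from the memory image into the capture, so it is worth being precise about what it matches. The following is an added example, not part of the lab handout: a small pure-Python pcap reader that applies the same predicate as `ip.addr == X` (source OR destination) and then tallies the remote endpoints the host talked to, which is the list step 12 has you read out of Network Miner. It assumes the classic libpcap format with an Ethernet link type and IPv4 traffic; the capture it runs on is constructed in the block (the remote side uses RFC 5737 documentation addresses), and the function names are mine.

```python
# Added example (not part of the lab handout): a minimal pure-Python pcap reader that
# applies the same predicate as the Wireshark display filter `ip.addr == X`, i.e. the
# packet matches when X is EITHER the source OR the destination IPv4 address.
# Assumptions: classic libpcap format (not pcapng), Ethernet link type, IPv4 only.
import ipaddress
import struct
from collections import Counter

ETH_HDR = 14
ETHERTYPE_IPV4 = b"\x08\x00"

def build_frame(src, dst, proto, sport, dport, payload=b"X" * 8):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame, used only to build the sample capture."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + ETHERTYPE_IPV4
    if proto == 6:   # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + l4 + payload

def build_pcap(packets):
    """Classic pcap: 24-byte global header (little-endian, linktype 1) + per-packet records."""
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets)
    return glob + recs

def iter_packets(data):
    """Yield (timestamp, frame bytes) for each record; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_ipv4(frame):
    """Return (src, dst, proto, sport, dport) or None if the frame is not IPv4."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    proto = frame[ETH_HDR + 9]
    src = str(ipaddress.ip_address(frame[ETH_HDR + 12:ETH_HDR + 16]))
    dst = str(ipaddress.ip_address(frame[ETH_HDR + 16:ETH_HDR + 20]))
    l4 = frame[ETH_HDR + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:      # TCP/UDP ports are the first 4 bytes of L4
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport

def ip_addr_filter(data, host):
    """Equivalent of `ip.addr == host`: keep packets where host is src OR dst."""
    matches = []
    for ts, frame in iter_packets(data):
        p = parse_ipv4(frame)
        if p and host in (p[0], p[1]):
            matches.append((ts,) + p)
    return matches

def peers_of(data, host):
    """Count the remote (ip, proto, port) endpoints the host exchanged packets with."""
    peers = Counter()
    for _ts, src, dst, proto, sport, dport in ip_addr_filter(data, host):
        peers[(dst, proto, dport) if src == host else (src, proto, sport)] += 1
    return peers

# Constructed sample capture; the remote side uses RFC 5737 documentation addresses.
_T0 = 1382448420
SAMPLE_PCAP = build_pcap([
    (_T0 + 0, build_frame("10.10.5.69", "198.51.100.7", 6, 1034, 80)),
    (_T0 + 1, build_frame("198.51.100.7", "10.10.5.69", 6, 80, 1034)),
    (_T0 + 2, build_frame("10.10.5.69", "198.51.100.7", 6, 1034, 80)),
    (_T0 + 3, build_frame("10.10.5.69", "203.0.113.9", 17, 49152, 53)),
    (_T0 + 4, build_frame("192.0.2.5", "192.0.2.6", 6, 40000, 443)),   # unrelated traffic
])

if __name__ == "__main__":
    for peer, n in peers_of(SAMPLE_PCAP, "10.10.5.69").most_common():
        print(peer, n)
```

Two things the lab's filter step does not say that matter when you type it into Wireshark: field names are lowercase and case-sensitive (`Ip.addr` is rejected), and `ip.addr == X` catches both directions, so to see only what the host initiated use `ip.src == X`. The peer counter above keys the inbound reply by its source port, which is why the two request packets and the one reply to 198.51.100.7:80 land in a single bucket.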

    Hard Disk Analysis with EnCase

    1. Double click on the Lab Resources folder on the Desktop.

    2. Click the applications folder.

    3. Right click on the link to EnCase v 8.0.9 and select Run as administrator.

    4. Click New Case.

    5. Type Lab3-4 for the Name and click OK. Click Yes to the 3 different warnings if they appear.

    6. Click Add Evidence.

    7. Click Add Raw Image.

    8. Right click in the white space and select New.

    9. Double click on Desktop. Click on the Lab Resources folder. Double click on the resources folder. Double click on CMIT_460_Lab_3-4_HDD. Highlight the first 5 files and click Open.

    10. Double click on the Disk Image to view the files and folders on the hard drive.

    11. View the files and folders from the disk.

    Lab 3 Directions

    Submit all items via the instructor’s directions.

    • Parse through the PCAP file and look for IP addresses of interest. Discuss why
    they are of interest.

    • Is there anything in the PCAP file that would suggest suspicious activity has
    taken place against the system provided for this case?

    • Gather volatile data components from the RAM image and verify the findings
    against your volatile data provided. Are there any disparities? If so, what would
    cause the differences or lack of findings in one compared to the other?

    • Create an initial findings report on the information correlated between the
    PCAP file, the volatile data collected, and the RAM image as it pertains to a
    potential intrusion. Also include any interesting IP addresses or information
    that traversed your network within the PCAP file.
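The third direction asks you to reconcile what connscan pulled from the RAM image with the volatile data (a netstat-style listing) and explain any disparities. The block below is an added example, not part of the lab handout: it parses both listings into the same (local, remote) tuples, diffs them, and emits the Wireshark filter for every remote host so the PCAP can be checked next. Both listings are constructed sample output in the real tools' layouts (a Volatility 2 connscan table and a Windows `netstat -an` table), not data from the lab image, and the helper names are mine.

```python
# Added example (not part of the lab handout): normalise Volatility 2 `connscan` output
# and a `netstat -an` volatile-data capture to the same (local, remote) tuples, diff them,
# and build the Wireshark display filter for pivoting into the PCAP. The two listings
# below are constructed sample output in the real tools' layouts, not data from the lab.
import re
from collections import namedtuple

Conn = namedtuple("Conn", "local remote")
_EP = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"        # ip:port endpoint, two capture groups

def parse_connscan(text):
    """connscan rows: offset, local ip:port, remote ip:port, pid -> {Conn: pid}."""
    pat = re.compile(r"^0x[0-9a-fA-F]+\s+" + _EP + r"\s+" + _EP + r"\s+(\d+)$")
    rows = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            rows[Conn(f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}")] = int(m[5])
    return rows

def parse_netstat(text):
    """Windows `netstat -an` TCP rows that have a peer (LISTENING has none) -> {Conn: state}."""
    pat = re.compile(r"^TCP\s+" + _EP + r"\s+" + _EP + r"\s+([A-Z_]+)$")
    rows = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m and m[5] != "LISTENING":
            rows[Conn(f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}")] = m[5]
    return rows

def compare(mem_rows, live_rows):
    """Split connections into those seen by both sources and those seen by only one."""
    a, b = set(mem_rows), set(live_rows)
    return {"both": sorted(a & b), "memory_only": sorted(a - b), "netstat_only": sorted(b - a)}

def remote_hosts(*row_sets):
    """Distinct remote IPs across any number of parsed listings (0.0.0.0 is not a peer)."""
    hosts = {c.remote.rsplit(":", 1)[0] for rows in row_sets for c in rows}
    return sorted(hosts - {"0.0.0.0"})

def wireshark_filter(hosts):
    """Display filter matching every packet to or from any of the hosts."""
    return " || ".join(f"ip.addr == {h}" for h in hosts)

# Constructed connscan output (layout of Volatility 2; values are made up).
CONNSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 10.10.5.69:1034           198.51.100.7:80           1552
0x020c3a80 10.10.5.69:1041           203.0.113.9:443           1552
0x021f0e10 10.10.5.69:1038           198.51.100.7:80           2468
"""

# Constructed `netstat -an` output from the volatile-data collection (values made up).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.10.5.69:1034        198.51.100.7:80        ESTABLISHED
  TCP    10.10.5.69:1041        203.0.113.9:443        ESTABLISHED
  TCP    10.10.5.69:1050        192.0.2.44:8080        SYN_SENT
"""

if __name__ == "__main__":
    mem, live = parse_connscan(CONNSCAN), parse_netstat(NETSTAT)
    for bucket, conns in compare(mem, live).items():
        print(bucket, [f"{c.local} -> {c.remote}" for c in conns])
    print(wireshark_filter(remote_hosts(mem, live)))
```

On the disparities question: connscan is a pool scanner, not a walk of the live connection table, so it can return _TCPT_OBJECT allocations for connections that were already closed when the image was taken (freed but not yet overwritten). That is the usual reason a "memory_only" row exists, and it is a lead rather than a contradiction; the PID it carries can be checked against pslist/psscan, and the connection's lifetime against the PCAP. A "netstat_only" row usually means the connection opened between the two collections, which is why recording the exact time of each collection matters.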



    [2192] [Feb 19, 2019]

    Forensic Analysis Investigative Report

    Incident Report Number

    20190219-I-001

    Report Name

    CMIT460 Final Project

    Location Category

    [Internal]

    Reported Incident Date

    20131022

    Table of Contents

    Executive Summary
    1.0 Initial Incident Discovery
    1.1 Summary
    1.2 Action Items
    1.3 Description of system(s) in question
    1.4 Identified Computer System(s)
    1.5 Security Mechanisms
    1.6 Initial Forensic Discovery
    1.7 Initial Corrective Action
    1.8 Participants
    1.9 Additional Information
    2.0 Forensic Process
    2.1 Tools
    2.2 Logs
    2.3 Methods
    3.0 Results and Findings
    3.1 Summary
    3.2 Corrective Actions
    3.3 Lessons Learned
    4.0 Appendix
    4.1 Reference 1
    4.2 Reference 2
    4.3 Reference 3
    4.4 Reference 4

    Executive Summary
    On October 22, 2013 at approximately 13:27, a company asset with the internal IP of 192.168.40.10 was compromised. The host was redirected to a malicious domain and proceeded to download and install various strains of malware. The infected host then began to beacon back to the malware Command and Control servers. The biggest potential risk to the organization is that the asset could have been exfiltrating data from the host machine; the beacon traffic was encrypted, so our team was unable to determine this for sure. For remediation, we suggest the machine be disconnected from the network immediately and then reimaged from a safe backup. After doing so, it can be reconnected and be back in business use.

    1.0 Initial Incident Discovery
    1.1 Summary
    The only evidence our team was able to acquire was a PCAP to perform this investigation. The following will be a summary of what we were able to determine during our initial assessment of the event.
    1.2 Action Items
    · Disconnect the system from the network
    · Reimage the machine from a safe backup.
    · Apply patches to the system.
    · Configuration changes (NoScript browser extension, antivirus, etc.)
    · Place system back into operations.
    1.3 Description of system(s) in question
    The system is located internally on the network (due to the addressing scheme) and was likely a user workstation. We are unable to determine which shares this system would have been able to access.

    1.4 Identified Computer System(s)
    System:
    · Hostname: Unable to determine
    · IP Address: 192.168.40.10
    · MAC Address: 00:20:18:eb:ca:28
    · Operating system: Unable to determine
    · Browser: Mozilla/4.0 (REF1)
    1.5 Security Mechanisms
    It is unlikely that there were any security mechanisms in place due to the routine nature of this compromise. Most antivirus systems, firewalls, or IPS would have prevented the download/installation of known malicious files. Sophos Antivirus immediately flagged the malware samples carved from the PCAP, thus they are known signatures/behaviors.
    1.6 Initial Forensic Discovery
    A script geolocates the IP of the host (from the domain j[.]maxmind[.]com).
    A beacon (POST) request goes to the malicious domain uocquimscisqaic[.]org.
    Then encrypted communication with the following IPs:
    · 72.24.235.141
    · 201.1.171.89
    · 85.28.144.49
    Followed by UDP traffic with the following likely malicious IPs:
    · 111.119.186.150
    · 24.142.33.67
    · 118.107.222.161
    · 95.180.241.120
    · 5.102.206.178
    · 84.202.148.220
    · 190.206.224.248
    · 185.12.43.63
    · 27.109.17.227
    · 37.49.224.148
    · 187.245.116.205
    · 202.29.179.251
    · 75.75.125.203
    · 182.160.5.97
    · 203.81.69.155
    ICMP pings from:
    · 202.87.216.190
    · 37.243.218.70
    · 212.85.174.80
    · 31.169.11.208
    Malicious files flagged as:
    · Generic-S
    · Generic-R
    · Exp-JS
    1.7 Initial Corrective Action
    · The system must be removed from the network/logically isolated to begin our investigation.
    · A write-blocker should be applied to the system to prevent any contamination.
    · A forensic image will be taken to perform analysis on.
    · We will carve the malware samples out into a VM and observe their behavior.
    1.8 Participants

    Name            Extension   Title
    Cameron Woody   ext. 702    Incident Response Analyst

    1.9 Additional Information
    Our team is working with limited resources in this specific case, as we only have a PCAP to work with. Ideally, there would be logs, IDS alerts, a network map, a drive image, etc. to work with.

    2.0 Forensic Process
    2.1 Tools
    · Wireshark (version 2.6.3)
    · VirusTotal (https://www.virustotal.com)
    · Sophos Endpoint (version 10.8.3)
    · DomainTools (https://www.domaintools.com/)

    2.2 Logs
    The primary indication of the compromise of this system is all of the beaconing activity. The asset beaconed to numerous likely malicious IP addresses including some Domain Generation Algorithm domains.
    2.3 Methods
    · Wireshark display filters:
      · ip.addr == 192.168.40.10
      · ip.addr == 192.168.40.10 && tcp.port == 80
      · tcp.stream eq #
    · VirusTotal:
      · Submitted the malicious files to the VirusTotal website.
    · Sophos:
      · Scanned the malicious files with Sophos Endpoint protection.
    · DomainTools:
      · Queried the malicious IPs in DomainTools to locate their geographic area.
    MD5 Hashes of files:
    · b05817f297aadba445fc04ffa840e5e2 mal1.exe
    · 630c7509c75b961afbe54720d606a6dd mal2.exe
    · 5d74f02594fc345f003c16c5d6c90b3a mal3_unknown
    · 146740484b2965609b789f43108c91b4 mal4.exe
    · 2ddb6e7cf1707f8adec71a228b5a52b4 mal5.exe
    · fc04ff7f5c763b943f5ac06521586dff mal6.exe
    · fdd6323ff4ea92102311da9213a29ac2 swf_file.swf
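Section 2.2 names the beaconing as the primary indicator, and the executive summary notes the beacon payloads were encrypted. Beaconing can still be surfaced from flow timing alone, because a check-in loop produces inter-arrival times that are far more regular than human browsing. The block below is an added example, not part of this report: it groups flow records by (source, destination, port), computes the coefficient of variation of the gaps between flows, and flags low-variance destinations. The flow records are constructed (the destinations are RFC 5737 documentation addresses, the start time is the report's incident time) and the function names and thresholds are mine.

```python
# Added example (not part of this report): flag beaconing destinations from flow records
# by the regularity of their inter-arrival times. Timing analysis works on encrypted
# traffic because it never looks at payload. All flow records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

_T0 = 1382448420   # constructed: 2013-10-22 13:27:00 UTC, the report's incident time
FLOWS = (
    # a 60 s check-in with a few seconds of jitter, C2-style
    [(_T0 + d, "192.168.40.10", "198.51.100.7", 443) for d in (0, 61, 119, 181, 240, 302)]
    # bursty, human-looking browsing to a web server
    + [(_T0 + d, "192.168.40.10", "203.0.113.9", 80) for d in (5, 7, 40, 41, 300, 301)]
    # too few flows to judge either way
    + [(_T0 + d, "192.168.40.10", "192.0.2.44", 8080) for d in (10, 70, 130)]
)

def inter_arrival(timestamps):
    """Gaps in seconds between consecutive flows, oldest first."""
    t = sorted(timestamps)
    return [b - a for a, b in zip(t, t[1:])]

def beacon_candidates(flows, min_flows=5, max_cv=0.15):
    """Return (src, dst, port) groups whose gaps are regular: CV = stdev/mean <= max_cv.

    Groups with fewer than min_flows flows are skipped because a handful of points
    cannot support a periodicity claim. Results are sorted most-regular first.
    """
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in by_key.items():
        if len(times) < min_flows:
            continue
        gaps = inter_arrival(times)
        period = mean(gaps)
        if period <= 0:           # duplicate timestamps only; nothing to measure
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port, "count": len(times),
                             "period_s": round(period, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])

if __name__ == "__main__":
    for f in beacon_candidates(FLOWS):
        print(f)
```

Two caveats before treating a hit as a finding. Real implants often add 20 to 50 percent jitter on purpose, which pushes the CV above a tight threshold, so loosen max_cv and look at the distribution of gaps rather than a single number; and legitimate periodic clients (update checks, NTP, mail polling) score just as well, so corroborate each candidate with destination reputation, first-seen time, and the owning process (the PID from connscan or pslist) before calling it C2.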
    3.0 Results and Findings
    3.1 Summary
    The user was browsing the internet and encountered a compromised site, aes[.]whichdigitalphoto.co[.]uk, which redirected the user to the malicious domain zivvgmyrwy.3razbave[.]info. A script was then downloaded from this domain (REF2). This script triggered a further download of an executable (REF3). This was followed by the download of 3 more executables, one of which launched a script to geo-locate the compromised system (REF4). One more executable was downloaded and then beacon activity began: various POSTs to malicious domains via various TCP and UDP ports. Our team has no visibility into what was contained in this traffic, but it could be data exfiltration.
    3.2 Corrective Actions
    · The machine should be reimaged from the most recent reliable backup.
    · Once it is successfully reimaged, the system should have all relevant patches applied to it.
    · After this, any mitigations should be applied:
      · Anti-virus
      · NoScript
      · IDS
    · Bring the system back into the live production environment.
    3.3 Lessons Learned
    Users should be more careful about which sites they browse to, especially at work. Do not browse to anything even remotely untrustworthy with a company workstation. Second, the user should install a browser extension such as NoScript, which will prevent the browser from executing any scripts or downloads without explicit permission. Any suspicious activity or slowdown on the workstation (we have no way of knowing whether this was noticeable at all) should be reported immediately.
    4.0 Appendix

    4.1 Reference 1 (REF1)
    Screenshot of the requesting host (compromised internal machine)’s web browser info.

    4.2 Reference 2 (REF2)
    Screenshot of the script download to the compromised machine.

    4.3 Reference 3 (REF3)
    Screenshot of the first executable download by the compromised machine.

    4.4 Reference 4 (REF4)
    Screenshot of the geo-location script run on the compromised machine.


    Created by: Cameron Woody

    Template adapted from Steve J. Scott, superhac.com. Retrieved January 2014 from http://superhac.com/wp-content/uploads/2008/01/cfiar


    Lab 4 CMIT 460 Network Forensics

    Table of Contents

  • Introduction
  • Location of Lab 3 and 4 Files
  • Analyzing Memory
  • Analyzing PCAP Files
  • Hard Disk Analysis with EnCase
  • Lab 4 Directions

    Introduction

    Lab Description:

    Network Forensics involves examining digital evidence collected by examiners. Some of the common
    artifacts that are examined are:

    • disk image files
    • images of memory (RAM)
    • volatile data collection
    • PCAP files

    Using all of the artifacts, you are trying to build a case and determine what happened, when it
    happened, and who did it. When you are able to correlate events from more than one artifact, you build
    a strong case.

    Learning Outcomes:

    The goal is to implement various techniques that are used in forensic investigations in response to
    network intrusions to collect and analyze information from computer networks.

    After completing this course, you should be able to:

    • evaluate the network security posture of an organization by performing risk assessments
    • analyze the data or indicators from networks and systems to detect intrusions
    • evaluate and prioritize the risk, threat level, or business impact of a confirmed network security incident
    • develop and execute a network security incident response strategy in order to mitigate effects on an organization

    Location of Lab 3 and 4 Files

    1. Connect to https://vdi.umuc.edu, allocate the CMIT 460 lab, and use the Lab Broker to connect to the back-end Windows 10 workstation (Username: StudentFirst, PW: Cyb3rl@b).

    2. You should start on the Windows 10 Desktop. Double click on the Lab Resources folder on the Desktop.

    3. Click the resources link.

    4. View the folders for the lab three and lab four files.

    5. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder.

    6. Drag the CMIT_460_Lab_3-4.vmem file to the Local Disk C:.

    7. You should now see the CMIT_460_Lab_3-4.vmem file on Local Disk C:.

    Analyzing Memory

    1. Right click on the Windows icon in the left-hand corner of the desktop and go to Run.

    2. Type the following command to open the command prompt:

    cmd

    3. Type the following command to go to the root of the C: drive:

    C:\Users\StudentFirst\>cd \

    4. Type the following command to view the available switches for the volatility command:

    C:\vola.exe -h

    The full output of the command is listed below:

    Usage: Volatility - A memory forensics analysis platform.

    Options:
      -h, --help            list all available options and their default values.
                            Default values may be set in the configuration file
                            (/etc/volatilityrc)
      --conf-file=.volatilityrc
                            User based configuration file
      -d, --debug           Debug volatility
      --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                            separated)
      --info                Print information about all registered objects
      --cache-directory=C:\Users\jesse/.cache\volatility
                            Directory where cache files are stored
      --cache               Use caching
      --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                            using pytz (if installed) or tzset
      -f FILENAME, --filename=FILENAME
                            Filename to use when opening an image
      --profile=WinXPSP2x86
                            Name of the profile to load (use --info to see a list
                            of supported profiles)
      -l LOCATION, --location=LOCATION
                            A URN location from which to load an address space
      -w, --write           Enable write support
      --dtb=DTB             DTB Address
      --shift=SHIFT         Mac KASLR shift address
      --output=text         Output in this format (support is module specific, see
                            the Module Output Options below)
      --output-file=OUTPUT_FILE
                            Write output in this file
      -v, --verbose         Verbose information
      -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                            Windows 8 and above this is the address of
                            KdCopyDataBlock)
      --force               Force utilization of suspect profile
      --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                            Windows 10 only)
      -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

    Supported Plugin Commands:

    amcache Print AmCache information

    apihooks Detect API hooks in process and kernel memory

    atoms Print session and window station atom tables

    atomscan Pool scanner for atom tables

    auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv

    bigpools Dump the big page pools using BigPagePoolScanner

    bioskbd Reads the keyboard buffer from Real Mode memory

    cachedump Dumps cached domain hashes from memory

    callbacks Print system-wide notification routines

    clipboard Extract the contents of the windows clipboard

    cmdline Display process command-line arguments

    cmdscan Extract command history by scanning for _COMMAND_HISTORY

    connections Print list of open connections [Windows XP and 2003 Only]

    connscan Pool scanner for tcp connections

    consoles Extract command history by scanning for _CONSOLE_INFORMATION

    crashinfo Dump crash-dump information

    deskscan Poolscaner for tagDESKTOP (desktops)

    devicetree Show device tree

    dlldump Dump DLLs from a process address space

    dlllist Print list of loaded dlls for each process

    driverirp Driver IRP hook detection

    drivermodule Associate driver objects to kernel modules

    driverscan Pool scanner for driver objects

    dumpcerts Dump RSA private and public SSL keys

    dumpfiles Extract memory mapped and cached files

    dumpregistry Dumps registry files out to disk

    editbox Displays information about Edit controls. (Listbox experimental.)

    envars Display process environment variables

    eventhooks Print details on windows event hooks

    evtlogs Extract Windows Event Logs (XP/2003 only)

    filescan Pool scanner for file objects

    gahti Dump the USER handle type information

    gditimers Print installed GDI timers and callbacks

    gdt Display Global Descriptor Table

    getservicesids Get the names of services in the Registry and return Calculated SID

    getsids Print the SIDs owning each process

    handles Print list of open handles for each process

    hashdump Dumps passwords hashes (LM/NTLM) from memory

    hibinfo Dump hibernation file information

    hivedump Prints out a hive

    hivelist Print list of registry hives.

    hivescan Pool scanner for registry hives

    hpakextract Extract physical memory from an HPAK file

    hpakinfo Info on an HPAK file

    idt Display Interrupt Descriptor Table

    iehistory Reconstruct Internet Explorer cache / history

    imagecopy Copies a physical address space out as a raw DD image

    imageinfo Identify information for the image

    impscan Scan for calls to imported functions

    joblinks Print process job link information

    kdbgscan Search for and dump potential KDBG values

    kpcrscan Search for and dump potential KPCR values

    ldrmodules Detect unlinked DLLs

    lsadump Dump (decrypted) LSA secrets from the registry

    machoinfo Dump Mach-O file format information

    malfind Find hidden and injected code

    mbrparser Scans for and parses potential Master Boot Records (MBRs)

    memdump Dump the addressable memory for a process

    memmap Print the memory map

    messagehooks List desktop and thread window message hooks

    mftparser Scans for and parses potential MFT entries

    moddump Dump a kernel driver to an executable file sample

    modscan Pool scanner for kernel modules

    modules Print list of loaded modules

    multiscan Scan for various objects at once

    mutantscan Pool scanner for mutex objects

    notepad List currently displayed notepad text

    objtypescan Scan for Windows object type objects

    patcher Patches memory based on page scans

    poolpeek Configurable pool scanner plugin

    printkey Print a registry key, and its subkeys and values

    privs Display process privileges

    procdump Dump a process to an executable file sample

    pslist Print all running processes by following the EPROCESS lists

    psscan Pool scanner for process objects

    pstree Print process list as a tree

    psxview Find hidden processes with various process listings

    qemuinfo Dump Qemu information

    raw2dmp Converts a physical memory sample to a windbg crash dump

    screenshot Save a pseudo-screenshot based on GDI windows

    servicediff List Windows services (ala Plugx)

    sessions List details on _MM_SESSION_SPACE (user logon sessions)

    shellbags Prints ShellBags info

    shimcache Parses the Application Compatibility Shim Cache registry key

    shutdowntime Print ShutdownTime of machine from registry

    sockets Print list of open sockets

    sockscan Pool scanner for tcp socket objects

    ssdt Display SSDT entries

    strings Match physical offsets to virtual addresses (may take a while, VERY
    verbose)

    svcscan Scan for Windows services

    symlinkscan Pool scanner for symlink objects

    thrdscan Pool scanner for thread objects

    threads Investigate _ETHREAD and _KTHREADs

    timeliner Creates a timeline from various artifacts in memory

    timers Print kernel timers and associated module DPCs

    truecryptmaster Recover TrueCrypt 7.1a Master Keys

    truecryptpassphrase TrueCrypt Cached Passphrase Finder

    truecryptsummary TrueCrypt Summary

    unloadedmodules Print list of unloaded modules

    userassist Print userassist registry keys and information

    userhandles Dump the USER handle tables

    vaddump Dumps out the vad sections to a file

    vadinfo Dump the VAD info

    vadtree Walk the VAD tree and display in tree format

    vadwalk Walk the VAD tree

    vboxinfo Dump virtualbox information

    verinfo Prints out the version information from PE images

    vmwareinfo Dump VMware VMSS/VMSN information

    volshell Shell in the memory image

    windows Print Desktop Windows (verbose details)

    wintree Print Z-Order Desktop Windows Tree

    wndscan Pool scanner for window stations

    yarascan Scan process or kernel memory with Yara signatures

    – –

    To get the needed information, you will need to pick the correct options and plugin from the list above. An example is provided in the steps below. When you run the tool, type vola.exe and give it the location of the image file with the -f option, followed by the plugin to run. First, let's get the information about the RAM image itself.

    5. Type the following command to view the information about the RAM image:

    C:\vola.exe -f CMIT_460_Lab_3-4.vmem imageinfo

    volatility

    6. Type the following command to get the IP address and connection information. The --profile value is the profile that imageinfo suggested for this image:

    C:\vola.exe -f CMIT_460_Lab_3-4.vmem --profile=Win2003SP2x86 connscan

    volatility

    We now have an IP address, 10.10.5.69, that needs to be examined. Note the remote IP addresses that connected to it; they are the pivot into the PCAP analysis below.
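    The connscan step above produces a table of TCP connections, and the analyst's job is to pull out which remote hosts touched the asset and on which local ports. The following script is an added example (not part of the lab or of Volatility) that parses connscan output in the Volatility 2 column layout (Offset(P), Local Address, Remote Address, Pid) and ranks the remote peers of a host by how many distinct local ports they reached. The sample output embedded in it is constructed for the demonstration and is not taken from the lab image; to use it on real output, pass the text from vola.exe to parse_connscan instead.

```python
import re
from collections import defaultdict

# Constructed sample of Volatility 2 "connscan" output (not from the lab image).
SAMPLE_CONNSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01e2a008 10.10.5.69:80             10.10.5.199:49213         1492
0x01e2c1f0 10.10.5.69:445            10.10.5.199:49217         4
0x01e31a30 10.10.5.69:1433           10.10.5.199:49301         2280
0x01e33c88 10.10.5.69:1038           10.10.5.12:53             1044
"""

# One connscan data row: hex offset, local ip:port, remote ip:port, pid.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<lip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+)\s+"
    r"(?P<rip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)\s+"
    r"(?P<pid>\d+)\s*$"
)


def parse_connscan(text):
    """Parse connscan rows into dicts; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "offset": int(m["offset"], 16),
            "local_ip": m["lip"], "local_port": int(m["lport"]),
            "remote_ip": m["rip"], "remote_port": int(m["rport"]),
            "pid": int(m["pid"]),
        })
    return rows


def peers_of(rows, host):
    """Map each remote peer of `host` to the sorted (local_port, pid) pairs it touched."""
    peers = defaultdict(set)
    for r in rows:
        if r["local_ip"] == host:
            peers[r["remote_ip"]].add((r["local_port"], r["pid"]))
    return {ip: sorted(pairs) for ip, pairs in peers.items()}


def rank_peers(rows, host):
    """Remote IPs ordered by number of distinct local ports contacted, most first."""
    peers = peers_of(rows, host)
    return sorted(peers, key=lambda ip: (-len({port for port, _ in peers[ip]}), ip))


if __name__ == "__main__":
    rows = parse_connscan(SAMPLE_CONNSCAN)
    for ip in rank_peers(rows, "10.10.5.69"):
        print(ip, peers_of(rows, "10.10.5.69")[ip])
```

    A peer that reaches several local ports in a short window is the usual signature of a port scan, and the pid column tells you which process owned each socket, which is the process to pull with procdump or memdump next.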

    Analyzing PCAP Files

    1. Double click on the Lab Resources folder on the Desktop.

    Lab Resources Folder

    2. Click the resources link.

    Resources Folder

    3. View the folders for the lab three and lab four files.

    Lab Resources Folder

    4. Double click on the CMIT_460_Lab3-4_VMEM-PCAP folder

    Lab Resources Folder

    5. Double click on the CMIT_460_Lab_3-4.pcap file to open it with Wireshark, the protocol
    analyzer.

    CMIT 460 lab3-4 pcap file

    6. View the file within Wireshark, the protocol analyzer.

    Wireshark

    7. You now have a relevant IP address. Filter on it by typing the following display filter:

    ip.addr == 10.10.5.69

    Wireshark

    8. Double click on the Lab Resources folder on the Desktop.

    Lab Resources Folder

    9. Double click the applications folder

    Applications Folder

    10. Double click on Network Miner.

    Network Miner

    11. Drag the CMIT_460_Lab_3-4.pcap file into the Network Miner Window

    Network Miner

    12. View information about the intrusion in Network Miner

    Network Miner
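    The Wireshark filter ip.addr == 10.10.5.69 in step 7 matches any IPv4 packet whose source or destination is that host. The script below is an added example (it is not part of the lab and uses no Wireshark or NetworkMiner code) that does the same selection by hand: it writes a small classic pcap file from constructed Ethernet/IPv4 frames, then walks the file with the standard-library struct module, decodes the IPv4 header and keeps the packets that involve the host. The capture, MAC addresses and timestamps are all constructed for the example. Reading the pcap with your own parser shows exactly which bytes the display filter is looking at, and the byte-order check on the magic number is the detail that trips up hand-written parsers most often.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = b"\x08\x00"
LINKTYPE_ETHERNET = 1


def build_ipv4_frame(src, dst, proto=6, payload=b""):
    """Constructed Ethernet II + IPv4 frame (header checksum left zero; the parser ignores it)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                # version 4, IHL 5 (20-byte header)
        0,                   # DSCP/ECN
        20 + len(payload),   # total length
        0, 0,                # identification, flags/fragment offset
        64, proto, 0,        # TTL, protocol, header checksum (not computed here)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return eth + ip_hdr + payload


def build_pcap(frames, first_ts=1387186140):
    """Serialize frames as a little-endian classic pcap (libpcap file format 2.4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame_bytes) from pcap bytes, honouring the byte order the magic signals."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto) for an IPv4-over-Ethernet frame, else None (e.g. ARP)."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, frame[23]


def filter_by_host(pcap_bytes, host):
    """Equivalent of the Wireshark display filter ip.addr == host."""
    hits = []
    for ts, frame in iter_packets(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed and host in parsed[:2]:
            hits.append((ts,) + parsed)
    return hits


# Constructed capture: two frames touching 10.10.5.69, one unrelated IPv4 frame, one ARP frame.
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("10.10.5.199", "10.10.5.69", proto=6),
    build_ipv4_frame("10.10.5.69", "10.10.5.199", proto=6),
    build_ipv4_frame("10.10.5.7", "10.10.5.12", proto=17),
    ARP_FRAME,
])

if __name__ == "__main__":
    for ts, src, dst, proto in filter_by_host(SAMPLE_PCAP, "10.10.5.69"):
        print(ts, src, "->", dst, "proto", proto)
```

    To run it against the lab capture, replace SAMPLE_PCAP with the bytes of CMIT_460_Lab_3-4.pcap read from disk; if that file was saved in pcapng format, iter_packets will refuse it, and Wireshark's "Save As" can write the classic pcap format.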

    Hard Disk Analysis with EnCase

    1. Double click on the Lab Resources folder on the Desktop.

    Lab Resources Folder

    2. Click the applications folder

    Applications Folder

    3. Right click on the link to EnCase v 8.0.9 and select Run as administrator

    EnCase

    4. Click New Case unless you already have a Lab3-4 case, in which case you can click it and skip to
    step 10.

    EnCase

    5. Type Lab3-4 for the Name and click OK. Click yes to the 3 different warnings if they appear.

    EnCase

    6. Click Add Evidence.

    EnCase

    7. Click Add Raw Image.

    EnCase

    8. Right click in the white space and select New.

    EnCase

    9. Double click on Desktop. Click on the Lab Resources folder. Double click on the resources
    folder. Double click on CMIT_460_Lab_3-4_HDD. Highlight the first 5 files and click Open.

    EnCase

    10. Double Click on the Disk Image to view the files and folders on the Hard Drive.

    EnCase

    11. View the files and folders from the disk.

    EnCase

    Lab 4 Directions

    Submit all items via the instructor’s directions.

    • Using the data from week 3 with regard to the volatile data, PCAP files, and
    RAM image, correlate the data to successfully locate and extract artifacts left
    behind on the HDD image.

    • Explain why components were extracted, and the method used to locate
    artifacts.

    • Complete the initial findings report and the intrusion picture with information
    correlated among the PCAP file, volatile data collected, the RAM image, and
    the HDD image. Include findings of additional analysis conducted on the
    extraction of suspected malicious software, and explain why its extraction was
    important to the case.


    William Stevenson

    September 25, 2020

    Lab 5

    CMIT 460-6380

    Professor Bill Wary

    Executive Summary

    On December 16, 2013 at approximately 0929 hours, a malicious actor identified as IP 10.10.5.199 began attempting port scanning on an organizational asset at IP 10.10.5.69. The port scan found vulnerable ports and was able to take malicious actions on the asset. These actions included accessing and utilizing the Metasploit framework on the asset, numerous SQL injection attacks utilizing admin credentials on the asset, the passing of several executable files that are likely to contain malware, and the establishment and utilization of a Netcat session on the asset from the malicious actor to execute one such executable.

    Containment

    The first step should be to isolate the affected asset physically or logically on the organizational network. Without fully understanding how these malicious executables may have affected other machines on the network, it would not be wise to unplug (power off) the asset before determining if there exists a better course of action. Assuming a honeypot does not already exist on this network, dumping the asset into a black hole VLAN can suffice, although the attacker is likely to recognize this and potentially start covering his or her tracks.

    If the organization has an interest in possible prosecution of the malicious actor, then proper evidence preservation techniques need to be followed. This would involve disconnecting the attacker and obtaining a forensic image of the affected asset for analysis. Otherwise, to prevent further harm to the asset, it would be advisable to fully disconnect the asset to ensure the attacker no longer is able to access it. This prevents the attacker from causing further harm and/or covering his or her tracks any further.

    After the asset is isolated and prevented from causing further harm on the network, the organization needs to put resources into tracing any and all potentially malicious traffic from the asset to other assets on the network as a result of the malicious executables. If such traffic is found to exist, these same containment strategies should be applied to all affected assets unless the scope of damage is clearly and unambiguously understood to not necessitate this.

    Eradication

    Given the unknown extent of the damage that the malicious executables could have caused to the asset, a full reimage is the safest bet for full eradication of the effects of the attack. If there is interest in a forensic investigation, no action should be taken until the investigation is complete and any litigation is finished. If there is no interest in litigation, but the organization would like to study the methodology and effects of the attack for their own edification, then it is vital that any and all studying be performed off the network, as the effects of the attack are unknown at this time. The attacker could have installed a backdoor, trojan, or rootkit type of malware that would not be detectable by any commercial or enterprise antivirus software, meaning a reimage is the safest and easiest route to take.

    Recovery

    If the asset is considered mission-critical and/or a backup exists, the backup should be brought online immediately to restore business operations. This would be defined in the business continuity plan for the organization. For restoring the affected asset, a full reimage should be performed to the last known good image. If a known good image does not exist or is unobtainable, restoring to factory default settings will achieve the desired effect for the eradication step, but will require significantly more work to restore the asset to mission capability. During this process, the asset should be verified to have all available patches installed and all relevant security configurations applied as appropriate before being brought back online. The asset should remain isolated from the organizational network until it is confirmed to be fully operational and secure, to include verifying that the vulnerable ports that were exploited are no longer available as an avenue of attack.

    In this specific instance, firewall configurations should be checked to ensure that this was not a failure of a border firewall or global ACL configuration that may leave other assets vulnerable. Final remediation steps would include adding the malicious IP to the block list and reevaluating the organizational security policy that allowed this breach to occur. Consideration should be given to firewall configuration and implementation as well as the addition or modification of an intrusion prevention architecture, either host-based or at the network border. A cost-benefit analysis of this breach could prove invaluable as a real-world example for determining the efficacy of these devices for this specific organization.

    William Stevenson

    October 2, 2020

    Lab 6

    CMIT 460-6380

    Professor Bill Wary

    Mitigation

    Without knowing the specifics about what caused the vulnerability on the asset 10.10.5.69 and left it open to be attacked and exploited, it is difficult to tailor mitigation techniques to this specific instance. However, several catch-all approaches can be broadly applied that will likely patch out most avenues of attack.

    The easiest and most important step is to keep any and all software and operating systems up to date with the latest patches and firmware. As exploits are discovered by or brought to the attention of vendors, security patches are rolled out to resolve the issues. Not installing these updates in a timely manner leaves any system using the software open to attack. While not all of these patches will resolve issues specific to avenues of attack that are likely to affect every organization, the best practice is to either automatically install updates, or to have a nightly patch period where services are shut down for a short amount of time to install patches. Making these patch windows nightly will ensure that the organization is never behind on critical patches when they are rolled out.

    Installing and maintaining up-to-date antivirus and antimalware software on all systems is also a cost-effective and easily implemented mitigation solution. These software packages usually auto-update to include all known virus signatures as they become available and can be configured to automatically act in the event of detecting malware. The ability to automatically quarantine the malware without relying on external actions is extremely useful and helps eliminate human error in the response process. Human review of all automated actions would be highly recommended to catch and rectify false positives.

    Maintaining regular backups for critical infrastructure and services is highly recommended. Full software backups of all assets would be best if economically practical, as would redundant hardware backups for critical systems. Last known working images, or clean images, stored on a server that is isolated from the main network would be useful to maintain in the event that an asset is fully compromised and no backup exists, or in the event that backups are corrupted as well, and would be very cost effective to implement.

    Implementing multi-factor authentication for access to all assets and strictly enforcing the principle of least privilege would be extremely cost-effective mitigation solutions, as would basic input validation and checking for passwords. In the case of this attack, the malicious actor was attempting multiple SQL injection attacks on the admin account. Backend input checking and validation would immediately discard these SQL statements from the input and render the attack useless. Additionally, multifactor authentication would mean that even if the attacker is successful in obtaining the admin credentials, they still will not be able to log in without a second layer of authentication such as a physical token or biometric validation. Finally, the principle of least privilege will ensure that the attacker is limited in the number of accounts that have access to admin rights, meaning focus can be given to these specific accounts for tighter security policies and monitoring. Narrowing the target pool that the attacker would reasonably be interested in and limiting who has valid access to these accounts makes it easier to identify attacks and to defend against them.
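    The paragraph above calls for backend input validation against the SQL injection attempts seen in the capture. The added example below (not from the lab or the report) shows the two halves of that mitigation side by side on a constructed in-memory SQLite table: a login query that splices user input into the SQL text, the parameterized form that keeps input as data, and an allow-list check on the username field as a second layer. The table, accounts and passwords are invented for the demonstration; passwords are stored in clear only to keep the example focused on the query, where a real store would hash them with a slow KDF.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; not the lab asset's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", 1), ("alice", "alice-pw", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The weak pattern: user input becomes part of the SQL statement itself."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders send input as bound values, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def username_is_wellformed(username):
    """Allow-list check for the username field: ASCII letters, digits, underscore, max 32 chars."""
    return (
        0 < len(username) <= 32
        and username.isascii()
        and username.replace("_", "").isalnum()
    )


def login_hardened(conn, username, password):
    """Validation first, then the parameterized query; reject before touching the database."""
    if not username_is_wellformed(username):
        return None
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    probe = "admin' --"   # a quote plus a SQL comment, the classic shape of the injected input
    print("vulnerable   :", login_vulnerable(db, probe, "wrong"))
    print("parameterized:", login_parameterized(db, probe, "wrong"))
    print("hardened     :", login_hardened(db, probe, "wrong"))
```

    The vulnerable function returns "admin" for the quote-and-comment input because the comment truncates the password check; the parameterized query compares the whole string as a literal username and finds nothing. Logging the rejections from username_is_wellformed is a cheap detection signal for exactly the probing described in the executive summary.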

    Network segregation and active monitoring are more expensive but much more effective mitigation techniques. Utilizing a network DMZ for public-facing assets, such as web and application servers, and segregating critical internal infrastructure to the extent reasonably possible behind strict ACLs and inbound firewall policies are industry best practice. This would mean that the most vulnerable assets would be separated from internal assets by increasingly strict security policies for inbound traffic, making it more difficult for a malicious actor to laterally hop from a less-secure web server to an internal host and beyond. Active network monitoring in the form of intrusion prevention and detection systems will enable automatic blocking and reporting of anomalous traffic, as well as giving network administrators the tools to monitor system performance and user behavior for anything out of the ordinary. It is essential to incorporate human review of traffic analysis reports as malicious actors become better and better at hiding malicious traffic within legitimate traffic, which can fool automated detection and prevention systems.

    Organizational Changes

    The first organizational change I would recommend would be a full review and revision of the firewall policies, particularly the inbound traffic rules on the asset that was compromised. The attack was able to happen because port scanning on the asset revealed open and vulnerable ports. Several open ports were found and at least one was able to be exploited, meaning that the firewall rules are not configured correctly for at least that one port. To be safe, I would recommend a full review of the inbound and outbound firewall rules for the asset, as well as any internal network firewalls should the asset be in a DMZ. It is more likely that there are lax firewall policies among all firewalls if the external firewall is misconfigured.

    After plugging any holes in the firewalls, a system-wide review of all software and operating systems should be conducted to ensure that all relevant security patches and firmware updates are in place, as well as ensuring proper enterprise antimalware is installed and configured correctly on all devices. Once everything is verified to be up to date, an organizational policy should be established to institute a nightly maintenance window during which network or system admins can install vendor patches. If the network is sufficiently redundant, this can be accomplished without taking services offline. It is key to install patches as soon as possible because malicious actors will take advantage of patch notes from vendors that detail the vulnerabilities that the patch fixes, which describes exactly how to attack organizations that do not install these patches in a timely fashion.

    Creating a unified organizational policy regarding the creation, storage, and administration of backups can greatly assist in recovery efforts for little overhead investment. A unified policy is essential to ensure compliance and a predictable action plan should a security event occur. The most robust solution would be inline hardware redundancy for all critical infrastructure and full backups of all infrastructure. A more economical solution would be full backups of critical infrastructure only. Either way, clean images of all devices on the network should be maintained for reimaging.

    The most expensive organizational changes would be related to network segregation and monitoring. Network monitoring solutions are a significant investment, but prove extremely valuable. Automated monitoring for anomalous network activity, traffic reports and analysis, and active threat monitoring can pick up the slack for any other mitigation techniques not implemented fully or correctly, or that are subject to human error. Virtualized or physical intrusion prevention systems can stop attacks dead in their tracks before damage can be done, well before even the most diligent human would be able to identify it. If the organization has not implemented a robust active network monitoring solution, one should immediately be procured and implemented with input from technical leadership in shaping the network traffic rules.

    Implementing a DMZ if one does not exist should be the next step after active monitoring, as this would prevent malicious actors from reaching internal network resources. The asset that was attacked is likely a web or application server, making it more vulnerable to attack. Segregating this asset would contain the intrusion if another were to happen. Similar to the least privilege policy, critical infrastructure should be segregated behind the most restrictive firewall possible without disrupting service. Limiting the number of individuals and devices that can access this infrastructure limits the ability of an attack to successfully reach them and disrupt critical services.

    Finally, the organization should immediately roll out a multifactor authentication policy. Multifactor authentication is the single most effective tool against access-based attacks both internal and external. This includes phishing and other social engineering attacks, which are shown to be highly successful, even in high-security environments. Biometrics are recommended above physical tokens as the second authentication method, as they are significantly harder to spoof or steal and are nearly impossible to lose, but this is the more expensive solution. Should the organization opt for a physical token authentication solution, they would need to implement a parallel policy regarding the administration, tracking, and replacement of physical tokens to prevent misuse and abuse. Multifactor authentication should be used to access any and all organizational resources but is of particular importance for critical infrastructure and high-level privileged accounts. While this may not have mitigated this specific attack, it is a simple and very cost-effective way to harden a network against its most vulnerable components being compromised: users.
