Home
Calendar
Certifications
Columns
Features
Forum
Resources
Vitals
Latest Additions
April 2013 Free Giveaway Sponsor - eLearnSecurity
Human Intelligence to Navigate the Security Data Deluge
February 2013 Free Giveaway Winner of SANS CyberCon Training
Interview: Bugcrowd Founders on Herding Ninjas for Crowdsourced Bug Bounties
Network Forensics: The Tree in the Forest
March 2013 Free Giveaway Sponsor - Mile2
Book Review: Violent Python
February 2013 Free Giveaway Sponsor - SANS
Holiday 2012 Free Giveaway Winner of Metasploit Pro by Rapid7
Course Review: SANS FOR408 Computer Forensic Investigations – Windows In-Depth
The Security Consulting Sugar High
Tutorial: Fun with SMB on the Command Line
Interview: Ilia Kolochenko, CEO of High-Tech Bridge
October 2012 Free Giveaway Winner of LearningGate Training
The Broken: Assessing Corporate Security in 2012 to Make a Better 2013
EH-Net Login
Welcome Guest.
Username:
Password:
Remember me
Lost Password?
No account yet?
Register
Who's Online
We have 47 guests and 1 member online
Free Business and Tech Magazines and eBooks
You are here:
Home
Ethical Hacking Discussions and Related Certifications
Incident Response
Incident Handling - Resources, from start to finish
EH-Net
May 21, 2013, 04:43:29 PM
Welcome,
Guest
. Please
login
or
register
.
Did you miss your
activation email?
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
News
: Go back to The Ethical Hacker Network Online Magazine
Home Page
Home
Help
Calendar
Login
Register
EH-Net
>
Ethical Hacking Discussions and Related Certifications
>
Incident Response
(Moderator:
don
) >
Incident Handling - Resources, from start to finish
Pages: [
1
]
Go Down
« previous
next »
Print
Author
Topic: Incident Handling - Resources, from start to finish (Read 20476 times)
0 Members and 1 Guest are viewing this topic.
Jhaddix
Sr. Member
Offline
Posts: 317
Incident Handling - Resources, from start to finish
«
on:
February 23, 2009, 04:02:37 PM »
I had a lot of people see EH's posts on IH as well as a few on my site and i wanted to put together a coherent list of links for IH/IR. Whether you are just starting a IR team, or are looking to refine your methods, there should be a few items for everyone. This is not all my information, some of it was gathered by me, some by gracious forum members. I will continually update it if you guys would like to add something! Please, please, please help me add to this =)
Level I - Incident Response / Incident Handling
These are very good top level (they don't stay that way for long) documents describing IH/IR.
NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
SANS 6-Step Process
Computer and Network Security Task Force IR/IH page
Carnegie Mellon's Handbook for CSIRTs (creation and roles for a IR/IH Team)
Level II - Specifics
SANS offers a lot to the security community, so there it is really no surprise that their reading room and their instructors offer some of the best resources around.
SANS InfoSec Reading Room - Incident Handling
Initial Security Incident Questionnaire for Responders
Security Incident Survey Cheat Sheet for Server Administrators
Network DDoS Incident Response Cheat Sheet
Incident Reverse-Engineering Cheat Sheet
CERT Virtual Training related to IH/IR
tssci-security Web application security incident handling insights
SANS Intrusion Discovery Cheat Sheet: Linux
SANS Intrusion Discovery Cheat Sheet: Windows
Tools
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate
This script outputs all useful IR windows commands, and some sysinternals Scripts into one place. Note it is meant to be used after you have taken the initial HD image. Great writeup on it
here
Quote
Matt Churchill over at Binary Intelligence has put together a listing of tools for forensics.
FreeForensic Tools
In November I did a presentation at the monthly NebraskaCert Cyber Security Forum. Someone had suggested an overview of forensic tools. I put together a list of free tools in a couple different categories. Here is the list:
Imaging
FTK Imager
http://www.accessdata.com/downloads.html
Forensic Acquisition Utilities (FAU)
http://gmgsystemsinc.com/fau/
Carving
Winhex
http://www.x-ways.net/winhex/
PhotoRec
http://www.cgsecurity.org/wiki/PhotoRec
Scalpel
http://www.digitalforensicssolutions.com/Scalpel/
Analyze
ProDiscover Basic
http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14
The Sleuthkit and Autopsy
http://www.sleuthkit.org/
PTK
http://ptk.dflabs.com/
WinHex
http://www.x-ways.net/winhex/
PyFlag
http://www.pyflag.net/cgi-bin/moin.cgi
FTK Demo (up to 5000 items)
http://www.accessdata.com/downloads.html
SANS SIFT Workstation (only available to portal members)
http://forensics.sans.org/community/downloads/
Memory Analysis
mdd
http://sourceforge.net/project/showfiles.php?group_id=228865
win32dd
http://win32dd.msuiche.net/
Volatility
https://www.volatilesystems.com/default/volatility
Memoryze
http://www.mandiant.com/software/memoryze.htm
Virtualization
LiveView (launch image in VMWare)
http://liveview.sourceforge.net/
ProDiscover Basic (creates config files)
http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14
VDKWin (edit config files)
http://petruska.stardock.net/Software/VMware.html
Live CDs
Helix
http://www.e-fense.com/helix/
Caine
http://www.caine-live.net/en/index.html
PlainSight
http://www.plainsight.info/download.html
BAckTrack (**will mount drives, but has forensic tools)
http://www.remote-exploit.org/backtrack.html
Misc.
RegRipper (excellent Registry parser)
http://regripper.net/
Forensic CaseNotes
http://www.qccis.com/?section=casenotes
NirSoft Tools
http://www.nirsoft.net/
Historian
http://www.mandiant.com/software/webhistorian.htm
Windows File Analyzer
http://www.mitec.cz/wfa.html
Websites
http://windowsir.blogspot.com
http://forensicir.blogspot.com
http://sansforensics.wordpress.com
www.ForensicFocus.com
www.E-Evidence.info
www.forensicswiki.org
Reporting
When it comes to Advanced Threats there is some argument on reporting, if you chose to The
Internet Storm Center
and
Shadowserver Foundation
are good places to start.
Certification
We all want ways to distinguish ourselves, right? Below are the ways to go for certification, albeit not always the cheapest options.
CERT®-Certified Computer Security Incident Handler
SANS/GIAC Certified Incident Handler
Resources
Incident Report Templates
Gideon T. Rasmussen's Incident Report Template
SANS Incident Identification Form
SANS Incident Survey Form
SANS Incident Containment Form
SANS Incident Eradication Form
SANS Incident Communication Log Form
Melissa Guenther's Incident Report Form
US-CERT Incident Reporting System
«
Last Edit: June 11, 2009, 12:44:56 PM by Jhaddix
»
Logged
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester
http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
xXxKrisxXx
Hero Member
Offline
Posts: 512
Re: Incident Handling - Resources, from start to finish
«
Reply #1 on:
February 23, 2009, 04:32:50 PM »
This look like a lot of good material you've racked up here. This'll definitely be one of the threads I'll be pointing people toward if they have questions about Incident Handling.
Logged
eCPPT, GCIH, OSCP, OSWP
timmedin
Sr. Member
Offline
Posts: 469
Re: Incident Handling - Resources, from start to finish
«
Reply #2 on:
February 23, 2009, 09:30:44 PM »
Great list
Quote from: Jhaddix on February 23, 2009, 04:02:37 PM
NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
When writing IH procedures I have found NIST 800-61 to be tremendously useful. If you only had one resource this would be it.
I would recommend running through Appendix B-Incident Handling Scenarios. It is great for helping you work out any kinks you may have in your organization's IH procedure. It is also go to have a few trial runs at these situations so you are better able to handle them and think more clearly.
Logged
twitter.com/timmedin |
http://blog.securitywhole.com
Andrew Waite
Hero Member
Offline
Posts: 928
Re: Incident Handling - Resources, from start to finish
«
Reply #3 on:
February 24, 2009, 06:52:05 AM »
Jhaddix, nice list
think I've got/read most of the links but I'll take a closer look at those I haven't. Plus, always nice to have everything in one place makes the bookmarks easier to manage.
Cheers,
RR
Logged
--
http://www.infosanity.co.uk
--
http://blog.infosanity.co.uk
coffeeking
Newbie
Offline
Posts: 1
Re: Incident Handling - Resources, from start to finish
«
Reply #4 on:
May 26, 2009, 11:36:48 PM »
Jhaddix mate, this is awesome. thanks for taking time to put this together, very good information for people in field.
Logged
Jhaddix
Sr. Member
Offline
Posts: 317
Re: Incident Handling - Resources, from start to finish
«
Reply #5 on:
June 11, 2009, 11:06:22 AM »
Updated 6/11- Added tools section with Matt C's tools list and MIR-ROR. Also added forensicswiki.org to list
«
Last Edit: June 11, 2009, 11:10:08 AM by Jhaddix
»
Logged
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester
http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
unsupported
Sr. Member
Offline
Posts: 318
Unofficial Newbie Moderator
Re: Incident Handling - Resources, from start to finish
«
Reply #6 on:
June 11, 2009, 11:15:24 AM »
Under Resources the link to CERT/CC Incident Reporting Guidelines has been moved/removed.
Also, I think a good addition would be SANS cheat sheets by Ed Skoudis. There is one for Windows (
http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf
), NetCat (
http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf
), and Misc tools aka Metasploit, Meterpreter, fqdump, and hping. (
http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf
). Ed has mentioned a UNIX cheat sheet, but I yet to find it.
Nice to see this is a "living document".
Logged
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
Jhaddix
Sr. Member
Offline
Posts: 317
Re: Incident Handling - Resources, from start to finish
«
Reply #7 on:
June 11, 2009, 12:45:13 PM »
Quote from: unsupported on June 11, 2009, 11:15:24 AM
Under Resources the link to CERT/CC Incident Reporting Guidelines has been moved/removed.
Also, I think a good addition would be SANS cheat sheets by Ed Skoudis. There is one for Windows (
http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf
), NetCat (
http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf
), and Misc tools aka Metasploit, Meterpreter, fqdump, and hping. (
http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf
). Ed has mentioned a UNIX cheat sheet, but I yet to find it.
Nice to see this is a "living document".
Thanks =)
Cert has removed that page so i will look for something comparable. Also, those tools are more for pentesting and ethical hacking than IH/IR, i will make pentesting page soon when i get some free time =)
The unix and windows SANS discovery cheatsheets have been added now =)
Logged
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester
http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
unsupported
Sr. Member
Offline
Posts: 318
Unofficial Newbie Moderator
Re: Incident Handling - Resources, from start to finish
«
Reply #8 on:
June 11, 2009, 02:11:15 PM »
When will you ever have time between world class interviewing, article writing, and your normal work?
Logged
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
Jhaddix
Sr. Member
Offline
Posts: 317
Re: Incident Handling - Resources, from start to finish
«
Reply #9 on:
June 11, 2009, 06:24:21 PM »
Quote from: unsupported on June 11, 2009, 02:11:15 PM
When will you ever have time between world class interviewing, article writing, and your normal work?
Don't forget the baby!
=P
Logged
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester
http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
KDPryor
Newbie
Offline
Posts: 2
Re: Incident Handling - Resources, from start to finish
«
Reply #10 on:
August 06, 2009, 11:46:31 PM »
Excellent list! Here a couple of tools you may or may not want to add. Both of these are free tools to mount a drive image as a new drive to your system and assign them a driver letter. I use both of them.
1.
Paraben P2eXplorer
This one is a little odd because, even though it's free, they still require you to enter a credit card number. Other than that, it's great. Oh, it doesn't work on a 64 bit system as I discovered.
2.
IMDisk
Another excellent mounting utility.
KP
«
Last Edit: July 13, 2010, 12:45:24 PM by KDPryor
»
Logged
GCFA
Graduate of SANS FOR 508 and FOR 526
Pages: [
1
]
Go Up
Print
« previous
next »
Jump to:
Please select a destination:
-----------------------------
EH-Net
-----------------------------
=> Calendar Of Events
===> ChicagoCon 2007
===> ChicagoCon 2008s
===> ChicagoCon 2008f
===> ChicagoCon 2009s
=> Ethical Hacktivism
=> News Items and General Discussion About EH-Net
===> Greetings
=> Special Events
-----------------------------
Ethical Hacking Discussions and Related Certifications
-----------------------------
=> General Certification
===> Networking
===> OS
===> Security
=> Compliance, Regulations & Standards
=> Control Systems
=> Cyber Warfare
=> Forensics
===> CCE / MCCE - (Master) Certified Computer Examiner
===> CHFI - Computer Hacking Forensic Investigator
===> EnCE - EnCase® Certified Examiner
===> GCFA - GIAC Certified Forensics Analyst
=> Hardware
=> Incident Response
===> CSIH - Computer Security Incident Handler
===> GCIH - GIAC Certified Incident Handler
=> Malware
===> Advisories
=> Mobile
=> Network Pen Testing
===> CEH - Certified Ethical Hacker
===> CPTC - Certified Penetration Testing Consultant
===> CPTE - Certified Penetration Testing Engineer
===> CSTA - Certified Security Testing Associate
===> eCPPT - eLearnSecurity Certified Professional Penetration Tester
===> ECSA - EC-Council Certified Security Analyst
===> GPEN - GIAC Certified Penetration Tester
===> OSCP - Offensive Security Certified Professional
=> Physical Security
=> Programming
=> Social Engineering
=> Web Applications
=> Wireless
===> CWNP Certs
===> GAWN - GIAC Assessing Wireless Networks
===> OSWP - Offensive Security Wireless Professional
=> Other
-----------------------------
Columns
-----------------------------
=> Editor-In-Chief
=> Andress
=> Gates
=> Haddix
=> Hadnagy
=> Heffner
=> Hoffman
=> Linn
=> RichM
=> Murray
=> J. Peltier
=> Weidman
=> Wilson
-----------------------------
Features
-----------------------------
=> /root
=> Book Reviews
=> Opinions
=> Skillz
===> Examples
===> May 06 - Star Hacks, Episode V: The Empire Hacks Back
===> July 06 - Hack Bill!
===> Sept 06 - Netcat in the Hat
===> Nov 06 - Hitch-Hackers Guide to the Galaxy
===> Dec 06 - A Christmas (Hacking) Story
===> Feb 07 - Charlottes Web Site
===> April 07 - Microsoft Office Space
===> June 07 - Serenity Hack
===> Oct 07 - Worst. Ethical. Hacker. Challenge. Ever.
===> Dec 07 - Frosty the Snow Crash
===> March 2008 - It Happened One Friday
===> Oct 2008 - Scooby Doo and the Crypto Caper
===> Dec 08 - Santa Claus Is Hacking to Town
===> Feb 2009 - Brady Bunch Boondoggle
===> July 2009 - Prison Break
===> October 2009 - SSHliders
===> December 2009 - Miracle on Thirty-Hack Street
===> December 2010 - The Nightmare Before Charlie Browns Christmas
-----------------------------
Resources
-----------------------------
=> Career Central
===> Looking For Work
===> Looking To Hire
=> Links to cool sites.
=> Mass Media
=> News from the Outside World
=> Tools
=> Tutorials
===> Tutorial Requests
Loading...
Exclusive Deal
SANSFIRE 2013
June 15 - 22
5% Off
w/ Code
:
EHN_5
SANS Deals 4 EH-Netters
5% OFF
Any
SANS Course
in Any Format!
Coupon Code:
EHN_5
Including
SANS Rocky Mountain 2013
&
SANS Boston 2013
Polls
Compared to this year, 2013 will be:
Great!
Better.
About the same.
Little worse.
FUBAR!
Recent Forum Topics
Programming
: Finished Python Course in Codecademy now what?
(13) by
securitian
Network Pen Testing
: Ruby on Rails Vulnerabilities/Attacks in BackTrack 5 r3
(0) by
SUdoctstudent
Network Pen Testing
: De-ICE 1.140 released!
(2) by
superkojiman
Network Pen Testing
: AIX Vulnerability Assessments
(1) by
3xban
General Certification
: CPT Practical Submission
(1) by
UNIX
OSCP - Offensive Security Certified Professional
: Failed my first attempt at the OSCP exam
(94) by
azmatt
Tools
: Social-Engineer Toolkit (SET) Version 5.0 “The Wild West” Released
(2) by
m0wgli
Malware
: EICAR?
(3) by
UKSecurityGuy
Advisories
: HTB23154: Multiple Vulnerabilities in Exponent CMS
(0) by
AndyP
Advisories
: HTB23153: Multiple Vulnerabilities in Jojo CMS
(0) by
AndyP
Advisories
: HTB23151: Cross-Site Request Forgery (CSRF) in UMI.CMS
(0) by
AndyP
Tutorials
: Need guidance
(8) by
r0ckm4n
OSCP - Offensive Security Certified Professional
: Class Scheduled 6/8 - Linux n00b
(7) by
Taemyks
OSCP - Offensive Security Certified Professional
: OSCP exam scheduled
(6) by
gbhat
Incident Response
: LinkedIn Forensics
(0) by
AFENTIS_Forensics
General Certification
: Red Team/Blue Team
(1) by
ajohnson
Career Central
: Starter cert?
(3) by
Grendel
Network Pen Testing
: Beginner Ethical Hacker
(1) by
m0wgli
Web Applications
: Nessus and Nikto
(4) by
Seen
Network Pen Testing
: Cracking salted MD5 hash
(4) by
n37sh@rk
CEH - Certified Ethical Hacker
: Passed my C|EH
(3) by
n37sh@rk
Mass Media
: EC-council hacked, irony at his best?
(0) by
j0rDy
Web Applications
: SQL Injection into an INSERT statement.
(6) by
eyenit0
Network Pen Testing
: Solution for sipXtapi INVITE Message CSeq Field Header Remote Overflow
(1) by
m0wgli
Web Applications
: dns
(2) by
H1t M0nk3y
Other
: BSides Boston
(0) by
3xban
Career Central
: InfoSec in Central, FL
(2) by
tturner
Web Applications
: Web vulnerability scanner
(4) by
H1t M0nk3y
EH-Net News Feeds
Latest Additions
Privacy Notice
for TDCC & All Properties
© 2013 The Ethical Hacker Network
Joomla!
is Free Software released under the GNU/GPL License.
Programming : Finished Python Course in Codecademy now what?
