Topic: Incident Handling - Resources, from start to finish (EH-Net forum, Incident Response board)
Jhaddix (Sr. Member, 317 posts) | Incident Handling - Resources, from start to finish | February 23, 2009, 04:02:37 PM
I had a lot of people see EH's posts on IH as well as a few on my site, and I wanted to put together a coherent list of links for IH/IR. Whether you are just starting an IR team or are looking to refine your methods, there should be a few items for everyone. This is not all my information; some of it was gathered by me, some by gracious forum members. I will continually update it if you guys would like to add something! Please, please, please help me add to this =)
Level I - Incident Response / Incident Handling
These are very good top level (they don't stay that way for long) documents describing IH/IR.
NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
SANS 6-Step Process
Computer and Network Security Task Force IR/IH page
Carnegie Mellon's Handbook for CSIRTs (creation and roles for a IR/IH Team)
Level II - Specifics
SANS offers a lot to the security community, so it is really no surprise that their reading room and their instructors offer some of the best resources around.
SANS InfoSec Reading Room - Incident Handling
Initial Security Incident Questionnaire for Responders
Security Incident Survey Cheat Sheet for Server Administrators
Network DDoS Incident Response Cheat Sheet
Incident Reverse-Engineering Cheat Sheet
CERT Virtual Training related to IH/IR
tssci-security Web application security incident handling insights
SANS Intrusion Discovery Cheat Sheet: Linux
SANS Intrusion Discovery Cheat Sheet: Windows
Tools
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate
This script outputs all useful IR Windows commands, and some Sysinternals scripts, into one place. Note it is meant to be used after you have taken the initial HD image. Great writeup on it here.
Quote:
Matt Churchill over at Binary Intelligence has put together a listing of tools for forensics.
Free Forensic Tools
In November I did a presentation at the monthly NebraskaCert Cyber Security Forum. Someone had suggested an overview of forensic tools. I put together a list of free tools in a couple different categories. Here is the list:
Imaging
FTK Imager - http://www.accessdata.com/downloads.html
Forensic Acquisition Utilities (FAU) - http://gmgsystemsinc.com/fau/
Carving
Winhex - http://www.x-ways.net/winhex/
PhotoRec - http://www.cgsecurity.org/wiki/PhotoRec
Scalpel - http://www.digitalforensicssolutions.com/Scalpel/
Analyze
ProDiscover Basic - http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14
The Sleuthkit and Autopsy - http://www.sleuthkit.org/
PTK - http://ptk.dflabs.com/
WinHex - http://www.x-ways.net/winhex/
PyFlag - http://www.pyflag.net/cgi-bin/moin.cgi
FTK Demo (up to 5000 items) - http://www.accessdata.com/downloads.html
SANS SIFT Workstation (only available to portal members) - http://forensics.sans.org/community/downloads/
Memory Analysis
mdd - http://sourceforge.net/project/showfiles.php?group_id=228865
win32dd - http://win32dd.msuiche.net/
Volatility - https://www.volatilesystems.com/default/volatility
Memoryze - http://www.mandiant.com/software/memoryze.htm
Virtualization
LiveView (launch image in VMWare) - http://liveview.sourceforge.net/
ProDiscover Basic (creates config files) - http://www.techpathways.com/DesktopDefault.aspx?tabindex=9&tabid=14
VDKWin (edit config files) - http://petruska.stardock.net/Software/VMware.html
Live CDs
Helix - http://www.e-fense.com/helix/
Caine - http://www.caine-live.net/en/index.html
PlainSight - http://www.plainsight.info/download.html
BackTrack (**will mount drives, but has forensic tools) - http://www.remote-exploit.org/backtrack.html
Misc.
RegRipper (excellent Registry parser) - http://regripper.net/
Forensic CaseNotes - http://www.qccis.com/?section=casenotes
NirSoft Tools - http://www.nirsoft.net/
Historian - http://www.mandiant.com/software/webhistorian.htm
Windows File Analyzer - http://www.mitec.cz/wfa.html
Websites
http://windowsir.blogspot.com
http://forensicir.blogspot.com
http://sansforensics.wordpress.com
www.ForensicFocus.com
www.E-Evidence.info
www.forensicswiki.org
Reporting
When it comes to advanced threats there is some argument about reporting; if you choose to, the Internet Storm Center and the Shadowserver Foundation are good places to start.
Certification
We all want ways to distinguish ourselves, right? Below are the ways to go for certification, albeit not always the cheapest options.
CERT®-Certified Computer Security Incident Handler
SANS/GIAC Certified Incident Handler
Resources
Incident Report Templates
Gideon T. Rasmussen's Incident Report Template
SANS Incident Identification Form
SANS Incident Survey Form
SANS Incident Containment Form
SANS Incident Eradication Form
SANS Incident Communication Log Form
Melissa Guenther's Incident Report Form
US-CERT Incident Reporting System
Last Edit: June 11, 2009, 12:44:56 PM by Jhaddix
GSEC, GPEN, GWAPT, ECPPT, WAHHlive, LSOAdvancedPenTester
http://www.securityaegis.com
http://www.pentesterscripting.com
http://code.google.com/p/pentest-bookmarks/
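The "Carving" tools in the list above (Scalpel, PhotoRec) all work the same way: scan the raw bytes of an image for known file headers, then cut from each header to the matching footer or to a size cap. The script below is an added example of that technique, written for this thread; it is not code from the thread, from Scalpel or from PhotoRec. The JPEG/PNG signatures are real, the "disk" bytes it scans are constructed inline, and the output naming (offset.type) is an assumption borrowed from how such carvers usually name hits.

```python
"""Header/footer file carving over a raw byte blob, the technique behind
Scalpel and PhotoRec's signature mode. Added example, not code from the
thread or from either tool. The sample "disk" bytes are constructed here."""
import hashlib
import os

# (type, header, footer, max carve length). Offsets are byte offsets into
# the blob; a real carver reads the image in chunks and keeps a window.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
]


def carve(blob, signatures=SIGNATURES):
    """Return carved objects sorted by offset.

    For every header hit, look for the matching footer within max_len bytes.
    If none is found, carve up to max_len (or end of blob) and flag the result
    as incomplete, which is what Scalpel does for truncated files. Scanning
    resumes just past the header, so a JPEG with an embedded EXIF thumbnail
    yields two candidates: the outer file (whose first FFD9 is the thumbnail's
    end) and the thumbnail. That false positive is a known carving limitation."""
    found = []
    for name, header, footer, max_len in signatures:
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            limit = min(len(blob), start + max_len)
            foot = blob.find(footer, start + len(header), limit)
            if foot < 0:
                end, complete = limit, False
            else:
                end, complete = foot + len(footer), True
            data = blob[start:end]
            found.append({
                "type": name,
                "offset": start,
                "size": len(data),
                "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = start + len(header)
    return sorted(found, key=lambda r: r["offset"])


def write_carved(blob, results, outdir):
    """Write each carved object as <offset>.<type> (assumed naming scheme)."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for r in results:
        path = os.path.join(outdir, f"{r['offset']:08x}.{r['type']}")
        with open(path, "wb") as fh:
            fh.write(blob[r["offset"]:r["offset"] + r["size"]])
        paths.append(path)
    return paths


def build_sample_blob():
    """Constructed 'disk' bytes: 512 bytes of unallocated zeros, one complete
    JPEG-shaped object (46 bytes), filler, then a PNG header whose IEND
    footer was never written, followed by more zeros."""
    jpeg = b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9"
    png_truncated = b"\x89PNG\r\n\x1a\n" + b"B" * 30
    return b"\x00" * 512 + jpeg + b"X" * 100 + png_truncated + b"\x00" * 50


SAMPLE_BLOB = build_sample_blob()

if __name__ == "__main__":
    for hit in carve(SAMPLE_BLOB):
        print(hit)
```

Run it on a real image by replacing SAMPLE_BLOB with the file's bytes (or a memory-mapped view of it). The sha256 per hit is there so the carved objects can be deduplicated and recorded in the case notes without re-reading the image.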
xXxKrisxXx (Hero Member, 512 posts) | Reply #1 | February 23, 2009, 04:32:50 PM
This looks like a lot of good material you've racked up here. This'll definitely be one of the threads I'll be pointing people toward if they have questions about Incident Handling.
eCPPT, GCIH, OSCP, OSWP
timmedin (Sr. Member, 469 posts) | Reply #2 | February 23, 2009, 09:30:44 PM
Great list
Quote from: Jhaddix on February 23, 2009, 04:02:37 PM
NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
When writing IH procedures I have found NIST 800-61 to be tremendously useful. If you only had one resource this would be it.
I would recommend running through Appendix B, Incident Handling Scenarios. It is great for helping you work out any kinks you may have in your organization's IH procedure. It is also good to have a few trial runs at these situations so you are better able to handle them and think more clearly.
twitter.com/timmedin | http://blog.securitywhole.com
Andrew Waite (Hero Member, 928 posts) | Reply #3 | February 24, 2009, 06:52:05 AM
Jhaddix, nice list.
I think I've got/read most of the links, but I'll take a closer look at those I haven't. Plus, it's always nice to have everything in one place; it makes the bookmarks easier to manage.
Cheers,
RR
http://www.infosanity.co.uk
http://blog.infosanity.co.uk
coffeeking (Newbie, 1 post) | Reply #4 | May 26, 2009, 11:36:48 PM
Jhaddix mate, this is awesome. Thanks for taking the time to put this together; very good information for people in the field.
Jhaddix (Sr. Member, 317 posts) | Reply #5 | June 11, 2009, 11:06:22 AM
Updated 6/11: added a tools section with Matt C's tools list and MIR-ROR. Also added forensicswiki.org to the list.
Last Edit: June 11, 2009, 11:10:08 AM by Jhaddix
unsupported (Sr. Member, 318 posts, Unofficial Newbie Moderator) | Reply #6 | June 11, 2009, 11:15:24 AM
Under Resources the link to CERT/CC Incident Reporting Guidelines has been moved/removed.
Also, I think a good addition would be the SANS cheat sheets by Ed Skoudis. There is one for Windows (http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf), Netcat (http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf), and misc tools, aka Metasploit, Meterpreter, fqdump, and hping (http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf). Ed has mentioned a UNIX cheat sheet, but I have yet to find it.
Nice to see this is a "living document".
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
Jhaddix (Sr. Member, 317 posts) | Reply #7 | June 11, 2009, 12:45:13 PM
Quote from: unsupported on June 11, 2009, 11:15:24 AM
Under Resources the link to CERT/CC Incident Reporting Guidelines has been moved/removed.
Also, I think a good addition would be the SANS cheat sheets by Ed Skoudis. There is one for Windows (http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf), Netcat (http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf), and misc tools, aka Metasploit, Meterpreter, fqdump, and hping (http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf). Ed has mentioned a UNIX cheat sheet, but I have yet to find it.
Nice to see this is a "living document".
Thanks =)
CERT has removed that page, so I will look for something comparable. Also, those tools are more for pentesting and ethical hacking than IH/IR; I will make a pentesting page soon when I get some free time =)
The Unix and Windows SANS discovery cheat sheets have been added now =)
unsupported (Sr. Member, 318 posts, Unofficial Newbie Moderator) | Reply #8 | June 11, 2009, 02:11:15 PM
When will you ever have time between world class interviewing, article writing, and your normal work?
Jhaddix (Sr. Member, 317 posts) | Reply #9 | June 11, 2009, 06:24:21 PM
Quote from: unsupported on June 11, 2009, 02:11:15 PM
When will you ever have time between world class interviewing, article writing, and your normal work?
Don't forget the baby!
=P
KDPryor (Newbie, 2 posts) | Reply #10 | August 06, 2009, 11:46:31 PM
Excellent list! Here are a couple of tools you may or may not want to add. Both of these are free tools to mount a drive image as a new drive on your system and assign it a drive letter. I use both of them.
1. Paraben P2eXplorer
This one is a little odd because, even though it's free, they still require you to enter a credit card number. Other than that, it's great. Oh, it doesn't work on a 64-bit system, as I discovered.
2. IMDisk
Another excellent mounting utility.
KP
Last Edit: July 13, 2010, 12:45:24 PM by KDPryor
GCFA
Graduate of SANS FOR 508 and FOR 526
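The mounting tools in the post above present a whole image as a drive letter on Windows. The Linux equivalent is a read-only loop mount at the partition's byte offset, and the offset has to come from the image's own partition table. The script below is an added example for this thread, not code from the thread or from P2eXplorer/IMDisk: it parses a classic MBR from sector 0 of a raw (dd/FTK Imager) image and prints a mount line per partition. It assumes 512-byte sectors, a Linux host with util-linux mount, and a mount root of /mnt/evidence; the MBR it parses by default is constructed inline.

```python
"""Parse an MBR partition table from a raw disk image and print read-only
loop-mount commands for each partition. Added example, not from the thread
or from P2eXplorer/IMDisk; it assumes a Linux host with util-linux mount.
The sample MBR is constructed inline."""
import struct

SECTOR = 512            # assumption: 512-byte sectors (check with fdisk -l / mmls)
GPT_PROTECTIVE = 0xEE   # partition type used by a GPT protective MBR


def parse_mbr(mbr):
    """Return the non-empty entries of a classic 4-slot MBR partition table.

    Each 16-byte entry at offset 446 + 16*slot: status, CHS start (3 bytes),
    type, CHS end (3 bytes), LBA start (u32 LE), sector count (u32 LE)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR (or not sector 0)")
    parts = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot: 446 + 16 * (slot + 1)]
        status, _, ptype, _, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 or sectors == 0:
            continue
        parts.append({
            "index": slot + 1,
            "type": ptype,
            "bootable": status == 0x80,
            "gpt_protective": ptype == GPT_PROTECTIVE,
            "lba_start": lba_start,
            "sectors": sectors,
            "offset": lba_start * SECTOR,
            "size": sectors * SECTOR,
        })
    return parts


def mount_commands(image_path, parts, mount_root="/mnt/evidence"):
    """Build one mount line per partition. 'ro' keeps the image unchanged,
    'noexec' keeps the host from running anything off the evidence, and
    'sizelimit' stops the loop device at the partition boundary. For ext3/ext4
    add 'noload' as well so the journal is not replayed on mount."""
    cmds = []
    for p in parts:
        if p["gpt_protective"]:
            cmds.append(f"# slot {p['index']} is a protective MBR (type 0xEE): "
                        f"parse the GPT instead (e.g. mmls)")
            continue
        cmds.append(
            f"mount -o ro,loop,noexec,offset={p['offset']},sizelimit={p['size']} "
            f"{image_path} {mount_root}/p{p['index']}"
        )
    return cmds


def _entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields zeroed)."""
    return struct.pack("<B3sB3sII", status, b"\0" * 3, ptype, b"\0" * 3, lba_start, sectors)


# Constructed sector 0: bootable NTFS (0x07) at LBA 2048, then Linux (0x83),
# two empty slots, and the 0x55AA signature.
SAMPLE_MBR = (
    b"\0" * 446
    + _entry(0x80, 0x07, 2048, 204800)
    + _entry(0x00, 0x83, 206848, 409600)
    + b"\0" * 32
    + b"\x55\xaa"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        image = sys.argv[1]
        with open(image, "rb") as fh:
            sector0 = fh.read(SECTOR)
    else:
        image, sector0 = "disk.dd", SAMPLE_MBR
    for line in mount_commands(image, parse_mbr(sector0)):
        print(line)
```

Run it as `python3 mbrmount.py evidence.dd` to get the mount lines for a real image; hash the image before and after the mount session to show nothing was written, and put that hash in the case notes.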
© 2013 The Ethical Hacker Network