
Incident Handling - Resources, from start to finish


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Feb 23, 2009 5:02 pm

Incident Handling - Resources, from start to finish

I had a lot of people see EH's posts on IH as well as a few on my site and I wanted to put together a coherent list of links for IH/IR. Whether you are just starting an IR team, or are looking to refine your methods, there should be a few items for everyone. This is not all my information, some of it was gathered by me, some by gracious forum members. I will continually update it if you guys would like to add something! Please, please, please help me add to this =)

Level I - Incident Response / Incident Handling

These are very good top level (they don't stay that way for long) documents describing IH/IR.

NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)

SANS 6-Step Process

Computer and Network Security Task Force IR/IH page

Carnegie Mellon's Handbook for CSIRTs (creation and roles for a IR/IH Team)

Level II - Specifics

SANS offers a lot to the security community, so it is really no surprise that their reading room and their instructors offer some of the best resources around.

SANS InfoSec Reading Room - Incident Handling

Initial Security Incident Questionnaire for Responders

Security Incident Survey Cheat Sheet for Server Administrators

Network DDoS Incident Response Cheat Sheet

Incident Reverse-Engineering Cheat Sheet

CERT Virtual Training related to IH/IR

tssci-security Web application security incident handling insights

SANS Intrusion Discovery Cheat Sheet: Linux

SANS Intrusion Discovery Cheat Sheet: Windows


Tools

MIR-ROR: Motile Incident Response – Respond Objectively, Remediate

This script outputs all useful IR Windows commands, and some Sysinternals scripts, into one place. Note it is meant to be used after you have taken the initial HD image. Great writeup on it here

Matt Churchill over at Binary Intelligence has put together a listing of tools for forensics.

Free Forensic Tools

In November I did a presentation at the monthly NebraskaCert Cyber Security Forum. Someone had suggested an overview of forensic tools. I put together a list of free tools in a couple of different categories. Here is the list:

Imaging

FTK Imager
http://www.accessdata.com/downloads.html

Forensic Acquisition Utilities (FAU)
http://gmgsystemsinc.com/fau/

Carving

Winhex
http://www.x-ways.net/winhex/

PhotoRec
http://www.cgsecurity.org/wiki/PhotoRec

Scalpel
http://www.digitalforensicssolutions.com/Scalpel/

Analyze

ProDiscover Basic
http://www.techpathways.com/DesktopDefa ... 9&tabid=14

The Sleuthkit and Autopsy
http://www.sleuthkit.org/

PTK
http://ptk.dflabs.com/

WinHex
http://www.x-ways.net/winhex/

PyFlag
http://www.pyflag.net/cgi-bin/moin.cgi

FTK Demo (up to 5000 items)
http://www.accessdata.com/downloads.html

SANS SIFT Workstation (only available to portal members)
http://forensics.sans.org/community/downloads/

Memory Analysis

mdd
http://sourceforge.net/project/showfile ... _id=228865

win32dd
http://win32dd.msuiche.net/

Volatility
https://www.volatilesystems.com/default/volatility

Memoryze
http://www.mandiant.com/software/memoryze.htm

Virtualization

LiveView (launch image in VMWare)
http://liveview.sourceforge.net/

ProDiscover Basic (creates config files)
http://www.techpathways.com/DesktopDefa ... 9&tabid=14

VDKWin (edit config files)
http://petruska.stardock.net/Software/VMware.html

Live CDs

Helix
http://www.e-fense.com/helix/

Caine
http://www.caine-live.net/en/index.html

PlainSight
http://www.plainsight.info/download.html

BackTrack (**will mount drives, but has forensic tools)
http://www.remote-exploit.org/backtrack.html

Misc.

RegRipper (excellent Registry parser)
http://regripper.net/

Forensic CaseNotes
http://www.qccis.com/?section=casenotes

NirSoft Tools
http://www.nirsoft.net/

Historian
http://www.mandiant.com/software/webhistorian.htm

Windows File Analyzer
http://www.mitec.cz/wfa.html

Websites

http://windowsir.blogspot.com

http://forensicir.blogspot.com

http://sansforensics.wordpress.com

www.ForensicFocus.com

www.E-Evidence.info

www.forensicswiki.org



Reporting

When it comes to Advanced Threats there is some argument on reporting; if you choose to, the Internet Storm Center and Shadowserver Foundation are good places to start.

Certification

We all want ways to distinguish ourselves, right? Below are the ways to go for certification, albeit not always the cheapest options.

CERT®-Certified Computer Security Incident Handler

SANS/GIAC Certified Incident Handler


Resources

Incident Report Templates

Gideon T. Rasmussen's Incident Report Template
SANS Incident Identification Form
SANS Incident Survey Form
SANS Incident Containment Form
SANS Incident Eradication Form
SANS Incident Communication Log Form
Melissa Guenther's Incident Report Form
US-CERT Incident Reporting System
Last edited by Jhaddix on Thu Jun 11, 2009 12:44 pm, edited 1 time in total.

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Mon Feb 23, 2009 5:32 pm

Re: Incident Handling - Resources, from start to finish

This looks like a lot of good material you've racked up here. This'll definitely be one of the threads I'll be pointing people toward if they have questions about Incident Handling.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Mon Feb 23, 2009 10:30 pm

Re: Incident Handling - Resources, from start to finish

Great list

When writing IH procedures I have found NIST 800-61 to be tremendously useful. If you only had one resource this would be it.

I would recommend running through Appendix B - Incident Handling Scenarios. It is great for helping you work out any kinks you may have in your organization's IH procedure. It is also good to have a few trial runs at these situations so you are better able to handle them and think more clearly.
twitter.com/timmedin | http://blog.securitywhole.com

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Feb 24, 2009 7:52 am

Re: Incident Handling - Resources, from start to finish

Jhaddix, nice list :D

I think I've got/read most of the links but I'll take a closer look at those I haven't. Plus, it's always nice to have everything in one place; it makes the bookmarks easier to manage.

Cheers,
RR

coffeeking

Newbie

Posts: 1

Joined: Mon May 11, 2009 2:00 pm

Post Tue May 26, 2009 11:36 pm

Re: Incident Handling - Resources, from start to finish

Jhaddix mate, this is awesome. Thanks for taking the time to put this together, very good information for people in the field.

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Thu Jun 11, 2009 11:06 am

Re: Incident Handling - Resources, from start to finish

Updated 6/11 - Added tools section with Matt C's tools list and MIR-ROR. Also added forensicswiki.org to the list.
Last edited by Jhaddix on Thu Jun 11, 2009 11:10 am, edited 1 time in total.

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Jun 11, 2009 11:15 am

Re: Incident Handling - Resources, from start to finish

Under Resources the link to CERT/CC Incident Reporting Guidelines has been moved/removed.

Also, I think a good addition would be the SANS cheat sheets by Ed Skoudis. There is one for Windows (http://www.sans.org/resources/sec560/wi ... eet_v1.pdf), NetCat (http://www.sans.org/resources/sec560/ne ... eet_v1.pdf), and Misc tools aka Metasploit, Meterpreter, fqdump, and hping (http://www.sans.org/resources/sec560/mi ... eet_v1.pdf). Ed has mentioned a UNIX cheat sheet, but I have yet to find it.

Nice to see this is a "living document".
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Thu Jun 11, 2009 12:45 pm

Re: Incident Handling - Resources, from start to finish

unsupported wrote:Under Resources the link to CERT/CC Incident Reporting Guidelines has been moved/removed.

Also, I think a good addition would be the SANS cheat sheets by Ed Skoudis. There is one for Windows (http://www.sans.org/resources/sec560/wi ... eet_v1.pdf), NetCat (http://www.sans.org/resources/sec560/ne ... eet_v1.pdf), and Misc tools aka Metasploit, Meterpreter, fqdump, and hping (http://www.sans.org/resources/sec560/mi ... eet_v1.pdf). Ed has mentioned a UNIX cheat sheet, but I have yet to find it.

Nice to see this is a "living document".

Thanks =)

CERT has removed that page so I will look for something comparable. Also, those tools are more for pentesting and ethical hacking than IH/IR; I will make a pentesting page soon when I get some free time =)

The Unix and Windows SANS discovery cheat sheets have been added now =)

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Thu Jun 11, 2009 2:11 pm

Re: Incident Handling - Resources, from start to finish

When will you ever have time between world class interviewing, article writing, and your normal work? :)
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Thu Jun 11, 2009 6:24 pm

Re: Incident Handling - Resources, from start to finish

unsupported wrote:When will you ever have time between world class interviewing, article writing, and your normal work? :)

Don't forget the baby!

=P

KDPryor

Newbie

Posts: 2

Joined: Mon Jul 13, 2009 10:07 am

Post Thu Aug 06, 2009 11:46 pm

Re: Incident Handling - Resources, from start to finish

Excellent list! Here are a couple of tools you may or may not want to add. Both of these are free tools to mount a drive image as a new drive on your system and assign it a drive letter. I use both of them.

1. Paraben P2eXplorer. This one is a little odd because, even though it's free, they still require you to enter a credit card number. Other than that, it's great. Oh, it doesn't work on a 64-bit system, as I discovered.

2. IMDisk. Another excellent mounting utility.

KP
Last edited by KDPryor on Tue Jul 13, 2010 12:45 pm, edited 1 time in total.
GCFA
Graduate of SANS FOR 508 and FOR 526
