Forensic Chapter 2 - Post-Incident Activities

1. Terminology

Containment: Limiting the extent of the incident and preventing it from spreading or causing further damage to the organization. It is about isolating affected systems (network segmentation, account disabling, blocking attacker infrastructure) so the incident does not escalate while evidence is still being gathered.
Eradication: Removing the threat from the organization's environment. This includes identifying and eliminating the root cause of the incident (the initial access vector, malware, backdoors and compromised accounts), not just the visible symptoms.
Recovery: Restoring and returning affected systems and devices to their fully operational state. It includes confirming that no threats remain, verifying the integrity of the systems against a known-good baseline, and monitoring them more closely for a period after they are returned to service.

2. Containment Strategy

  1. Potential damage to and theft of resources
  2. Need for evidence preservation (e.g. pulling the power loses volatile memory)
  3. Service availability (network connectivity, services provided to external parties)
  4. Time and resources needed to implement the strategy
  5. Effectiveness of the strategy (partial vs. full containment)
  6. Duration of the solution (emergency workaround for hours, temporary fix for weeks, or permanent)

These are the criteria NIST SP 800-61 lists for choosing a containment strategy.

Example: Honeypot. Redirecting the attacker into an isolated decoy system keeps them engaged and observable while limiting the damage they can do to production systems; the trade-off is that it takes time and resources to run and must not leak into the real network.

3. Evidence Gathering

  1. Use pre-defined templates (incident record, evidence log, chain of custody) so nothing is forgotten under pressure
  2. Keep the incident response system isolated from the affected network and systems, so it cannot be tampered with by the attacker
  3. Reconcile the evidence: record a cryptographic hash of every artifact when it is collected and re-verify it before analysis, so the evidence can be shown to be unchanged
  4. Identify missteps (gaps in logging, actions taken that destroyed evidence, delays in escalation)
  5. Identify attacking hosts (source addresses in authentication, proxy and firewall logs, correlated across systems)
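The evidence-gathering steps above, as an added example that is not part of the original notes: a small Python helper that fills a pre-defined evidence template, records a SHA-256 for every collected artifact so the evidence can be reconciled later on the isolated IR system, and pulls the attacking hosts out of a constructed set of sshd log lines. The incident ID, host name, IP addresses and log lines are all made up for illustration.

```python
"""Added example (not from the original notes): evidence template, hashing,
reconciliation, and attacking-host identification. All sample data is constructed."""
import hashlib
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: sshd lines as they might be pulled from an affected host.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51812 ssh2
Mar  3 10:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51813 ssh2
Mar  3 10:14:05 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51820 ssh2
Mar  3 10:14:09 web01 sshd[2215]: Accepted password for deploy from 203.0.113.45 port 51831 ssh2
Mar  3 10:20:41 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:22:17 web01 sshd[2310]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def identify_attacking_hosts(log_text, threshold=3):
    """Return source IPs with at least `threshold` failed logins, plus any
    accounts they then logged in as. A success right after a burst of failures
    from the same host is the pattern that points at a compromised account."""
    failures = Counter()
    successes = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.setdefault(m.group(2), []).append(m.group(1))
    return {
        ip: {"failed": n, "accepted_as": successes.get(ip, [])}
        for ip, n in failures.items()
        if n >= threshold
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_evidence(incident_id, host, artifacts, collector):
    """Fill the pre-defined evidence template: one entry per artifact with its
    size and SHA-256, plus who collected it and when (UTC)."""
    return {
        "incident_id": incident_id,
        "host": host,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"name": name, "size": len(data), "sha256": sha256_hex(data)}
            for name, data in artifacts.items()
        ],
    }


def reconcile_evidence(record, artifacts):
    """Re-hash the artifacts on the isolated IR system and return the names of
    any that are missing or no longer match the hash recorded at collection."""
    mismatches = []
    for entry in record["artifacts"]:
        current = artifacts.get(entry["name"])
        if current is None or sha256_hex(current) != entry["sha256"]:
            mismatches.append(entry["name"])
    return mismatches


if __name__ == "__main__":
    # Constructed artifacts: the log above and a shell history from the same host.
    collected = {
        "auth.log": SAMPLE_AUTH_LOG.encode(),
        "bash_history": b"id\nuname -a\ncrontab -l\n",
    }
    record = record_evidence("IR-0001", "web01", collected, "analyst")
    print("attacking hosts:", identify_attacking_hosts(SAMPLE_AUTH_LOG))
    print("reconciliation mismatches:", reconcile_evidence(record, collected))
```

The threshold of three failures is arbitrary; in practice it is tuned per environment, and the same correlation is run across every host's logs so a source that spread its attempts thinly still shows up.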

4. Eradication

  1. Undoing the threat actors' actions (configuration changes, added accounts, scheduled tasks)
  2. Restoring to a known-good state (rebuild from a trusted image or backup taken before the compromise rather than cleaning in place)
  3. Removing the threat actors' presence and backdoors (persistence mechanisms, implanted keys, trojaned binaries)
  4. Performing security testing to confirm the original vulnerability is closed
  5. Dealing with unauthorised transactions (reversing them where possible, notifying affected parties)
  6. Revoking and renewing access credentials, on the assumption that everything the attacker could reach has been exposed
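Steps 2 and 3 above (restoring to a known-good state and removing backdoors), as an added example that is not from the original notes: a Python script that hashes a file tree into a baseline manifest from a trusted state, hashes it again after the incident, and lists every path that was added, modified or removed. Anything on that list has to be explained before the host is declared clean. The directory layout, file contents and simulated attacker changes are constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the original notes): known-good baseline comparison
for eradication. The tree and the attacker activity are constructed inline."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (path relative to root) to its SHA-256.
    Symlinks are skipped so an attacker cannot point a path at something benign."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_against_baseline(baseline, current):
    """Return the paths added, modified and removed relative to the known-good
    baseline. Each list is sorted so the report is stable."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Build a small tree, take the baseline, simulate attacker persistence,
    and diff. Returns the report so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "crontab").write_text("0 3 * * * root /usr/bin/backup\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        baseline = hash_tree(root)  # taken from the trusted, pre-incident state

        # Constructed attacker activity: cron persistence, a trojaned binary,
        # and a dropped SSH key.
        (root / "etc" / "crontab").write_text(
            "0 3 * * * root /usr/bin/backup\n* * * * * root /tmp/.x\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")
        (root / ".ssh").mkdir()
        (root / ".ssh" / "authorized_keys").write_text(
            "ssh-ed25519 AAAAconstructed attacker@example\n")

        return diff_against_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:8} {p}")
```

The manifest must be generated from a trusted image or a backup known to predate the compromise, and stored off the affected host; a baseline taken from the compromised system after the fact will simply bless the attacker's changes. Tools such as AIDE or Tripwire do the same thing at scale with a protected database.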

5. Post-Incident Activity

Often the most under-rated activity in the lifecycle, and the one that turns a single incident into a lasting improvement.

  1. Identify lessons learnt (what happened, how well staff and procedures worked, what should be done differently next time)
  2. Review the data collected during the incident (timeline, impact, cost, time to detect and contain) to measure the response
  3. Evidence retention: keep evidence for as long as legal, regulatory and prosecution requirements demand, with the chain of custody intact
  4. Update the incident handling checklist with what was learnt