Here I am collecting checklists that might be helpful when conducting an investigation.
First Response
Incident Response (SANS)
- Preparation
  - Compile a list of all your assets (servers, networks, applications, etc.).
  - Rank them by level of importance.
  - Monitor their traffic patterns and create baselines.
  - Create a communication plan (who to contact, how, and when, based on each incident type). Incident handler communications and facilities: contacts, on-call info, reporting mechanism, issue tracking, smartphones, encryption software, war room, secure storage.
  - Determine which security events, and at what thresholds, should be investigated.
  - Create one incident response plan, and playbooks for each type of incident that is most likely to happen or can inflict the most damage.
  - Create an Incident Response Policy.
- Identification (DF *)
  - Discover. Discovery and classification (where is the sensitive data?), entitlements reporting (who can access it?), vulnerability assessment (how to secure it?).
  - Investigate.
  - Harden. Reconfigure, mask, encrypt (how to protect sensitive data?).
  - Monitor and Protect. Activity monitoring, blocking/quarantine, dynamic data masking.
  - Repeat.
- Containment (DF *)
- Eradication (DF *)
- Recovery (DF *)
- Lessons Learnt (DF *)

* The Digital Forensics process can take place at any stage of the incident response process.
Digital Forensics
- Identification/Assessment (aka Preparation)
  - Define scope.
  - Sterilise the target media.
- Collection
  - First response
    - Sanitise the target disk that will be used to copy evidence to.
    - Prepare all the toolkits that will be needed.
    - Start filling out the Chain of Custody form; each piece of evidence is assigned a unique ID (see below for examples).
    - Take all photos before touching the scene.
    - Ensure that the Internet, Bluetooth, and AirDrop are all turned off on the machine used to acquire the image (* in case of physical acquisition).
    - Connect the write blocker to the PC, and the evidence drive to the write blocker (power + data cables), or launch a software write blocker on the acquirer machine (see below for how-to) (* in case of physical acquisition).
    - Calculate the hash of the evidence drive (pre-hash). Document it.
    - Image the evidence.
    - Calculate the hash of the original evidence again, validate the hash, and document it.
    - Calculate the hash of the image taken (post-hash) and ensure it matches the hashes taken previously.
- Acquisition (live or dead).
  - Physical storage. Mind the order of volatility (see RFC 3227).
    - Cache, registers (CPU). Debuggers (OllyDbg, gdb, x64dbg, etc.).
    - ARP cache, routing table, memory, kernel statistics, process table. Mnemonic: ARoTa MeKSaPTa.
      - Routing tables. Contain the following info: destination IP addresses or networks; the gateway IP address, or the interface name if the destination is directly connected; the metric (cost) associated with the route, which lets the most efficient route be selected; the outgoing interface the machine will use when forwarding a packet.
        - Windows: `route print`
        - UNIX: `netstat -rn`
      - ARP cache.
        - Windows: `arp -a`
      - Process table. The list of processes currently running, plus metadata.
        - UNIX: `ps`
        - Windows: Task Manager (GUI) or `tasklist` (can also output CSV).
      - Kernel stats. RAMMap, part of the Sysinternals suite for Windows, and memmap in the Linux world. Tracks page usage (physical RAM chunks) and the mappings of those pages.
    - Temporary files. Malware likes these folders because they are often already full of garbage.
      - Linux: `/tmp`
      - swap (UNIX)
      - pagefile (Windows)
    - Disk.
    - Logs. Monitoring data and remote logging pertaining to the computer in question. SIEMs and other log storage.
    - Physical configuration, network topology.
    - Archival media. CDs, backups, USBs.
  - Logical backup.
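An added example, not part of the original checklist: a small POSIX shell collector that gathers the command-line items of the ARoTa MeKSaPTa tier above on a UNIX host in the listed order, saves each command's output to its own file, and writes a manifest line (order, UTC timestamp, exit code, SHA-256) so the acquisition is documented as it happens; tools that are not installed are recorded as MISSING instead of being silently skipped. It assumes coreutils (sha256sum, date, cut); the output directory and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original checklist). Collects volatile data in the
# order of volatility and records what was taken, when, and its hash in a manifest.
# Assumes POSIX sh plus coreutils. Output paths are hypothetical.

# collect_step OUTDIR ORDER LABEL CMD [ARGS...]
# Runs CMD, saves its output to OUTDIR/ORDER_LABEL.txt and appends a manifest line.
# Returns 1 (and records MISSING) when CMD is not installed on this host.
collect_step() {
    out=$1; order=$2; label=$3; shift 3
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)            # timestamp taken before running anything
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\t%s\t%s\tMISSING\t-\n' "$order" "$ts" "$label" >> "$out/manifest.tsv"
        return 1
    fi
    file="$out/${order}_${label}.txt"
    "$@" > "$file" 2>&1                           # keep stderr too: errors are evidence
    rc=$?
    sum=$(sha256sum "$file" | cut -d' ' -f1)      # hash immediately after writing
    printf '%s\t%s\t%s\trc=%s\t%s\n' "$order" "$ts" "$label" "$rc" "$sum" >> "$out/manifest.tsv"
}

# collect_volatile OUTDIR: the ARP cache / routing table / process table items from
# the checklist, most volatile first. Memory and kernel statistics need dedicated
# tooling and are not attempted here. A missing tool does not abort the run.
collect_volatile() {
    out=$1
    mkdir -p "$out"                               # OUTDIR must not be the evidence disk
    : > "$out/manifest.tsv"
    collect_step "$out" 01 arp-cache     arp -a      || :
    collect_step "$out" 02 routing-table netstat -rn || :
    collect_step "$out" 03 process-table ps -ef      || :
    sha256sum "$out"/*.txt > "$out/SHA256SUMS" 2>/dev/null || :
}

# manifest_order OUTDIR: the ORDER column of the manifest ("01 02 03"), to show the
# items were collected in sequence.
manifest_order() {
    cut -f1 "$1/manifest.tsv" | tr '\n' ' ' | sed 's/ $//'
}

if [ $# -eq 1 ]; then collect_volatile "$1"; fi
```

Run it as `sh collect.sh /media/usb/case-01` and keep the manifest with the chain-of-custody paperwork.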
- Evidence Preservation
  - Copy the original, operate on the copy.
  - Calculate hashes at each stage (unless it is cloud evidence).
  - Use hardware write-blockers or software write-blockers.
  - Make sure the minimum number of files is created.
  - Register timestamps before opening files.
- Documentation.
  - First response
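An added example, not part of the original checklist, covering the pre-hash / image / re-hash / post-hash steps from the Collection list and the "calculate hashes at each stage" rule above: a POSIX shell script that hashes the evidence, images it with dd, hashes the original again, hashes the image, accepts the image only when all three digests agree, and writes each digest with a UTC timestamp to a chain-of-custody file. It assumes coreutils (sha256sum, dd, date); the paths are hypothetical, and on a real case the source is the write-blocked evidence device and the image goes to sterilised target media.

```shell
#!/bin/sh
# Added example (not from the original checklist). Pre-hash, image, re-hash the
# original, post-hash the image, and keep the image only if all three agree.
# Assumes POSIX sh plus coreutils. Paths are hypothetical.

# hash_of PATH: SHA-256 of a file or block device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# coc_log LOGFILE ITEM STAGE HASH: one timestamped chain-of-custody entry.
coc_log() {
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" >> "$1"
}

# acquire SOURCE IMAGE LOGFILE: returns 0 only when pre-hash, re-hash and post-hash match.
acquire() {
    src=$1; img=$2; log=$3
    pre=$(hash_of "$src")                                  # 1. pre-hash the original
    coc_log "$log" "$src" pre-hash "$pre"
    dd if="$src" of="$img" bs=1048576 2>/dev/null ||       # 2. image it in 1 MiB blocks
        { coc_log "$log" "$img" image-failed -; return 2; }
    re=$(hash_of "$src")                                   # 3. original again: still untouched?
    coc_log "$log" "$src" re-hash "$re"
    post=$(hash_of "$img")                                 # 4. post-hash the image
    coc_log "$log" "$img" post-hash "$post"
    [ "$pre" = "$re" ] && [ "$pre" = "$post" ]             # 5. all three must agree
}

# verify_image IMAGE EXPECTED_HASH: re-check the working copy before each later stage;
# returns 1 if the image no longer matches the documented hash.
verify_image() {
    [ "$(hash_of "$1")" = "$2" ]
}

if [ $# -eq 3 ]; then acquire "$@"; fi
```

Usage: `sh acquire.sh /dev/EVIDENCE /media/target/case-01.img /media/target/coc.log`, with the device behind a write blocker.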
- Examination & Analysis
  - Malicious Process
    - Network
    - Files
    - Processes
  - User
    - Is there malicious user activity (account takeover, insider threat)?
  - OS Configs
    - Are there malicious configs (services enabled, disabled logging)?
  - Hardware
    - Are there malicious hardware changes (firmware, BIOS)?
Toolkit Assembly For Physical Acquisition
- A PC technician's toolkit (screwdrivers, tweezers, scissors, portable batteries, etc.) to be able to remove HDDs, lock down cables, etc.
- Digital camera that embeds timestamps in the photos. Take photos; the more, the better!
- Video camera. Take a video; the longer, the better.
- For labelling and documenting (labels, markers, pens, evidence tape).
- Transporting and managing evidence (Faraday bag, anti-static bag, evidence log, large envelopes, gloves, sanitiser).
- Documents (chain of custody, notes, warrants/subpoenas).
- Digital forensics specifics (forensics software, write blockers, laptop, sterilised target media, flash drives for live/dead acquisition, bootable, Apple USB Type-C cables).