Peter Stephenson

Conducting Incident Post Mortems

Abstract We were scheduled to discuss back tracing this month but events since I wrote the last column have persuaded me to put that topic on hold briefly in favour of an important, but often overlooked, use of the digital investigative process: incident post mortems. Within the last couple of months we saw yet another massive worm infection on the Internet. Organizations that should have been prepared weren’t and the effects on some were, however temporarily, catastrophic. Many of those organizations had suffered under Code Red, Nimda, Love Letter and other global infections.

Analysis and Correlation

Abstract ‘Getting the Whole Picture’ is a series dedicated to end-to-end digital forensics and is relevant to anyone who is regularly or occasionally involved in cyber-investigations during their career. This series is important whether you are an information security specialist, an auditor, a fraud examiner, a member of law enforcement or have a general interest in cybercrime, and the use of computer forensics to detect such crimes.

Applying DIPL to an Incident Post Mortem

Abstract Last month we introduced you to the Digital Investigation Process Language (DIPL). This is a process language derived, loosely, from LISP. There are several applications for DIPL when conducting digital investigations, but my favourite one is digital incident post mortems.

End-to-End Digital Forensics

Abstract ‘Getting the Whole Picture’ is a new series relevant to anyone who is regularly or occasionally involved in cyber-investigations during their career. You could be an information security specialist, an auditor, a fraud examiner or a member of law enforcment or have an interest in cybercrime, and the use of computer forensics to detect such crimes.

The Forensic Investigation Steps

Abstract In our last column we introduced the notion of end-to-end forensics and explored the attacker’s approach to a penetration attempt. In this column we will begin the process of understanding the forensics involved and dig more deeply into the end-to-end concept.

Completing the Post Mortem Investigation

Abstract Over the past two months we have got a good start on our digital post mortem. The techniques we are using follow the End-to-End Digital Investigation (EEDI) process and are consistent with the Digital Forensics Research Work Shop (DFRWS) 1 framework for digital investigations.

Applying forensic techniques to information system risk management – first steps

Abstract Over the past 15 months we have been discussing End-to-End Digital Investigation (EEDI) and how we can use structured approaches to system modeling to help solve security incidents and perform incident post mortems. Our next task is to apply some of these techniques to information security and risk management.

Incident analysis and recovery

We have been discussing the management process for information security incidents. While we have emphasized that these incidents may, often, be prevented by taking a series of proactive steps such as risk management, inevitably those steps will fail and there will be an incident. When that happens, your proactive measures as well as solid preparation should help minimize the severity of the incident. It is axiomatic that our preparatory measures must be planned and executed to minimize the number and severity of such incidents.

Applying impact and vulnerability analysis to risk management

Abstract Last month we looked closely at the notions of threat analysis and policy domain identification as components of the FARES (Forensic Analysis of Risks in Enterprise Systems) process. This month we move on to impact and vulnerability analysis. These two areas are among the toughest elements of the FARES process for very different reasons.

Countermeasures and a closer look at domains

Abstract As we have noted in previous columns, we are viewing the risk management and assessment process from the perspective of the classic risk model of threats, vulnerabilities, impacts and countermeasures. Last month we addressed impacts and vulnerabilities. This month we will begin to look at the process of applying countermeasures. However, before we can apply countermeasures, we need to take a closer look at the notion of security policy domains as they apply to identifying vulnerabilities. Arguably, this is the most critical step in a FARES analysis: defining the security policy domains. We begin with a review of some basic information security models.