Purpose of Incident Response in Business Environment - Research Paper Example

? Full Paper Purpose of Incident Response Plan Business environment is constantly changing in terms of technology, business or trends and almost every organization is now equipped with information systems. Similarly, threats, vulnerabilities and risks associated with these factors are also in parallel. As threats make their way from vulnerabilities, a mechanism is vital to monitor, eliminate and report these issues. Incident response plan (IRP) illustrates a security incident along with the related incident response phases. Likewise, the plan consists of documentation related to information channels. For instance, in what way the information has been passed to the applicable person, incident assessment, eliminating response strategy and damage, safeguarding information related to evidence and documentation (Incident response plan, n.d ). Moreover, the plan also defines roles and responsibilities and constructs procedures for addressing different security incidents. Wireless device Forensic Acquisition and Examination Personal data assistants and Palm based handheld devices are now more convenient for business users as compare to a cell phone with integrated camera and other multimedia features. For this reason, methods and procedures that were followed previously were enforced to be re-evaluated, re-examined and re- defined, in order to synchronize with the new technological revolution of these handheld data assistants. Likewise, in re-examining the methodologies and procedures, the most critical areas, in the context of wireless device forensics, are acquisition and authentication, as they are normally the part of any computer forensic methodologies. However, while considering PDA’s, these two areas weighted more than a normal computer forensic acquisition and authentication procedures. The reason behind the sensitivity and importance of these areas is due to the dependency of these PDA’s on transitional storage (Computer forensics. n.d). Likewise, a vital factor of these PDA’s is that the acquisition and analysis are processed in the memory located within the PDA i.e. both volatile and non-volatile memories, RAM and ROM. The data storage processes of a PDA along with the installed operating system do not stop even if the PDA is turned off (Computer forensics. n.d). This is because the battery of PDA keeps it alive for operational purposes. Therefore, conducting forensic analysis on PDA is complex and possesses several risk factors. Recommended Procedure PDA is an ‘always-on’ device that can also be called as a push messaging device. PDA receives information from its radio antenna anytime. In this process, PDA overwrites on previously deleted data. For instance, application that are involved in this procedure are email clients, chat messengers etc. this methodology of PDA makes the task complex for the investigators. In this scenario, recommended steps will be (Computer forensics. n.d): For reserving the PDA, radio will be turned off. During the process of acquisition, the PDA should be moved to a protected location for turning the PDA on and instantly shutting down the radio afore inspection. Moreover, investigators must ensure battery status to fully charged, as it will disrupt the investigation process. The next step will be to gather logs, as this will be a part of evidence collection. Logs can be achieved by unit control functions of the SDK tool. The next step will be imaging and profiling of the PDS’s operating system. After collecting the evidence, it will be reviewed by the investigators. After reviewing the evidence, files will be dumped at SDK simulator Wired device Forensic Acquisition and Examination Forensic investigators will construct a methodology that will monitor attacks from inbound and outbound wired networks. Recommended Procedure These three processes will be executed, in order to detect the cause and the source: pcap trace analysis that are initialized for server side attack pcap trace analysis that are initialized for client side attack netflow analysis initialized for network flow monitoring In order to capture attacks, forensic investigators will implement a vulnerable HTTP server. The server will acts as an original server and address every query related to HTTP. However, for processing a ‘POST’ request the server will initiate a separate thread that will encapsulate a shell incorporated by a port 12345. The replicated fake web server will process the shell code similarly to the original one. The tool that will be used for exploiting and capturing network traffic is ‘WireShark’(Cert Exercises Handbook – Scribd, n.d.). It is an open-source tool that is meant for capturing data packets and network traffic examination on wired and wireless networks (Wireshark Network Analysis n.d.). Similarly, this tool will capture and examine network traffic on the Ethernet interface connected to the fake web server. Apart from Wireshark, tftp server and tftp client will also be implemented. As the web server is equipped with Apache, one more tool named as exploit followed by the command (Cert Exercises Handbook – Scribd, n.d.): (/usr/share/exercises/07_NF/adds/exploit) Prior to start the replicated fake web server, there is a requirement for stopping Apache server services. The next step is to initialize the server type by executing the following command (Cert Exercises Handbook – Scribd, n.d.): (sudo /etc/init.d/http_server ) The next step is to initialized customized scripts named as interface_affected and interface_hacker. The pcap file will demonstrate the log files of the attacks that are initiated from an IP address that is dissimilar than the victim’s IP address. Comparison between Wired and Wireless device Procedures After through discussion of procedural steps for acquisition and examination, wireless devices are more difficult to investigate for data acquisition and examination. Likewise, the architecture of wireless devices is based on transitional storage and it is difficult for the investigators to retrieve data, as the device gets new information that overwrites deleted data. On the other hand, wired devices can be based on many platforms. Thus, there are several tools and methodologies are available for data acquisition, examination and secure storage. Conclusion The procedures for both wired and wireless devices have been demonstrated in this plan. These procedural steps will assist the digital investigators for acquiring data from any wired or wireless device. Moreover, digital investors can also use the procedural steps for examine wired and wireless devices. Likewise, there are numerous tools available in the market. The decision of purchasing FTK tools will be dependent on the hardware architecture that needs to be investigated. References Cert Exercises Handbook - Scribd. n.d. Retrieved from http://www.scribd.com/doc/35011748/Cert-Exercises-Handbook Wireshark Network Analysis. n.d. Retrieved from http://wiresharkbook.com/articlewireshark101.html Incident response plan, n.d Retrieved 10/8/2011, 2011, from http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html Computer forensics, n.d Retrieved 10/8/2011, 2011, from http://www.mandarino70.it/ Read More