From the course: Incident Response Planning
Hardware and software
- [Instructor] The next area to consider in your preparation phase is deciding what type of hardware and software you're going to need in your incident response toolkits in order for you to be effective during an incident response. Now, it's important for us to figure this out during the preparation stage because your organization needs to purchase all these items, configure all these items, and train your teams on how to use all these items, all before the incident is detected and you actually go on a response.

Now, the first thing you're going to need in your incident response arsenal is a good digital forensic workstation and some backup devices. These are going to be used to make disk images, capture logs, and save other information during evidence collection within an incident. A forensic workstation will also be used to conduct analysis of any disk images that you capture as part of your incident response efforts. Now, these forensic workstations are going to rely on some specialized software, things like FTK, the Forensic Toolkit, EnCase, or The Sleuth Kit. These software packages can be quite expensive, and they can run $5,000 to $10,000 or more in the case of FTK and EnCase. Now, The Sleuth Kit, on the other hand, is a free and open source product, but it doesn't have nearly as much capability and it is a little bit harder to use. Now, all of these tools are going to require the proper training to be able to use them effectively. So it's important for you to budget not just for the annual licensing costs, but also for the training costs as part of your preparation phase to ensure your team is ready to use them when the time comes. Now, beyond your basic digital forensic workstation, you also need to have a number of laptops that are available for use by your teams.
These laptops are going to be used to analyze data, conduct packet sniffing on the network, write reports, and do lots of other things that you need to do during your incident response efforts. Again, these laptops have to be budgeted for, procured, set up, secured, and ready to use before your incident actually happens. In addition to these laptops, you may also need to have some spare workstations, spare servers, and spare networking devices that are ready to use as part of your response efforts, especially during the containment, eradication, and recovery phase. For example, let's say you have a web server that's been hacked and you now need to hand that over to law enforcement as part of their evidence collection to be able to put the bad actor behind bars. Well, in this case, they're going to hold onto that server for a while, and you're now going to need a spare server in order to restore a known good backup onto that new server and keep your daily operations up and running. If you haven't already purchased this equipment during your preparation phase, you could be waiting days, weeks, or even months in some organizations to receive that new server that you need to buy during the later stages of the response. This is because a lot of organizations have very long budgeting and procurement cycles. Now, because of this, it's always better to have a ready spare available and to have these spares purchased back during your preparation phase, so you can make sure they're working and you know where they are.

Now, another important item to have in your toolkit is removable media. Now, removable media includes things like USB drives, DVDs, CDs, hard drives, solid state drives, tape backups, and things like that. Now, your toolkit should have some bootable USB thumb drives or some DVDs with trusted versions of any software you may need to use when gathering evidence from a suspicious system.
Also, you should have some additional blank removable media available, such as blank hard drives, CDs, DVDs, and other things, in order to copy evidence onto for further analysis by your local or remote incident response teams. Now, when your team is a flyaway team, there's going to be a lot of travel to various locations when you need to conduct an incident response, and so it's really important that they are self-sufficient and they have everything they need in one kit. This includes having the ability to print out documents while they're out working in the field. So to accomplish this, I like to have a small laser printer that I take with us during incident responses too. This allows us to print out our log files, our reports, and our presentations while we're on the road, and this has come in really handy over the years, many, many times for me.

Finally, you need to consider exactly what types of software you're going to need to bring with you from your Definitive Media Library. Now, a Definitive Media Library, or DML, is a term used in IT service management, and essentially it's a big catalog of all of the different things that we use inside of our network. Now, this Definitive Media Library can have things like copies of different operating systems, like Windows desktop and server operating systems or Linux server installations. We also will have things like our forensic software tools and lots of other utilities that we might carry around with us. Now, all of these are going to be part of this Definitive Media Library, and we know that these are good copies of programs that we can use because we've checked them before as we put them in our toolkit, and we've created a hash value of them. Now, when we get to our incident response location, we can check the hash value, and as long as it hasn't changed, we know that media is still the trusted media we expect it to be and we can then use it.
Other things you might find in your Definitive Media Library are different types of collection tools that you might need, things like Snort for setting up an intrusion detection or prevention system, Wireshark for conducting network packet capture and analysis, and numerous other command-line tools that you're going to use to conduct live forensics on a Windows or Linux system. Now, the actual use of all these tools is way beyond the scope of this course, but if you're an incident response professional, you are going to want to become familiar with all these different types of tools and how they're going to be used to collect evidence before you need to deploy them to a remote location to conduct an incident response. Remember, the time to learn is during the preparation phase, not during the detection and analysis phase or the containment, eradication, and recovery phases.

The final things that are going to go into our toolkit really don't cleanly fit into hardware or software, but they're still important things to consider and have as part of your deployment kit. This includes things like notebooks, chain of custody forms, evidence collection bags, rolls of tape, digital cameras, voice recorders, and of course pens and highlighters. All of these are important items to take with you, and you don't want to get to some remote location and then have to run to the store to find pens and pencils and highlighters and paper and all that kind of stuff. It's always better to have all of that in your kit ready to go, so when the incident response is called, you can grab your kit, jump on a plane, and go. As you begin to conduct your incident response, you're going to need all these types of things to help document the scene when you arrive, to take notes and conduct interviews with system administrators and users, and to gather all that information into a place where you can review it and then use it.
So remember, when it comes to preparation, there are lots of things we're going to consider, but one of the most important is your incident response kits and all the hardware, software, and other materials that are going to go into them. Take the time during your preparation phase to build out a good kit, and make sure you have all the hardware and software you need all in one place where you and your team members know where it is, so you can quickly grab it when you're being activated and deployed.
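The hash check on Definitive Media Library contents that the lesson describes (hash the trusted media when the kit is built, re-check the hash on arrival before using it) can be done with a small manifest script. The following is an added example and not code from the course; the directory layout, file names and file contents in the demo are constructed for illustration, and SHA-256 is the hash chosen here because it is what current forensic tooling expects.

```python
"""Build and verify a SHA-256 manifest for an IR toolkit's Definitive Media Library.

Added example (not from the course). Build the manifest when the kit is
assembled; verify it on site before any tool on the media is trusted.
Paths, file names and file contents below are assumptions for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB ISOs are not loaded into RAM


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of one file, as a lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the media on hand against the manifest recorded at kit-build time.

    Returns files whose content changed, files that disappeared, and files that
    were not on the media when the manifest was made. All three empty means the
    media is still the trusted copy.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def is_trusted(report: dict) -> bool:
    """True only when nothing was modified, removed, or added."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: build a tiny DML, record its manifest, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        dml = Path(tmp) / "dml"  # assumed media root
        (dml / "tools").mkdir(parents=True)
        (dml / "tools" / "wireshark.txt").write_bytes(b"trusted installer bytes")
        (dml / "tools" / "snort.txt").write_bytes(b"trusted snort package")
        (dml / "README.txt").write_bytes(b"kit built during preparation phase")

        # Kit-build time: record the manifest and keep it apart from the media.
        manifest = build_manifest(dml)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # On-site check against untouched media.
        clean = verify_manifest(dml, manifest)

        # Simulate a tampered kit: one tool altered, one removed, one added.
        (dml / "tools" / "wireshark.txt").write_bytes(b"backdoored installer bytes")
        (dml / "tools" / "snort.txt").unlink()
        (dml / "tools" / "extra.exe").write_bytes(b"not part of the DML")

        loaded = json.loads(manifest_path.read_text())
        tampered = verify_manifest(dml, loaded)
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean media trusted:", is_trusted(clean_report))
    print("tampered media trusted:", is_trusted(tampered_report))
    print(json.dumps(tampered_report, indent=2))
```

The manifest is only worth something if it is kept somewhere the media cannot influence: on the forensic workstation, in the kit's printed documentation, or both. A manifest stored on the same thumb drive as the tools can be rewritten by whoever rewrote the tools, so the on-site check would pass on tampered media.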