Reporting and Documentation
The reporting phase begins immediately upon detection of malicious activity.
Reporting has two focuses: technical reporting and non-technical reporting.
Technical reporting requires the incident handling team to record the technical details of the incident from the moment they begin the incident handling process.
Non-technical stakeholders, including business and mission owners, must be notified immediately of any serious incident and kept up to date as the incident handling process progresses.
More formal reporting begins just before the recovery phase, when staff prepare to restore affected systems and return them to production.
An investigation's report usually includes the following:
- Incident investigators, including their qualifications and contact information.
- Names of parties interviewed, including their role, involvement, and contact information.
- List of all evidence collected, including chain(s) of custody.
- Tools used to examine or process evidence, including versions.
- Samples and sampling methodologies used, if applicable.
- Computers used to examine, process, or store evidence.
- Root-cause analysis of incident, if applicable.
- Conclusions and opinions of investigators.
- Hearings or proceedings.
- Parties to whom the report is delivered.
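The evidence-related items in the list above (the evidence inventory, the chain of custody, and the tools and versions used) can be made concrete. The following is an added example and not part of the original notes: it records each evidence item with a SHA-256 hash taken at acquisition, the tool and version used, and a chain-of-custody log of every hand-off, then re-hashes the item to confirm it has not changed. The evidence file, names and tool string are constructed for illustration.

```python
"""Evidence manifest with acquisition hashes and a chain-of-custody log.

Added example; not part of the original notes. The evidence file, person
names and tool string below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so that large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class EvidenceItem:
    evidence_id: str
    description: str
    path: str
    sha256: str            # hash taken at acquisition; never overwritten later
    acquired_by: str
    acquisition_tool: str  # tool and version, as the report must list them
    custody: list = field(default_factory=list)

    def transfer(self, from_party, to_party, reason, when=None):
        """Record a hand-off. Every change of hands is an entry; a gap breaks the chain."""
        when = when or datetime.now(timezone.utc)
        self.custody.append({
            "time_utc": when.isoformat(timespec="seconds"),
            "from": from_party,
            "to": to_party,
            "reason": reason,
        })

    def verify(self):
        """Re-hash the item and compare with the acquisition hash."""
        return sha256_file(self.path) == self.sha256


def acquire(evidence_id, description, path, acquired_by, tool):
    """Create the manifest entry and open the custody chain with the acquirer."""
    item = EvidenceItem(evidence_id, description, path,
                        sha256_file(path), acquired_by, tool)
    item.transfer(acquired_by, acquired_by, "initial acquisition")
    return item


def demo(tamper=False):
    """Acquire a constructed image, transfer it to storage, optionally alter it.

    Returns (integrity_ok, number_of_custody_entries, manifest_json).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "ws-042.dd")   # constructed stand-in image
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample image bytes")
        item = acquire("E-001", "Workstation WS-042 disk image", image,
                       "A. Analyst", "dd 9.x (constructed version string)")
        item.transfer("A. Analyst", "Evidence locker", "storage pending analysis")
        if tamper:
            with open(image, "ab") as fh:     # simulate a one-byte alteration
                fh.write(b"!")
        return item.verify(), len(item.custody), json.dumps(asdict(item), indent=2)


if __name__ == "__main__":
    ok, entries, manifest = demo()
    print(manifest)
    print("integrity:", "OK" if ok else "FAILED", "| custody entries:", entries)
    print("after tampering, integrity:", "OK" if demo(tamper=True)[0] else "FAILED")
```

The manifest that `demo()` produces is the kind of artifact the report's evidence list points to: the acquisition hash proves the item examined is the item seized, and the custody entries show who held it at every moment in between. A verification failure, as the tampered run shows, means the item can no longer be presented as unchanged.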
Root cause analysis is the set of techniques used to determine why an incident occurred. It requires an in-depth examination to establish what happened, how it happened, and how to prevent the same thing from happening again.
An example of a root cause: a user clicked a malicious link in an email. In practice the analysis should also ask why that click was possible (whether the message was filtered, whether the user had been trained to recognize it), since that is what must change to prevent a recurrence.
In all cases, proper evidence collection and handling is essential. Teams are often formed specifically to determine the root cause of an incident.
You should also be familiar with the general steps of the investigative process:
- Detect and contain an incident
- Notify management
- Conduct a preliminary investigation
- Determine whether the organization should disclose that the crime occurred
- Conduct the investigation (this includes three activities: identifying potential suspects, identifying potential witnesses, and preparing for search and seizure)
- Report your findings
Digital Forensics Tactics and Procedures
A primary goal of digital forensics is to prevent unintentional modification of the system under examination. Digital forensics investigates a computer incident to determine exactly what happened and who is responsible for it. Evidence must therefore be collected in a legally acceptable way so that it can be used in subsequent proceedings, such as criminal investigations, internal investigations, or lawsuits.
Proper digital forensic analysis and investigation requires in-depth knowledge of hardware, operating systems (including those of mobile and other devices that run an operating system), applications, databases, and programming languages, as well as knowledge of and experience with sophisticated forensic tools and toolkits.
The types of forensic data-gathering techniques include:
- Hard drive forensics: the last known state of the computer, the history of attempts by the user to remove evidence, files accessed, web sites visited by a browser, files created, programs executed, and files deleted.
- Live forensics: running processes, communications traffic in and out of the computer, currently open files, keystrokes, and the contents of RAM. This data is volatile and lost at power-off, so it must be captured while the system is running, and the collection tools themselves alter the system state and must be documented.
Forensic investigators follow a scientific method that involves:
- Determining the characteristics of the evidence: for each item, whether it is primary or secondary evidence, and whether it is reliable and stable enough to be relied upon.
- Comparing evidence from different sources to establish a chronology of events.
- Reconstructing events, including recovering deleted files and other activity on the system.
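The chronology step above can be illustrated with a small timeline builder. This is an added example, not from the original notes: three constructed record types (a host event log recorded in local time with an offset, a web proxy log in UTC, and a file-system timestamp listing in epoch seconds) are normalized to UTC and merged into a single ordered timeline. The log formats are simplified stand-ins and every line is constructed, not captured data.

```python
"""Merge timestamps from different evidence sources into one UTC chronology.

Added example; not part of the original notes. The three record formats are
simplified stand-ins for a host event log (local time with offset), a web
proxy log (UTC) and a file-system timestamp listing (epoch seconds); every
line is constructed, not captured.
"""
import re
from datetime import datetime, timezone

# Constructed sample records. The host's clock is set to local time (UTC-05:00).
HOST_LOG = [
    r"2024-03-04 09:17:03 -0500 EventID=4688 NewProcess=C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
    r"2024-03-04 09:16:41 -0500 EventID=4688 NewProcess=C:\Program Files\Outlook\OUTLOOK.EXE",
]
PROXY_LOG = [
    "2024-03-04T14:16:55Z jdoe GET http://example.invalid/invoice.exe 200 204800",
]
FS_TIMES = [
    r"1709561821 M C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
]

HOST_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([+-]\d{4}) (.*)$")
PROXY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
FS_RE = re.compile(r"^(\d+) ([MACB]) (.*)$")
MAC_LABELS = {"M": "modified", "A": "accessed", "C": "metadata changed", "B": "created"}


def parse_host(line):
    """Local timestamp plus offset -> aware datetime converted to UTC."""
    stamp, offset, event = HOST_RE.match(line).groups()
    local = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc), event


def parse_proxy(line):
    """Trailing 'Z' means UTC; attach the zone explicitly."""
    stamp, event = PROXY_RE.match(line).groups()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return when, event


def parse_fs(line):
    """Epoch seconds are already UTC-based; label the MAC flag for the reader."""
    epoch, flag, path = FS_RE.match(line).groups()
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return when, f"file {MAC_LABELS[flag]}: {path}"


def build_timeline():
    """Return [(iso_utc, source, event), ...] ordered by normalized time."""
    events = []
    for parser, source, lines in ((parse_host, "host", HOST_LOG),
                                  (parse_proxy, "proxy", PROXY_LOG),
                                  (parse_fs, "fs", FS_TIMES)):
        for line in lines:
            when, event = parser(line)
            events.append((when, source, event))
    events.sort(key=lambda ev: ev[0])   # stable sort keeps input order within a second
    return [(when.isoformat(), source, event) for when, source, event in events]


if __name__ == "__main__":
    for when, source, event in build_timeline():
        print(f"{when}  {source:5}  {event}")
```

Normalizing every source to one time zone before sorting is what makes the comparison valid: the host records local time with an offset, and its entries would land in the wrong place if compared as written against the UTC proxy log. A known clock skew on a source is corrected the same way, by adjusting its timestamps before the sort, and the adjustment itself belongs in the report.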