adverse events

with negative consequences

malicious intent to harm

all of the above

The victim’s needs

Provide rapid detection and containment

The severity of incident

Escalate privileges

Initial compromise

Establish foothold

Maintain presence

Guidance Software EnCase

Ubuntu

AccessData FTK Imager

Kali Linux

live image will make minor modifications to the system, but you

will be able to get an image

the system may be an extremely business-critical system that cannot be

taken down except during very short maintenance windows

no hardware write blocker preventing you from

destroying evidence

system or backup system restrictions

create an infrastructure that provides rapid answers to the questions you will have after an incident occurs

Identify your corporate risk

Create a response toolkit for use by the CSIRT

prepare the host for the incident

Corporate reputation

Confidential business information

Nonpublic personally identifiable information

business information