Responding to an incident
From Jonsdocswiki
Memory Stick Warning: Never plug a memory stick, or other writeable media, into a compromised device.
An incident can be classed as:
- Viral outbreak on a machine.
- Malware outbreak on a machine.
- Data loss (e.g. memory stick problem or workstation issue).
- Forensic incident (in which case you'll likely need Trinity too).
Basically, anything that causes the workstation to act unexpectedly can be classed as an incident, and it is important that the rest of the network is not put at risk. For this reason optical media is used to investigate: it is read-only to the infected system, so the compromised machine cannot write anything back onto the tools you bring to it.
Requirements
- Post Incident Response Disk
- The device in question
- Ability to disable the device's network connection, preferably before Windows boots.
Step 1 - Determine the incident type
In order to troubleshoot the incident we first need to determine the incident type. It is possible that the incident falls into more than one category:
File recovery (data loss)
USB Memory Sticks
A common problem is that users save the only copy of important documents onto a memory stick. If the memory stick then fails, or the file "disappears", the user has lost their only copy.
It's important to note at this point that this will likely require the use of advanced data recovery techniques.
Failed USB hardware: If the memory stick has suffered an electrical failure (i.e. plugging it into a computer doesn't cause the device to be detected) or physical breakage (USB connector snapped off, chip cracked, etc.) then there is nothing you can do!
Hard disks
Users may find themselves unable to access data on their hard disks for a number of reasons:
- The operating system may fail to boot.
  - See Fixing a failed OS.
- The drive may be failing.
- The file has been accidentally deleted.
It's possible you'll need to look into advanced data recovery techniques, but it's worth noting that recovering data off a failed hard disk will take a long time!
Viral or Malware outbreak
If a computer starts to exhibit odd behaviour, such as pop-ups, additional programs or slow response times, then it's possible the OS has been infected with a virus, trojan or other malware. For example, a computer may have been infected with scareware which invites the user to purchase bogus anti-virus protection (see image right).
Forensic Incident
A forensic incident will involve more in-depth work. For example, files may have been vandalised, data may have been sent off site illicitly, the machine may have been compromised by a targeted attack or, worse, an employee may have been accused of computer misuse. If this is the case, seek guidance from the Network Manager before proceeding.
Step 2 - Respond to the incident
Once you've determined the incident type (or types), it's important to follow the relevant procedure. Note: if you've got a combination of incident types that includes a forensic incident, seek guidance from the Network Manager before proceeding.
