
INCIDENT RESPONSE AND DIGITAL FORENSICS 1

Incident Response and Digital Forensics

Capella University

IAS5220 – Network Security Controls and Testing.

Feb 21, 2019



Abstract

Digital forensics on a network system is the identification and investigation of cyber attacks from the digital content an investigator retrieves from that system. The abundance of devices connected to the Internet of Things and to networked systems has attracted an increased volume of cyber attacks, which requires an immediate incident response to each cyber attack case in order to understand the attacker's actions, supported by digital forensic investigation of the network traffic packets.

This paper evaluates the "differences within the incident response and digital or network forensics. Deliberating the paper is the effect of the prevailing network system security controls on digital or network forensics. This paper will review the tools used for quality network forensics investigations and its basic methodologies used in network forensics" (Capella, 2019, 20-22).

Keywords: digital or network forensic investigations, network system security controls, incident response, digital forensics.



Table of Contents

- Cover Page
- Abstract
- Table of Contents
- Introduction / Body
- Conclusion
- References
Lab screenshots (images not preserved in this extraction; captions only): U07V1 Toolwire Lab 3; Unit 07 Toolwire Lab 3 beginning; Unit 7 Virtual Lab 1 ending; Beginning; Mid way lab; Ending lab test.

Introduction

Digital forensic investigations capture, document and examine network system traffic activities according to a sound plan in order to discover evidence about identified cyber attacks for prosecution under the law. Quality digital or network forensic tools such as eMailTrackerPro (SANS, 2015) are used to find the physical location of the cyber attacker who sent a malicious message. Through network forensics we oversee and examine network system traffic in order to collect legal evidence and data about cyber attack activities, or for network system intrusion detection. Network forensics deals with volatile and dynamic data for proactive network system investigation. Digital forensics is the recovery and investigation of digital media devices for legal evidence of computer cybercrime, and is also known as computer forensics. Cyber forensics relates certain aspects of network and computer forensics; eDiscovery relates to the method of collecting and gathering legal evidence in electronic form, such as captured audio data, calendar data, images, emails, or database and Excel sheets, in a criminal case (Zawoad, Hasan, 2012, p 72 -78).

SANS (2013) describes the incident response procedure as stating, within the organization's information security governance, what happens, or what actions the organization's employees take, for network system security events, as defined in the information security policy: what the contact points are for reporting a network system security incident; what the employee's responsibility is for the security incident course of action; how important an asset is, and when an organization's network system should be taken offline at the time of a security incident; which outside parties, such as law enforcement or network system security experts, are our points of contact in case of a security incident; and whether the organization's incident response team is permanent, virtual, or hybrid. The organization's incident response is carried out by the CSIRT, the computer security incident response team, which includes the information security officer or IT system analyst. Incident response teams and network forensic teams differ in their organizational goals: the IR goal is the quick response to a security incident in real time, while the network forensic goal is gathering and understanding the security incidents, risks, and network system impacts. Their information requirements differ as well: IR needs short-term data sources, while network forensics needs long-term system logs and data files for investigation (Khan, Shiraz, Wahab, Gani, Han, & Rahman, 2014, para 22-28).

Regarding the effects of network controls on network forensics, we look at the behavior of network system traffic packets to investigate attacks at the network and transport layers of the network system (SANS, 2015). Network forensics also evaluates the data link and physical layers for intrusion into the network system by eavesdropping, and uses tools and network system protocols such as Wireshark, tcpdump, and ARP to discover and sniff network packet data on the NIC, as well as to filter network system packet traffic or reconstruct malicious packet data transmitted over the organization's network system. Network forensics also investigates reverse routing and data tracking, and reconstructs the security attack incident from network system device logs (SANS, 2015, para 7-13).
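The filtering and reconstruction step described above, shown as an added example that is not part of the paper or of the SANS material: the input is a constructed set of lines in the text format that `tcpdump -nn` prints, the parser groups pure SYN packets (connection attempts) by source host, and a threshold (an assumption here, five distinct ports on one host) flags sources whose attempts look like a sweep rather than normal use.

```python
"""Reconstruct TCP connection attempts from tcpdump-style text output.

Added example (not from the paper or from SANS). The sample lines are
constructed to resemble `tcpdump -nn` output; the regular expression and the
min_ports threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of tcpdump -nn style lines (not a real capture).
SAMPLE_LINES = """\
10:15:01.000001 IP 10.0.0.5.51000 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
10:15:01.000200 IP 192.168.1.10.22 > 10.0.0.5.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:15:01.000300 IP 10.0.0.5.51000 > 192.168.1.10.22: Flags [.], ack 3, win 502, length 0
10:15:02.000001 IP 10.0.0.9.40001 > 192.168.1.10.21: Flags [S], seq 1, win 1024, length 0
10:15:02.000002 IP 10.0.0.9.40002 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
10:15:02.000003 IP 10.0.0.9.40003 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
10:15:02.000004 IP 10.0.0.9.40004 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
10:15:02.000005 IP 10.0.0.9.40005 > 192.168.1.10.443: Flags [S], seq 1, win 1024, length 0
10:15:02.000006 IP 192.168.1.10.21 > 10.0.0.9.40001: Flags [R.], seq 0, ack 2, win 0, length 0
10:15:03.000001 IP 10.0.0.5.51001 > 192.168.1.10.443: Flags [S], seq 9, win 64240, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_connection_attempt(rec):
    """A pure SYN ('S' without the '.' ack bit) opens a new connection."""
    return rec["flags"] == "S"


def reconstruct_attempts(lines):
    """Map each source host to the set of (dst, dport) it tried to open."""
    attempts = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or not is_connection_attempt(rec):
            continue
        attempts[rec["src"]].add((rec["dst"], rec["dport"]))
    return attempts


def flag_port_sweeps(attempts, min_ports=5):
    """Return {src: (dst, sorted ports)} for sources that tried at least
    min_ports distinct ports on one host. The threshold is an assumption;
    tune it to the baseline of the network being examined."""
    flagged = {}
    for src, targets in attempts.items():
        ports_by_host = defaultdict(set)
        for dst, dport in targets:
            ports_by_host[dst].add(dport)
        for dst, ports in ports_by_host.items():
            if len(ports) >= min_ports:
                flagged[src] = (dst, sorted(ports))
    return flagged


if __name__ == "__main__":
    attempts = reconstruct_attempts(SAMPLE_LINES)
    for src, targets in sorted(attempts.items()):
        print(src, "->", sorted(targets))
    print("flagged:", flag_port_sweeps(attempts))
```

The same grouping can be fed from a real capture by piping `tcpdump -nn -r capture.pcap` into the script; the point of the example is that the evidence (the per-source set of attempted destinations) is reconstructed from the raw lines before any judgment is made about them.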

There are also tools and protocols used by network forensics for the quality of network security controls, such as those for extracting system files: nex, dsniff, Firesheep, ssldump, and Snort. They serve for intrusion detection at the transport and network layers, matching regular sessions against the network system activity audits, the extraction of SSL and emails, and the reconstruction of network system packets (Kim, Park, Lee, 2012, p182-184).

The basic methodologies of network forensics concern how to gather the best possible evidence, be it the original, with minimal disruption, intrusion or force, with transparency, and with a chain of custody, focusing on every aspect of the investigation mission and documenting everything. The methodology consists of identifying the source of a security incident while preserving the evidence so that it is not destroyed, followed by the collection, evaluation and examination/presentation of the legal evidence (Khan, Shiraz, Wahab, Gani, Han, & Rahman, 2014, para 32-38).
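The preservation and chain-of-custody steps of that methodology, as an added example that is not the paper's or the cited authors' method: evidence is fingerprinted with SHA-256 at acquisition, every handling action is written to a custody log in which each entry commits to the hash of the previous one, and two checks follow, one that the evidence bytes still match the acquisition hash, one that the log itself has not been edited. The evidence bytes, item identifiers, handler names and timestamps are constructed, and `EvidenceLog` is a hypothetical helper, not a standard forensic tool.

```python
"""Evidence preservation and tamper-evident chain-of-custody record.

Added example (not the paper's or the cited authors' method). All sample
values are constructed; EvidenceLog is a hypothetical helper class.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Fingerprint proving the evidence was not altered after acquisition."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Custody log where each entry includes the previous entry's hash."""

    GENESIS = "0" * 64  # prev-hash value for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        return sha256_hex(json.dumps(entry, sort_keys=True).encode())

    def record(self, item_id, action, handler, when, evidence_hash):
        """Append one custody event (who did what to which item, and when)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "item_id": item_id, "action": action, "handler": handler,
            "when": when, "evidence_hash": evidence_hash, "prev": prev,
        }
        body["entry_hash"] = self._entry_hash(body)  # hash computed before key is added
        self.entries.append(body)
        return body["entry_hash"]

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was edited or dropped."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if self._entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire(log, item_id, data, handler, when):
    """Acquisition step: hash the original at collection time and log it."""
    h = sha256_hex(data)
    log.record(item_id, "acquired", handler, when, h)
    return h


def verify_evidence(log, item_id, data) -> bool:
    """Compare the current bytes against the hash recorded at acquisition."""
    acquired = [e for e in log.entries
                if e["item_id"] == item_id and e["action"] == "acquired"]
    return bool(acquired) and sha256_hex(data) == acquired[0]["evidence_hash"]


# Constructed sample: one firewall log line preserved as evidence (not real data).
SAMPLE_EVIDENCE = b"2019-02-21T10:15:02Z fw01 DROP 10.0.0.9 -> 192.168.1.10:23\n"


def demo():
    """Acquire, transfer, then check an intact copy, an altered copy, and the log."""
    log = EvidenceLog()
    acquire(log, "EV-001", SAMPLE_EVIDENCE, "analyst_a", "2019-02-21T10:30:00Z")
    log.record("EV-001", "transferred", "analyst_b", "2019-02-21T11:00:00Z",
               sha256_hex(SAMPLE_EVIDENCE))
    intact = verify_evidence(log, "EV-001", SAMPLE_EVIDENCE)
    altered = verify_evidence(log, "EV-001", SAMPLE_EVIDENCE.replace(b"DROP", b"ALLOW"))
    return intact, altered, log.verify_chain()


if __name__ == "__main__":
    print(demo())
```

In practice the acquisition hash is also written to a medium the analyst cannot later rewrite (a printed worksheet, a write-once store), since the log only proves that nothing changed after the first entry, not that the first entry itself was taken from the original.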
References

Capella University. (2019). Course room, unit 7, Incident Response and Digital Forensics. Retrieved 02/21/2019, from https://courserooma.capella.edu/webapps/blackboard/content/listContent.jsp?course_id=_162482_1&content_id=_7268977_1&mode=reset

SANS. (2015). Advanced Network Forensics and Analysis. Retrieved 02/21/2019, from https://www.sans.org/vlive/details/38357

Khan, S., Shiraz, M., Wahab, A. W., Gani, A., Han, Q., & Rahman, Z. B. (2014). A comprehensive review on adaptability of network forensics frameworks for mobile cloud computing. The Scientific World Journal, 2014, 547062.

Zawoad, S., & Hasan, R. (2012). I have the proof: Providing proofs of past data possession in cloud forensics. Proceedings of the ASE International Conference on Cyber Security (CyberSecurity '12), December 2012, Alexandria, VA, USA, pp. 75–82.

Kim, A. C., Park, W. H., & Lee, D. H. (2013). A study on the live forensic techniques for anomaly detection in user terminals. International Journal of Security and Its Applications, 7(1), 181–188.