Incident Response and Computer Network Forensics
Two critical components of cybersecurity are incident response and network forensics. Incident response is the approach that organizations undertake to contain threats, minimize damage and restore systems to normal operations after security incidents such as data breaches or cyberattacks.
Computer Network Forensics refers to the monitoring and analysis of network traffic to detect unauthorized access, network intrusion or malware. It is used to implement preventative measures that avoid future incidents, to reconstruct events and to understand the intentions of cyber attackers. Incident response teams use network forensics to understand the scope, impact, and entry points of attacks (Jayaraman, 2023). Together, Incident Response and Computer Network Forensics aim to reduce the harm caused by cyber incidents.
Below is a copy of my Digital Forensic Report from my final class. It details the tools used for the investigation, how the chain of custody was preserved, the questions asked, the analysis and my conclusions.
References:
Jayaraman, S. (2023, September 20). What Is Network Forensics? Basics, Importance, And Tools. Retrieved from G2.com: https://www.g2.com/articles/network-forensics
Reflection
The biggest takeaway for me from this class was understanding the importance of the Chain of Custody and how it ensures evidence is appropriately handled, accurate, and unaltered. It explained and clarified why, in some legal cases, evidence is thrown out because the Chain of Custody was broken. The Chain of Custody legally confirms the integrity of evidence and prevents any kind of tampering, substitution or misidentification of evidence.
Another takeaway from CSOL 590 was the importance of having an incident response plan in place, conducting incident response drills and updating the plan. While most of the time we do not think about incidents until they occur, having incident response playbooks in place improves response speed, helps teams work effectively together, and ensures compliance with industry-specific obligations.
In my work with ISO 27001, the standard requires the organization to have up-to-date incident response plans should there be any disruptive events such as security incidents or breaches. Our team of security professionals is required to keep these playbooks current by reviewing them, conducting table-top exercises and updating them with input from lessons-learned events.
As a security professional, I am expected to communicate effectively with various stakeholders, being clear and concise in my reporting. I must also adhere to and maintain the highest ethical standards and avoid conflicts of interest.