Network Forensics
CFIAR 20021115II01A Confidential: Business Use Only
[Class Number] [Date]
Forensic Analysis Investigative Report
Incident Report Number | YYYYMMDD-I-# [Year, Month, Day, Incident Number]
Report Name |
Location Category | [internal, external, internet, extranet, etc.]
Reported Incident Date |
Table of Contents
Executive Summary
1.0 Initial Incident Discovery
1.1 Summary
1.2 Action Items
1.3 Description of system(s) in question
1.4 Identified Computer System(s)
1.5 Security Mechanisms
1.6 Initial Forensic Discovery
1.7 Initial Corrective Action
1.8 Participants
1.9 Additional Information
2.0 Forensic Process
2.1 Tools
2.2 Logs
2.3 Methods
3.0 Results and Findings
3.1 Summary
3.2 Corrective Actions
3.3 Lessons Learned
4.0 Appendix
4.1 Attachment 1
4.2 Attachment 2
Executive Summary
[Provide a high-level overview of what occurred. Include potential impacts on the organization, side effects that may have occurred, remediation actions, and your recommendations for the next step. This is meant to be read by executives, so this is not the area to dive into technical jargon or specific technical details of the event. Keep it at a high overview level.]
1.0 Initial Incident Discovery
1.1 Summary
[Use this area to summarize the initial discovery process to include artifacts discovered. This is a summary area, so be sure to provide the supporting evidence items in the sections below.]
1.2 Action Items
[Use this section to create a list of items that will be performed for this incident response effort. This list might change as you are going through your process. Do not simply delete an entry: Explain why it was initially listed but not used, or why it was added later in the process.]
1.3 Description of system(s) in question
[Describe the functions that the victim system(s) provide for the network. Use a network diagram to indicate the location of the system(s) and which components these systems may have access to (trusted or mapped shares).]
1.4 Identified Computer System(s)
[List the systems in full technical detail. Include items such as versions, service packs if applicable, and installed software.]
1.5 Security Mechanisms
[Describe the security mechanisms that are in place, such as firewalls, intrusion detection/prevention systems, and antivirus software.]
1.6 Initial Forensic Discovery
[While conducting the initial discovery phase, what artifacts were discovered? These may include port scans, modified system files, anomalous network traffic, and other relevant elements.]
1.7 Initial Corrective Action
[Determine what the initial corrective action is going to be prior to starting the investigation: removing the system from the network, moving applications to another system, establishing a sandbox environment, and so on.]
1.8 Participants
Name | Extension | Title
     |           |
     |           |
     |           |
1.9 Additional Information
[Use this area to expand and provide additional details not covered in the basic framework above.]
2.0 Forensic Process
[List the steps used to perform this investigation. The section will vary according to the type of investigation. Add or delete sections as needed. Remember to update the table of contents each time changes are made.]
2.1 Tools
[List all tools that were used to conduct this investigation. Include make, model, version number, and other specifics.]
2.2 Logs
[This section should include any relevant logs or proof that the system was compromised. It may contain application log entries, system log entries, and others. Ensure that you correlate the log entry to an artifact of evidence.]
2.3 Methods
[Were any particular parameters or options used for specific tools? Be sure to include at least the MD5 hash value of evidence items in this section as well.]
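The hash values this section asks for are only useful if they are recorded in a consistent way and can be re-checked later. The script below is an added example, not part of the CFIAR template or Steve J. Scott's material: it streams each evidence file through MD5 (the minimum the template requires) and SHA-256, writes one manifest row per item in a form that can be pasted into this section, and re-hashes the items on demand to detect any change since acquisition. The evidence IDs, file names and the "tampering" step in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests for an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through both hashes so a large disk image never has to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def build_manifest(paths, evidence_prefix: str = "E") -> list:
    """One manifest row per evidence item: id, path, size, both digests and a UTC timestamp.

    The "E001"-style identifiers are a hypothetical numbering scheme, not one the template prescribes.
    """
    rows = []
    for n, path in enumerate(paths, start=1):
        digests = hash_file(path)
        rows.append({
            "evidence_id": f"{evidence_prefix}{n:03d}",
            "path": path,
            "size_bytes": os.path.getsize(path),
            "md5": digests["md5"],
            "sha256": digests["sha256"],
            "hashed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    return rows


def verify_manifest(rows) -> list:
    """Re-hash every item and return the IDs whose current digests differ from the recorded ones."""
    mismatches = []
    for row in rows:
        current = hash_file(row["path"])
        if current["sha256"] != row["sha256"] or current["md5"] != row["md5"]:
            mismatches.append(row["evidence_id"])
    return mismatches


def format_manifest(rows) -> str:
    """Render the manifest as a pipe-delimited table for the Methods section of the report."""
    lines = ["Evidence ID | Path | Size (bytes) | MD5 | SHA-256 | Hashed (UTC)"]
    for r in rows:
        lines.append(
            f"{r['evidence_id']} | {r['path']} | {r['size_bytes']} | "
            f"{r['md5']} | {r['sha256']} | {r['hashed_at_utc']}"
        )
    return "\n".join(lines)


def demo_tamper_check():
    """Constructed demo: hash two sample files, then alter one and re-verify.

    Returns (mismatches_before, mismatches_after); the sample data is not real case evidence.
    """
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "webserver_disk.dd")   # hypothetical evidence item 1
        log = os.path.join(d, "access.log")            # hypothetical evidence item 2
        with open(image, "wb") as f:
            f.write(b"abc")
        with open(log, "wb") as f:
            f.write(b"10.0.0.5 - - [15/Nov/2002:10:00:00 +0000] \"GET / HTTP/1.0\" 200 512\n")
        rows = build_manifest([image, log])
        before = verify_manifest(rows)
        with open(log, "ab") as f:       # simulate post-acquisition modification of item 2
            f.write(b"appended line\n")
        after = verify_manifest(rows)
        return before, after, format_manifest(rows)


if __name__ == "__main__":
    before, after, table = demo_tamper_check()
    print(table)
    print("mismatches before modification:", before)
    print("mismatches after modification:", after)
```

MD5 is recorded because the template calls for it and many existing tools and prior reports use it, but practical MD5 collisions have been demonstrated, so the manifest also carries SHA-256 and `verify_manifest` requires both digests to match. Run the script at acquisition time, paste the printed table into this section, and re-run `verify_manifest` against the stored rows before analysis and again before the report is finalized.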
3.0 Results and Findings
3.1 Summary
[This is where you will conduct your analysis and correlation, tie it all together, and—based on forensic evidence—explain what took place.]
3.2 Corrective Actions
[What do you recommend to correct the problem? This should be an extended version of what you have in the Executive Summary.]
3.3 Lessons Learned
[What can be learned from this analysis so that it doesn’t happen again? How can this information be used to protect other systems in the future?]
4.0 Appendix
4.1 Attachment 1
[Use this area to attach items such as screenshots, relevant output from a tool or utility, or reports generated from other programs. If you attach something as an appendix in this section, it must be referenced in the document, with an explanation of its relevance.]
4.2 Attachment 2
Created by: [Name]
Template adapted from Steve J. Scott, superhac.com. Retrieved January 2014 from http://superhac.com/wp-content/uploads/2008/01/cfiar.doc