Investigative Response (1 or 2 Days)

Fred Avolio

 

Audience: the network and security administrator or IT security manager.

Computer Forensics is a high interest topic. But without the proper planning and preparation, forensic efforts often are fruitless. This course will help you handle your next security incident, by working through how a CSIRT is put together and how it operates under fire. You will draft a charter for your CSIRT as well as an Incident Response Plan. To allow for as complete a final product as possible, students will be asked to come prepared having filled out a pre-class information form. (This form will not be seen or used by anyone but the student.) This class is aimed at the network and security administrator or IT security manager.
 

In this course you will learn:

 

• the importance of an Incident Response Plan
• how to formulate and implement an Incident Response Plan
• how and when to escalate
• how to create a Computer Security Incident Response Team (CSIRT)
• how to secure a computer crime scene and preserve evidence
• how to gather evidence that can be used in court
• why “practice makes better” (and why there’s no such thing as “perfect”)

 

 

You Will Leave With:

 

• A checklist for responding to incidents
• A draft CSIRT charter
• A draft Incident Response Plan
• A list of next steps for implementing the plan.

 

This class is NOT about:

 

• How to track down attackers
• How to use investigative tools
• How to become a network forensics expert
• How to do police work

 

This course will help you handle your next security incident, by working through how a CSIRT is put together and how it operates under fire. You will draft a charter for your CSIRT as well as an Incident Response Plan. To allow for as complete a final product as possible, students will be asked to come prepared having filled out a pre-class information form. (This form will not be seen or used by anyone but the student.)

 

Outline:

 

• Introduction to Investigative Response
• Preparation
• Evidence you’ve been attacked
• What to do after an attack (and what NOT to do)
• Introduction to Computer and Network Forensics
• Securing the scene
• Incident response plan
• Review, Summarize, and Next Steps

 

There is a pre-class questionnaire to fill out and bring with you. Students will get templates for all forms in hard-copy and electronic form, so it will help, though is not necessary, for the student to come with a notebook PC with word processor to work through the exercises.