Incident Response Evidence Collection \ Triage - John Meyers

"Incident Response succeeds or fails at evidence collection. If you don't collect evidence properly or soon enough, you might not be able to determine the root cause of the incident. I will explain how and when to start your evidence collection process, verifying your evidence, hashing your evidence, and the concept of working copies to examine your evidence. Demonstration will include capturing disk image and device memory using FTK Imager and SIFT Workstation. Incident triage is the process of reviewing gathered evidence in an expedient manner to answer important questions. Topics will include the usefulness of artifacts including Memory, MFT, Windows Registry and Browser History. Memory triage would cover basic usage of Volatility to find running processes, network connections and review other artifacts available in memory. Disk triage would cover locations of key artifacts including MFT, Registry, Browser History, etc. Log triage would explain how to review large log sets to find relevant evidence using grep. Includes a real-world example of using the strings command to find bad URLs in phishing PDF files from over 9k PDF files."
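The hash-then-copy-then-verify workflow the abstract describes, written out as an added example (it is not code from the talk, FTK Imager or SIFT); the file names and the stand-in image bytes are constructed, and the digests are streamed so a multi-GB capture never has to fit in memory:

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read evidence in 1 MiB chunks

def hash_chunks(chunks, algorithms=("md5", "sha256")):
    """Digest an iterable of byte chunks with every algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path, algorithms=("md5", "sha256")):
    """Stream a file through hash_chunks so large disk/memory images stay on disk."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(CHUNK), b""), algorithms)

def make_working_copy(original, workdir):
    """Hash the original, copy it, re-hash the copy; only a matching copy is handed back."""
    original, workdir = Path(original), Path(workdir)
    expected = hash_file(original)
    copy = workdir / f"{original.name}.working"
    shutil.copy2(original, copy)
    if hash_file(copy) != expected:
        copy.unlink()  # a copy that does not match the original must never be examined
        raise ValueError(f"working copy of {original.name} does not match the original")
    # Record the acquisition hashes beside the evidence (md5sum-style lines) for later checks
    (workdir / f"{original.name}.hashes").write_text(
        "".join(f"{alg}  {digest}  {original.name}\n" for alg, digest in expected.items()))
    return copy, expected

def verify_evidence(path, expected):
    """True only if every recorded digest still matches; run before each examination session."""
    return hash_file(path, tuple(expected)) == expected

def demo():
    """Constructed scenario: a tiny stand-in for a disk image is copied, then the copy is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "laptop.raw"
        original.write_bytes(bytes(range(256)) * 64)  # constructed sample image, not real evidence
        copy, hashes = make_working_copy(original, tmp)
        copy_ok = verify_evidence(copy, hashes)
        with open(copy, "r+b") as fh:  # simulate an accidental write to the working copy
            fh.write(b"X")
        return {"copy_verified": copy_ok, "tamper_detected": not verify_evidence(copy, hashes)}
```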