Exam CS0-003
Question 20

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

    Correct Answer: D

    When responding to an incident involving a critical server, the first priority is to collect the most volatile data because it can be lost if the system is powered down or changes state. The routing table is an example of highly volatile data that exists in system memory. This information can reveal important details about current network connections and activities, which are crucial for an immediate investigation. Collecting the routing table first ensures that ephemeral data is preserved before any further actions, such as isolating the server, are taken.
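As an added example (not from the exam page or any of the commenters), a small Python collector that captures volatile artifacts in RFC 3227 order before the host is isolated and seals each capture in a hashed manifest so later alteration is detectable; the Linux commands in DEFAULT_STEPS and the output directory name are assumptions about the target host.

```python
"""Capture volatile artifacts in RFC 3227 order, then seal them in a hashed manifest."""
import datetime
import hashlib
import json
import pathlib
import subprocess

# Most volatile first, per RFC 3227. The Linux commands are assumptions about
# the target host; swap them for the equivalents on the platform being handled.
DEFAULT_STEPS = [
    ("routing_table", ["ip", "route", "show"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_connections", ["ss", "-tunap"]),
]

def run_step(name, cmd, outdir):
    """Run one collector, store its raw output, and return a manifest entry."""
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=30)
        data, status = proc.stdout, proc.returncode
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # A missing tool must not abort the capture: record the failure and move on.
        data, status = str(exc).encode(), -1
    (pathlib.Path(outdir) / f"{name}.txt").write_bytes(data)
    return {"artifact": name, "command": " ".join(cmd), "collected_at": started,
            "exit_status": status, "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}

def collect_volatile(outdir, steps=DEFAULT_STEPS):
    """Collect every step in order and write manifest.json beside the captures."""
    pathlib.Path(outdir).mkdir(parents=True, exist_ok=True)
    manifest = [run_step(name, cmd, outdir) for name, cmd in steps]
    (pathlib.Path(outdir) / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(outdir):
    """Recompute each capture's hash; return the artifacts that no longer match."""
    base = pathlib.Path(outdir)
    manifest = json.loads((base / "manifest.json").read_text())
    return [e["artifact"] for e in manifest
            if hashlib.sha256((base / f"{e['artifact']}.txt").read_bytes()).hexdigest()
            != e["sha256"]]

if __name__ == "__main__":
    for entry in collect_volatile("volatile_capture"):
        print(entry["artifact"], entry["exit_status"], entry["sha256"][:16])
```

Run it from removable media or a network share before the switchport is moved, and store the manifest separately from the captures so a hash mismatch later actually means something.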

Discussion
[Removed] (Option: D)

D) Routing table. It's the only volatile data. CompTIA CertMaster Topic 8B: Performing Incident Response Activities:

"Evidence capture prioritizes collection activities based on the order of volatility, initially focusing on highly volatile storage. The ISOC best practice guide to evidence collection and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as follows:
- CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
- Contents of system memory (RAM), including the following: routing table, ARP cache, process table, kernel statistics
- Temporary file systems/swap space/virtual memory
- Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices), including file system and free space
- Remote logging and monitoring data
- Physical configuration and network topology
- Archival media"

kmordalv (Option: D)

Excuse me, the "Guide to Collecting and Archiving Evidence" (RFC 3227) establishes the following order of volatility:
- registers, cache
- routing table, ARP cache, process table, kernel statistics, memory
- temporary file systems
- disk
- remote logging and monitoring data that is relevant to the system in question
- physical configuration, network topology
- archival media

References:
https://www.ciberforensic.com/directrices-rfc-3227
https://www.ietf.org/rfc/rfc3227.txt
https://resources.infosecinstitute.com/certifications/retired/security-plus-basic-forensic-procedures-sy0-401/#:~:text=The%20order%20of%20volatility%20is,the%20computer%20is%20turned%20off.
https://www.computer-forensics-recruiter.com/order-of-volatility/

psense (Option: D)

The priority in incident response is to collect the most volatile data that would be lost or altered if the system were powered down or rebooted. Malicious Files, while important, are non-volatile and will remain on the disk for later analysis.

Jhonys (Option: C)

Here we are talking about data on the critical server and not network routes. So the answer is C. The choice between collecting a routing table and malicious files depends on the nature of the incident and the order of volatility. In the case at hand, initial priority was given to malicious files due to prior identification of IoCs on the critical server, and because files are generally more volatile and crucial to investigating the incident. The order of priority may vary based on the specific circumstances of the incident.

ocord14

The question states before isolating the server, what should be gathered first.

biggydanny (Option: A)

The Hard Disk contains all the data stored on the server, including system files, application files, and user data. It’s crucial to collect a bit-by-bit copy (also known as a forensic image) of the hard disk first because it preserves the state of the system at the time of the incident. This includes any potential indicators of compromise (IoCs) and can provide valuable evidence for the investigation. The other options, while they may contain useful information, are either subsets of the data on the hard disk (Primary Boot Partition, Malicious Files) or are dynamic data that would not typically be preserved in an incident response scenario (Routing Table, Static IP Address).

sujon_london (Option: C)

Incident response follows the principle of data volatility, prioritizing collecting the most fleeting information first. In this case, malicious files directly tied to the suspected breach take precedence. Answer should be C.

WaaHassan (Option: A)

According to NIST SP 800-61, a guide for incident response, the first step in evidence gathering and handling is to acquire a snapshot of the system as-is, before any changes are made by the incident responders or system administrators. This snapshot should include the hard disk of the affected system, as it contains the most comprehensive and valuable information for further analysis. Therefore, the correct answer is A. Hard disk.

RobV (Option: D)

D. Routing table

throughthefray (Option: D)

Data that will be lost if the system is powered down is referred to as volatile data. Volatile data can be data in the CPU, routing table, or ARP cache.

499f1a0 (Option: D)

According to the order of volatility the routing tables should be the best option here. So D it is!

saidamef

ORDER OF VOLATILE DATA
- Registers, cache
- Routing table, ARP cache, process table, kernel statistics, memory
- Temporary file systems
- Disk
- Remote logging and monitoring data that is relevant to the system in question
- Physical configuration, network topology
- Archival media

dave_delete_me (Option: D)

D. Routing table data stored in memory or caches is considered highly volatile, since it will be lost if the system is turned off, whereas data stored in printed form or as a backup is considered much less volatile.

BanesTech (Option: C)

Malicious files found on the critical server are key pieces of evidence that could provide insights into the nature of the security incident, the methods used by the attackers, and the potential impact on the system. Collecting these files first allows the incident response team to preserve crucial evidence before taking any actions that might disrupt the server or alter its state. Once the malicious files are collected, the incident response team can proceed with isolating the server and conducting further investigation to gather additional evidence, such as analyzing the hard disk, examining the primary boot partition, reviewing the routing table, and documenting the static IP address configuration. However, collecting the malicious files should be prioritized to ensure that critical evidence is preserved in its original state.

Alizade (Option: C)

The answer is C. Malicious files.

Demarco (Option: C)

Collecting malicious files is important because they can provide valuable information about the nature of the attack, the malware used, and potentially even the threat actor responsible. It allows for analysis without altering the system's state. Once the malicious files are collected, you can proceed with isolating the server and taking other steps to secure the environment.

Cukur (Option: D)

Routing table.

chrys (Option: A)

The VERY first thing I would do IRL is dump the contents of memory. BUT since that's not a choice, I would make an offline copy of the disk, then boot that copy up in a sandbox to watch what it does. You wouldn't turn a machine off to isolate it. You would isolate its switchport into its own VLAN with no L3 routing, so it thinks it's still on a working network (it just can't reach anything).