Incident Response Report #2
This assignment is similar to the last incident response report. You will take the framework you
developed for your report, with corrections that I suggested as feedback, then develop a new
report for this incident. The grading rubrics will be the same, but the grading will be stricter
being this is your 2nd time developing an incident response report.
The incident scenario this time is that an employee was installing a new computer. They were
in the process of installing software when they noticed abnormal mouse activity on the
computer. At that point, they walked away from the computer and called you for help. Treat
this like an incident at a corporation, although the computer is not joined to a domain.
I am expecting that at a minimum you are able to tell the story of what happened during the
incident. What was the initial infection vector, what happened next? Are there any persistence
mechanisms in play? Are there any IP addresses associated with the attacker? And if so, what
are they?
Instead of a 22 page document with evidence, you will be working with evidence that has been
extracted from the computer in its raw form just like an incident responder would see if they
were working on the workstation. The evidence totals about 7 gigs with the memory image.
Some of the evidence collected may overlap evidence that was collected in another method.
Some of the included evidence is from:
• Netstat
• Complete directory / file structure listing for the entire C drive
• Services
• Several Kape collections – These will provide a rich set of evidence but take a little bit to
get used to the way Kape provides the collected evidence
• Browser information
• Prefetch
• Scheduled Tasks
• Users
• Windows Event Logs
• Forensic RAM image
The evidence can be downloaded from a Google Drive link I’ll post on D2L.
Not every piece of evidence collected will yield results. It is your job to comb through the
evidence to put together the pieces of what happened to develop your report. You can
successfully respond to the incident without doing the memory forensics, but it may provide
some easier insights if you want to give it a shot. The memory image is around 5.4 gigs in size.
I split the evidence into different folders to make it easier to download and work with if you don’t
have the full 7 gigs of free space on your drive.
Start by forming your investigative questions, then going searching for evidence that proves
your questions. Your IOCs this time will be generated based on actual evidence you find that
can be used to search other computers to determine if they are in scope of the incident as well.
I will be providing the VM as an optional way to investigate the incident. The VM is provided as
is without any additional support from me. It is a VMWare image. Some of the evidence will still
be in the VM, but it will be provided post attack after that attacker is already gone.
To produce your report, analyze the evidence, then summarize and present it using the
guidelines from the chapter 16 lecture, chapter 16 from the textbook, and guidance from the
“ICS-487 incident report what to include” in the sticky section of D2L.
The report should be at least 5 not counting any pictures utilized and the mandatory coverpage.
There will be a point penalty if the report is less than 5 pages. Do not turn in a 50-page report
for this assignment. The objective is to be concise as you tell the who what when where and
how story.
As previously stated, the raw evidence for this report has already been collected for you. You
will need to comb through it to find useful artifacts to fill in the pieces for the report. This
means making up a company that was hacked, the name of your company that is responding,
etc. Basic remediation steps will also need to be described as partof this assignment. For the
lessons learned section, describe in a paragraph or two items that you learned about incident
response that you will apply to future investigations based on theevidence that was
provided to you this time.
You should list 5 Indicators of Compromise that you gleaned from the evidence that are worth
searching for enterprise wide to make sure no other systems are infected. These will be best
displayed in a table for the IOC section. These IOCs will be developed when you find
artifacts related to the investigation. A timeline should also be put into the report like last
time.
You will also need to develop 10 investigative questions that you would ask during the course of
this investigation.
Keep in mind that for this project this evidence is manually collected from a single computer.
This is a normal amount of evidence one would collect in the course of Incident Response. This
is why we are teaching the method of developing investigative leads, turning those leads into
IOCs, then searching for those IOCs. This type of manual collection does not scale across more
than one or two systems in an incident. The next Incident Response report will involve you
collecting the evidence, and then reporting on that evidence you collect.
Make sure you start this assignment early. This is a 400-level class and will require some critical
thought to complete this assignment along with utilizing the skills that have been taught up to
this point. A quality report will take time to produce especially when it comes to selecting
which pieces of evidence to use that will tell the story but not provide unnecessary detail.
Also keep in mind the responses I provided to your previous report.
A common mistake is making the executive summary and findings section too
technical. This should be written in language that an 80 year old grandma who doesn’t
have an IT background can understand.
Because this is an academic environment, anytime you use someone else’s ideas you must cite
it in IEEE format. It is assumed that most of your content will be coming from the provided
evidence document. You don’t have to cite general information you take from that document.
Make sure that you are re-telling the story. It is ok to use a sentence or two once in a while.
Do not just copy an entire paragraph from the evidence document and turn that in as your
work.
Grading Rubric
Requirement Possible
Score
Coversheet meets specifications including affected organization, incident number
or name, date published, name of the organization that performed the
investigation, and “Privileged and Confidential”
2
Table of contents 2
Report is at least 5 pages long not including cover sheet and any pictures used as
part of the report 3
Good grammar, style, and use of IEEE citations if applicable 10
Formatted according to specifications and style suggestions in Chapter 16 and
reporting lecture 10
10 quality investigative questions based on evidence provided 10
5 Indicators of Compromise based on evidence provided 5
1 – 2 paragraphs of lessons learned describing items that you learned from this
investigation that you will apply to future investigations 7
Remediation describes exact steps taken to expel malicious actors from the
network 5
Who what where when why is told to the best of the author’s ability with the
evidence provided throughout the documents without making the reader piece
any parts of the puzzle together
8
Executive summary containing how the incident was discovered, the type of
incident this is what the response was, the goal of the investigation, duration of
the work, start and stop date, and who sponsored the work
10
Findings section addresses the goals of the investigation by summarizing the
information found in the investigative questions, systems involved, IOC, evidence
collected and remediation sections in a manner that is written with nontechnical
executives in mind. No more than a page long.
5
Systems involved are described and information that is known based on the
limited evidence provided is recorded.
3
Evidence collected section contains detailed account of the evidence that was
utilized for the report, how it was collected, what facts it is providing to back up
the rest of the report. Any procedures have to be documented in such a way that
a third party could replicate the results of the analysis. You may have to do a little
googling here to come up with any missing parts of the analysis and collection.
15
Recommendations section describes fixing the holes that caused this incident and
any larger suggestions for the company as a whole to improve their overall
security posture
5
This report has a total of 25 grading points available. Each individual item will be scored as a
percentage adding to a total of 100% for the assignment. Your total percentage will be what
percent of the 25 points you get on the assignment. For example, I produce a report that
scores a total of 85 of the 100 available percentage points. 85% of 25 is 21.25 so I will get 21.25
points on the assignment.