CHAPTER 12 Incident Analysis

Introduction

In the last chapter, we saw an overview of the incident handling process. We looked at the different phases:

  • Preparation: Laying down the infrastructure to resolve an incident when it occurs.
  • Analysis: Figuring out and documenting as much of the incident as possible.
  • Containment: Given the results of the analysis, determine the best way to stop the incident and remove any lingering effects it has left behind.
  • Lessons learned: Apply the newfound knowledge to remediate any issues found during the process, going back to the preparation phase.

The cycle of incident handling never ends. As new vulnerabilities come to light and new technologies are deployed, new challenges appear. Anything missed during the preparation phase, when the organization tries to be proactive about its vulnerabilities, will inevitably lead to adverse events later.

In this chapter, we take a closer look at phases 2 and 3, analysis and containment. We will:

  • Look at sources of information within the Linux and Windows operating systems.
  • Learn how to extract information from those systems specific to the event we are reviewing.
  • Learn how to create timelines indicating the pattern of the event.
  • Look at examples of evidence of attack on multiple applications.

Log analysis

Most software applications and operating systems provide some sort of logging mechanism to record status information. The purpose that logging serves varies from one application to another.

  • Software developers use logging ...
