{"id":4501,"date":"2025-03-17T10:01:59","date_gmt":"2025-03-17T09:01:59","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4501"},"modified":"2025-03-21T13:45:29","modified_gmt":"2025-03-21T12:45:29","slug":"incident-response-training-march-2025","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4501","title":{"rendered":"First steps after an incident"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">If the sys\u00adtem is pow\u00adered&nbsp;off:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cre\u00adate image of all stor\u00adage devices.&nbsp;<ul class=\"wp-block-list\">\n<li>If encrypt\u00aded: Try to get the (back\u00adup) encryp\u00adtion keys and make an image of the decrypt\u00aded image&nbsp;too.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If the sys\u00adtem is active:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Per\u00adform live analysis&nbsp;<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/PKRoma\/ProcessHacker\">Process Hack\u00ader&nbsp;2<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Per\u00adform <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=538\" data-type=\"post\" data-id=\"538\">mem\u00ado\u00adry dump<\/a>, if possible.<\/li>\n\n\n\n<li>Per\u00adform net\u00adwork analy\u00adsis, if possible.&nbsp;<ul class=\"wp-block-list\">\n<li>On anoth\u00ader net\u00adwork device.<\/li>\n\n\n\n<li>Or wire\u00adshark<\/li>\n\n\n\n<li>Or at least some net\u00adwork com\u00admands, e.g. <code>lsof -i<\/code>, <code>netstat<\/code>, \u2026<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Check if hard dri\u00adve can be analysed after shutdown.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If the sys\u00adtem is a&nbsp;<span class=\"caps\">VM<\/span>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deter\u00admine hypervisor<\/li>\n\n\n\n<li>Cre\u00adate snapshot&nbsp;<ul class=\"wp-block-list\">\n<li>of hard&nbsp;drive<\/li>\n\n\n\n<li>of <span class=\"caps\">RAM<\/span>\/memory, if possible<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Export data\/snapshots (not just the last&nbsp;one!)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Oth\u00ader systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If oth\u00ader net\u00adwork devices are log\u00adging some\u00adthing (fire\u00adwalls, prox\u00adies), store\/save\/lock it.<\/li>\n\n\n\n<li>If there is a <span class=\"caps\">SIEM<\/span>, store\/save\/lock data from&nbsp;it.<\/li>\n\n\n\n<li>If there is a cen\u00adtral log\u00adging serv\u00ader, store\/save\/lock the&nbsp;data.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Ques\u00adtions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>How do I could con\u00adclude that there was no incident?<\/li>\n\n\n\n<li>How should I priotorize?<\/li>\n\n\n\n<li>What are indi\u00adca\u00adtors of com\u00adpro\u00admise (<span class=\"caps\">IOC<\/span>) for which I should look&nbsp;for?<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If the sys\u00adtem is pow\u00adered&nbsp;off: If the sys\u00adtem is active: If the sys\u00adtem is a&nbsp;<span class=\"caps\">VM<\/span>: Oth\u00ader sys\u00adtems: Questions:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[517,482,516],"tags":[514],"class_list":["post-4501","post","type-post","status-publish","format-standard","hentry","category-incident-response-training-march-2025","category-notes","category-trainings","tag-incident-response"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4501"}],"version-history":[{"count":14,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4501\/revisions"}],"predecessor-version":[{"id":4829,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4501\/revisions\/4829"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}