{"id":4522,"date":"2025-03-17T10:44:42","date_gmt":"2025-03-17T09:44:42","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4522"},"modified":"2025-03-19T11:01:45","modified_gmt":"2025-03-19T10:01:45","slug":"notes-from-the-incident-response-training-march-2025","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4522","title":{"rendered":"Notes from the Incident Response Training March&nbsp;2025"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Since Win\u00addows 11, hard dri\u00adve encryp\u00adtion can be applied auto\u00admat\u00adi\u00adcal\u00adly if Win\u00addows detects that the require\u00adments are met. Users could not be aware that their stor\u00adage may be encrypted.<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4505\" data-type=\"post\" data-id=\"4505\"><span class=\"caps\">CAINE<\/span> <\/a>can be used for first analysis<\/li>\n\n\n\n<li>Schr\u00f6dinger\u2019s Inci\u00addent \u2014 we know if it is an inci\u00addent now before we\u2019ve looked into&nbsp;it.<\/li>\n\n\n\n<li>Ter\u00admi\u00adnol\u00ado\u00adgy:\n<ul class=\"wp-block-list\">\n<li>Inci\u00addent Analysis&nbsp;<ul class=\"wp-block-list\">\n<li>Impact analy\u00adsis<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Inci\u00addent Response&nbsp;<ul class=\"wp-block-list\">\n<li>Imme\u00addi\u00adate reactions<\/li>\n\n\n\n<li>Man\u00addia et al. 2003 and \u201cThe inves\u00adtiga\u00adtive process\u201d by Casey, 2004<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Inci\u00addent Handling&nbsp;<ul class=\"wp-block-list\">\n<li>Controlling\/Management<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span class=\"caps\">FPC<\/span> Full Pack\u00adet Captures<\/li>\n\n\n\n<li><span class=\"caps\">PSTR<\/span> Pack\u00adet Strings (Log only from strings of net\u00adwork packets)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Chain of cus\u00adtody \u2014 doc\u00adu\u00admen\u00adta\u00adtion of all steps and insights and where and how they were retrieved. Impor\u00adtant when it goes to&nbsp;court.<\/li>\n\n\n\n<li>Types of&nbsp;data&nbsp;<ul class=\"wp-block-list\">\n<li>Per\u00adsis\u00adtent&nbsp;data<\/li>\n\n\n\n<li>Volatile Data<\/li>\n\n\n\n<li>Very Volatile Data<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>(!) After pacht\u00ading for a zero day, you should also check if the sys\u00adtems were already compromised.<\/li>\n\n\n\n<li>Spe\u00adcial\u00adized mal\u00adware&nbsp;types:&nbsp;<ul class=\"wp-block-list\">\n<li>Scare\u00adware \u2014 Mal\u00adi\u00adcous soft\u00adware which threat\u00adens a user. For exam\u00adple, it is claim\u00ading an infec\u00adtion, the relase of sen\u00adsi\u00adble data, \u2026 And it offers a path to pay some\u00adthing to not real\u00adize the threat.<\/li>\n\n\n\n<li>Adware \u2014 Mal\u00adi\u00adcous soft\u00adware which loads adver\u00adtise\u00adment so that ad plat\u00adforms reg\u00adis\u00adter traffic.<\/li>\n\n\n\n<li>Spy\u00adware \u2014 Mali\u00adcious soft\u00adware which only col\u00adlects and dis\u00adtrib\u00adutes sen\u00adsi\u00adtive&nbsp;data.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Time\u00adzones <\/strong>are impo\u00adrant to con\u00adsid\u00ader when doc\u00adu\u00adment\u00ading inci\u00addents. Make sure that you are using only one time zone and check which time zone tools are&nbsp;using.<\/li>\n\n\n\n<li>There are <a href=\"https:\/\/en.wikipedia.org\/wiki\/Emoji_domain\">Emo\u00adji-Domains<\/a> <\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/heyitsmikeyv\/base64-keystrings\">Search also for base64 patterns<\/a><\/li>\n\n\n\n<li>Net\u00adwork pack\u00adage data can be very use\u00adful, but to store it for a longer time peri\u00adod is very ressource inten\u00adsive, obviously.&nbsp;<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?tag=flow-data\" data-type=\"post_tag\" data-id=\"521\">Flow data<\/a> can be a com\u00adpro\u00admise, to only log for some time which sys\u00adtems talked to which oth\u00ader systems.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Logs should be pro\u00adtect\u00aded like back\u00adups, also after an suc\u00adcess\u00adful attack.<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/redcanaryco\/atomic-red-team\">GitHub \u2014 red\u00adca\u00adnaryco\/atom\u00adic-red-team: Small and high\u00adly portable detec\u00adtion tests based on MITRE\u2019s <span class=\"caps\">ATT<\/span><span class=\"amp\">&amp;<\/span><span class=\"caps\">CK<\/span>.<\/a> Atom\u00adic Red Team test library<\/li>\n\n\n\n<li>Suri\u00adca\u00adta \u2014 net\u00adwork ana\u00adlyz\u00ading&nbsp;tool<\/li>\n\n\n\n<li><a href=\"https:\/\/cfreds.nist.gov\/\">CFReDS Por\u00adtal<\/a> is a page for image which can be ana\u00adlyzed with filesys\u00adtem forensic.<\/li>\n\n\n\n<li>With <a href=\"https:\/\/github.com\/fox-it\/dissect\">GitHub \u2014 fox-it\/dis\u00adsect: Dis\u00adsect is a dig\u00adi\u00adtal foren\u00adsics <span class=\"amp\">&amp;<\/span> inci\u00addent response frame\u00adwork and toolset that allows you to quick\u00adly access and analyse foren\u00adsic arte\u00adfacts from var\u00adi\u00adous disk and file for\u00admats, devel\u00adoped by Fox-IT (part of <span class=\"caps\">NCC<\/span> Group).<\/a> you can scan images for inter\u00adest\u00ading&nbsp;files<\/li>\n\n\n\n<li>See <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1132\" data-type=\"post\" data-id=\"1132\">Foren\u00adsic <\/a>site with tools to&nbsp;learn<\/li>\n\n\n\n<li>Most mal\u00adware wants to per\u00adsist itself. There\u00adfore, it is a good idea to search the <a href=\"https:\/\/andreas-klingler.de\/infosec\/?tag=persistance\" data-type=\"post_tag\" data-id=\"301\">pos\u00adsi\u00adble per\u00adsis\u00adtence vec\u00adtors<\/a>.<\/li>\n\n\n\n<li>Tip: When han\u00addel\u00ading with files, change the suf\u00adfix to pre\u00advent acci\u00addent\u00adly exe\u00adcu\u00adtion. E.g. bla.exe_<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[517],"tags":[],"class_list":["post-4522","post","type-post","status-publish","format-standard","hentry","category-incident-response-training-march-2025"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4522"}],"version-history":[{"count":22,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4522\/revisions"}],"predecessor-version":[{"id":4679,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4522\/revisions\/4679"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}