
IDENTIFYING INCIDENTS 1


Identifying Incidents - Unit 1 DB

ITF 403-1004A-02 Forensics - Network Security - Data Protection

Gregory J. Lubinsky

August 27, 2010

Andrew J. Mahaney

American InterContinental University Online



Abstract

This paper opens with the common situations that introduce malware onto a computer; common sense plays a large part in knowing what is safe to install and which sites are safe to visit. Identification of an incident is preceded by arrival on the scene and an on-scene visual inspection of the surrounding area, the conditions, and the equipment involved. The summary closes with my own point of view on the points the cited authors have made.



Introduction

Recognizing Incident Situations

Five known situations: there are five common situations that allow malware to be placed on your computer for the purposes of tracking, spying, hacking, or damaging your system and its components (US Vortechs, 2010). Software installation is at the top of the list, because people are always looking for new and free games, programs, and anti-virus, anti-spyware, and anti-malware applications for their amusement, for personal work, and to protect their hardware and software (US Vortechs, 2010). Link redirection is another trick that people are unfamiliar with: a link that takes a long time to load or lands somewhere other than where it claimed to go is a warning sign, so do not keep clicking it to make it load; avoid it entirely (US Vortechs, 2010). Another form is the constant appearance of pop-up ads from your task bar, or e-mail in the form of jokes, chain letters, lottery winnings, fund or bank-draft transactions, and notifications of awards you have supposedly won. These are called "fun or friendly links or e-mails": if you are getting pop-ups, run a scan now, and if you receive this type of e-mail, delete it the next time you visit your mailbox (US Vortechs, 2010). The author states that general links and pop-ups are also dangerous, and goes on to say that freeware is not free and should be avoided (US Vortechs, 2010). Finally, he says that other situations are the result of an infection already present, such as browser settings changing so that your home page no longer opens, extra toolbars on your browser that will not go away, and unexplained shutdowns (US Vortechs, 2010). He mentions two others that could be listed here, but the point is made and people should be aware. Browser tools are already part of any browser, so you should not download more of them, both for the reasons stated above and because it is rarely necessary. A browser ships with the tools a user needs to keep it running, and if more are needed, the vendor will generally add them in a later version.
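The "fun or friendly" e-mails and redirecting links above are easier to recognize with a mechanical check than by eye. The following is an added example, not code from this paper or from US Vortechs (2010): it pulls every link out of an HTML e-mail body and flags the tricks described above (visible text that names one site while the link goes to another, redirector parameters that carry a second URL, the user@host trick, bare IP hosts, and non-web schemes). The sample e-mail and every host name in it (mybank.example, clicktrack.example, evil.test) are constructed for the demonstration, and the list of redirector parameter names is an assumption.

```python
"""Flag the deceptive links described above in an HTML e-mail body.

Added example, not code from the paper or from US Vortechs (2010). The e-mail
below is constructed for the demonstration, and every host name in it
(mybank.example, clicktrack.example, evil.test) is made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query-string names commonly used by redirector links (an assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "target", "goto", "dest"}
# Display text that itself looks like a web address.
URL_TEXT = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (display text, href) pairs for every <a href="..."> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links


def _host(url):
    """Lower-case host of a URL, or '' if it has none or cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def classify_link(text, href):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return [f"non-web scheme {scheme!r}"]   # javascript:, data:, file: ...

    href_host = _host(href)
    # 1. The visible text is an address, but the link goes somewhere else.
    if URL_TEXT.match(text):
        shown = text if text.lower().startswith("http") else "http://" + text
        shown_host = _host(shown)
        if shown_host and shown_host != href_host:
            reasons.append(f"text shows {shown_host!r} but link goes to {href_host!r}")
    # 2. Redirector: a parameter carrying a full URL to a different host.
    for name, values in parse_qs(parts.query).items():
        if name.lower() in REDIRECT_PARAMS:
            for value in values:
                inner = _host(value)
                if inner and inner != href_host:
                    reasons.append(f"redirects via {name!r} to {inner!r}")
    # 3. user@host trick: the part before '@' is decoration, not the host.
    if parts.username is not None:
        reasons.append("user@host trick hides the real host")
    # 4. A bare IP address where a name would be expected.
    if href_host and href_host.replace(".", "").isdigit():
        reasons.append("bare IP address as host")
    return reasons


def scan_email(html):
    """Return [(text, href, reasons)] for every suspicious link in the body."""
    findings = []
    for text, href in extract_links(html):
        reasons = classify_link(text, href)
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample "you have won" e-mail with a mix of safe and bad links.
SAMPLE_EMAIL = """
<p>Congratulations, you have been awarded a prize!</p>
<p>Log in at <a href="https://www.mybank.example/login">www.mybank.example</a></p>
<p><a href="http://clicktrack.example/go?url=http://evil.test/claim">Claim it now</a></p>
<p>Or here: <a href="http://www.mybank.example@198.51.100.7/login">www.mybank.example</a></p>
<p><a href="https://www.mybank.example/help">Help centre</a></p>
<p><a href="javascript:alert(1)">View attachment</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the two genuine bank links pass and the other three are reported: the tracking link because its `url=` parameter points at a different host, the user@host link on three counts at once, and the `javascript:` link because it is not a web address at all. The checks are deliberately offline; following redirect chains to see where a link really lands requires fetching it, which is exactly what the text advises against doing on a suspicious link.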

Recognizing Incidents Part II

Outside Influences Incidents

Recognizing the main incidents: what is a computer system? It is the whole kit and caboodle that makes up the workstation (see Appendix A). How is it vulnerable? Employee misuse: there are countless ways an employee can misuse a computer, such as playing games on company time or going on the Internet to play them, doing personal work like balancing a cheque book or conducting transactions with a bank, downloading or viewing pornography or bookmaking information, or instant-messaging and e-mailing friends on company time. The subject is too vast to discuss here and would be better served by a book. Intrusion, hacking, and unauthorized access are all similar in intent and method but differ in reason and purpose. Sabotage is considered differently from viruses and other forms, but the raw meaning of sabotage is to destroy by a deliberate, malicious act, like throwing a monkey wrench into moving gears to stop the machine. So, to this writer, sabotage and a virus mean the same thing: doing harm to the operating system.

Immediate Response to Crime Scene

Identify Crime Scene

Identify the digital equipment and its connections. The analyst or inspector does not know whether the investigation will go to court now, later, or never, but he must assume that it will and take the same precautions as if it were (Steel, 2006). Whether he is recovering deleted files, verifying the cause of an incident, or tracking down the originator of foul e-mails, sabotage, or espionage intended to harm the company, its employees, or both, he has to protect the integrity of the evidence he finds (Steel, 2006). His responsibilities are to identify the cause of the incident, recover from it, and prevent it from happening again (Steel, 2006). One method of identification is to examine the application the intruder is suspected of having used and trace his actions back through it (Steel, 2006). Once the scene is secure, the inspector must remove all unnecessary network connections, save volatile data, power down peripherals, and ensure that power remains available for devices that would lose data without it. These steps interact: pulling the network cable ends any live session and discards the connection state that shows where the intruder came from, so decide what to capture before the machine is isolated. Document the scene by photographing computer screens (desktop images), network connections, and peripheral devices such as scanners, printers, and cameras (Steel, 2006). Before the electronically stored information (ESI) is collected, process the physical environment, including but not limited to scraps of paper; hanging or discarded manuals, guides, and instruction sheets; loose or stored media such as CDs, DVDs, flash drives, and convertibles; and keys or combinations to locked drives (Steel, 2006).

Immediate Incident Response

Identify Types of Incidents

Handling incidents with law enforcement. Why? Should an inspector catch an intruder while the intruder is online, he can immediately dispatch law enforcement to intercept the intruder while the inspector counters the intruder's actions, in other words, keeping him busy. Working with police and federal agents is not the problem; the problem is following protocol in the collection of evidence: following an SOP to gather evidence correctly, using chain-of-custody forms and procedures, and observing the policies, statutes, and federal and state laws for collecting, handling, and securing evidence. Some electronic devices are so volatile that once seized they must be checked for evidence immediately, such as cell phones and PDAs with limited battery life whose data lives in battery-backed memory: once the battery is gone, so is all the stored information (Steel, 2006). Simply shutting down a Windows system risks evidence on disk being overwritten and loses the contents of RAM and, depending on configuration, the swap (page) file and caches; closing applications also loses any unsaved material (Steel, 2006). Pressure from legislation prompted action in the form of special teams and units at various levels of law enforcement to combat electronic crime and collect ESI. This promoted corporate involvement with local and other law enforcement agencies (LEAs) to conduct joint operations (Steel, 2006).
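Protecting the integrity of the evidence, as the crime-scene section requires, and keeping the chain-of-custody records described above both come down to the same two habits: hash the evidence when it is acquired, and keep a record of every hand it passes through that cannot be quietly edited later. The following is an added example, not code from this paper or from Steel (2006). It hashes an evidence file in chunks (so a multi-gigabyte image does not have to fit in memory), appends custody entries to a JSON-lines log in which each entry also carries the hash of the previous entry, and then verifies both the log chain and the evidence. The file names, handler names and log format are assumptions made for the demonstration, and the "evidence" is a constructed file written to a temporary directory.

```python
"""Evidence integrity and chain-of-custody logging.

Added example; it is not code from the paper or from Steel (2006). The file
names, handler names and the JSON-lines log format are assumptions made for
the demonstration, and the "evidence" file is constructed in a temp directory.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so a large disk image fits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _last_entry_hash(log_path):
    """SHA-256 of the last line already in the log ('' for a new log)."""
    last = ""
    if os.path.exists(log_path):
        with open(log_path, "rb") as fh:
            for line in fh:
                if line.strip():
                    last = hashlib.sha256(line.rstrip(b"\n")).hexdigest()
    return last


def record_custody(log_path, item_id, action, handler, evidence_path, note=""):
    """Append one custody entry as a JSON line.

    Every entry carries the evidence file's hash and the hash of the previous
    entry, so editing or deleting an earlier line breaks the chain.
    """
    entry = {
        "item_id": item_id,
        "action": action,          # acquired, transferred, examined, ...
        "handler": handler,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence_sha256": hash_file(evidence_path),
        "note": note,
        "prev_entry_sha256": _last_entry_hash(log_path),
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify(log_path, item_id, evidence_path):
    """Return (chain_ok, file_ok): is the log chain unbroken, and does the
    evidence still match the hash recorded when the item was first logged?"""
    expected_prev, first_hash, chain_ok = "", None, True
    with open(log_path, "rb") as fh:
        for raw in fh:
            raw = raw.rstrip(b"\n")
            if not raw:
                continue
            entry = json.loads(raw)
            if entry["prev_entry_sha256"] != expected_prev:
                chain_ok = False
            expected_prev = hashlib.sha256(raw).hexdigest()
            if first_hash is None and entry["item_id"] == item_id:
                first_hash = entry["evidence_sha256"]
    file_ok = first_hash is not None and hash_file(evidence_path) == first_hash
    return chain_ok, file_ok


def demo():
    """Acquire, transfer, then tamper with the evidence and with the log;
    returns the three verification results for inspection."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "usb_stick.img")   # constructed sample
    log = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "wb") as fh:
        fh.write(b"FAT32 image placeholder " * 64)

    record_custody(log, "ITEM-001", "acquired", "Investigator A", evidence,
                   note="USB stick from desk drawer, photographed in place")
    record_custody(log, "ITEM-001", "transferred", "Evidence custodian", evidence)
    intact = verify(log, "ITEM-001", evidence)

    with open(evidence, "ab") as fh:               # one byte appended to evidence
        fh.write(b"\x00")
    file_tampered = verify(log, "ITEM-001", evidence)

    with open(log, "r", encoding="utf-8") as fh:   # first entry edited after the fact
        lines = fh.readlines()
    lines[0] = lines[0].replace("Investigator A", "Unknown")
    with open(log, "w", encoding="utf-8") as fh:
        fh.writelines(lines)
    log_edited = verify(log, "ITEM-001", evidence)
    return {"intact": intact, "file_tampered": file_tampered, "log_edited": log_edited}


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. The hash is taken of the acquired copy (the image), not of the live machine, because a running system changes under you and would never verify. And chaining entries only catches edits to, or deletion of, earlier lines; truncating the tail of the log goes unnoticed unless the hash of the last entry is also recorded somewhere outside it, which is what the signed paper custody form or a second system provides.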

Immediate Incident Response

Identify Types of Incidents.

Handling attacks without law enforcement. Most incidents of a corporate nature are handled by the organization affected, but because of past legislation they have at least to be reported to an LEA, if for nothing more than to show a pattern of activity (Steel, 2006). This does not do away with SOPs or chain-of-custody reports; in fact it is necessary to follow the same rules with or without police involvement, because of the importance of maintaining clear and accurate records of the actions taken to recover evidence that may or may not end up in litigation (Steel, 2006). In the case of a defaced website where no sensitive information is lost, the company will likely not prosecute the offender. On the other hand, if sensitive material was lost or stolen, then prosecuting the individual or group is necessary to show that this type of behavior is not tolerated and that there will be consequences. Embezzlement of company funds could be handled by simply dismissing (firing) the individual if it is caught before any damage is done or funds are moved, but if it is caught after the fact, then law enforcement would become involved along with court proceedings. Pornography on a company computer, whether from visiting sites or saving photos, will cost a person their job with no further action taken; however, if it is child pornography, involving the targeting or abduction of victims, then law enforcement, possibly federal agents, will become involved, along with court proceedings (Steel, 2006). Any minor infraction that calls for the dismissal of an employee can be exacerbated to the point of involving law enforcement. You can break into a computer without causing damage or theft, but this situation too can be escalated to the point of no return, and the end result may be a prison term and a fine.

Law Enforcement (Local, State, Federal)

When to inform Law Enforcement.

Notifying or not alerting authorities. Chad Steel (2006, p. 28) states that law enforcement should be notified ahead of time, before the incident occurs! This is a breach of APA style, but I have to interject on this point! How in the world do you notify someone that you are going to be attacked? I am sure that the FBI will simply say, "Yeah, let us know how that works out for you." I can see calling in the big guns when an incident first occurs, but calling before an incident, I just can't see it!

Summary

The US Vortechs author states above that freeware is not free and should be avoided, but he is not talking about known and safe sites like Microsoft and CNET, which offer downloads, some of them free. He also states that links in general are dangerous, and goes on to say, as I will tell you, that links are the common means of traversing the Internet, so do not be afraid of all links or sites; for that you have to trust your judgment and your common sense.

Recognizing the main incidents is a little harder to do, since situational incidents are mostly commonplace and recognizable to the ordinary Internet user. The use or assistance of law enforcement is a choice of conscience; either way they will be informed, whether or not you invite them. The point is to follow the rules of evidence and chain of custody and to follow the laws governing the situation, whether state, local, or federal. This ensures that the evidence is protected for use in litigation.



References

Steel, C. (2006). Windows forensics: The field guide for conducting corporate computer investigations. Indianapolis, IN: Wiley Publishing.

US Vortechs. (2010). Recognizing malware and other internet viruses. Retrieved from http://www.usvortechs.com/resource-library/56-computer-related/57-recognizing-malware

Appendix A

Workstation or Computer System

The desktop tower (commonly, if loosely, called the CPU, for central processing unit), the box that houses the main processor and the internal circuitry that makes the machine work; plus the monitor, keyboard, storage devices, printers, scanners, fax machine, camera, phone, microphone, headphones, modem and router, servers, and other laptops and desktops.



Appendix B
