Identifying Incidents-Unit 1 DB
Gregory J. Lubinsky
Andrew J. Mahaney
Abstract
Common situations that introduce malware to computers start off this research paper. Common
sense plays a big part in knowing what is safe and which sites are safe! Working up to
identification of incidents is preceded by arrival on the scene and on-scene visual inspection of
the surrounding area, conditions and equipment involved. Finally my point of view partially in
Introduction
5 Known Situations: There are five common situations that permit malware to be placed
on your computer for purposes of tracking, spying, hacking or damaging your system and
components (US Vortechs, 2010). Software installation is at the top of the list, because people
are always looking for new and free games, programs, and anti-virus/spyware/malware
applications for their amusement, personal work and to protect their hardware and software (US
Vortechs, 2010). Link redirections are another form of malware that people are unfamiliar with.
They are identified by long load times and inaccurate destinations, so don’t continue to click the link to
make it load; avoid it at all cost (US Vortechs, 2010). Another form is when you constantly see
popup ads from your task bar; or when you get email, in the form of Jokes, chain letters, lotto
winnings, fund or bank draft transactions, notifications of awards that you have won, or have
been awarded. These types are called “fun or friendly links or emails” so if you are getting
popups, run a scan now, if you have this type of email, just delete it the next time you visit your
email page (US Vortechs, 2010). The author states that General Links and Pop-ups are also
dangerous and he goes on to say; that freeware is not free and should be avoided (US Vortechs,
2010). Finally he says other situations are a result of infections such as browser settings changing
so your home page does not open, extra toolbars that will not go away on your browser, and
unexplained shutdowns (US Vortechs, 2010). He also mentions two others that can be said here
but the point is made and people should be aware. Browser tools are always a part of any
browser, therefore you should not download more tools for the reasons stated above and because
it just is not necessary. Every browser created comes with all the tools the user needs to keep it
running, and if more are needed, then the manufacturer will add them in the next version.
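The paragraph above says redirected links are recognised by long load times and "inaccurate destinations". The defensive check a practitioner wants is to look at where a link really points before anyone clicks it. The following is an added example, not code from the paper or from the US Vortechs article: it parses the anchors in a message, compares the destination the link text claims with the host the href actually goes to, and flags hrefs that are bare IP addresses. It goes a little beyond the paragraph by accepting subdomains of the claimed host while rejecting lookalikes that merely contain the name. The sample message, hosts and function names are all constructed for this example.

```python
"""Added example, not from the paper or from the US Vortechs article: inspect
where the links in a message actually point before anyone clicks them.

The paper says redirected links are recognised by "inaccurate destinations";
the defensive check is to compare the destination a link displays with the
host its href really goes to, and to flag hosts that are bare IP addresses.
The sample message below is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: three links, two of them misleading.
SAMPLE_EMAIL_HTML = """
<p>Claim your winnings: <a href="http://198.51.100.7/claim">www.example-bank.com</a></p>
<p>Read the guide: <a href="https://docs.example.com/guide">https://docs.example.com/guide</a></p>
<p>Sign in: <a href="https://login.example.com.evil-host.test/">example.com/login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname named by a URL or bare domain string, or None if there is none."""
    t = text.strip()
    if not t:
        return None
    if "://" not in t:
        t = "http://" + t          # urlparse needs a scheme to see a netloc
    return urlparse(t).hostname


def looks_like_address(text):
    """True if the visible link text itself claims a destination (a URL or domain)."""
    return bool(text) and " " not in text and "." in text


def is_ip_literal(host):
    """True for a dotted-quad IPv4 literal such as 198.51.100.7."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def audit_links(html):
    """Return a list of (href, visible_text, findings) for every link in html.

    findings is empty when the link is consistent; otherwise it names the
    reason the link should be treated as suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        findings = []
        actual = host_of(href) or ""
        if is_ip_literal(actual):
            findings.append("destination is a bare IP address")
        if looks_like_address(text):
            claimed = host_of(text) or ""
            # Accept subdomains of the claimed host (docs.example.com for example.com),
            # reject everything else, including lookalikes that merely contain the name.
            if claimed and claimed != actual and not actual.endswith("." + claimed):
                findings.append(f"text claims {claimed} but link goes to {actual}")
        results.append((href, text, findings))
    return results


if __name__ == "__main__":
    for href, text, findings in audit_links(SAMPLE_EMAIL_HTML):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{text!r} -> {href}: {status}")
```

Run as a script it prints one line per link; the first and third sample links are reported, the second is consistent. The check is deliberately static: nothing is fetched, so the long load time the paragraph mentions never happens, and the user sees the real host before deciding.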
IDENTIFYING INCIDENTS 4
Recognizing the Main Incidents: What is a computer system? It is the whole kit-n-caboodle
that makes up the work station. How is it vulnerable? Employee misuse; well, there are a
blue million ways an employee can misuse a computer. Playing games on company time, or
going on the internet to play games. Doing personal work like balancing check books or
conducting transactions with his bank. Downloading or viewing porn, or bookie information, or
IM-ing or emailing friends on company time. The subject is too vast to discuss here, and it would probably
be better to write a book on the subject! Intrusion, Hacking, and Unauthorized access are all
similar in intent and method but different in reason and purpose. Sabotage is considered
differently from viruses and other forms, but the raw meaning of sabotage is to destroy by
deliberate attempt of malicious actions, like throwing a monkey wrench into moving gears to
stop the machine! So to this writer, Sabotage and Virus mean the same thing: to do harm to
operating systems.
Identify digital equipment and hookups. The analyst or inspector does not know if his
investigation will go to court now or later or never, but he must assume it will and take the same
precautions as if it were to go to court (Steel, 2006). Therefore, when he recovers deleted files,
verifies the cause, and tracks down the initiator of foul emails, sabotage, or espionage with
intent to do harm to company or employees or both, it is clear that he has to protect the
integrity of the evidence that he finds (Steel, 2006). His responsibilities are to identify the cause
IDENTIFYING INCIDENTS 5
of the incident, restore from the incident and prevent it from happening again (Steel, 2006). One
method of identification can be to use the suspected application being used by the intruder to
back track his moves on that application (Steel, 2006). Once the scene is secure the inspector
must remove all unnecessary network connections, save volatile data, power down peripherals
and ensure power is available for dynamic electronic devices. Document the scene by
photographing computer screens (desktop images, network connections and peripheral devices
such as scanners, printers and cameras) (Steel, 2006). Before ESI (electronically stored information) collection is conducted, make sure to
process the physical environment, to include but not be limited to, scraps of paper, hanging or
discarded manuals, guides, and instruction sheets, loose or stored media like CDs, DVDs, flash
drives and convertibles, and keys or combinations to locked drives (Steel, 2006).
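The on-scene procedure above ends with the inspector holding a set of collected items whose integrity he must be able to demonstrate later, which is what the paper's "Chain of Custody" forms and accurate records of action are for. The following is an added example, not code from the paper or from Steel (2006): a minimal chain-of-custody log that hashes each item (SHA-256) at collection, records every hand-off as an event, and recomputes the hash later to show whether the item was altered. The case id, the names, the evidence file and the `CustodyLog` class are all constructed for this example.

```python
"""Added example, not from the paper or from Steel (2006): a minimal
chain-of-custody log for items collected at the scene.

Each item is hashed (SHA-256) at the moment it is collected, every hand-off is
appended as an event, and the hash is recomputed later to show the item was
not altered in between. The case id, names and the evidence file below are
constructed for this example."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


class CustodyLog:
    """Per-case record: what was collected, its hash, and who held it when."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.items = {}

    def collect(self, item_id, path, collector, description):
        """Register an item; the hash taken here is the reference for all later checks."""
        self.items[item_id] = {
            "path": path,
            "sha256": sha256_of_file(path),
            "events": [{"time": _now(), "action": "collected",
                        "by": collector, "note": description}],
        }

    def transfer(self, item_id, from_person, to_person):
        """Record a hand-off; the custodian changes, the reference hash does not."""
        self.items[item_id]["events"].append(
            {"time": _now(), "action": "transferred",
             "from": from_person, "to": to_person})

    def verify(self, item_id):
        """True if the item on disk still matches the hash recorded at collection."""
        item = self.items[item_id]
        return sha256_of_file(item["path"]) == item["sha256"]

    def to_json(self):
        """Serialised log, suitable for attaching to the chain-of-custody form."""
        return json.dumps({"case": self.case_id, "items": self.items},
                          indent=2, sort_keys=True)


def demo():
    """Walk one constructed item through collection, hand-off, check, tamper, re-check."""
    workdir = tempfile.mkdtemp()
    note = os.path.join(workdir, "scene_note.txt")
    with open(note, "w") as fh:
        fh.write("Scrap of paper found under keyboard (constructed sample)\n")
    log = CustodyLog("CASE-EXAMPLE-001")          # placeholder case id
    log.collect("E1", note, "Inspector A", "transcription of scrap note")
    log.transfer("E1", "Inspector A", "Evidence custodian B")
    intact_before = log.verify("E1")
    with open(note, "a") as fh:                    # simulate a later alteration
        fh.write("added after collection\n")
    intact_after = log.verify("E1")
    return {"intact_before": intact_before, "intact_after": intact_after,
            "event_count": len(log.items["E1"]["events"]), "json": log.to_json()}


if __name__ == "__main__":
    result = demo()
    print("hash matched after hand-off:", result["intact_before"])
    print("hash matched after alteration:", result["intact_after"])
    print(result["json"])
```

The design point is that the reference hash is taken once, at collection, and never updated: a hand-off changes the custodian but not the hash, so any later mismatch is evidence that the item was touched after it left the scene. The serialised log is what would accompany the paper form the text refers to.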
Handling Incidents with Law Enforcement. Why? Should an inspector catch an intruder
while online, he can immediately dispatch law enforcement to intercept the intruder while the inspector is
countering the actions of the intruder, in other words, keeping him busy. Working with cops and
Federal agents isn’t the matter; the matter is following protocol in the collection of evidence and
following an SOP to gather evidence correctly along with using the “Chain of Custody” forms
and procedures, policies, statutes, federal laws and state laws for collecting, handling and
securing evidence. Some forms of electronics are so volatile that once seized they must be
immediately checked for evidence, such as cell phones and PDAs that have limited battery life.
Once the battery is gone so is all the stored information (Steel, 2006). Simply by shutting down a
Windows system you run the risk of the system being overwritten, the loss of swap files and
cache memory, and shutting applications down allows unsaved material to be lost (Steel,
2006). Pressure from legislation prompted action to be taken, in the form of special teams and
units being formed at various levels of law enforcement to combat electronic crimes and the
collection of ESI. This promoted corporate involvement with local and other L.E.A. (Law
Handling Attacks without Law Enforcement. Most incidents of a corporate nature are
handled by the organization affected, but because of past legislation, they (incidents) have to be
at least reported to L.E.A. if nothing more than to show a pattern of activity (Steel, 2006). This
does not preclude the use of SOPs or Chain of Custody reports; in fact it is necessary to follow
the same rules with or without police involvement, because of the importance of maintaining
clear and accurate records of action taken to recover evidence that may or may not be subject to
litigation in court (Steel, 2006). In the case of defacing websites when no sensitive information
is lost, it is likely that the company will not prosecute the offender. On the other hand if sensitive
material was lost or stolen then prosecuting the individual or group is necessary to show this type
of behavior is not tolerated and there will be consequences. Embezzlement of company funds
could be handled by simply dismissing (firing) the individual, if caught before any damage or
funds were moved, but, on the other hand if caught after the fact, then law enforcement would
become involved along with court proceedings. Pornography on a company’s computer, either by
visiting sites or saving photos, will cost a person their job, with no further action to be taken;
however if it were child pornography involving targeting or abduction victims then law
enforcement, possibly the Feds, will become involved as well as court proceedings (Steel, 2006).
Any minor infraction that calls for the dismissal of employees can be exacerbated to the point of
involving law enforcement. You can hack a computer without causing damage or theft, but this
situation can also be escalated to the point of no return, and the end result will be possibly a
Notifying or Not Alerting Authorities. Chad Steel states (2006, p.28) to notify law
enforcement ahead of time (before the incident occurs)! This is a breach of APA but I have to
interlude on this account! How in the world do you notify someone that you are going to be
attacked? I am sure that the FBI will simply say “Yeah, let us know how that works out for
you?” I can see calling in the big guns when an incident first occurs, but to call before an
Summary
The US Vortechs author states above that freeware is not free and should be avoided, but
he is not talking about known and safe sites like Microsoft and C/Net which promote downloads,
some of which are free. He also states that links in general are dangerous, and goes on to say, as I
will tell you, that links are a common ground for traversing the internet, so do not be afraid of
all links or sites; for that you have to trust your judgment and your common sense.
Recognizing main incidents is a little harder to do, since situational incidents are mostly
commonplace and recognizable to the common internet user. The use or assistance of law
enforcement is a choice of conscience; either way they will be informed whether or not you invite
them. The point is to follow the procedure of the rules of evidence and chain of custody, and to follow
the laws governing the situation, whether they be state, local or federal. This ensures protectiveness
References
Steel, C. (2006). Windows forensics, a field guide for conducting corporate computer investiga
US Vortechs, (2010). Recognizing malware and other internet viruses. Retrieved from
http://www.usvortechs.com/resource-library/56-computer-related/57-recognizing-malware
website.
Appendix A
The desktop CPU (Central Processing Unit) or the box which houses the main processor
and internal circuitry that makes the machine work. The monitor, and keyboard, storage devices,
printers, scanners, fax machine, camera, phone, microphone, headphones, modem and router,
Appendix B