During an incident, and when investigating a potential incident, record EVERYTHING on paper.
Timestamp every note with the time, date and location of whatever you're noting down. If you are talking to someone, record their name and any identification they provide. Keep a note of who is present at any activity you perform during the investigation. If you remember something during the day, diarise it in the day book. If you're looking at traffic, record IP addresses and anything else you can, in as much detail as you will need to remember the details potentially 5 years down the track.
Make sure that your day book is stored in a way that cannot be electronically manipulated or read. Remember that you're using it to record events that may end up being used in evidence; if there is any potential for it to have been tampered with by the person(s) you're investigating, your evidence may be thrown out of court.
During an investigation of a confirmed compromise, your day book should be the only place you record notes. All internal communication should be done without corporate email accounts and without corporate PABX systems. Behave as if every corporate asset is potentially compromised until you can prove that it isn't.
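The day book stays on paper, but the things you copy into it (a UTC timestamp, who was present, and a hash that pins a captured artifact to what you saw at that moment) are easy to get wrong by hand. The helper below is an added example, not code from the original post or from Operation Damara: it produces the fields for one day-book entry about a captured file and lets you confirm, years later, that a copy of that file still matches the hash you wrote down. The artifact bytes, names, location and times are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence


@dataclass(frozen=True)
class DayBookEntry:
    """The fields for one entry, to be transcribed by hand into the paper day book."""
    timestamp_utc: str
    location: str
    investigator: str
    present: tuple
    artifact_name: str
    sha256: str
    note: str


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a captured artifact; this is the value that goes on paper."""
    return hashlib.sha256(data).hexdigest()


def make_entry(artifact_name: str, data: bytes, location: str, investigator: str,
               present: Sequence[str], note: str,
               when: Optional[datetime] = None) -> DayBookEntry:
    """Build an entry: when, where, who was there, what was captured, and its hash.

    The timestamp is normalised to UTC so entries from different sites and
    time zones can be ordered without ambiguity later.
    """
    when = when or datetime.now(timezone.utc)
    return DayBookEntry(
        timestamp_utc=when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        location=location,
        investigator=investigator,
        present=tuple(present),
        artifact_name=artifact_name,
        sha256=sha256_hex(data),
        note=note,
    )


def format_for_paper(entry: DayBookEntry) -> str:
    """Render the entry one field per line so it can be copied out verbatim."""
    return "\n".join([
        f"When (UTC):   {entry.timestamp_utc}",
        f"Where:        {entry.location}",
        f"Recorded by:  {entry.investigator}",
        f"Present:      {', '.join(entry.present) or '(nobody else)'}",
        f"Artifact:     {entry.artifact_name}",
        f"SHA-256:      {entry.sha256}",
        f"Note:         {entry.note}",
    ])


def verify_artifact(entry: DayBookEntry, data: bytes) -> bool:
    """Check that a copy of the artifact still matches the hash recorded on paper."""
    return hmac.compare_digest(entry.sha256, sha256_hex(data))


# Constructed sample: a stand-in for a small capture file, using documentation
# address ranges. Not real traffic.
SAMPLE_CAPTURE = b"constructed sample capture: 192.0.2.10 -> 198.51.100.7 tcp/22\n"
SAMPLE_WHEN = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)  # constructed


def example_entry() -> DayBookEntry:
    """A worked entry with placeholder people and places (all constructed)."""
    return make_entry(
        artifact_name="capture-01.pcap",
        data=SAMPLE_CAPTURE,
        location="Site A, rack 3 (constructed)",
        investigator="A. Investigator (constructed)",
        present=["B. Witness (constructed)"],
        note="Copied capture to write-once media before analysis.",
        when=SAMPLE_WHEN,
    )


if __name__ == "__main__":
    entry = example_entry()
    print(format_for_paper(entry))
    print("artifact verifies:", verify_artifact(entry, SAMPLE_CAPTURE))
```

Run it against the real capture file's bytes, write the printed lines into the day book by hand, and keep the tool itself off the network you are investigating; the paper copy, not the script's output, is the record.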
I am a telco & internet entrepreneur, nerd wrangler and massive lover of bacon. I was involved in the investigation of and successful conviction of David Noel Cecil – “Evil, The NBN Hacker”.
This article is written from the experiences I had before, during and since the successful execution of Operation Damara. My experiences are from a telco perspective; however, they are just as applicable to corporate and government networks.
I currently work with several Australian telcos and IT businesses, developing Incident Response Plans and helping them ensure the ongoing continuity of their mission-critical infrastructure.
If your organisation doesn’t have a strategy for dealing with internet security incidents, I would love to help you out!
Shoot me an email – email@example.com or grab me on Social Media for more information.