Incident Investigation And Response Techniques

An Article Written By Trainee Haneen Khoshhal From University Of Prince Mugrin about Incident Investigation And Response Techniques in Cybersecurity.


Computer forensics is now called “digital forensics”, and with the growth of the internet and computer networks the need for digital investigations has increased. Computers can be used to commit crimes, and crimes can also be recorded on computers, such as embezzlement, e-mail harassment, leaks of proprietary information and even terrorism. Investigating criminal and civil cases depends on the skills of digital forensics professionals.
1.1 Purpose of the Report
Any organization, company or ministry must secure its information from attackers who want to damage or steal sensitive information. The purpose of this report is to clarify the importance of incident response, to explain how to investigate and verify information when a crime happens, and to learn more about investigation and incident response.
1.2 Overview of this Document
This report explains that when information security incidents occur, organizations must respond quickly to protect themselves from the attack, limit the damage it causes, develop and improve their incident management capabilities, and prepare incident reports.


INVESTIGATION

1. Introduction to Investigation
When a digital device is used to commit a crime, investigators use cyber forensics to uncover the truth. The investigation begins by keeping people away from any computers considered part of the cybercrime or the crime scene and disconnecting any communication links to those computers, in order to preserve the evidence and keep it safe from any change.

2. Incident investigation techniques and steps
When a case arrives at the digital forensics investigator, the first thing to consider for a forensic workstation is determining the status of the system: whether it is a live or a dead acquisition. Then use a write-blocker, as shown in figure 1 below, which protects evidence disks from being written to; it comes in two types, hardware and software. After that, take a bit-by-bit copy of the hard drive, called a bit-stream copy, which creates an exact copy of the drive and captures both allocated and unallocated space. Some tools that can be used to acquire and analyze the hard drive are EnCase, FTK Imager, ProDiscover and many others. The image must be verified to assure its integrity by using a hash function such as MD5, SHA1, etc. If the hashes are improper or not identical, the evidence may not be admissible in court; for this reason the analysis must be performed on the copy and the original must be protected. Deleted data must also be recovered for analysis.
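As an added example (not from the original report), the following Python script imitates the acquisition step just described: it opens a constructed sample drive read-only, takes a bit-stream copy, records MD5, SHA1 and SHA256 digests of both, and shows that verification fails as soon as a single byte of the copy changes. The file names and the sample drive contents are constructed for the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large drive image never has to fit in memory

def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} over the whole file, read bit by bit."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:  # read-only: the software counterpart of a write-blocker
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def bitstream_copy(src, dst):
    """Copy src to dst byte for byte (allocated and unallocated space alike), then hash both."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
    return hash_file(src), hash_file(dst)

def verify_image(original_hashes, image_hashes):
    """The image is trustworthy only if every recorded digest matches exactly."""
    return all(original_hashes[name] == image_hashes.get(name) for name in original_hashes)

def demo():
    """Constructed sample 'drive' (hypothetical data): a live file, empty space and a deleted file."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "evidence.dd")
    image = os.path.join(workdir, "evidence_copy.dd")
    with open(evidence, "wb") as f:
        f.write(b"ACTIVE FILE: quarterly report\x00" * 1000)
        f.write(b"\x00" * 4096)
        f.write(b"DELETED FILE: payroll export\x00" * 500)  # unallocated, still present in a bit-stream image
    orig, copy = bitstream_copy(evidence, image)
    intact = verify_image(orig, copy)
    # Change a single byte of the copy: the digests no longer match, so this image would not be trusted.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    tampered = verify_image(orig, hash_file(image))
    return intact, tampered

if __name__ == "__main__":
    print(demo())  # → (True, False)
```

The recorded digests of the original should be written into the case notes at acquisition time, so that any later copy can be checked against them in the same way.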




RESPONSE

1. Introduction to Incident response
Incident response is an organized way to manage and fix the effects of cyberattacks or breaches in order to limit the damage and the cost of fixing it. Preventing attacks is better than repairing their damage.

2. Incident response Prevention
As mentioned above, preventing attacks is better than repairing their damage, because an attack may make you lose data and pay a lot of money to repair it. So, your sensitive data must be protected by encrypting it to mitigate unauthorized access, installing anti-virus or anti-malware software, creating strong passwords and changing them periodically, and many other ways.

3. Incident response Planning
To respond to a security incident quickly you need to establish incident response teams that include information security and general IT staff. Any incident that is not handled and fixed quickly can escalate into a bigger problem that can lead to a damaging data breach or system collapse. Responding quickly minimizes losses, mitigates the exploitation of weaknesses or vulnerabilities, and reduces future risk. It is also very important for the organization to create an incident response plan (IRP) to mitigate the risk of a breach. The incident response plan has seven steps, which are:

  • Detection.

  • Response.

  • Mitigation.

  • Reporting.

  • Recovery.

  • Remediation and Reporting.

  • Lessons learned.

Detection is probably the most important step of the incident management plan, because if you cannot detect the risk you will not be able to respond to it.
