We recently mentioned the First Responder Forensic Toolkit in our monthly Newsflash and have since been contacted by readers asking for a more in-depth discussion of how it can be applied out-of-the-box in their environment to save valuable time and money when responding to an incident, an eDiscovery request or a PCI-related investigation.
Time is of the essence if your organisation is under some form of cyberattack, particularly if you do not have the right expertise or tools on standby. For many organisations, confirming that they have an incident that warrants investigation, or understanding the nature of an incident, is often not straightforward. Commonly they do not have ready access to people with the right level of experience and skills, and they certainly do not have a comprehensive suite of incident response forensic tools sitting on the shelf ready to deploy.
The First Responder Forensic Toolkit (FRFT), built using Encase - forensic, cyber security & security analytics software, enables an organisation to quickly start the incident response process without requiring in-house expertise. Within minutes the FRFT will allow you to respond to a potential incident and start collecting data necessary to complete an initial triage exercise, which is paramount to conducting an effective investigation during incident response.
In the event of a cyber security attack, a data breach, issues with a rogue employee or suspected fraud, use the FRFT to start collecting forensic data. Any privileged computer user just follows the simple instructions and the FRFT will then take care of the rest - eliminating the need to have a forensics expert travel to site. The FRFT will ensure that the captured data is encrypted and can therefore be securely transferred to our forensic analysts.
Once the data capture exercise has been completed by the toolkit our forensics experts will provide detailed reporting on their analysis of your supplied data. Guided by the intelligence gained from the triage exercise using the FRFT, the next stages of the incident response process can be initiated.
The toolkit has been developed in accordance with the following incident response and investigation standards: ISO 27035-1, 27035-2, 27037, and 27043. This helps to ensure that any information collected with the toolkit is admissible in courts.
What are the challenges the FRFT will assist you with?
The toolkit will allow an organisation to perform in-depth forensic searches, collect evidence and complete 32 predefined key investigative tasks. Some examples:
- A ransomware outbreak means users are unable to access their data because it has been encrypted. The toolkit will help an organisation quickly gather the right evidence about the attack and, most importantly, help identify recoverable copies of the affected data. Should that prove impossible, the kit can also aid the recovery process by gathering relevant information that may help create a decryption key.
- Data breach: there is a requirement to identify which people have, without authorisation, elevated their system account privileges to access confidential company information and sent it to an external third party. The toolkit will identify system changes, detail user activity and, if required, recreate or recover system logs even if they have been deleted. Our technical experts advise that, using data correlation techniques, even logs that never existed can be created.
- An organisation is concerned that over time it has collected and stored credit card numbers on internal systems; however, it cannot readily locate this data and is concerned that:
> it could be in breach of PCI-DSS requirements;
> the data could be identified and used in the future by a hacker or rogue employee.
Note: The toolkit can perform a search for card numbers used by 12 major credit card providers.
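To illustrate what a search for stored card numbers of the kind mentioned in the note involves, here is an added example (not the toolkit's own code): candidate digit runs are filtered by the Luhn checksum and by issuer prefix rules, and every hit is reported masked so the scan does not create yet another copy of the card number. The sample text and the three issuer rules are constructed assumptions for this example, not a statement of which 12 providers the toolkit covers.

```python
import re

# Constructed sample standing in for a file or log that would be scanned.
SAMPLE_TEXT = """\
customer=alice card=4111 1111 1111 1111 exp=12/27
order-4532015112830366 shipped
ticket 1234-5678-9012-3456 is a bogus number
phone +44 20 7946 0958 ref 5555555555554444
amex 378282246310005 ok
"""

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix/length rules (assumption: three brands only, for illustration).
ISSUER_RULES = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most phone numbers, ticket ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI-DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, issuer, masked PAN) for each probable card number."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue
            issuer = next((name for name, rule in ISSUER_RULES if rule.match(digits)), None)
            if issuer is not None:
                hits.append((line_no, issuer, mask_pan(digits)))
    return hits
```

Running `find_pans(SAMPLE_TEXT)` flags lines 1, 2, 4 and 5 and ignores the ticket and phone numbers, which fail the length or Luhn checks.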
These examples provide a simple snapshot of the FRFT's capabilities. A detailed infographic we created on common use cases is also available.
In summary, the First Responder Forensic Toolkit (FRFT) can be quickly deployed by customers in the event of an incident, where urgent action is usually required. If you are responsible for documenting and maintaining an incident response plan, it may be worth scheduling a call with one of our consultants to discuss how the FRFT will allow you to quickly take control of an incident and, ideally, manage it to a positive conclusion.