Subject: Digital Forensics

Topic: Initial response and forensic duplication

Difficulty: High

The incident response process consists of all the activities necessary to accomplish the goals of incident response.

The overall process and the activities should be well documented and understood by your response team, as well as by stakeholders throughout your organization.

The process consists of three main activities are:

1. Initial response
2. Investigation
3. Remediation

Initial response is an activity that typically begins the entire IR process.

Once the team confirms that an incident is under way and performs the initial collection and response steps, the investigation and remediation efforts are usually executed concurrently.

The investigative team’s purpose is solely to perform investigatory tasks. During the investigation, this team continually generates lists of what we call “leads.” Leads are actionable items about stolen data, network indicators, and identities of potential subjects, or issues that led to the compromise or security incident.

These items are immediately useful to the remediation team, whose own processes take a significant amount of time to coordinate and plan. In many cases, the activity that your team witnesses may compel you to take immediate action to halt further progress of an intrusion.