Digital Forensics Incident Response Team Structure and Plan


1.0 Introduction

For quite some time now, computers have been significant instruments in criminal investigation. Computer databases seek out information much faster than the now obsolete paper documentation stores (Vacca & Rudolph, 2011). For instance, computers can be applied to the reconstruction of ripped paper evidence as well as to identify footprints conclusively.

Computers and other digital devices can not only contain evidence but can themselves be concrete evidence (Kessler & Haggerty, 2010). Guidance on the kinds of evidence that can be found in a particular electronic device, on evidence retrieval and on the necessary precautions is provided in reports published by federal agencies such as the National Institute of Justice (Vacca & Rudolph, 2011).

Digital forensics presents a number of challenges, and solutions to those challenges need not follow the same problem-solving guidelines (Grobler, Louwrens & von Solms, 2010). For instance, digital forensics procedures require that the available data be processed conclusively while, at the same time, this is done in the fastest possible manner.

One of the contemporary challenges has been the ever growing number of digital mobile devices, which tend to have distinct structures and so call for distinct approaches depending on the type of device (Garfinkel, 2010). It is important to note that the memory on digital mobile devices is more difficult to retrieve than information on a hard drive. This is a challenge whenever such a device’s memory contains legal evidence. Another challenge is that the capacity of hard drives in today’s devices is increasing significantly, so that retrieval efforts become more tedious; the same applies to the external storage media in use (Leschke & Sherman, 2012).

2.0 Response to an incident and intrusion

System forensics is a great way to reduce security incidents. Not only does system forensics minimize the effect of incidents which occur, it also aids forensic analysts in understanding how an intrusion occurred. This is critical to the development of controls to contain or otherwise mitigate similar intrusions (Whitman & Mattord, 2010). For instance, the earlier Secure Sockets Layer (SSL) protocol primarily guaranteed secure internet sessions (Vacca & Rudolph, 2011). Its vulnerability to man-in-the-middle intrusions led forensic analysts to upgrade the SSL protocol so as to eliminate that vulnerability.

It is critically important for organizations to formulate strategies for the prevention and mitigation of security incidents through formally established plans for incident prevention and intrusion response. Formal plans are founded on analytical frameworks and are receptive to incident response protocols (Vacca & Rudolph, 2011). Formal plans basically assign accountability for incident response and protection.

2.1 Minimizing incidents

It is unfortunate that in the digital age, most organizations continue to learn about incident response only when they are attacked. This is not only disruptive but also quite costly for any organization. In a good and stable organization wary of intrusions, incident response and prevention should be an integral feature of the organization’s core risk mitigation policy (Vacca & Rudolph, 2011). An effective incident response plan should contain two critical components, prevention and incident response. Prevention is clearly the best with regard to cost effectiveness and leads to high returns on prevention investment. On the other hand, incident response is favored in most quarters.

In the contemporary world, an intrusion into an organization’s computers can bring about very high costs due to disruptions in organizational operations and lost business (Vacca & Rudolph, 2011). As a result, there is a fundamental rule applicable to incident response and prevention, which is to plan for the worst. This implies that a plan should be tested against the worst possible intrusion scenario (Vacca & Rudolph, 2011). This allows for better preparation in blocking possible attacks as well as in mitigating the probable effects of a similar or worse intrusion.

It is important to note that security incidents cannot feasibly be prevented entirely. As a result, many organizations do not consider it cost effective to implement every possible security measure (Agarwal, Gupta, Gupta & Gupta, 2011). This is primarily due to the prevalence of intentional attacks and of poor judgment by the maintainers and users of an organization’s systems. Most organizations prefer to have a goal of zero intrusion attacks, though however comprehensive their incident prevention and response strategy may be, the probability of intrusion can never be zero (Vacca & Rudolph, 2011). Organizations should therefore implement measures such as: establishing and implementing secure strategies and procedures; calling for management support with regard to incident handling and security protocols; carrying out routine assessments of the internal and external organizational environment to measure vulnerability; updating existing systems and instituting routine checks of the entire computer system, network and devices; adequately training personnel in the IT department; training the computer system’s end users; enforcing password policies; effectively monitoring traffic on the organization’s network; carrying out log reviews; and testing implemented backup strategies (Vacca & Rudolph, 2011).

2.2 Events and incidents

An event can be defined as any observable occurrence in a computer network or system, such as a firewall interrupting network traffic. An adverse event in a computer system is one which brings about negative results for an organization with respect to computer security (Vacca & Rudolph, 2011). Computer related security incidents are those events which violate the security policies adopted by an organization. Computer related security incidents may include denial of service attacks, unauthorized access, malware intrusions, and improper use of computers, networks, systems and devices (Vacca & Rudolph, 2011).

3.0 Incident response team

A prudent organization will always have an incident response team (IRT) on standby, consistently training for quick and thorough response to incidents (Vacca & Rudolph, 2011). Small organizations may lack the capital to have dedicated incident response teams, in which case it is the responsibility of the IT department to respond as an informal incident response team. Huge multinational companies, on the other hand, have hand-picked experts on standby at all times, designated as the incident response team (Vacca & Rudolph, 2011). Incident response teams have to be adequately trained and prepared for: proper utilization of security tools and full knowledge of where those tools are stored; assembly of relevant communication information; and placement of all relevant system information in a location that is not only secure but also easily accessible.

IRTs are not the same across organizations, as this depends on the capital that an organization is willing to invest to ensure its IT security. Risk management strategies and company size determine the structure and membership of IRTs. In some companies, the IRT forms part or all of the organization’s overall security team (Vacca & Rudolph, 2011). Members of an IR team include network specialists, security professionals, a representative from the organization’s end user community, application maintainers and members of senior management.

3.1 Creating team roles

Key members of any IR team include a team leader tasked with coordinating, accounting for and reviewing the actions of IRT members, as well as implementing changes to policy and/or procedures so as to mitigate future threats (Vacca & Rudolph, 2011). Another key member is the incident lead, who is tasked with coordinating a specific incident or a set of similar incidents. He or she is regarded as the epicenter of all communication relative to a given incident: team members report directly to the incident lead, and the incident lead reports on behalf of the IRT. IT team members are active IRT members whose main role is to assist either the incident lead or the team leader in an incident response situation; they are expected to be IT specialists, though in most cases not all team members will be directly involved in incident response operations (Vacca & Rudolph, 2011). Specialists are IRT members who respond to very specific incidents and as such can be pooled from the many departments in an organization, primarily to advise the active IRT members.

3.2 Coordinating incident response

When an incident is reported, it is the work of the IRT to coordinate the appropriate response and to communicate comprehensively with the other members of the IRT. As such, the very first IR team member at the scene of an incident should ensure that all other team members are informed of the situation (Nelson, Phillips & Steuart, 2010). That team member should also carry out operations to secure the organization’s uninfected systems, following the procedures outlined in the incident response plan. Where there are queries, the team member should be in constant contact with the IRT leader for specific guidance when handling unique attacks or attacks being experienced for the first time (Nelson, Phillips & Steuart, 2010).

4.0 Defining a plan for incident response

The incident response plan basically offers a framework of specific procedures on what steps to follow when an intrusion is reported. Such a plan serves to identify the roles and responsibilities of team members as well as to outline precise reporting requirements for all possible incidents (Cichonski, Millar, Grance & Scarfone, 2012). As much as every team member is expected to be familiar with the details of the incident response plan, it is critical that the IT staff members in any organization be made aware of the reporting procedures to follow in the event of an incident (Werlinger, Muldner, Hawkey & Beznosov, 2010). For instance, if an IT staff member comes across an intrusion, he or she should be well versed in the procedure for reporting such an incident so that the alarm is raised in the approved manner (Duranti & Endicott-Popovsky, 2010).

An incident response plan outlines the steps to be followed when an incident is noted. These steps include incident assessment, communication, incident containment, incident evaluation, recovery, and incident documentation and review (Vacca & Rudolph, 2011).

4.1 Assessment

It is critical to point out that not every event reported can be classified as an incident, and the very first step an IT staff member can take is to critically assess whether an observed event can be identified as an incident or not. For instance, a transmission control protocol (TCP) synchronize (SYN) flood is a common attack noticeable in most computer systems (Vacca & Rudolph, 2011). TCP sessions are initiated via a three way handshake through the use of three packets communicated to and fro between two systems. The initial system relays a SYN packet, the second system relays an acknowledge (ACK) packet and finally the initial system issues a response through a SYN/ACK packet to guarantee a viable connection linking the two systems (Vacca & Rudolph, 2011).

When a TCP SYN flood attack is initiated, the aggressor usually sends the initial packet but then refuses to send the third packet; as a result, the second system is left holding the resources allotted to complete the TCP handshake (Vacca & Rudolph, 2011). When this is seen to occur once or twice it should not be classified as an incident, as it may be the result of network inefficiencies. However, in the event that hundreds of such incomplete handshakes are noted, a computer system can be prone to crashing. Intrusion detection systems (IDS) are used to detect such attacks and, depending on a set threshold, may set off an alarm; this should then be reported as an incident (Vacca & Rudolph, 2011).
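The assessment decision described above (a few stalled handshakes are an event, hundreds are an incident) can be made mechanically. The following is an added example written for this page, not code from the essay or from any of its cited sources. It replays a constructed list of TCP segments, tracks the handshake state of each connection and applies an assumed IDS-style threshold of 100 half-open connections. The handshake order it models is the standard one from RFC 793 (client SYN, server SYN/ACK, client ACK); all addresses and ports are constructed sample values.

```python
"""Half-open TCP handshake tracker for the incident assessment step.

Added example: replays constructed TCP segments, tracks each connection's
handshake state and applies an IDS-style threshold to decide whether a few
stalled handshakes are a mere event or a SYN flood worth reporting.
Handshake order modelled (RFC 793): client SYN -> server SYN/ACK -> client ACK.
"""
from collections import namedtuple

# One simplified TCP segment: the flags set plus the 4-tuple it travels on.
Segment = namedtuple("Segment", "src_ip src_port dst_ip dst_port flags")

# Assumed IDS threshold: at or above this many half-open connections, raise an alarm.
HALF_OPEN_THRESHOLD = 100


def half_open_connections(segments):
    """Return the client-side 4-tuples whose handshake never completed."""
    state = {}  # client 4-tuple -> "SYN_RECEIVED" | "SYNACK_SENT" | "ESTABLISHED"
    for seg in segments:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        reverse = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        if seg.flags == "SYN":
            # The server allocates a connection slot as soon as the SYN arrives.
            state[key] = "SYN_RECEIVED"
        elif seg.flags == "SYN/ACK" and state.get(reverse) == "SYN_RECEIVED":
            state[reverse] = "SYNACK_SENT"
        elif seg.flags == "ACK" and state.get(key) == "SYNACK_SENT":
            state[key] = "ESTABLISHED"  # third packet seen: the slot is a real session
    return {k for k, v in state.items() if v != "ESTABLISHED"}


def classify(segments, threshold=HALF_OPEN_THRESHOLD):
    """Return ('event' | 'incident', half_open_count) for a capture."""
    stuck = half_open_connections(segments)
    verdict = "incident" if len(stuck) >= threshold else "event"
    return verdict, len(stuck)


def handshake(client_ip, client_port, complete, server_ip="10.0.0.5", server_port=443):
    """Build the segments of one handshake; the final ACK is omitted if not complete."""
    segs = [
        Segment(client_ip, client_port, server_ip, server_port, "SYN"),
        Segment(server_ip, server_port, client_ip, client_port, "SYN/ACK"),
    ]
    if complete:
        segs.append(Segment(client_ip, client_port, server_ip, server_port, "ACK"))
    return segs


def sample_normal_traffic():
    """Constructed capture: 20 healthy sessions plus two clients that stalled."""
    segs = []
    for i in range(20):
        segs += handshake("192.0.2.10", 50000 + i, complete=True)
    segs += handshake("192.0.2.11", 40000, complete=False)
    segs += handshake("192.0.2.12", 40001, complete=False)
    return segs


def sample_syn_flood():
    """Constructed capture: normal traffic plus 150 spoofed clients that never ACK."""
    segs = sample_normal_traffic()
    for i in range(150):
        segs += handshake("203.0.113.%d" % (i % 250 + 1), 1024 + i, complete=False)
    return segs


if __name__ == "__main__":
    print(classify(sample_normal_traffic()))  # ('event', 2)
    print(classify(sample_syn_flood()))       # ('incident', 152)
```

The two stalled clients in the normal capture stay below the threshold and are logged as an event only; the flood capture crosses it and is classified as an incident. Lowering the threshold on a small or quiet network is a matter of passing a different value to `classify`.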

4.2 Communication

In the event that an IR team member has pinpointed an incident, he or she is tasked with informing the other team members, either by a call to an established organizational help desk or directly to the designated team leader, depending on the procedure provided in the incident response plan. The team leader is then tasked with determining who else in the organization is to be informed of the incident, on the logic that only the designated team members promptly assemble at the scene (Vacca & Rudolph, 2011).

As such, it is important to note that communication has to flow back and forth among team members throughout the duration of an incident. This is because in some instances the initial communication may have been the result of an assessment that was too weak or too strong. As newer details emerge, they should be communicated to other team members promptly (Vacca & Rudolph, 2011). As soon as an incident team has officially made its response, the team reports directly to either the team leader or the incident lead. Such information is crucial to senior management, and it is the duty of the team leader or incident lead to ensure that they receive this information as soon as possible.

For instance, if some malicious entity defaced an organization’s official website and in the process released priceless organizational secrets, the incident lead or incident team leader is obligated to communicate such outcomes directly to the organization’s CEO (Vacca & Rudolph, 2011).

Information should be restricted in the event of an incident, as it is important to ensure that an attacker has no knowledge at all of the operations being conducted by the incident response team. If the attack is found to have been initiated from within the organization, then the IRT has a greater chance of catching the culprit if IRT information is restricted (Vacca & Rudolph, 2011). If the attacker is an external source, then he or she is most likely to apply the same schemes in subsequent attacks, hence the need to keep attackers unaware of developments in dealing with the computer system and network security (Vacca & Rudolph, 2011). As such, if an incident needs to be communicated to people outside the organization, this should be handled by a public relations professional so as not to show the organization in a bad light.

4.3 Containment

In the event of an incident it is up to the incident response team to contain the situation as quietly and swiftly as possible. This is primarily aimed at keeping the degree of damage caused to a bare minimum. In most cases the swiftest procedure is to disconnect the network cables from an infected system to keep the secure systems safe (Vacca & Rudolph, 2011).

Computer worms are incidents which, whenever detected, should be contained as soon as possible, as they are known to cripple entire computer networks and systems as soon as they are activated. It is thus critical that one immediately quarantines an infected computer or system when such an event is noticed so that the malware does not affect the entire network (Vacca & Rudolph, 2011). An alternative action is to reconfigure routers to inhibit the malware from spreading to other organizational subsystems. There are some considerations that one has to bear in mind in the event of a serious incident, as discussed below.

First, it is critical to protect human life, as human life is irreplaceable. Secondly, data should be protected according to its sensitivity, to ensure that unauthorized access is minimized and that it is not altered or leaked (Vacca & Rudolph, 2011). Thirdly, computer software and hardware should also be protected from theft and from alteration of the organization’s system configuration. Fourthly, service integrity should also be protected by limiting intrusion into system servers; where there are multiple servers, the other servers should be isolated through firewall modifications that control network traffic (Vacca & Rudolph, 2011). Fifthly, evidence as to who may be responsible for an adverse threat should be protected, and more so should not be tampered with while an incident is being contained. Sixthly, it is critical that the attacker is not made aware that his or her intrusion into the organization’s computer system or network has been detected, so as to ensure that he or she does not escape or switch to better intrusion tactics (Vacca & Rudolph, 2011). Lastly, it is important to critically weigh cost against risk. For instance, a server may be earning an organization millions in revenue, such that if the server is isolated in response to an adverse threat, revenue may fall and customer satisfaction may be affected (Vacca & Rudolph, 2011). When a containment procedure is being carried out, it is better to modify the affected server’s firewall, as this can be more cost effective.

4.4 Evaluations

Once an incident has been contained, it is crucial that the IRT evaluate the source, cause, type and extent of the attack. During evaluation the IR team can determine the extent and seriousness of the attack as well as how many systems have been affected (Vacca & Rudolph, 2011). This process is quite similar to the initial assessment of an incident but is carried out in a more detailed manner. For instance, an initial assessment might show that an attack came from one source, but upon evaluation it is proven to have been an attack from multiple sources (Vacca & Rudolph, 2011).

A good incident response plan classifies security incidents into severity levels, such that at severity level one an attack may have been strong enough to disrupt an organization’s operations. At severity level two, an organization’s operations may have been disrupted in a limited manner but manual intervention was required (Vacca & Rudolph, 2011). At severity level three, an incident may be an isolated adverse threat that can be resolved via automated controls. As such, for severity level one the top management should be notified, while for severity level two the managers in charge of the affected departments may have to be notified of the attack (Vacca & Rudolph, 2011).

4.4.1 Collecting data

An attack can be evaluated through a thorough examination of all the available information found in the various system and network logs. These logs include system logs, security logs, application logs, IDS logs, firewall logs and router logs (Vacca & Rudolph, 2011). In system logs, an IRT member can search for suspicious activity; where there are gaps or deletions among the logs, an attacker may have tried to cover his or her tracks. In security or audit logs, audit failures should be critically assessed so as to enable an IRT member to determine how an attacker may have accessed the organization’s computer system and network. From application logs, which include database or web application logs, an IRT member can obtain detailed information as to what an intruder may have gained access to (Vacca & Rudolph, 2011). From IDS logs, an IRT member can obtain more data on an adverse threat than from a router or firewall log, and these can be used to determine when an attack can be expected. From firewall and router logs, an IRT member can obtain information on network traffic (Pilli, Joshi & Niyogi, 2010). For instance, a port scan can be logged with a single source IP address as well as the IP address of the destination. A rudimentary port scan checks ports sequentially, such as port A, then port B, then port C, whereas an advanced port scan checks ports at random. In large organizations, more innovative tools such as the Microsoft System Center Operations Manager (SCOM) are available which automatically collect data from all the above mentioned logs (Vacca & Rudolph, 2011). Such a tool can alert IRT members when unusual activity is detected, allowing for rapid response.
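The firewall-log review described above, including the distinction between a sequential and a random port scan, is shown here as an added example written for this page; it is not code from the essay, from SCOM or from any cited source. The log layout (`<ISO timestamp> fw: DENY proto=... src=ip:port dst=ip:port`), the threshold of 10 distinct ports within 60 seconds, and all addresses and ports are assumed, constructed sample values. The detector groups denied connections by source and destination, flags a source once it has probed enough distinct ports inside the window, and labels the order in which the ports were probed.

```python
"""Port-scan detection over firewall deny logs, for the data-collection step.

Added example: parses constructed firewall log lines in an assumed syslog-like
layout, groups denied connections by (source, destination) and flags a source
that probes more distinct destination ports than a threshold within a time
window. The probed port order is labelled 'sequential' (rudimentary scanner)
or 'random' (advanced scanner).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: "<ISO timestamp> fw: DENY proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: DENY proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

PORT_THRESHOLD = 10   # distinct ports from one source before flagging (assumed)
WINDOW_SECONDS = 60   # time window over which the distinct ports are counted


def parse_line(line):
    """Return a dict for a well-formed deny line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def is_sequential(ports):
    """True when each probed port is exactly one higher than the previous one."""
    return len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))


def detect_port_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Map each scanning source IP to its target, distinct port count and scan pattern."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    findings = {}
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            distinct_in_window = {e["dport"] for e in evs[start:end + 1]}
            if len(distinct_in_window) >= threshold:
                # Report over the whole deny history for this pair, in order of appearance.
                ordered_ports = list(dict.fromkeys(e["dport"] for e in evs))
                findings[src] = {
                    "dst": dst,
                    "ports": len(ordered_ports),
                    "pattern": "sequential" if is_sequential(ordered_ports) else "random",
                }
                break
    return findings


def sample_log_lines():
    """Constructed deny log: one sequential scanner, one random scanner, one benign source."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i, port in enumerate(range(20, 36)):            # 16 consecutive ports, 1 s apart
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw: DENY proto=tcp src=198.51.100.7:41000 dst=10.0.0.5:{port}")
    random_ports = [8080, 22, 3389, 445, 1433, 53, 5900, 25, 8443, 21, 135, 993]
    for i, port in enumerate(random_ports):             # 12 scattered ports, 2 s apart
        ts = (base + timedelta(seconds=30 + 2 * i)).isoformat()
        lines.append(f"{ts} fw: DENY proto=tcp src=198.51.100.8:{50000 + i} dst=10.0.0.5:{port}")
    for i, port in enumerate([443, 443, 80]):           # ordinary blocked traffic, not a scan
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} fw: DENY proto=tcp src=192.0.2.50:{60000 + i} dst=10.0.0.5:{port}")
    lines.append("Jan 15 09:00:59 fw: link state change on eth1")  # unrelated line, skipped
    return lines


if __name__ == "__main__":
    for src, info in detect_port_scans(sample_log_lines()).items():
        print(f"{src} -> {info['dst']}: {info['ports']} ports, {info['pattern']} scan")
```

The benign source, which only hit two distinct ports, is never reported; the two scanners are, each with the pattern label that tells the reviewer whether a simple or a more evasive scanner was in use. Lines that do not match the deny layout are skipped rather than aborting the review, since real firewall logs mix many record types.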

4.4.2 Protecting evidence

In most organizations, if an attacker is identified and apprehended, it is most likely that he or she will be prosecuted. This depends on the success of data collection and, more so, on the protection of the evidence obtained with regard to the adverse threat (Solomon, Rudolph, Tittel, Broom & Barrett, 2011). Prosecution will depend on the available evidence to bring justice, and it is thus critical that evidence be well protected.

4.4.3 Informing external agencies

In some states, there are laws that call for external entities to be informed of a malicious attack on an organization’s IT system. In some cases, external agencies offer to assist an organization’s IRT in the event of an adverse event (Wolf & Reif, 2013). They primarily seek to aid in identifying, apprehending and prosecuting attackers. Some states also require organizations to notify all their clients in the event that client data has been compromised.

4.5 Recovery

System recovery is essentially dependent on the magnitude of the adverse event. For instance, a virus scan will detect and eliminate malware and the system recovers immediately (Pan & Fung, 2012). However, there are some attacks which require that hard disks be copied, making recovery of the computer system a rather cumbersome procedure, so it takes longer to recover full system operation (Shedden, Ahmad & Ruighaver, 2010).

4.6 Documentation and review

This process should be initiated once the IR team confirms that an adverse threat is authentic. During an incident, IRT members collect data in an effort to contain as well as resolve the adverse threat. When the incident has been resolved and the system recovered, the final process is to document the entire process (Shedden, Ahmad & Ruighaver, 2010). This is crucial to the reconstruction of events and helps answer questions such as: what led to the adverse threat? What went on during the incident? How effective was the response?

4.6.1 Incident damage assessment and cost assessment

Indirect and direct costs should be considered as the IRT determines the extent of damage an incident has caused the organization. This is critical in the event that an attacker is legally prosecuted (Vacca & Rudolph, 2011).

4.6.2 Review of response and policy updating

In a review process, an organization can determine whether changes need to be made to the approved response plan (Werlinger, Muldner, Hawkey & Beznosov, 2010). If a response was deemed ineffective, then there is the need to ask why. After such a review process, discrete recommendations are made for changes to be integrated into the incident response plan (Garfinkel, 2010). This could mean a change of guard in the IRT, changes in team membership, advanced training or any other changes deemed necessary. This is primarily done to prevent the recurrence of an incident (Shedden, Ahmad & Ruighaver, 2010).

5.0 Conclusion

Every organization is tasked with ensuring that the probability of an attack is as near zero as possible. It is therefore essential that a concrete plan be ready so as to provide for orderly coordination of response procedures when an adverse threat is noticed. Digital forensic data retrieval has become complex and will continue to do so in future. Organizations are therefore required to be prudent, proactively ensuring that adverse incidents of every conceivable nature are envisaged before they actually happen. This can only become a possibility if the organization has a strong incident response team structured to deal with incidents as and when they occur, in line with the organizational incident response plan. Traditional forensics, which requires that information be retrieved first and the data analyzed later, means that other procedures have to be taken into account and thus it takes longer for an organization to recover. With digital forensics, by contrast, relevant data can be recovered and organizational processes resumed efficiently and effectively in a much shorter duration.


Agarwal, M. A., Gupta, M. M., Gupta, M. S., & Gupta, S. C. (2011). Systematic digital forensic investigation model. International Journal of Computer Science and Security (IJCSS), 5(1), 118.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. NIST Special Publication, 800, 61.

Duranti, L., & Endicott-Popovsky, B. (2010). Digital records forensics: A new science and academic program for forensic readiness. Journal of Digital Forensics, Security and Law, 5(2), 1-12.

Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73.

Grobler, C. P., Louwrens, C. P., & von Solms, S. H. (2010). A multi-component view of Digital Forensics. In Availability, Reliability, and Security, 2010. ARES’10 International Conference on (pp. 647-652).

Kessler, G. C., & Haggerty, D. A. (2010). An Online Graduate Program in Digital Investigation Management: Pedagogy and Overview. Journal of Digital Forensic Practice, 3(1), 11-22.

Leschke, T. R., & Sherman, A. T. (2012). Change-Link: a digital forensic tool for visualizing changes to directory trees. In Proceedings of the Ninth International Symposium on Visualization for Cyber Security (pp. 48-55).

Nelson, B., Phillips, A., & Steuart, C. (2010). Guide to computer forensics and investigations. CengageBrain.

Pan, J., & Fung, C. C. (2012). Pattern for Malware remediation: A last line of defense tool against malware in the global communication platform.

Pilli, E. S., Joshi, R. C., & Niyogi, R. (2010). Network forensic frameworks: Survey and research challenges. Digital Investigation, 7(1), 14-27.

Shedden, P., Ahmad, A., & Ruighaver, A. B. (2010). Organisational learning and incident response: promoting effective learning through the incident response process.

Solomon, M. G., Rudolph, K., Tittel, E., Broom, N., & Barrett, D. (2011). Computer forensics jumpstart. Wiley.

Vacca, J. R. & Rudolph, K. (2011). System Forensics, Investigation, and Response. London: Jones & Bartlett Learning International.

Werlinger, R., Muldner, K., Hawkey, K., & Beznosov, K. (2010). Preparation, detection, and analysis: the diagnostic work of IT security incident response. Information Management & Computer Security, 18(1), 26-42.

Whitman, M. E., & Mattord, H. J. (2010). Principles of information security. Cengage Learning.

Wolf, J. P., & Reif, W. (2013). An Ontology for Digital Forensics in IT Security Incidents. (Doctoral dissertation, Universitätsbibliothek).

