Notes from CPNT-260 at SAIT.

A computer incident is an anomoly or something different or abnormal. An incident can be unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.

Goals of IR

IR Team

The IR team includes resources from multiple departments of an organization.

This team is sometimes called the CSIRT. CSIRT is Computer Security Incident Response Team.


Detecting an incident

Look for signs of breach such as: * account discrepancies * data modification and deletion * users complaining of poor performance. * atypical traffic patterns. * large numbers of failed login attempts. * SIEM (Security Information and Event Management) * Centralizing Log Systems such as SYSLOG * IDS (Intrusion Detection Systems) * Network Sniffers * Process management tools * Forensics tools

Handling an incident

Steps must be clearly defined in security policies to ensure all actions have a clear focus. The most fundamental objetive is to restore control of the affected systems and limit the impact and damage. Sometimes shutting down the system or disconnecting the system from the network is the only practical solution.


Recovering from an incident



Disk Images on Linux

Disks are physical devices. Partitions are logical divisions. File systems are format in which files are organized in the partitions.

Create an 8MB (512 byte block size * 16,000) file system:

$ dd if=/dev/zero of=disk.img bs=512 count=16k
16384+0 records in
16384+0 records out
8388608 bytes (8.4 MB) copied, 0.0426032 s, 197 MB/s

$ mkfs.ext3 disk.img
mke2fs 1.42.9 (28-Dec-2013)
disk.img is not a block special device.
Proceed anyway? (y,n) y
Discarding device blocks: done                            
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
2048 inodes, 8192 blocks
409 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=8388608
1 block group
8192 blocks per group, 8192 fragments per group
2048 inodes per group

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

$ ls /mnt
$ sudo mount disk.img /mnt
$ ls /mnt

$ df
Filesystem               Size  Used Avail Use% Mounted on
/dev/loop0               6.8M   50K  6.3M   1% /mnt

$ mount -l
/home/mo/tmp/disk.img on /mnt type ext3 (rw,relatime,seclabel,data=ordered)

# echo 'hello, world!' > /mnt/README 
# umount /mnt
# ls /mnt
comments powered by Disqus