10 April 2016


by mo

Notes from CPNT-260 at SAIT.

A computer security incident is an anomaly: something different or abnormal. More precisely, it is any unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.

Goals of IR

  • Prevent incidents from being mishandled.
  • Confirm whether an incident actually occurred.
  • Promote the accumulation of accurate information.
  • Establish controls for the proper retrieval and handling of evidence.
  • Protect the privacy rights established by law and policy.
  • Minimize disruption to business and network operations.

IR Team

The IR team draws on resources from multiple departments of the organization:

  • Human Resources
  • Legal
  • Technical experts
  • Security professionals
  • Corporate security officers
  • Business managers
  • End users
  • Help desk

This team is sometimes called the CSIRT (Computer Security Incident Response Team).


IR Process

  • Pre-incident preparation: take actions to prepare the organization and the CSIRT before an incident occurs.
  • Detection of incidents: identify a potential computer security incident.
  • Initial response:
    • perform an initial investigation
    • record the basic details surrounding the incident
    • assemble the IR team
    • notify stakeholders
  • Formulate a response strategy:
    • determine the best response
    • obtain management approval
  • Incident investigation:
    • perform a thorough collection of data
    • review the collected data to determine what happened
  • Reporting:
    • accurately report information about the investigation
  • Resolution:
    • employ security measures
    • make procedural changes
    • record lessons learned
    • develop long-term changes

Detecting an incident

Look for signs of a breach such as:

  • account discrepancies
  • data modification and deletion
  • users complaining of poor performance
  • atypical traffic patterns
  • large numbers of failed login attempts

Tools that help surface these signs:

  • SIEM (Security Information and Event Management)
  • centralized logging systems such as syslog
  • IDS (Intrusion Detection Systems)
  • network sniffers
  • process management tools
  • forensics tools
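The "large numbers of failed login attempts" sign is something you can detect directly from centralized syslog data. The following is an added example, not part of the course notes: it parses sshd "Failed password" lines in the format found in /var/log/auth.log or /var/log/secure and raises an alert for any source IP that fails at least five times inside a sliding one-minute window, so a user who mistypes a password twice an hour apart is not flagged. The log lines are constructed for the example, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag brute-force style bursts of failed SSH logins in syslog-format auth lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs) in the format sshd writes to
# /var/log/auth.log or /var/log/secure. One source hammers several accounts
# within seconds; a second source is a user who mistyped a password twice.
SAMPLE_LOG = """\
Apr 10 09:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
Apr 10 09:14:03 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Apr 10 09:14:04 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 50124 ssh2
Apr 10 09:14:06 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 50125 ssh2
Apr 10 09:14:07 web1 sshd[2209]: Failed password for invalid user test from 203.0.113.9 port 50126 ssh2
Apr 10 09:14:09 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 50127 ssh2
Apr 10 09:20:30 web1 sshd[2300]: Failed password for mo from 192.0.2.50 port 40001 ssh2
Apr 10 09:20:45 web1 sshd[2302]: Accepted password for mo from 192.0.2.50 port 40002 ssh2
Apr 10 10:05:00 web1 sshd[2400]: Failed password for mo from 192.0.2.50 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2016):
    """Yield (timestamp, source_ip, username) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bursts(events, threshold=5, window_seconds=60):
    """Return {ip: (max_failures_in_window, usernames_tried)} for every source
    IP that produced at least `threshold` failures inside any sliding window
    of `window_seconds`. Slow, isolated failures never trip the threshold."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()                      # events may arrive out of order
        start = 0
        for end, (ts, _user) in enumerate(hits):
            # advance the window start until the window fits in window_seconds
            while (ts - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in hits[start:end + 1]}
                best, seen = alerts.get(ip, (0, set()))
                alerts[ip] = (max(best, count), seen | users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bursts(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {count} failed logins within 60s, accounts tried: {sorted(users)}")
```

Run as-is it reports only 203.0.113.9 (six failures across four account names in eight seconds); 192.0.2.50 stays quiet because its two failures are 45 minutes apart. The same per-IP sliding window is what a SIEM correlation rule does once the logs are centralized, which is why the logging tools in the list above are listed alongside the signs.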

Handling an incident

Steps must be clearly defined in security policies so that every action has a clear focus. The most fundamental objective is to restore control of the affected systems and limit the impact and damage. Sometimes shutting down the system or disconnecting it from the network is the only practical solution.

Priorities when handling an incident, in order:

  • protect human life
  • protect sensitive information
  • prevent damage to systems
  • minimize disruption of computing resources

Recovering from an incident


General approach:

  • review policies and procedures
  • evaluate the situation
  • avoid panic
  • collect information
  • take appropriate action

Investigation steps:

  • request information
  • evaluate the situation
  • stop the attack / secure the scene
  • preserve evidence
  • organize the examination
  • note findings
  • determine causes

Disk Images on Linux

Disks are physical devices. Partitions are logical divisions of a disk. A file system is the format in which files are organized within a partition. An ordinary file can stand in for a disk: fill it with zeros using dd, run mkfs on it, and mount it through a loop device.

Create an 8 MiB image (512-byte blocks * 16384 = 8,388,608 bytes) and put an ext3 file system on it:

$ dd if=/dev/zero of=disk.img bs=512 count=16k
16384+0 records in
16384+0 records out
8388608 bytes (8.4 MB) copied, 0.0426032 s, 197 MB/s

$ mkfs.ext3 disk.img
mke2fs 1.42.9 (28-Dec-2013)
disk.img is not a block special device.
Proceed anyway? (y,n) y
Discarding device blocks: done                            
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
2048 inodes, 8192 blocks
409 blocks (4.99%) reserved for the super user
First data block=1
Maximum filesystem blocks=8388608
1 block group
8192 blocks per group, 8192 fragments per group
2048 inodes per group

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (1024 blocks): done
Writing superblocks and filesystem accounting information: done

$ ls /mnt
$ sudo mount disk.img /mnt
$ ls /mnt

$ df
Filesystem               Size  Used Avail Use% Mounted on
/dev/loop0               6.8M   50K  6.3M   1% /mnt

$ mount -l
/home/mo/tmp/disk.img on /mnt type ext3 (rw,relatime,seclabel,data=ordered)

# echo 'hello, world!' > /mnt/README
# umount /mnt
# ls /mnt

The file written while the image was mounted now lives inside disk.img, which is why /mnt is empty again after the umount. The # prompt is a root shell: the root directory of a freshly created ext3 file system is owned by root, so an unprivileged user cannot create files in it. For evidence handling, do the opposite of this scratch workflow: hash the image (for example with sha256sum) before touching it, mount it read-only (mount -o ro,loop disk.img /mnt, adding noload for ext3/ext4 so a dirty journal is not replayed into the image), and hash it again afterwards to show it was not altered.
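The mkfs.ext3 output above (2048 inodes, 8192 blocks, block size 1024, one block group, a journal) is all recorded in the file system's primary superblock, which always begins 1024 bytes into the image. The following is an added example, not part of the course notes: it reads those fields straight from the bytes with struct, refuses anything whose magic is not 0xEF53, and so lets you confirm what an image contains without mounting it at all. Because the verifier has no disk.img, the script ships with a constructed superblock carrying the same values mkfs printed; pass a real image path on the command line to read that instead.

```python
"""Read an ext2/ext3/ext4 image's geometry directly from its primary superblock."""
import struct
import sys

SUPERBLOCK_OFFSET = 1024          # the primary superblock always starts 1024 bytes in
SUPERBLOCK_SIZE = 1024
EXT_MAGIC = 0xEF53                # s_magic
FEATURE_COMPAT_HAS_JOURNAL = 0x4  # s_feature_compat bit set by mkfs.ext3 / mkfs.ext4


def parse_superblock(image):
    """Return a dict of geometry fields from the superblock in `image` (bytes).

    Raises ValueError when the magic is wrong or the geometry is nonsensical,
    so a non-ext image, a wrong offset or a damaged superblock is rejected
    before any value is trusted."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too small to contain a superblock")
    # Little-endian u32 fields at superblock offsets 0..27.
    (inodes, blocks, reserved, _free_blocks, _free_inodes,
     first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    blocks_per_group, _frags_per_group, inodes_per_group = struct.unpack_from("<3I", sb, 32)
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:04X}: not an ext file system")
    if blocks_per_group == 0:
        raise ValueError("blocks_per_group is 0: superblock is damaged")
    (feature_compat,) = struct.unpack_from("<I", sb, 92)
    label = sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace")
    block_size = 1024 << log_block_size
    return {
        "block_size": block_size,
        "blocks": blocks,
        "inodes": inodes,
        "reserved_blocks": reserved,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        # ceil((blocks - first_data_block) / blocks_per_group)
        "block_groups": -(-(blocks - first_data_block) // blocks_per_group),
        "has_journal": bool(feature_compat & FEATURE_COMPAT_HAS_JOURNAL),
        "size_bytes": blocks * block_size,
        "label": label,
    }


def is_ext_image(image):
    """True if `image` carries a superblock with the ext magic."""
    try:
        parse_superblock(image)
        return True
    except ValueError:
        return False


def constructed_image():
    """Constructed stand-in for disk.img: only the superblock is populated, with
    the values mkfs.ext3 printed (2048 inodes, 8192 1 KiB blocks, 409 reserved,
    first data block 1, one group, journal). Free counts are left at 0."""
    sb = bytearray(SUPERBLOCK_SIZE)
    struct.pack_into("<7I", sb, 0, 2048, 8192, 409, 0, 0, 1, 0)
    struct.pack_into("<3I", sb, 32, 8192, 8192, 2048)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    struct.pack_into("<I", sb, 92, FEATURE_COMPAT_HAS_JOURNAL)
    return bytes(SUPERBLOCK_OFFSET) + bytes(sb)   # 1024 bytes of boot area, then the superblock


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:        # e.g. python3 extsb.py disk.img
            data = f.read(SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE)
    else:
        data = constructed_image()
    for key, value in parse_superblock(data).items():
        print(f"{key:>17}: {value}")
```

Reading the superblock is also a cheap sanity check before trusting a loop mount: if the magic is absent the image is not what you think it is, and the block count times the block size should match the size dd reported (8,388,608 bytes here).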