IR Life Cycle
Tools
Evidence Handling
Apps
100

The first phase of the Incident Response Life Cycle.

What is the preparation phase?

100

It's the free tool used to acquire physical images of hard drives, flash drives and memory.

What is FTK Imager?

100

This term refers to always documenting where evidence is - knowing who has it and when - to maintain integrity.

What is Chain of Custody?

100

Apps on smartphones are contained in these - like where small children play.

What is a sandbox?

200

It is phase 2 of the Incident Response Life Cycle.

What is the Detection Phase?

200

This open source tool created as a masters thesis project can extract the content from iPhones.

What is UFADE?

200

To protect a smartphone from being remotely wiped, this should be enabled to prevent it from obtaining signal.

What is Airplane mode?

200

These types of files store configuration and settings information for smartphone apps on iPhones.

What are plists or property lists?

300

The phase in the IR life cycle that ensures that the threat does not move anywhere else in the organization.

What is the containment phase?

300

It's a password cracking tool that can be used to crack locked Apple Notes.

What is Hashcat?

300

These devices that look like pouches can be used to hold smartphones to prevent them from sending and receiving data.

What are Faraday bags?

300

These files can become quite large and store bulk data from smartphone apps, especially communication apps that have contacts, calls, and messages.

What are databases?

400

The last phase of the incident response life cycle.

What is the Lessons Learned phase?

400

The environment used to analyze malware on Windows - launched in a virtual machine.

What is FlareVM?

400

You should wear these to make sure not to disturb fingerprints that might be found on evidence.

What are gloves?

400

A popular encoding scheme used to store data in smartphone apps. You know it is being used when you see a JPG that starts with /9j/.

What is base64?

500

A game organizations play to simulate attacks to practice the IR life cycle to help in preparation of an attack.

What are tabletop exercises?

500

This tool can be used to find deleted files in images and devices.

What is QPhotorec or Photorec?

500

This is often referred to as a digital thumbprint and a way to identify if a file has been altered.

What are Hash Values?

500

This uniquely identifies a file as all files have one - usually the first few bytes.

What is a file signature or magic bytes?
