Question:
The SOC team has detected and confirmed an incident, with the following events having been initially
correlated: suspicious out-of-office-hours activity (incl. an external flash drive being attached) on a
workstation connected to gateway 10; the opening of a large number of files on a file server connected to
gateway 9; and a large volume of traffic between the workstation and a DB server connected to
gateway 5. Based on the advice you provided in Question 1, which of the data that has been collected
will be relevant to this case, and what evidence do you expect to derive from it?
This is an ongoing incident, and as part of the Incident Response you have been asked to provide
advice on whether they need to start collecting any additional data; if so, what type and from where
(both network-based as well as from end-points). This is in addition to the advice you provided in
Question 1. The approach you advise should be forensically sound so that any evidence collected can
be used in court.
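The three correlated events in the question map naturally onto a small correlation exercise. The block below is an added example, not part of the question or of any posted answer, and it does not reflect whatever "Question 1" advised. It takes constructed gateway log lines (the timestamp/`gw=`/`src=`/`dst=`/`event=` format, host names, gateway numbers and thresholds are all assumptions for illustration), flags the out-of-hours removable-media event at gateway 10, the mass file access at gateway 9 and the bulk transfer to the DB server at gateway 5, builds a per-workstation timeline of those indicators, and finally writes a simple SHA-256 chain-of-custody manifest for each evidence source so that later copies can be verified against what was originally collected.

```python
"""Correlate constructed gateway logs into a per-host incident timeline and
record a chain-of-custody manifest for the collected evidence.

Added example; every log line, host, gateway id and threshold is constructed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed log lines in an assumed format:
#   <ISO timestamp> gw=<n> src=<host> dst=<host|-> event=<type> [key=value ...]
SAMPLE_LOGS = [
    "2024-03-02T02:13:05 gw=10 src=WS-017 dst=- event=usb_attach dev=flash",
    "2024-03-02T02:15:42 gw=9 src=WS-017 dst=FS-01 event=file_open count=4800",
    "2024-03-02T02:20:10 gw=5 src=WS-017 dst=DB-02 event=flow bytes=2147483648",
    "2024-03-02T09:05:00 gw=10 src=WS-003 dst=- event=usb_attach dev=flash",
    "2024-03-02T10:30:00 gw=9 src=WS-003 dst=FS-01 event=file_open count=12",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gw=(?P<gw>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"event=(?P<event>\S+)(?P<rest>.*)$"
)

# Assumed office hours; anything outside this window counts as out-of-hours.
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)

# Assumed thresholds for "large number of files" and "large volume of traffic".
MASS_FILE_THRESHOLD = 1000
BULK_BYTES_THRESHOLD = 1_000_000_000

REQUIRED_STAGES = {"ooh_removable_media", "mass_file_access", "bulk_db_transfer"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["gw"] = int(rec["gw"])
    extras = dict(kv.split("=", 1) for kv in rec.pop("rest").split() if "=" in kv)
    rec.update(extras)
    return rec


def out_of_hours(ts):
    return not (OFFICE_START <= ts.time() < OFFICE_END)


def indicators(rec):
    """Return the indicator names a single record satisfies (one per reported event)."""
    found = []
    if rec["gw"] == 10 and rec["event"] == "usb_attach" and out_of_hours(rec["ts"]):
        found.append("ooh_removable_media")
    if rec["gw"] == 9 and rec["event"] == "file_open" and int(rec.get("count", 0)) >= MASS_FILE_THRESHOLD:
        found.append("mass_file_access")
    if rec["gw"] == 5 and rec["event"] == "flow" and int(rec.get("bytes", 0)) >= BULK_BYTES_THRESHOLD:
        found.append("bulk_db_transfer")
    return found


def correlate(lines):
    """Build a sorted indicator timeline per source host and list hosts that hit all three stages."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # keep going past unparsable lines rather than aborting the review
        for ind in indicators(rec):
            by_host[rec["src"]].append((rec["ts"], rec["gw"], ind, rec["dst"]))
    timelines = {host: sorted(events) for host, events in by_host.items()}
    confirmed = sorted(
        host for host, events in timelines.items()
        if {ind for _, _, ind, _ in events} >= REQUIRED_STAGES
    )
    return timelines, confirmed


def custody_manifest(sources, collected_by, collected_at):
    """Hash each evidence item (name -> raw bytes) so later copies can be checked against the original."""
    return [
        {
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "bytes": len(data),
            "collected_by": collected_by,
            "collected_at": collected_at,
        }
        for name, data in sources.items()
    ]


if __name__ == "__main__":
    timelines, confirmed = correlate(SAMPLE_LOGS)
    for host in confirmed:
        print(f"host {host} matched all stages:")
        for ts, gw, ind, dst in timelines[host]:
            print(f"  {ts.isoformat()} gw={gw} {ind} dst={dst}")
    # Constructed evidence bytes standing in for the exported gateway logs.
    evidence = {f"gw{gw}.log": "\n".join(SAMPLE_LOGS).encode() for gw in (10, 9, 5)}
    for entry in custody_manifest(evidence, "analyst-1", "2024-03-02T03:00:00"):
        print(entry)
```

In the constructed data only WS-017 trips all three stages in sequence (02:13 removable media, 02:15 mass file access, 02:20 bulk transfer to DB-02), which is the kind of timeline the question asks you to derive from the already collected gateway data; WS-003 attaches a drive during office hours and opens a dozen files, so it produces no indicator at all. The manifest records who collected each item, when, and its SHA-256, which is the minimum a later reviewer needs to confirm that the copy examined is the copy collected.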