
Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response

Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response (PDF, 2.40 MB)
Published: 21 Sep, 2016
Created by Gordon Fraser

A commonly accepted incident response process includes six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Preparation is key; it sets the foundation for a successful incident response. An incident responder should not have to work out, in the middle of an incident, where to collect the information needed to quickly assess the situation and respond appropriately. Nor should the responder have to hope that the information is available at the level of detail needed to analyze the situation effectively and make informed decisions about the best course of action.

This paper identifies the artifacts that are important for supporting network forensics during incident response and discusses an architecture and implementation for a home lab that collects them. It then validates the architecture using an incident scenario.