Summary
Evidence pertinent to incident responders is not located only on the hard drive of a compromised host. Network devices spread throughout the environment hold a wealth of information. With proper preparation, a CSIRT may be able to leverage the evidence these devices provide through solutions such as a SIEM. CSIRT personnel also have the ability to capture network traffic for later analysis through a variety of methods and tools. All of these techniques, however, are shaped by the legal and policy implications that CSIRT personnel and the organization at large need to navigate. By preparing for both the legal and the technical challenges of network evidence collection, CSIRT members can leverage this evidence and move closer to the goal of determining the root cause of an incident and bringing the organization back to full operation.
This chapter discussed several sources of evidence available to incident response analysts. Logs from network devices...