Case Study on Computers
Explain What You Should Do To Isolate The Affected Computer.
I would gain access to the router to which the affected PC is connected and block all traffic to and from the interface that serves the affected PC. If that is not possible, I would physically disconnect the computer from the network by unplugging its network cable (Whitman & Mattord, 2007). In either case the machine itself should be left running rather than powered off, so that volatile evidence such as memory contents and active connections is preserved for the investigation.
After The Computer Is Isolated, Describe What Should Be Investigated Next.
Once the computer is isolated, the other systems on the network should be examined for any sign of the same anomaly. Once that has been confirmed, the extent of the damage should be assessed. Using a pre-written attack profile, the steps and route the attacker could have taken should be worked out, and every point touched by the attack should be investigated. Further questions to answer are the intruder's motive and the method of intrusion used (Whitman & Mattord, 2007).
List of People Who Need To Be Notified
The alert roster would be used to notify the relevant personnel in the right order. This would include members of the incident response team, the affected user(s) and the network manager. The department to which the affected computer belongs would then be notified, both to obtain a detailed picture of the damage and to help collect evidence related to the event (Whitman & Mattord, 2007).
Describe what you could learn by a subsequent review of the firewall and IDS logs.
A subsequent look at the IDS and firewall logs would reveal the full nature of the intrusion. It would show not only whether the attacker was internal or external but also the exact timing of the series of events in the attack profile. It would also provide the attacker's IP address, the time the attacker first accessed the network, and which resources were used in the attack. If the attack came from within the network, this information would help the computer forensics team match the sequence of events against other data in order to identify the culprit (Whitman & Mattord, 2007). For the timings from the two sources to line up, the clocks of the firewall and the IDS must be synchronised, and the logs must have been kept somewhere the attacker could not alter them.
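The review described above, as an added worked example that is not part of the original case study or of Whitman & Mattord's text: constructed firewall entries and Snort-style IDS alerts (the log lines, the victim address 192.168.10.22, the year and the RFC 1918 internal ranges are all assumptions for the demonstration) are parsed, merged into one timeline, and summarised to answer the questions the paragraph lists: who the attacker was, whether the address is internal or external, when it first touched the network, what it reached, what was blocked, and whether the victim then moved laterally.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not taken from the case study). Firewall lines use a generic
# "date time ACTION src -> dst proto/port" layout; IDS lines imitate a Snort fast alert.
VICTIM = "192.168.10.22"   # assumed compromised host
LOG_YEAR = 2023            # Snort fast alerts carry no year; taken from the firewall log

FIREWALL_LOG = """\
2023-04-02 02:14:07 ACCEPT 203.0.113.45 -> 192.168.10.22 tcp/445
2023-04-02 02:14:09 ACCEPT 203.0.113.45 -> 192.168.10.22 tcp/445
2023-04-02 02:16:31 ACCEPT 203.0.113.45 -> 192.168.10.22 tcp/3389
2023-04-02 02:20:05 DROP 203.0.113.45 -> 192.168.10.5 tcp/22
2023-04-02 02:21:40 ACCEPT 192.168.10.22 -> 192.168.10.7 tcp/445
2023-04-02 03:01:12 ACCEPT 10.0.0.8 -> 192.168.10.22 tcp/80
"""

IDS_ALERTS = """\
04/02-02:14:08.120000 [**] [1:2008:3] SMB brute force attempt [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.168.10.22:445
04/02-02:16:32.400000 [**] [1:2010:1] RDP login from external host [**] [Priority: 1] {TCP} 203.0.113.45:51299 -> 192.168.10.22:3389
04/02-02:21:41.000000 [**] [1:2008:3] SMB brute force attempt [**] [Priority: 2] {TCP} 192.168.10.22:49201 -> 192.168.10.7:445
"""

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
# ipaddress.is_private is deliberately not used: it also flags documentation ranges
# such as 203.0.113.0/24, which would misclassify the external attacker in this sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<proto>\w+)/(?P<port>\d+)$"
)
IDS_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall(text):
    """Parse firewall lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "source": "firewall", "action": m["action"], "src": m["src"], "dst": m["dst"],
            "resource": f'{m["dst"]}:{m["proto"].lower()}/{m["port"]}',
            "desc": f'{m["action"]} {m["src"]} -> {m["dst"]} {m["proto"]}/{m["port"]}',
        })
    return events


def parse_ids(text, year=LOG_YEAR):
    """Parse Snort-style fast alerts; the year is supplied because the format omits it."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f'{year}/{m["ts"]}', "%Y/%m/%d-%H:%M:%S.%f"),
            "source": "ids", "sid": m["sid"], "priority": int(m["prio"]),
            "src": m["src"], "dst": m["dst"],
            "resource": f'{m["dst"]}:{m["proto"].lower()}/{m["dport"]}',
            "desc": f'[{m["sid"]}] {m["msg"]} {m["src"]} -> {m["dst"]}:{m["dport"]}',
        })
    return events


def build_timeline(fw_events, ids_events):
    """Merge both sources into one chronological sequence (needs synchronised clocks)."""
    return sorted(fw_events + ids_events, key=lambda e: e["ts"])


def summarize(fw_events, ids_events, victim=VICTIM):
    """Answer the review questions: who, from where, when first, what was reached."""
    # Attacker = address most often named as source in IDS alerts against the victim.
    srcs = Counter(e["src"] for e in ids_events if e["dst"] == victim and e["src"] != victim)
    if not srcs:
        return None
    attacker = srcs.most_common(1)[0][0]
    from_attacker = [e for e in fw_events if e["src"] == attacker]
    return {
        "attacker": attacker,
        "origin": "internal" if is_internal(attacker) else "external",
        "first_seen": min(e["ts"] for e in from_attacker),
        "resources": sorted({e["resource"] for e in from_attacker if e["action"] == "ACCEPT"}),
        "blocked": sorted({e["resource"] for e in from_attacker if e["action"] == "DROP"}),
        # Accepted connections from the victim to other internal hosts hint at lateral movement.
        "lateral": sorted({e["resource"] for e in fw_events
                           if e["src"] == victim and e["action"] == "ACCEPT" and is_internal(e["dst"])}),
    }


if __name__ == "__main__":
    fw, ids = parse_firewall(FIREWALL_LOG), parse_ids(IDS_ALERTS)
    for e in build_timeline(fw, ids):
        print(f'{e["ts"]:%Y-%m-%d %H:%M:%S.%f} {e["source"]:8} {e["desc"]}')
    print(summarize(fw, ids))
```

On this sample the summary names 203.0.113.45 as an external attacker first seen at 02:14:07, reaching SMB and RDP on the victim, blocked on SSH to 192.168.10.5, with the victim then opening SMB to 192.168.10.7, which is the kind of pivot the investigators would chase next. The internal access from 10.0.0.8 at 03:01 is left alone because no alert implicates it; real reviews would still check it against the attack profile.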
By using an IDS it was possible to detect the intrusion early enough to prevent the massive damage that would have occurred had it gone unnoticed. The information collected by the IDS was crucial in carrying out the investigation, in determining the extent of the damage already done, and in providing valuable information about the identity of the attacker and the vulnerabilities present in the network.