1. When you are notified that a user’s workstation or system is acting strangely and log files indicate system compromise, what is the first thing you should do to the workstation or system and why?
Inform the IT help desk to have the user cease all activity on the workstation and to wait for you to arrive at the physical desktop location. The workstation must first be physically disconnected from the network leaving it physically isolated but now powered off. It should be left in its steady-state.
This isolates the contaminated workstation from the organization’s network and Internet, as well as preventing the contamination from spreading. Logs, memory forensics, footprints, and other malicious activity must be kept in its steady-state untouched. Forensic images of the logs should be performed along with a memory forensics scan. Anti-virus and anti-malicious software removal tools can be enabled from a CD-drive
2. When an anti-virus application identifies a virus and quarantines this file, does this mean the computer is eradicated of the virus and any malicious software?
No, many times virus and trojans can leave residuals or wreak havoc on other processes. It is important to note that the quarantined file is never off the computer until cleaned out or deleted – it’s like putting the unknown file in a holding tank until you can assess what it is and how to eradicate.
3. Where would you check for processes and services enabled in the background of your Student VM workstation?
Windows Task Manager > Applications > Processes > Services will display all the enable applications and processes on your workstation. Hidden trojans and unwanted executables like keyboard buffers, scripts can be identified here.
4. Where would log files typically be kept on most Linux systems?
5. What are the SANS Institute’s 6 step incident handling process?