INCIDENT RESPONSE WORKSTATION

SOC / Incident Response / Digital Forensics Analysis Platform

Analysis Phases
Follow NIST Incident Response lifecycle for systematic analysis
Initial Preparation & Environment Setup

1. Create Forensic Workspace

forensic-setup.sh
#!/bin/bash
# Create timestamped forensic directory.
# Source this script (". forensic-setup.sh") so INCIDENT_ID and FORENSIC_DIR
# remain set for the capture scripts that follow.
INCIDENT_ID="INC-$(date +%Y%m%d-%H%M%S)"
FORENSIC_DIR="/forensics/$INCIDENT_ID"
export INCIDENT_ID FORENSIC_DIR
mkdir -p "$FORENSIC_DIR"/{memory,disk,logs,network,malware,timeline}
cd "$FORENSIC_DIR"

# Set strict permissions (requires root)
chmod 700 "$FORENSIC_DIR"
chown root:root "$FORENSIC_DIR"

# Initialize evidence log
echo "=== FORENSIC INVESTIGATION LOG ===" > evidence.log
echo "Incident ID: $INCIDENT_ID" >> evidence.log
echo "Started: $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> evidence.log
echo "Analyst: $(whoami)" >> evidence.log
echo "Hostname: $(hostname)" >> evidence.log

2. System State Documentation

capture-state.sh
#!/bin/bash
# Capture volatile data first (order matters!)
# Refuse to run if the workspace from forensic-setup.sh is not set; otherwise
# every redirect below would silently write to the filesystem root.
: "${FORENSIC_DIR:?run forensic-setup.sh first}"

date -u > "$FORENSIC_DIR/timestamp.txt"
uptime > "$FORENSIC_DIR/uptime.txt"
who -a > "$FORENSIC_DIR/logged_users.txt"
w > "$FORENSIC_DIR/user_activity.txt"
ps auxwww > "$FORENSIC_DIR/processes.txt"
pstree -p > "$FORENSIC_DIR/process_tree.txt"
netstat -antup > "$FORENSIC_DIR/network_connections.txt"
ss -tunap > "$FORENSIC_DIR/socket_stats.txt"
lsof -i -n -P > "$FORENSIC_DIR/open_files_network.txt"
cat /proc/meminfo > "$FORENSIC_DIR/memory_info.txt"
free -m > "$FORENSIC_DIR/memory_usage.txt"
df -h > "$FORENSIC_DIR/disk_usage.txt"
mount > "$FORENSIC_DIR/mounted_filesystems.txt"
lsmod > "$FORENSIC_DIR/loaded_modules.txt"
env > "$FORENSIC_DIR/environment_vars.txt"

3. Timeline Reference

timezone-sync.sh
#!/bin/bash
# Document timezone and NTP status
: "${FORENSIC_DIR:?run forensic-setup.sh first}"

timedatectl > "$FORENSIC_DIR/time_config.txt"
cat /etc/timezone 2>/dev/null >> "$FORENSIC_DIR/time_config.txt"
ntpq -p 2>/dev/null >> "$FORENSIC_DIR/time_config.txt"
chronyc tracking 2>/dev/null >> "$FORENSIC_DIR/time_config.txt"

# Get hardware clock
hwclock --show >> "$FORENSIC_DIR/time_config.txt"

# All timestamps should be in UTC for consistency.
# This only affects the calling shell if the script is sourced, not executed.
export TZ=UTC
Essential Forensic Tools Installation

Core Forensic Suite

install-tools.sh
#!/bin/bash
# Update package lists
apt-get update

# Memory forensics
apt-get install -y volatility3 lime-forensics

# Disk forensics
apt-get install -y sleuthkit autopsy foremost scalpel
apt-get install -y extundelete testdisk photorec

# Malware analysis
apt-get install -y clamav chkrootkit rkhunter
apt-get install -y yara python3-yara

# Network forensics
apt-get install -y tcpdump wireshark-common tshark
apt-get install -y nmap ngrep netcat-openbsd
apt-get install -y zeek suricata

# Log analysis
apt-get install -y logwatch goaccess lnav

# System monitoring
apt-get install -y htop iotop nethogs iftop
apt-get install -y sysstat auditd

# Hashing and verification
apt-get install -y hashdeep md5deep ssdeep

Configure Audit Logging

audit-setup.sh
#!/bin/bash
# Enable comprehensive auditing
systemctl enable auditd
systemctl start auditd

# Add critical audit rules (watch identity and privilege files, log tampering,
# every process execution and every outbound connect() on 64-bit syscalls)
auditctl -w /etc/passwd -p wa -k identity
auditctl -w /etc/shadow -p wa -k identity
auditctl -w /etc/sudoers -p wa -k priv_escalation
auditctl -w /var/log -p wa -k log_tampering
auditctl -a always,exit -F arch=b64 -S execve -k command_exec
auditctl -a always,exit -F arch=b64 -S connect -k network_connect

# Save rules permanently (auditd reloads files in rules.d at startup)
auditctl -l > /etc/audit/rules.d/forensic.rules
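The evidence log from step 1 records who did what and when, but it does not prove that the collected files are unchanged. The following added example (not part of the original page or its scripts) hashes everything under a workspace into a read-only manifest and re-verifies it later, appending both actions to evidence.log. It assumes GNU coreutils (sha256sum, sort -z, xargs -0r); the demo workspace and its file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: manifest-based integrity check
# for a forensic workspace, with chain-of-custody entries in evidence.log.
# Assumes GNU coreutils; all paths below are constructed for the demo.

# Append a UTC-stamped, analyst-attributed entry to the case's evidence log
log_action() {
  printf '%s | %s | %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$(whoami)" "$2" \
    >> "$1/evidence.log"
}

# Hash every collected file (except the log and manifest) into manifest.sha256
build_manifest() {
  dir="$1"; manifest="$1/manifest.sha256"
  ( cd "$dir" && find . -type f ! -name manifest.sha256 ! -name evidence.log -print0 \
      | sort -z | xargs -0r sha256sum ) > "$manifest"
  chmod 400 "$manifest"   # read-only: the manifest itself is evidence
  log_action "$dir" "manifest created: $(wc -l < "$manifest" | tr -d ' ') files hashed"
}

# Return 0 if every hashed file still matches, 1 if anything changed or vanished
verify_manifest() {
  dir="$1"
  if ( cd "$dir" && sha256sum --quiet -c manifest.sha256 ); then
    log_action "$dir" "manifest verified OK"
    return 0
  fi
  log_action "$dir" "manifest verification FAILED"
  return 1
}

# Stand-alone demo on a constructed workspace (not a real incident)
demo=$(mktemp -d)
mkdir -p "$demo/logs"
printf 'constructed auth.log sample\n' > "$demo/logs/auth.log"
build_manifest "$demo"
verify_manifest "$demo" && echo "artifacts intact"
printf 'tampered\n' >> "$demo/logs/auth.log"
verify_manifest "$demo" || echo "artifacts modified since collection"
cat "$demo/evidence.log"
```

Run build_manifest once collection is complete and verify_manifest before every analysis session and before handing evidence over; a FAILED entry in evidence.log tells the next analyst exactly when integrity was last confirmed.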

Incident Response Workstation v2.0 | SOC / IR / Forensics

Always maintain chain of custody and document all actions
