Act (Response) (OODA) tools

Tools that should be part of an effective response toolkit include:

  • Forensics tools: These tools let you examine digital media accurately, using processes that establish a legally sound audit trail, so that you can reliably do the following:
    • Identify important investigative information for backup
    • Preserve identified information for future analysis
    • Analyze preserved information to uncover facts
    • Act on facts through further investigation, response, or reporting
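
The preserve and analyze steps above rest on one requirement: being able to prove, later, that the evidence you analyzed is bit-for-bit what you acquired. The following Python script is an added example, not code from this book or from any particular forensics tool. It hashes an acquisition, makes the evidence copy read-only, records every action in an append-only JSON Lines custody log, and re-verifies the hash on demand. The file names, case ID and examiner names are constructed for the illustration.

```python
"""Evidence preservation with a verifiable audit trail (added example, not from the book)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _record(custody_log, **fields):
    """Append one JSON Lines entry; the log is append-only by convention."""
    fields["timestamp"] = datetime.now(timezone.utc).isoformat()
    with open(custody_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(fields, sort_keys=True) + "\n")
    return fields


def acquire(source, evidence_dir, custody_log, case_id, examiner):
    """Preserve `source`: copy it, prove the copy is bit-identical, log who did it and when."""
    os.makedirs(evidence_dir, exist_ok=True)
    source_hash = sha256_file(source)
    evidence = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copyfile(source, evidence)
    evidence_hash = sha256_file(evidence)
    if evidence_hash != source_hash:
        raise RuntimeError("acquisition failed: evidence copy does not match source")
    os.chmod(evidence, 0o444)  # read-only: analysis is done on further working copies
    _record(custody_log, action="acquire", case_id=case_id, examiner=examiner,
            source=source, evidence=evidence, sha256=evidence_hash)
    return evidence, evidence_hash


def verify(evidence, custody_log, examiner):
    """Re-hash the evidence and compare with the hash recorded at acquisition."""
    expected = None
    with open(custody_log, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            if entry["action"] == "acquire" and entry["evidence"] == evidence:
                expected = entry["sha256"]
    if expected is None:
        raise KeyError(f"no acquisition record for {evidence}")
    actual = sha256_file(evidence)
    intact = actual == expected
    _record(custody_log, action="verify", examiner=examiner, evidence=evidence,
            sha256=actual, intact=intact)  # a failed check is logged too
    return intact


def demo():
    """Constructed scenario: a fake disk image is acquired, verified, then altered."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "laptop-sda.raw")
    with open(image, "wb") as fh:
        fh.write(b"CONSTRUCTED-IMAGE" + os.urandom(4096))  # not real media
    log = os.path.join(work, "custody.jsonl")
    evidence, _ = acquire(image, os.path.join(work, "evidence"), log, "CASE-0001", "examiner-a")
    before = verify(evidence, log, "examiner-b")  # untouched since acquisition
    os.chmod(evidence, 0o644)                     # simulate someone bypassing the protection
    with open(evidence, "r+b") as fh:
        fh.write(b"X")                            # a single-byte change at offset 0
    after = verify(evidence, log, "examiner-b")   # the custody log now shows the break
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In real casework the first hash is computed on the original media by the write-blocked acquisition tool and recorded with the examiner's signature; the script shows the verification and logging logic, not a replacement for a forensically sound imaging process.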

Open source tool examples:

  • Backup tools: In most cases it is safer to restore an environment from a backup than to attempt to clean it after an intrusion has occurred. There is far too much uncertainty about whether an affected device has really been cleaned. Backup tools let you recover from an incident with a fully restored environment, including your data.

Many of the considerations for planning the proper use of backup tools come from the business continuity and disaster recovery concepts covered in Chapter 7, Business Continuity/Disaster Recovery Planning. One point that chapter does not cover is that you need enough retained backups to ensure that when you restore, you are not restoring the backed-up malware along with your data. Attackers are usually present for some time before they are detected, so keep enough backup history that you can go back to a restore point taken before the intrusion began, not merely before it was noticed.
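
To make the retention point concrete, here is an added Python example, not from the book, that models the restore points a typical grandfather-father-son policy still holds on a given day and picks the newest test-restored snapshot taken before the intrusion could have begun. The policy counts, dates, dwell-time margin and host name are assumptions made for the illustration.

```python
"""Choosing a clean restore point (added example, not from the book)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: date
    restore_tested: bool  # a backup that was never test-restored is not a usable backup


def gfs_restore_points(today, daily=7, weekly=4, monthly=12):
    """Dates a grandfather-father-son policy still holds on `today`: the last
    `daily` days, the last `weekly` Sundays, and the first of the last `monthly` months."""
    points = {today - timedelta(days=i) for i in range(daily)}
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    points |= {last_sunday - timedelta(weeks=i) for i in range(weekly)}
    year, month = today.year, today.month
    for _ in range(monthly):
        points.add(date(year, month, 1))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return sorted(points)


def choose_restore_point(snapshots, earliest_indicator, dwell_margin):
    """Newest tested snapshot taken before the intrusion could plausibly have begun.

    earliest_indicator: date of the oldest confirmed indicator of compromise.
    dwell_margin: how much earlier than that indicator the intrusion is assumed to have started.
    Returns (snapshot, data_loss_window), or (None, None) when retention does not reach back far enough.
    """
    cutoff = earliest_indicator - dwell_margin
    clean = [s for s in snapshots if s.restore_tested and s.taken < cutoff]
    if not clean:
        return None, None
    best = max(clean, key=lambda s: s.taken)
    return best, earliest_indicator - best.taken


def demo(today=date(2024, 3, 15), earliest_indicator=date(2024, 3, 12)):
    """Constructed scenario: incident found on a Friday, first beacon seen three days earlier."""
    snapshots = [Snapshot(f"fileserver-{d.isoformat()}", d, restore_tested=True)
                 for d in gfs_restore_points(today)]
    # Assume the attacker was inside for up to two weeks before the first indicator.
    short_dwell = choose_restore_point(snapshots, earliest_indicator, timedelta(days=14))
    # Assume a year-long dwell time: the policy above keeps nothing that old.
    long_dwell = choose_restore_point(snapshots, earliest_indicator, timedelta(days=365))
    return short_dwell, long_dwell


if __name__ == "__main__":
    (best, loss), nothing = demo()
    print(best.name, "data loss window:", loss.days, "days")  # fileserver-2024-02-25, 16 days
    print(nothing)  # (None, None): retention too short for a year-long intrusion
```

The (None, None) result is the case the paragraph warns about: every retained snapshot postdates the assumed start of the intrusion, so the retention window has to be extended before an incident, not during one. A snapshot that was never test-restored is excluded from consideration, since it may not restore at all.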

Open source tool examples:
