Investigating Microsoft Windows and Applications Incidents

The second type of tool helps CSIRT members collect technical information to support incident investigation and resolution. These tools enable forensic investigators to collect evidence of incident activity to discover what happened, why it happened, how to stop it from happening again, and whether any legal action can be taken against the incident source. These toolsets typically provide the ability to discover traces of past activity in memory, on disk, or in log files. Note that if legal action is a possibility, the evidence must be collected in a forensically sound way: work from hashed copies or images rather than the live originals where you can, and document who handled each item and when (chain of custody), or the evidence may not be admissible. CSIRT members who are trained to use investigation software can be very valuable resources for your team. In many cases, the difference between a successful incident resolution and an unexplained loss is the quality of the incident investigation.

Explore the various tools and any training that is available for them. Select the set that fits your CSIRT activities. TABLE 13-6 lists some incident data collection and management tools.

TABLE 13-6 Incident Data Collection and Management Tools

PRODUCT                                        WEBSITE
SANS Investigative Forensic Toolkit (SIFT)     https://digital-forensics.sans.org/community/downloads/
PlainSight Open Source Computer Forensics      http://www.plainsight.info/
The Sleuth Kit                                 http://www.sleuthkit.org/
CSIRT-KIT                                      http://www.csirt-kit.org/
F-Response                                     http://www.f-response.com/
EnCase Enterprise Platform                     http://www.guidancesoftware.com/
Forensic Toolkit (FTK)                         http://www.accessdata.com/forensictoolkit.html

© Jones & Bartlett Learning.

The tools you choose will help you find evidence of incident activity, but that evidence is only useful if it supports your investigation's goals. Searching arbitrarily for evidence will likely result in collecting too much data while missing the evidence you actually need. Before beginning any investigation activities, review your CSIRT's goals for an investigation. Although each organization should develop its own specific goals to direct activities, most incident investigations strive to answer the following questions:

  • What happened?—Gather as much information about the incident as possible.

  • Who did it?—Discover as much information as possible about the source of the attack.

  • When did it happen?—Collect information on when the incident started and when it stopped.

  • Where did the incident originate and where was its target?—Discover the source’s location and the target of the attack.

  • Why did the attacker attack this system?—Discover the attack’s purpose and goal.

  • How did it happen?—Attempt to understand how the attacker compromised your security controls and accessed your system.

Incident response tools make investigation activities easier, but they cannot take the place of clear goals. Your incident response plan directs all of the activities involved in an investigation, and your investigative tools provide the capability to satisfy your investigation’s goals.
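The following script is an added example, not code from the book or from any of the products in TABLE 13-6. It shows what a goal-directed collection step looks like on a Windows host: it pulls the Security-log logon events for a suspected incident window, summarizes them to answer the "who", "where" and "when" questions above, and hashes the exported files so the case file can later show they were not altered. It assumes it is run as an administrator on the affected host (the Security log is not readable otherwise); the time window and the evidence folder path are illustrative defaults.

```powershell
# Added example (not from the book): collect Windows Security-log logon evidence
# for a suspected incident window, summarize it, and hash the exported files.
# Assumptions: run as Administrator on the affected host; $Start/$End and
# $EvidenceDir are illustrative values, not values the book specifies.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date),
    [string]$EvidenceDir = "C:\IR\Evidence\$env:COMPUTERNAME"
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 4624 = successful logon, 4625 = failed logon, 4672 = special privileges assigned.
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 4672; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the fields that answer "who", "where" and "when" out of each event's XML payload.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $data['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Raw export: every record, oldest first, for the case file.
$records | Sort-Object TimeCreated |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'logon-events.csv')

# "Who / from where": failed logons grouped by source address and account,
# which surfaces password spraying or brute force against this host.
$records | Where-Object { $_.EventId -eq 4625 } |
    Group-Object SourceIp, Account | Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'failed-logons-by-source.csv')

# "When": first and last privileged logon per account narrows the incident window.
$records | Where-Object { $_.EventId -eq 4672 } |
    Group-Object Account |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Account = $_.Name
            First   = $sorted[0].TimeCreated
            Last    = $sorted[-1].TimeCreated
            Count   = $_.Count
        }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'privileged-logons.csv')

# Hash everything collected so the case file can later show the evidence was not altered.
# The hash list itself is excluded so a re-run does not hash a stale copy of it.
$hashes = Get-ChildItem $EvidenceDir -Filter *.csv |
    Where-Object { $_.Name -ne 'evidence-hashes.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
$hashes | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'evidence-hashes.csv')

Write-Host "Collected $($records.Count) events into $EvidenceDir"
```

Two practical points: writing the evidence folder to the local disk overwrites unallocated space on the very system under investigation, so on a host where disk forensics may follow, point $EvidenceDir at removable media or a network share instead; and record the hashes in the case log at collection time, since a hash file that lives beside the evidence proves nothing on its own.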
