LAB DIGITAL ASSIGNMENT-2

Information Security Analysis and Audit

Name- Varun Goel Reg. No- 19BCE2296

Slot- L5+L6 Faculty- Prof. Aju D

1. Incident Response

Incident Response Phases

The basic incident process encompasses six phases: preparation, detection, containment,
investigation, remediation, and recovery. The SDC’s overall incident response process includes
detection, containment, investigation, remediation, and recovery, documented in specific
procedures it maintains. This plan is the primary guide to the preparation phase from a
governance perspective; local guidelines and procedures will allow the ISO to be ready to
respond to any incident.
a) Preparation
Preparation includes those activities that enable the SDC to respond to an incident:
policies, tools, procedures, effective governance, and communication plans. Preparation
also implies that the affected groups have instituted the controls necessary to recover and
continue operations after an incident is discovered.

b) Detection

Detection is the discovery of the event with security tools or notification by an inside or
outside party about a suspected incident. This phase includes the declaration and initial
classification of the incident.

c) Containment

Containment is the triage phase where the affected host or system is identified, isolated,
or otherwise mitigated, and when affected parties are notified and investigative status
established.
d) Investigation
The investigation is the phase where SDC personnel determine the priority, scope, and
root cause of the incident.
 e) Remediation
Remediation is the post-incident repair of affected systems, communication and
instruction to affected parties, and analysis that confirms the threat has been contained.
The determination of whether there are regulatory requirements for reporting the incident
(and to which outside parties) will be made at this stage in cooperation with OGC.

f) Recovery
Recovery is the analysis of the incident for its procedural and policy implications, the
gathering of metrics, and the incorporation of “lessons learned” into future response
activities and training. The goal of the recovery phase of an incident is to restore normal
service to the business. If clean backups are available, then these can be used to restore
service. Alternatively, any compromised device will need rebuilding to ensure a clean

recovery. Additional monitoring of affected devices may need to be implemented.

Documentation, Tracking, and Reporting

All incident response activities will be documented to include artifacts obtained using methods
consistent with chain of custody and confidentiality requirements. Incidents will be prioritized
and ranked according to their potential to disclose restricted data. As an investigation progresses,
that ranking may change, resulting in a greater or lesser prioritization of SDC resources

Contact Intimation
Further information on the Computer Security Incident Response Plan and associated procedures
can be obtained from the Incident Response Coordinator of the SDC via
[email protected]

Conclusion
The following report gives a summary regarding the pre-preparedness plan VIT needs to enforce
in order to avoid any unavoidable threats.
Formulated here is the Incident Response Plan for the VIT
organization.
Purpose
This document will describe the overall plan for responding to information security incidents
At Vellore Institute Of Technology. It defines the roles and responsibilities of participants,
characterization of incidents, relationships to other policies and procedures, and reporting
requirements. The goal of this Incident Response Plan is to detect and react to computer security
incidents, determine their scope and risk, respond appropriately to the incident, communicate the
results and risk to all stakeholders, and reduce the likelihood of the incident from reoccurring.

Scope
This plan applies to the IT SDC system, Institutional Data, and networks of Vellore Institute Of
Technology and any person external/internal who gains access to data.

Maintenance
The SDC is responsible for the maintenance and revision of this document regularly.

Authority
The Internation Standard Of Organization is charged with executing this plan by virtue of its
original charter and various policies such as the Computing Policy, Info Security Policy, and
HIPAA Policy.
Relationships to Other Groups at VIT
The Internation Standard Of Organization acts on behalf of the University community and will
ask for cooperation and assistance from community members as required. The ISO also works
closely with University administrative groups such as the Student’s Welfare and Human
Resources, and the Office of General Counsel in investigations.

Definitions
Event
An event is an exception to the normal operation of IT infrastructure, systems, or services.

Incident
An incident is an event that, as assessed by SDC staff, violates the Computing Policy;
Information Security Policy; standard, or code of conduct; or threatens the confidentiality,
integrity, or availability of Information Systems or Institutional Data.
Incidents may be established by review of a variety of sources including, but not limited to SDC
monitoring systems, reports from VIT staff or outside organizations, and service degradations or
outages. Complete IT service outages may also be caused by security-related incidents, but
service outage procedures will be detailed in Business Continuity and/or Disaster Recovery
procedures.
Incidents will be categorized according to the potential for restricted data exposure or criticality
of resources using a High/Low designation. The initial severity rating may be adjusted during
plan execution.

Purpose Identifiable Information(PII)

For the purpose of meeting security breach notification requirements, PII is defined as a person’s
first name or first initial and last name in combination with one or more of the following data
elements. So in this case these are the data elements -

● Aadhar Card Number

● State issued driver license number
Purpose Identifiable Information(PII)
PHI is defined as "individually identifiable health information" transmitted by electronic media,
maintained in electronic media, or transmitted or maintained in any other form or medium by a
Covered Component, as defined in VIT’s HIPAA Policy. PHI is considered individually
identifiable if it contains one or more of the following identifiers:

● Name
● Address
● All elements of dates
● Telephone Numbers
● E-mail Address
● Account Numbers
● IP addresses

Roles And Responsibilities

Incident Response Coordinator

The Incident Response Coordinator is the SDC employee who is responsible for assembling all
the data pertinent to an incident, communicating with appropriate parties, ensuring that the
information is complete, and reporting on incident status both during and after the investigation.
He will directly communicate with the VIT organization in accordance with all the compliance
reports.

Officers
Officers are the staff designates for various regulatory frameworks to which the University is
required to comply in this case VIT.

Users
Users are members of the VIT community or anyone accessing an Information System,
Institutional Data, or VIT networks who may be affected by an incident.
Methodologies
This plan outlines the most general tasks for Incident Response and will be supplemented by
specific internal guidelines and procedures that describe the use of security tools and/or channels
of communication. These internal guidelines and procedures are subject to amendment as
technology changes. It is assumed that these guidelines will be documented in detail and kept up
to date.

Constituencies
The SDC represents the entire VIT University’s Information System(s) and Institutional Data,
supporting the Users. To the extent possible, the SDC will attempt to coordinate its efforts with
these other groups and to represent the University’s security posture and activities. Since the
SDC is primarily concerned with preventing the disclosure of PII and ePHI, its responses to
incidents and threats will be conditioned by the role of the Users with regard to PII and ePHI.

Operational Level Agreements and Governance

Computing groups have operational-level agreements with the customers they serve. Interruption
of service is a hardship and the SDC will cooperate with these groups to ensure that downtime is
minimized. However, the SDC’s management supports the priority of investigation activities
where there is a significant risk, and this may result in temporary outages or interruptions.

Training
The continuous improvement of incident handling processes implies that those processes are
periodically reviewed, tested, and translated into recommendations for enhancements. VIT staff
inside and outside of the SDC will be periodically trained on procedures for reporting and
handling incidents to ensure that there is a consistent and appropriate response to incidents and
those post-incident findings are incorporated into procedural enhancements.
2. Autopsy Version 4.19.2

An autopsy is computer software that makes it simpler to deploy many of the open-source
programs and plugins used in The Sleuth Kit. The graphical user interface displays the results
from the forensic search of the underlying volume making it easier for investigators to flag
pertinent sections of data. The tool is largely maintained by Basis Technology Corp. with the
assistance of programmers from the community. The company sells support services and training
for using the product.
Digital forensics refers to the way toward recouping information from computerized gadgets,
from PC hard drives to cell phones. Advanced gadgets can give a wide range of kinds of data
that are not clear to the casual user. An autopsy is the chief open-source digital forensics
platform that is anything but difficult to utilize, quick, and usable in every computerized
examination. It analyzes hard drives, smartphones, media cards, etc. It is primarily developed for
Microsoft Windows, but there is minimal support for running on Linux and macOS.

For making an autopsy report I have chosen a folder consisting of photos. There is a
detailed description of the location in the report for which I have attached the
screenshots down below.

Autopsy Development Program

Autopsy was written to be a forensics platform that supports various types of plug-in
analysis modules. If your students are interested in Python or Java programming, they
can learn about analysis techniques by building modules. For example, they can learn
about EXIF data in images by writing a module to detect JPEG files and parse the fields
that store the camera make and model.
OUTPUT SCREENSHOTS

Geolocation

Timeline Report
Summary
Metadata Screenshot
Metadata
Timeline Detailed View.