Task 2
Interview with IT manager:
When exactly was the incident first detected (date and time UTC or local) and who triggered the alert.
What to capture: exact timestamp, alert source (user, automated alert, backup failure).
What was the first visible symptom (deleted files, ransom note, service outage) and the sequence of events from detection to now.
What to capture: order of events and how long each took.
Which specific folders, filenames or client IDs were deleted or altered on the NAS and how many client records (approximate count) contained PII.
What to capture: exact folder names, file names, client identifiers.
Do we have evidence of data exfiltration prior to deletion (suspicious outbound transfers, large uploads, or unknown external connections around the same time)?
What to capture: timestamps, transfer sizes, destination IPs or domains.
Describe the backup configuration for the NAS (onsite/offsite, frequency, last successful backup timestamp) and when the last successful restore test was performed.
What to capture: backup timestamps, retention windows, backup system name.
Are backups currently intact and isolated from the network? If not, what problems were identified when attempting verification?
What to capture: verification outcome and any errors.
Which user accounts performed the delete operations according to NAS logs (usernames, service accounts, or IP-based sessions)?
What to capture: usernames, associated device names, session timestamps.
Which administrator or shared accounts currently exist on the NAS and when were they last used?
Who can create admin accounts and what is the approval process?
What to capture: list of admin/shared accounts and owner/approver names.
What do the firewall logs show for the incident window (external source IPs, ports, protocols, repeated authentication attempts)?
Have we blocked any of those IPs yet?
What to capture: external IPs, ports, times, and actions taken.
How is remote access currently authenticated (VPN vendor, MFA, device compliance checks, MDM).
Were any non-corporate devices used to connect at the incident times?
What to capture: MFA status, MDM presence, device identifiers.
Which logs have been secured and where are the forensic images/log exports stored?
Following on, who has exclusive access?
What to capture: list of preserved logs, storage location, hash or export confirmation.
What immediate remediation steps have already been performed (account disables, firewall blocks, NAS taken offline, forensic engagement)?
Following on the previous question, what remains outstanding and who is accountable?
What to capture: actions taken, outstanding actions, responsible people and timelines.
Comments
Post a Comment