Incident Response - At the Endpoint

When an endpoint is suspected of being compromised and direction to proceed has been received from the ITS security manager, these steps should be taken ASAP by ITS personnel.

Do not turn the computer off before completing the steps outlined below:

  1. Disconnect the computer from the network. Do not log out, and do not close any applications.
    1. Unplug the network cable if it has one.
    2. Disable the wireless card if it has one and turn on airplane mode.
  2. Capture the contents of RAM.
    1. Insert the RAM capture flash drive into a USB port on the computer.
    2. Open the FTK Imager folder on the flash drive.
    3. Launch ftkimager.exe.
    4. From the File menu, select ‘Capture Memory’.
    5. For the destination, select the flash drive.
    6. For the destination filename, use the computer's name with the .mem extension.
    7. Select the checkbox to include the pagefile.
    8. Start the capture by selecting the Capture Memory button.
  3. Wait until the capture completes; it only takes a few minutes.
  4. Remove the flash drive and turn off the computer.
  5. Deliver the .mem file and the pagefile, along with the computer's hard drive, to the ITS security manager.
  6. The computer can be put back into service with a new hard drive.
  7. The original hard drive will not be destroyed; data may be recovered from it after it is determined to be free of malware.
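An added example, not part of this article, of a check ITS staff could run from the flash drive before step 4 (powering off): it confirms that the `<computer name>.mem` file and the pagefile copy are both present and non-empty, and records their sizes and SHA-256 hashes in a manifest that travels with the evidence to the ITS security manager in step 5. The pagefile copy being named `pagefile.sys` and the manifest layout are assumptions.

```python
import hashlib
import json
import platform
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; a .mem file can be many GB


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so the capture never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(capture_dir: Path, computer_name: str,
                   pagefile_name: str = "pagefile.sys") -> dict:
    """Verify the capture follows the procedure and record integrity data for hand-off.

    Expects <computer_name>.mem (step 2.6) and the pagefile copy (step 2.7) in
    capture_dir. Raises if either is missing or empty, so the problem is caught
    while the machine is still powered on and the capture can be repeated.
    """
    mem = capture_dir / f"{computer_name}.mem"
    page = capture_dir / pagefile_name  # assumed name of FTK Imager's pagefile copy
    missing = [p.name for p in (mem, page) if not p.is_file()]
    if missing:
        raise FileNotFoundError(f"capture incomplete, missing: {', '.join(missing)}")
    files = []
    for p in (mem, page):
        size = p.stat().st_size
        if size == 0:
            raise ValueError(f"{p.name} is empty; re-run the capture")
        files.append({"file": p.name, "bytes": size, "sha256": sha256_file(p)})
    return {
        "computer_name": computer_name,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def write_manifest(capture_dir: Path, computer_name: str) -> Path:
    """Write <computer_name>.manifest.json next to the capture and return its path."""
    out = capture_dir / f"{computer_name}.manifest.json"
    out.write_text(json.dumps(build_manifest(capture_dir, computer_name), indent=2))
    return out


if __name__ == "__main__":
    # Assumes the script is run from the flash drive's root after the capture finishes.
    print(write_manifest(Path("."), platform.node()))
```

The manifest hashes can be recomputed by the security manager on receipt to confirm the files were not altered in transit.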

Details

Article ID: 126920
Created: Mon 2/1/21 11:56 AM
Modified: Mon 11/1/21 11:33 AM