How to Respond to an Unexpected IT Security Incident

Whether you're prepared or not, information security incidents happen. At the SOURCE Boston conference, Lenny Zeltser, a SANS senior faculty member, laid out key steps to take if you need to respond to one.

Review the Initial Incident Survey's Results

Now you will want to consider what data from the initial analysis you can use going forward. During this step you will also want to determine what forensic details may have been lost.

"Every time you touch a system, you modify its state," said Zeltser.

What commands or tools were executed on the affected systems? What measures were taken to contain the scope of the incident? These can all impact potential forensic evidence.

Also take time now to review logs and see if there are any suspicious entries.
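Since every command a responder runs changes the state of the affected system, the "what was executed, where, and by whom" question above is easiest to answer if actions are recorded as they happen. The following is an added example (not from Zeltser's talk or the article): a small responder action log in which each entry is chained to the previous one by a SHA-256 hash, so later tampering or reordering is detectable. Hostnames, operator names and commands are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first entry


def _entry_hash(prev_hash: str, entry: dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON encoding of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def record_action(log: list, host: str, operator: str, command: str, note: str = "") -> dict:
    """Append one responder action (command run on a host) to the chained log."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "time": datetime.now(timezone.utc).isoformat(),
        "host": host,
        "operator": operator,
        "command": command,
        "note": note,
        "prev_hash": prev_hash,
    }
    entry["hash"] = _entry_hash(prev_hash, entry)  # entry has no "hash" key yet
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Return True only if every entry's sequence, prev_hash and hash are intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False
        if _entry_hash(prev_hash, body) != entry["hash"]:
            return False
        prev_hash = entry["hash"]
    return True


def actions_on_host(log: list, host: str) -> list:
    """List the commands recorded against one host, in the order they were run."""
    return [e["command"] for e in log if e["host"] == host]


if __name__ == "__main__":
    log = []  # constructed sample session
    record_action(log, "web-01", "responder-a", "netstat -an", "initial survey")
    record_action(log, "web-01", "responder-a", "ps aux")
    print(verify_log(log), actions_on_host(log, "web-01"))
```

Writing the log to a file on the responder's own workstation (not the affected host) keeps the record from further altering the evidence.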

Prepare for Next Incident Response Steps

Does your group or organization have specific incident response instructions or guidelines? If you are an outside responder helping out, don't assume that people know what to do. You may be dealing with outdated procedures and untrained staff, said Zeltser.

Now is the time to decide whether to proceed with live analysis or start a formal forensic examination. Some companies couldn't care less about forensics and simply want to do live analysis to deal with the problem and get back to business as soon as possible, noted Zeltser.

Other key things to ask now: What tools are available to us for monitoring network or host-based activities in the affected environment? What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis (e.g., network, USB, CD-ROM)? Where are the affected IT infrastructure components physically located? What backup-restore capabilities are in place to assist in recovering from the incident?

Lastly, decide what the next steps will be. Who will do what and when? Now you've got a comprehensive mass of information to use to help you decide.
