Lab #9

Course name and Number: ISSC 362 attack and security 1. When you are notified that a user’s workstation or system is acting strangely and log files indicate system compromise, what is the first thing you should do to the workstation or system and why? a. Disconnect from the network via unplugging the network interface and pull the power cord. Through doing this you can isolate the damage to the areas that it is located without the chances of it uploading data or changing the system during power down. 2. When an antivirus application identifies a virus and quarantines this file, does this mean the computer is free of the virus and any malicious software? b. No it does not. When the virus quarantines the file it puts it in a sandbox where it can’t affect the system. However, the virus program doesn’t necessarily detect other portions of the program. This will take analysis to determine if there is more. Also, the virus vault must be emptied in order to delete the actual files. Following this a thorough scan must be implemented in order to check the system for any changes that were made by the malicious software. 3. Where would you check for processes and services enabled in the background of you “student” VM workstation c. Through the system configuration setup. This can be reached through running msconfig command under the run dialog. Once inside you can see all running services, boot services, startup services, and system services. Another method of checking the running services is through the processes tab of the ctr+Shift+esc command. This will show all running processes and allow the user to shut them down. 4. Where would log files typically be kept on most Microsoft systems? d. Control panel/administrative tools/event viewer. Or C:/Windows 5. What is the SANS institute’s six step incident handling process.
Phase 1: Preparation
Phase 2: Identification
Phase 3: Containment
Phase 4: Eradication
Phase 5: