Tools to support the IM function

While Incident Response is working away on log analysis and on RAM and disk acquisition and analysis, the IM function is collating and sharing information.

For this they need a variety of tools and software to help visualise and convey the current status of the incident. Below are some of the ones we have used or have seen used to great effect. Note that different incidents have different information-sharing requirements, so don’t be concerned if you use one product for a major external breach and another for a possible internal ransomware case.

Mindmapping software:

Voice/Video Comms software (cloud):

Evidence acquisition tools (both):

Evidence analysis tools:

As per acquisition and the following:

Incident Collaboration software (cloud):

Incident Collaboration software (on prem):

Sending files and passwords

