Tools to support the IM function
While Incident Response is working away on log analysis and on RAM and disk acquisition and analysis, the IM function is working on collating and sharing information.
For this it needs a variety of tools and software to help visualise and convey the current status of the incident. Below are some of the ones we have used or have seen used to great effect. Note that different incidents have different information-sharing requirements, so don't be concerned if you use one product for a major external breach and another for a possible internal ransomware case.
Mindmapping and task-board software:
https://asana.com/
https://miro.com/
https://trello.com
Voice/Video Comms software (cloud):
https://www.microsoft.com/en-gb/microsoft-teams/audio-conferencing
https://hangouts.google.com/
https://zoom.us
Evidence acquisition tools (cloud and on prem):
https://www.magnetforensics.com/ (Magnet AXIOM)
https://www.magnetforensics.com/blog/acquiring-memory-with-magnet-ram-capture/
https://security.opentext.com/encase-forensic
https://accessdata.com/
Evidence analysis tools:
The acquisition suites listed above, plus the following:
https://belkasoft.com/x
https://x-ways.net/forensics/
Incident Collaboration software (cloud):
https://www.atlassian.com/software/jira
https://www.cybercpr.com/
https://www.google.co.uk/sheets/about/
Incident Collaboration software (on prem):
https://www.atlassian.com/software/jira
https://www.cybercpr.com/
https://www.microsoft.com/en-gb/microsoft-365/sharepoint/collaboration
Sending files and passwords
See this post (the text got too long for here).