The SANS Incident Handling & Forensics presentation by Matthew J. Harmon provides a comprehensive overview of how organizations should prepare for, respond to, and learn from security incidents. Drawing on industry best practices and real-world examples, it emphasizes the importance of structured processes, clear communication, and rigorous evidence handling to minimize damage and restore operations promptly.

Incident Response

First, the talk lays out the six core phases of incident response: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned, detailing the goals and key actions at each stage. Core principles, such as working in pairs, maintaining a strict chain of custody, never operating on original data, and enforcing a need-to-know policy, are reinforced throughout. These guidelines ensure that responders act methodically, take comprehensive notes, and prevent further compromise while preserving forensic integrity.

Techniques and Toolkits

Second, the presentation transitions to practical techniques and toolkits. It introduces the SANS Investigative Forensic Toolkit (SIFT) and offensive-focused distributions like BackTrack for evidence acquisition and analysis. Step-by-step procedures cover documenting the scene, identifying and preserving data sources (from servers and workstations to mobile devices), performing bit-by-bit imaging, and analyzing logs and memory. Finally, it underscores the need to produce clear, audience-appropriate reports, whether for corporate management, legal teams, or law enforcement, to drive improvements and policy changes post-incident.
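The two principles above, never operating on original data and keeping a strict chain of custody, together with the bit-by-bit imaging step, can be made concrete in a few dozen lines. The following is an added illustration, not code from the presentation or from SIFT: it images a source read-only (a stand-in for dd or a hardware imager), hashes source and image, gives analysts a working copy that is re-hashed before use, and appends every handling step, with a second handler as witness, to a JSON-lines custody log. The evidence bytes, evidence ID, handler names and file names are all constructed for the example.

```python
"""Evidence acquisition helpers: image a source read-only, hash source and image,
verify the working copy before analysis, and log each step to a custody log.
All paths, names and the sample evidence are constructed for this example."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large images never load fully into RAM


def sha256_file(path):
    """Streamed SHA-256 of a file; used for source, image and working copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy of `source` into `image` (stand-in for dd or an imager).
    The source is opened read-only, so the original is never written to.
    Returns (source_digest, image_digest); they must match for a valid image."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest(), sha256_file(image)


class CustodyLog:
    """Append-only JSON-lines log: who did what to which evidence item, when,
    with a witness (the 'work in pairs' rule) and the digest observed."""

    def __init__(self, path):
        self.path = path

    def record(self, evidence_id, action, handler, witness, digest):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "evidence_id": evidence_id,
            "action": action,
            "handler": handler,
            "witness": witness,
            "sha256": digest,
        }
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f if line.strip()]


def verify_before_analysis(working_copy, expected_digest):
    """Re-hash the working copy before touching it; a mismatch means it is no
    longer the evidence that was acquired and must not be analyzed."""
    return sha256_file(working_copy) == expected_digest


def demo(workdir):
    """One acquisition: constructed source -> verified image -> logged working copy.
    Also shows that an accidental write to the working copy is caught."""
    source = os.path.join(workdir, "suspect_disk.bin")  # constructed 'device'
    image = os.path.join(workdir, "suspect_disk.dd")    # constructed image name
    working = os.path.join(workdir, "analyst_copy.dd")
    log = CustodyLog(os.path.join(workdir, "custody.jsonl"))

    with open(source, "wb") as f:  # fake evidence: 3 MiB of patterned bytes
        f.write(bytes(range(256)) * (3 * 1024 * 1024 // 256))
    original_digest = sha256_file(source)

    src_digest, img_digest = acquire_image(source, image)
    log.record("EV-001", "acquired image", "handler_a", "handler_b", img_digest)

    shutil.copyfile(image, working)  # analysis happens on a copy of the image
    log.record("EV-001", "working copy made", "handler_a", "handler_b", sha256_file(working))
    clean = verify_before_analysis(working, img_digest)

    with open(working, "r+b") as f:  # simulate an accidental write to the copy
        f.seek(0)
        f.write(b"\xff")
    tamper_detected = not verify_before_analysis(working, img_digest)
    log.record("EV-001", "working copy rejected (hash mismatch)",
               "handler_a", "handler_b", sha256_file(working))

    return {
        "image_matches_source": src_digest == img_digest,
        "source_untouched": sha256_file(source) == original_digest,
        "working_copy_verified": clean,
        "tamper_detected": tamper_detected,
        "custody_entries": len(log.entries()),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(json.dumps(demo(d), indent=2))
```

The log is append-only and each entry carries the digest seen at that step, so a reviewer can reconstruct who handled the item and confirm the hash chain from acquisition onward; in practice the source would be a block device behind a write blocker and the custody log would itself be stored on separate, access-controlled media.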

Presentation

Minnesota High Tech Crime Investigators Association