Host-Based Analysis
Security Log
A log that contains records of security-related events, including login/logout activity.
Threat Actor
A person or entity that is responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity.
Application Blacklisting
Allows every program except those listed on the blacklist to run. Ensures known-bad software is prevented from executing on a system.
AVAST
Antimalware software
Linux
Free, Difficult to use, Very Reliable, Strong Security
Tampered Disk Image
An image that was altered; its data, applications, or systems were tampered with.
Windows
Pricey, Very easy to use, Less reliable, weaker security.
Chain of Custody
A list of all people who came into possession of an item of evidence. If this record is incomplete, it is unlikely that the evidence can be used in court.
AVAST, AVG, CL, Kaspersky, Norton
Antivirus software
Indirect Evidence
Evidence that is based on other evidence.
Corroborative Evidence
Evidence that supplements and strengthens already existing evidence. Based on theory.
Indicators of Attack
Known as IOAs: indicators that help identify clues that an attack has taken place or is taking place, such as unauthorized account privilege escalation, exfiltration of sensitive data, or requests for information from a compromised email account. Forensic evidence collected after a successful attack. Reactive measure.
Application Whitelisting
A list of applications that are authorized or allowed to run; only applications on the whitelist may execute.
Host-Based Firewall
A software firewall installed on a single host to monitor and control that host's incoming and outgoing network traffic.
Untampered Disk Image
Users must not be able to tamper with the image's data, applications, or system.
Sandboxing
A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Assets
Any item that has value to the organization, for example software, personnel, or processes.
Indicators of Compromise
Suspicious or unusual behaviors or traffic that may indicate something is wrong with a network or computer. Proactive measure. They describe, and help detect, a methodology for performing an attack.
Host-Based Intrusion Detection
Monitors the characteristics of a single host and the events occurring within that host to identify and analyze suspicious activity. It does not actively stop threats as they happen.
Apache
Its logs store information about events that occurred on your Apache web server. It also provides administrators with a second type of log file, the error log.