Let's do a quick review of the TAARA network forensics and incident response methodology.
As we learned in Chapter 1, Becoming Network 007s, TAARA stands for the following:
Trigger: This is the event that leads to an investigation.
Acquire: This is the process set in motion by the trigger. It is predefined as part of the incident response plan and involves identifying, acquiring, and collecting information and evidence relating to the incident. This includes gathering information about the triggers themselves and the reasons for suspecting an incident, and identifying and acquiring sources of evidence for subsequent analysis.
Analysis: All the evidence that has been collected is now collated, correlated, and analyzed, and the sequence of events is reconstructed. The pertinent questions, whether the incident actually occurred and, if it did, what exactly happened, how it happened, who was involved, what the extent of the compromise is, and so on, are...