FILE: materi-13.module

Incident Response and Forensics

When a breach happens: how to handle, contain, eradicate and recover. Plus digital forensics.

RUNTIME: 28m LEVEL: advanced STATUS: ACTIVE

1. Not If, But When

A breach is a certainty, not a possibility. Preparation before the event is what matters. An Incident Response Plan is a mandatory document in every company, and it is only useful if it is tested: run tabletop or live drills regularly so the people named in it know their roles before the real call comes.

2. NIST IR Lifecycle

Four phases, as defined in NIST SP 800-61: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. The lifecycle is iterative: what is learned in Post-Incident Activity feeds back into Preparation, so each incident should leave detection and response better than before.

3. Containment Strategy

Isolate the infected system. Disconnect it from the network, or quarantine it (EDR network isolation, VLAN move) if you still need remote access to it for evidence collection. Preserve evidence: do not reboot yet, because memory contents, running processes and live network connections are lost on reboot; capture volatile data first, then disk. Have a communication plan ready: management, legal, PR. Decide deliberately between monitoring the attacker to learn their full scope and kicking them out immediately; eradicating too early can leave undiscovered footholds in place, while monitoring too long increases exposure.

4. Digital Forensics

Acquire evidence (disk image, memory dump), hashing every artefact at the moment of acquisition so that any later modification can be detected. Chain of custody (legal requirement): record who handled each item, when, and what its hash was at that point. Analysis: build a timeline across sources, match indicators of compromise (IOCs). Produce a report that is admissible in court. Tools: Autopsy, Volatility, FTK. Certifications: GCFA, GCIH.
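As an added example (not code from this course module), the small Python toolkit below puts the evidence-handling steps of the containment and forensics sections into working code: it hashes evidence at acquisition and re-verifies it later, keeps an append-only chain-of-custody log, and merges log lines from several sources into one timeline before flagging IOC matches. The evidence bytes, log lines, hosts, IP addresses (documentation range 198.51.100.0/24) and indicators are all constructed for the example, and the item IDs and analyst names are placeholders.

```python
"""Added example, not code from the course module: acquisition hashing,
an append-only chain-of-custody log, and a timeline with IOC matching.
All evidence bytes, log lines, hosts, IPs and indicators are constructed."""
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never sits in RAM

def sha256_stream(fh) -> str:
    """SHA-256 of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()

@dataclass
class CustodyRecord:
    item_id: str
    handler: str
    action: str       # acquired / verified-ok / verified-MISMATCH / transferred
    sha256: str
    timestamp: str

@dataclass
class ChainOfCustody:
    """Append-only custody log: each step records the hash seen at that moment,
    so a failed verification is itself part of the record."""
    records: list = field(default_factory=list)

    def log(self, item_id: str, handler: str, action: str, digest: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.records.append(CustodyRecord(item_id, handler, action, digest, stamp))

    def acquire(self, item_id: str, handler: str, fh) -> str:
        """Hash the evidence as it is collected and record the acquisition."""
        digest = sha256_stream(fh)
        self.log(item_id, handler, "acquired", digest)
        return digest

    def verify(self, item_id: str, handler: str, fh) -> bool:
        """Re-hash the item and compare it against the acquisition hash."""
        original = next((r.sha256 for r in self.records
                         if r.item_id == item_id and r.action == "acquired"), None)
        if original is None:
            raise KeyError(f"{item_id} was never acquired")
        digest = sha256_stream(fh)
        ok = digest == original
        self.log(item_id, handler, "verified-ok" if ok else "verified-MISMATCH", digest)
        return ok

# Constructed log lines: "<ISO8601 UTC> <host> <source> <message>".
SAMPLE_LOGS = [
    "2024-03-02T10:05:12Z ws-042 sysmon ProcessCreate powershell.exe -nop -w hidden parent=winword.exe",
    "2024-03-02T10:04:58Z ws-042 edr FileWrite C:\\Users\\a\\AppData\\Local\\Temp\\invoice.docm",
    "2024-03-02T10:05:40Z fw01 firewall allow 10.0.5.42 -> 198.51.100.23:443",
    "2024-03-02T10:06:03Z ws-042 dns query evil-c2.example",
]
IOCS = ["198.51.100.23", "evil-c2.example", "invoice.docm"]  # constructed indicators

def parse_event(line: str):
    ts, host, source, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, source, msg

def build_timeline(lines):
    """Merge events from several sources into one chronological list."""
    return sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e[0])

def match_iocs(timeline, iocs):
    """Return (time, host, source, matched_iocs) for events containing an indicator."""
    hits = []
    for when, host, source, msg in timeline:
        matched = [i for i in iocs if i.lower() in msg.lower()]
        if matched:
            hits.append((when.isoformat(), host, source, matched))
    return hits

def run_demo() -> dict:
    """Run all three steps on the constructed data and return the results."""
    image = b"constructed disk image bytes standing in for a dd/E01 file"
    coc = ChainOfCustody()
    coc.acquire("IMG-001", "analyst-a", io.BytesIO(image))
    intact = coc.verify("IMG-001", "analyst-b", io.BytesIO(image))
    tampered_ok = coc.verify("IMG-001", "analyst-b", io.BytesIO(image + b"\x00"))
    timeline = build_timeline(SAMPLE_LOGS)
    return {
        "custody_actions": [r.action for r in coc.records],
        "intact": intact,
        "tamper_detected": not tampered_ok,
        "timeline_sources": [e[2] for e in timeline],
        "ioc_hits": match_iocs(timeline, IOCS),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noticing: the verification step logs a mismatch instead of raising, because an evidence log that only records successes cannot show a court when and by whom an item was found altered; and the timeline is sorted after parsing all sources, which is how the EDR file write (10:04:58) correctly lands before the Sysmon process creation (10:05:12) even though the lines arrived in the opposite order. In a real case the hashing would run over the acquired image file and the custody log would be written to a signed, append-only store rather than an in-memory list.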

5. Lessons Learned

Blameless post-mortem: no finger-pointing at individuals. Identify the root cause, not the symptom. Update the playbook. Update tools and training. Share the insights with the community (anonymized).

Practical Mission

  1. Write an IR plan for your own laptop
  2. Learn memory analysis with Volatility
  3. Set up a honeypot at home
  4. Read Mandiant's M-Trends report
  5. Simulate an IR exercise with a friend acting as the red team

Recap Module