Orion Incident Response Live CD
take some time to get used to it. As shown in the diagram, new information about a potential incident is entered first as an Incident Report. Once the report has been verified, an Incident is created. This incident can then lead to one or more Investigations as well as Blocks. A Block is an activity that attempts to stop or retard the attacker activity. Blocks are essentially containment steps. The investigations could be analysis work, interviews, forensic acquisitions, or any other activity that leads to the understanding and resolution of the incident. A visual depiction of the relationship between these entities is seen in Figure 8: RTIR Workflow.
Figure 8: RTIR Workflow
6.3.1. Using RTIR
The incident responder can use the RTIR web based interface (http://127.0.0.1/) to login and perform a variety of actions, such as accepting, annotating, rejecting, and closing incidents.
John Jarocki, email@example.com