Orion Incident Response Live CD
Figure 11: RTIR Incident
The installation of RTIR in Orion stores incident information in a MySQL database, which can be read and manipulated with any tool that speaks MySQL. For example, the mysqlhotcopy command can be used to make a backup of the RTIR database (named rt3 here) under the /backup directory:
mysqlhotcopy --user=<userid> --password=<password> rt3 /backup
Two caveats apply. mysqlhotcopy locks the tables and copies their files directly, so it must run on the database host and works only for MyISAM and ARCHIVE tables; if the RT tables use InnoDB, use mysqldump instead. Passing the password on the command line also exposes it in the process list and in shell history, so on a shared analysis host it is better to place the credentials in the [client] section of an option file (.my.cnf), which mysqlhotcopy reads.
Future versions of Orion will include scripts to automate the backup, validation, and restoration of the RTIR database. This will allow case tracking data to be archived for a specific incident. The released version of Orion will include a script to archive the RTIR database together with any other data related to the incident.
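The backup, validation and restoration steps described above, written out as a small POSIX shell script. This is an added example, not Orion's own script: the database name rt3 follows the page, while the function names, the archive layout (one directory per incident with a SHA-256 manifest) and the use of mysqldump rather than mysqlhotcopy are assumptions. The dump and restore commands are taken from the DUMP_CMD and RESTORE_CMD variables so the archiving and verification logic can be exercised without a live MySQL server.

```shell
#!/bin/sh
# Added example (not part of Orion): archive the RTIR database with an
# integrity manifest, verify the archive, and restore only if it verifies.
# Assumptions: database name rt3 (per the page); mysqldump/mysql as the
# default dump and restore commands; GNU sha256sum is available.

RT_DB="${RT_DB:-rt3}"
# mysqldump works for InnoDB as well as MyISAM tables, unlike mysqlhotcopy.
DUMP_CMD="${DUMP_CMD:-mysqldump --single-transaction $RT_DB}"
RESTORE_CMD="${RESTORE_CMD:-mysql $RT_DB}"

# rtir_archive <incident-id> <archive-root>
# Dumps the database to <archive-root>/<incident-id>/<db>.sql, writes a
# SHA256SUMS manifest covering every file in that directory (so other
# incident evidence placed there first is covered too), and prints the
# archive directory. Returns 1 if the dump fails.
rtir_archive() {
    dir="$2/$1"
    mkdir -p "$dir" || return 1
    # Dump to a temporary name and rename at the end, so an interrupted
    # dump is never mistaken for a complete one.
    sh -c "$DUMP_CMD" > "$dir/$RT_DB.sql.part" || {
        rm -f "$dir/$RT_DB.sql.part"
        return 1
    }
    mv "$dir/$RT_DB.sql.part" "$dir/$RT_DB.sql" || return 1
    ( cd "$dir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | sort > SHA256SUMS ) || return 1
    echo "$dir"
}

# rtir_verify <archive-dir>
# Returns 0 only if every file listed in the manifest still matches it.
rtir_verify() {
    [ -f "$1/SHA256SUMS" ] || return 1
    ( cd "$1" && sha256sum -c --status SHA256SUMS ) >/dev/null 2>&1
}

# rtir_restore <archive-dir>
# Refuses to load a dump whose manifest check fails, so a tampered or
# truncated archive is never written back into the case-tracking database.
rtir_restore() {
    rtir_verify "$1" || {
        echo "refusing to restore $1: manifest check failed" >&2
        return 1
    }
    sh -c "$RESTORE_CMD" < "$1/$RT_DB.sql"
}
```

Usage on the live CD would be, for example, `rtir_archive INC-2009-017 /mnt/evidence/archives` after the case is closed, and `rtir_verify /mnt/evidence/archives/INC-2009-017` before relying on the archive later. The manifest only detects accidental or unprivileged tampering; an attacker who can rewrite the archive can rewrite SHA256SUMS as well, so for evidentiary purposes copy the manifest to write-once media or sign it separately.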
6.4. Secure Communication
Communication during incident response must be trustworthy, but it also needs to be full-featured. Attackers can hamper the ability of the incident handling team to provide a timely response simply by creating doubt in the trustworthiness of normal communication channels. If the email system has been compromised, how does the team keep abreast of the situation? If normally used instant messaging systems are