With the rising number of cybercrimes, tracking nefarious actors online has become a crucial focal point for both governments and private enterprises alike. When cybercrime takes place within your own digital environment, identifying the extent of the compromise and investigating the root cause should be your top priority in order to contain the damage, eradicate the threat, and mitigate further loss.
Digital forensics is the process of uncovering and interpreting electronic data from digital devices. It is most often applied in relation to cybercrime, where it assists in pinpointing the origin of an attack, tracing it back to its source, and enabling the recovery of lost or stolen data. Typically, an investigation involving digital forensics would include the following five critical steps:
1. Identification
Knowing where to look for electronic evidence is extremely important when beginning an investigation. Sources of relevant evidence may include (but are not limited to) mobile phones, computers, servers, emails, and internet service providers. The process of identification is not only digital; observation of the physical surroundings (e.g., security camera positions, key card access control readers, etc.) may also provide physical evidence that helps in putting together a timeline.
2. Containment
Containment serves as the first active response to a crisis, preventing the attacker from carrying out further malicious activity and limiting further damage. The nature of the incident determines the type of containment effort taken, ranging from access control and monitoring to enabling additional security measures.
Upon identification, system or network isolation may be necessary in order to reduce damage and prevent further disruption to business operations. To decide whether or not a system requires isolation, consider critical factors such as how widely the system, platform, or application is deployed within the company network and how dependent other operations are on it.
3. Collection & Preservation
Data collection should be done without altering the original systems, meticulously following established procedures and ensuring data integrity. Different data acquisition methods and tools may be used for different systems. Analysis should be conducted on the acquired copy or duplicate image rather than on the original system, so that the original remains intact for evidence corroboration.
The process of preserving data is key to ensuring that all information available is authentic and valid. Fundamental documentation of the evidence collected should include the date and time of collection (When), a description of the evidence itself (What), details of the source system such as its operating system, software or hardware specifications, and network identifier (Where), and details of the acquisition tools used (How). There should also be established standards for properly storing the data collected and preventing any evidence tampering.
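The integrity and documentation points above can be made concrete with a small chain-of-custody record. The following Python script is an added example written for this article (it is not Blackpanda's tooling or any product's own code): it hashes an acquired copy in chunks, records the When / What / Where / How fields alongside the hash, and later re-verifies the copy. All sample values (the host name, the tool name, the file contents) are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in fixed-size chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(image_path, description, source, tool, collected_by):
    """Return a chain-of-custody record answering When / What / Where / How for one acquired copy.

    `source` describes the system the copy came from (hostname, operating system,
    network identifier); `tool` names the acquisition software used.
    """
    image_path = Path(image_path)
    return {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "what": {
            "description": description,
            "file": image_path.name,
            "size_bytes": image_path.stat().st_size,
        },
        "where": source,
        "how": {"tool": tool, "collected_by": collected_by},
        "sha256": sha256_file(image_path),
    }


def verify_manifest(image_path, manifest):
    """True if the copy still hashes to the value recorded at collection time."""
    return sha256_file(image_path) == manifest["sha256"]


def demo():
    """Create a constructed stand-in for an acquired image, record it, then modify it."""
    workdir = Path(tempfile.mkdtemp(prefix="evidence-"))
    image = workdir / "constructed-disk.img"
    image.write_bytes(b"abc")  # constructed content, chosen so its SHA-256 is a known test vector
    manifest = build_manifest(
        image,
        description="Logical copy of a user profile directory (constructed sample)",
        source={"hostname": "ws-example-01", "operating_system": "Windows 10", "ip": "10.0.0.5"},
        tool="example-imager 1.0 (hypothetical tool name)",
        collected_by="analyst-a",
    )
    (workdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    ok_before = verify_manifest(image, manifest)
    image.write_bytes(b"abc ")  # simulate a one-byte change after collection
    ok_after = verify_manifest(image, manifest)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("integrity before modification:", before, "| after:", after)
```

The manifest is written next to the copy so that anyone who receives the evidence can re-run the hash and confirm nothing has changed since collection; in practice the manifest itself would also be signed or stored separately from the copy it describes.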
Much like at a physical crime scene, photos (or, in this case, digital copies) are taken of the evidence at the scene of the incident. These visuals serve as a point of reference for the investigation. As incident responders often work in teams, they also enable parallel analysis among multiple specialists. Digital copies are likewise highly useful when documenting the incident report following the investigation.
4. Analysis & Eradication
The primary goal of analysis is to determine how and when the breach happened by scrutinizing and interpreting the evidence collected. The analytical process draws on a multidisciplinary approach, pulling resources from various skillsets, expertise, and training. Approved tools and methodologies must be adhered to during this process.
Time and date boundaries are often the first two key factors identified, as they are essential in building the timeline of events that reveals how an attacker may have entered a system, moved within it, and taken actions on objectives. Time and date boundaries also help investigators narrow the scope of an investigation, eliminate externalities and hypotheticals, and focus on the time range of the attack so that useful findings are obtained more efficiently.
Matching evidence to the event timeline may help identify corroborating evidence of the incident. Depending on the goals and priorities of the investigation, forensic investigators then interpret the timeline and draw conclusions based on the facts gathered from the evidence.
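Building a timeline from several sources is mostly a matter of getting every record into one clock before sorting and filtering it. The script below is an added example, not code from the original article: it takes constructed sample records from a firewall (ISO 8601 with a +08:00 offset), a web server (Common Log Format in UTC) and a Windows host whose event times are naive local time, normalizes all of them to UTC, keeps only those inside the investigation window, and sorts them. The host names, addresses and timestamps are made up, and the assumption that the Windows host clock runs at UTC-5 is marked in the code.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records from three source systems, each with its own
# timestamp convention. These are made-up lines, not logs from any real incident.
FIREWALL_LOG = [  # ISO 8601 with an explicit +08:00 offset
    "2024-03-05T00:30:00+08:00 fw01 deny src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-05T01:14:02+08:00 fw01 allow src=203.0.113.7 dst=10.0.0.5 dport=3389",
]
WEB_ACCESS_LOG = [  # Common Log Format, already in UTC
    '10.0.0.5 - - [04/Mar/2024:17:19:10 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Mar/2024:17:21:03 +0000] "POST /upload HTTP/1.1" 201 88',
]
WINDOWS_EVENTS = [  # naive local time; the host clock is assumed to run at UTC-5
    ("2024-03-04 12:16:30", "4624", "An account was successfully logged on"),
    ("2024-03-06 08:00:00", "4634", "An account was logged off"),
]
WINDOWS_HOST_TZ = timezone(timedelta(hours=-5))  # assumption recorded from the host's settings

# Investigation window chosen for the constructed scenario (one hour, in UTC).
WINDOW_START = datetime(2024, 3, 4, 17, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc)

FW_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_firewall(line):
    """Offset-aware ISO timestamp: fromisoformat keeps the offset, astimezone converts."""
    ts, host, action, rest = FW_RE.match(line).groups()
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return when, "firewall", f"{host} {action} {rest}"


def parse_web(line):
    """CLF timestamp such as 04/Mar/2024:17:19:10 +0000; %z parses the numeric offset."""
    client, ts, request, status = WEB_RE.match(line).groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return when, "web", f"{client} {request} -> {status}"


def parse_windows(record):
    """Naive local time: attach the documented host offset before converting to UTC."""
    ts, event_id, message = record
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_HOST_TZ)
    return when.astimezone(timezone.utc), "windows", f"EventID {event_id}: {message}"


def build_timeline(window_start, window_end):
    """Normalize every record to UTC, keep only those inside the window, sort by time."""
    events = [parse_firewall(line) for line in FIREWALL_LOG]
    events += [parse_web(line) for line in WEB_ACCESS_LOG]
    events += [parse_windows(rec) for rec in WINDOWS_EVENTS]
    in_window = [e for e in events if window_start <= e[0] <= window_end]
    in_window.sort(key=lambda e: e[0])
    return [(when.isoformat(), source, summary) for when, source, summary in in_window]


def demo_timeline():
    """Timeline for the constructed window; two records fall outside it and are dropped."""
    return build_timeline(WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for when, source, summary in demo_timeline():
        print(f"{when}  [{source:8}] {summary}")
```

Two records (the earlier firewall deny and the later Windows logoff) fall outside the window and are dropped, which is exactly the scoping effect the paragraph describes; the remaining four line up across sources once they share a clock, so the firewall allow, the logon event and the web requests can be read as one sequence.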
As part of the threat eradication process, activities such as blocking malicious network indicators, rebuilding compromised systems, and resetting account credentials should each be followed by verification steps to ensure comprehensive remediation. A thorough exposure check or vulnerability assessment of the entire environment, together with continuous monitoring, is advised to identify other weak links and potential threats. To prevent future occurrences, a new set of defenses may be proposed.
One important action that complements the steps above is copious note-taking. Documentation should be detailed enough such that actions taken can be replicated and reproduced by another person.
5. Reporting
The last step in this process is reporting. The report should identify the source of the breach, the techniques and methodology used to investigate and mitigate the attack, the evidence collected, and advisory material for stakeholders and decision makers. The report should be factual, impartial, and non-technical so that stakeholders can easily understand it and take the necessary action.
While each company or system is unique and requires its own incident response plan, the steps above serve as a general overview of an investigation process involving digital forensics. For professional advice on incident response planning suited to your firm’s specific needs, schedule a call with one of Blackpanda’s cyber incident responders to plan your response.