Steps to Digital Forensics Simplified
What is digital forensics?
With the rising number of cybercrimes, tracking malicious actors online has become a crucial focal point for governments and private enterprises alike. When cybercrime takes place within your own digital environment, investigating the cause and extent of the damage should be your top priority in order to contain the breach, eradicate the threat, and mitigate further loss.
Digital forensics is the process of uncovering, preserving and interpreting electronic data from digital devices. It is most often applied to cybercrime, where it helps pinpoint the origin of an attack, trace the attacker's path through the environment, and establish what data was accessed, altered or taken, which in turn guides recovery. Typically, a digital forensics investigation follows five critical steps to mitigate damage and prevent the recurrence of a breach.
1. Identification
Knowing where to look for electronic evidence is the first concern when beginning an investigation. Sources of relevant evidence include mobile phones, workstations, servers, email, network devices, and records held by internet service providers. Identification is not purely digital; observation of the physical surroundings (e.g., security camera positions, key card access control readers, etc.) also yields physical evidence that helps in putting together a timeline.
2. Isolation & containment
Upon identification, isolating the affected system or network segment may be necessary in order to limit damage and prevent further disruption to business operations. To decide whether a system requires isolation, consider factors such as how widely the system, platform, or application is deployed within the company network and what depends on it.
Containment is the first active response to the incident: it denies the attacker the ability to continue malicious activity and prevents further damage. The nature of the incident determines the containment measures taken, which range from restricting network access, to closer monitoring, to enabling additional security controls. Where possible, isolate at the network level rather than powering a machine off, so that volatile evidence such as memory contents, running processes and active network connections remains available for collection.
3. Preservation & collection
Preserving data correctly is key to ensuring that all information collected is authentic and verifiable. Every item of evidence should be documented at the point of collection: what it is, where it came from, who collected it and when, and a cryptographic hash of its contents so that later changes can be detected. This documentation must cover the operating system, network traces, and application-specific logs.
Much like a physical crime scene, the scene of the incident is recorded before anything is disturbed. In digital forensics this is called capturing or imaging: a bit-for-bit copy of each storage device or volatile data source is taken, hashed, and used as the point of reference for the investigation. Working from verified duplicate images rather than the original ensures that the original is never altered, allows responders (who often work in pairs) to analyse in parallel, and lets findings be corroborated by repeating the analysis on another copy. The images and their hashes are also cited in the Incident Report at the end of the investigation.
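The acquire-and-verify step described above, as an added example written for this article rather than code from the original page or from Blackpanda's tooling. The script copies an evidence file to an image, hashes the source before and after the copy to detect a source that changed mid-acquisition, hashes the image, writes a chain-of-custody record beside it, and re-verifies a working copy later. All file names, the examiner label and the sample evidence bytes are constructed for the example; it assumes the source is already mounted read-only or behind a write blocker, since the script itself only copies and hashes.

```python
"""Acquire a bit-for-bit copy of an evidence file and verify it by hash.

Hypothetical helper for this article, not Blackpanda tooling. Assumes the
source is already read-only (write blocker or read-only mount); the
script only copies and hashes.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images do not exhaust memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source: Path, image: Path, examiner: str) -> dict:
    """Copy source to image and record a chain-of-custody entry.

    The source is hashed before and after the copy: if the two digests
    differ, the source changed while it was being read (live disk, no
    write blocker) and the image cannot be trusted as a faithful copy.
    """
    before = sha256_file(source)
    shutil.copyfile(source, image)
    after = sha256_file(source)
    image_hash = sha256_file(image)
    record = {
        "source": str(source),
        "image": str(image),
        "examiner": examiner,           # constructed label, not a real person
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": before,
        "image_sha256": image_hash,
        "verified": before == after == image_hash,
    }
    # The custody record lives beside the image; the final report cites it.
    Path(str(image) + ".custody.json").write_text(json.dumps(record, indent=2))
    return record


def verify(image: Path, expected_sha256: str) -> bool:
    """Re-hash a working copy and compare it with the acquisition record."""
    return sha256_file(image) == expected_sha256


def run_demo(work_dir=None) -> dict:
    """End to end on constructed data: acquire, verify, then show that a
    working copy with a single flipped byte fails verification."""
    work = Path(work_dir or tempfile.mkdtemp())
    src = work / "evidence.bin"
    src.write_bytes(b"constructed sample evidence block\n" * 4096)  # stand-in for a disk
    image = work / "evidence.dd"
    record = acquire(src, image, "examiner-01")
    intact = verify(image, record["image_sha256"])
    # Simulate someone opening the working copy and changing one byte.
    data = bytearray(image.read_bytes())
    data[0] ^= 0x01
    image.write_bytes(bytes(data))
    return {
        "record": record,
        "intact": intact,
        "intact_after_tamper": verify(image, record["image_sha256"]),
    }


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["record"], indent=2))
    print("working copy intact before tamper:", result["intact"])
    print("working copy intact after tamper: ", result["intact_after_tamper"])
```

In practice the image hash is also written into the physical evidence log and signed by the examiner, so that anyone who later re-hashes the image can confirm it is the same object that was collected.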
4. Analysis & eradication
The primary goal of analysis is to determine how and when the breach happened by scrutinizing and interpreting the evidence collected. The analytical process draws on a multidisciplinary approach, pulling resources from various skillsets, expertise, and training. Approved tools and methodologies must be adhered to during this process.
The time window of the incident is usually the first thing established, because it anchors the timeline of events that shows how an attacker entered a system, moved within it, and took actions on objectives. A defined window also lets investigators narrow the scope of the investigation, discard unrelated activity and hypotheticals, and concentrate on the period of the attack to obtain useful findings more efficiently. Because the sources involved record time in different formats and time zones, timestamps must be normalised to a single reference (normally UTC) before events from different systems can be ordered against each other.
Matching evidence to the event timeline is crucial for identifying corroborating accounts of the incident: an authentication log on one host should line up with the network connection that produced it and the file access that followed. Outputs of the analysis include system-generated and user-generated files, log entries, and artefacts of the attacker's tools. Forensic investigators then interpret these and draw conclusions based on the facts gathered from the evidence.
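The timeline step described above, as an added example written for this article and not taken from the original page or from Blackpanda's tooling. Three small constructed log extracts (a syslog export with a +08:00 offset, a Windows security-event CSV export in UTC, and a web-server access log) are parsed, normalised to UTC, merged into one ordered timeline, cut down to the incident window, and searched for the first appearance of an indicator. Host names, user names, IP addresses and every log line are constructed; the CSV column order for the Windows export is an assumption, since real exports vary by product.

```python
"""Merge heterogeneous logs into one UTC timeline for the incident window.

Hypothetical example for this article, not Blackpanda's tooling. The log
lines are constructed; the Windows export column order is assumed.
"""
import re
from datetime import datetime, timezone

# Constructed sample evidence. Note the three different timestamp conventions.
SYSLOG = """\
2024-03-10T02:14:07+08:00 jump01 sshd[4121]: Accepted password for svc_backup from 203.0.113.9 port 51022
2024-03-10T02:16:40+08:00 jump01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash
2024-03-10T09:30:00+08:00 jump01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""
WINEVT = """\
2024-03-09 18:20:15Z,4624,FS01,svc_backup,Logon Type 3 from 10.0.0.15
2024-03-09 18:22:51Z,4663,FS01,svc_backup,Read FS01\\Finance\\payroll.xlsx
"""
ACCESS = """\
203.0.113.9 - - [09/Mar/2024:17:58:03 +0000] "GET /owa/ HTTP/1.1" 200 512
203.0.113.9 - - [09/Mar/2024:18:01:22 +0000] "POST /owa/auth.owa HTTP/1.1" 302 0
"""

# Incident window chosen by the analyst (assumed for the example).
WINDOW_START = datetime(2024, 3, 9, 17, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 9, 19, 0, tzinfo=timezone.utc)


def parse_syslog(text):
    """ISO-8601 timestamp with local offset, host, process, message."""
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) (\S+?): (.*)", line)
        if m:
            when = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
            yield when, "syslog:" + m.group(2), m.group(4)


def parse_windows(text):
    """Assumed export layout: 'UTC time,EventID,Host,User,Detail'."""
    for line in text.splitlines():
        ts, event_id, host, user, detail = line.split(",", 4)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, "winevt:" + host, f"EID {event_id} {user}: {detail}"


def parse_access(text):
    """Common Log Format; the bracketed time carries its own offset."""
    for line in text.splitlines():
        m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d+)', line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            yield when, "access:web01", f"{m.group(1)} {m.group(3)} -> {m.group(4)}"


def all_sources():
    """Fresh generators each call, since each can only be consumed once."""
    return [parse_syslog(SYSLOG), parse_windows(WINEVT), parse_access(ACCESS)]


def build_timeline(sources, start=None, end=None):
    """Merge (utc_time, source, message) tuples, sort, and clip to the window."""
    events = [e for src in sources for e in src]
    events.sort(key=lambda e: e[0])
    if start is not None and end is not None:
        events = [e for e in events if start <= e[0] <= end]
    return events


def first_seen(timeline, indicator):
    """Earliest event whose message mentions the indicator, or None."""
    for event in timeline:
        if indicator in event[2]:
            return event
    return None


if __name__ == "__main__":
    for when, source, message in build_timeline(all_sources(), WINDOW_START, WINDOW_END):
        print(when.isoformat(), source.ljust(14), message)
    print("first sighting of attacker IP:", first_seen(build_timeline(all_sources()), "203.0.113.9"))
```

Read in local time, the jump host's 02:14 SSH login looks like it happened after the 18:20 file-server logon; normalised to UTC it is 18:14 and precedes it, which is exactly the ordering error the normalisation step exists to prevent. The cron entry falls outside the window and drops out of the working timeline rather than being mistaken for attacker activity.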
As part of eradicating the threat and preventing future occurrences, a new set of defences is put in place, and a thorough sweep of the entire environment is advised to identify other weak points and any remaining attacker footholds. An action that complements every one of these steps is careful note-taking. Documentation should be detailed enough that the actions taken, and the tools and commands used, can be replicated and reproduced by another person.
5. Reporting
The last step in the process is reporting. The report should identify the source of the breach, the techniques and methodology used to contain and remediate the attack, the evidence collected (with its hashes and chain of custody), and recommendations for stakeholders and decision-makers. The report should be factual and impartial, written in non-technical language so that stakeholders can easily understand it and take the necessary action, with technical detail kept in appendices.
While each company and system is unique and requires its own incident response plan, the steps above serve as a general overview of the digital forensics process. For professional advice on incident response planning suited to your firm's specific needs, schedule a call with one of Blackpanda's cyber incident responders to plan your response.