Digital forensics and incident response — Introduction
Despite the efforts of security teams worldwide, security breaches and incidents continue to occur. To avoid being caught off-guard, the smart approach is to prepare in advance for when an incident takes place. This is why Digital Forensics and Incident Response (DFIR) has become a critical component of Defensive Security.
The field of Digital Forensics and Incident Response encompasses the gathering of forensic evidence from digital devices such as computers, storage devices, and smartphones for the purpose of investigating security incidents. It enables security experts to track the actions of an attacker and assess the extent of the damage, allowing them to bring the impacted environment back to its pre-incident state.
DFIR experts possess a deep understanding of both Digital Forensics and cybersecurity, which they use in combination to achieve their objectives. The two domains are closely linked and interdependent: Incident Response draws on the evidence and conclusions produced by Digital Forensics, while the Incident Response process defines the goals, scope and boundaries of the forensic investigation. In practice the two are inseparable.
The need:
DFIR provides several benefits to security professionals, including:
- Distinguishing actual security incidents from false alarms by locating evidence of attacker activity in the network.
- Thoroughly eliminating the attacker’s presence from the network.
- Determining the scope and duration of a breach, which is needed for accurate communication with stakeholders.
- Uncovering the vulnerabilities that allowed the breach to occur and identifying changes to prevent future incidents.
- Gaining insights into attacker behavior, which helps block future intrusion attempts.
- Sharing information about the attacker with the wider security community.
Jargon
1. Artifacts
Artifacts are indications of actions taken on a system and serve as evidence in the DFIR process. They are gathered to support a conclusion about attacker behavior. For instance, if it’s believed that an attacker utilized Windows registry keys to persist on a system, that registry key can serve as evidence to support this claim. The registry key in this case would be considered an artifact. Collecting artifacts is a crucial step in DFIR, and they can be retrieved from the file system, memory, or network activity of an endpoint or server.
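As an added example (not code from the original article), the script below treats a Windows Run key as exactly this kind of artifact: it parses a .reg export of the autostart keys, the sort of output you would pull from an NTUSER.DAT hive with RegRipper, and flags entries that look like persistence. The export text, the value names and the paths in it are constructed for this example; the two heuristics (program launched from a user-writable directory, PowerShell with an encoded command) are common triage rules, not the only ones.

```python
"""Added example (not from the original article): triage a Windows Run-key
export as a persistence artifact. The .reg text below is constructed."""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"LastVisited"="C:\\Users\\alice\\AppData\\Local\\Temp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"AcmeUpdater"="\"C:\\Program Files\\Acme\\Update.exe\" --background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe"
"WinCheck"="powershell.exe -w hidden -enc SQBFAFgA"
'''

# Values in a .reg export look like "Name"="Data"; backslashes and quotes
# inside Name and Data are escaped with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_KEY_RE = re.compile(r'^\[(.+)\]$')
# Only the autostart keys (Run and RunOnce) are persistence artifacts here.
_AUTOSTART_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE)
# Directories a non-admin user, and therefore malware running as that user, can write to.
_USER_WRITABLE_RE = re.compile(r'\\(?:temp|appdata|users\\public|programdata)\\',
                               re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
_ENCODED_PS_RE = re.compile(r'powershell(?:\.exe)?.*\s-e[a-z]*\s', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_autostart_values(reg_text):
    """Return {value_name: command} for every Run/RunOnce key in a .reg export."""
    entries = {}
    in_autostart = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            # A new [key] header decides whether the values that follow are autostarts.
            in_autostart = bool(_AUTOSTART_RE.search(key.group(1)))
            continue
        val = _VALUE_RE.match(line)
        if in_autostart and val:
            entries[_unescape(val.group(1))] = _unescape(val.group(2))
    return entries


def triage_autostart(entries):
    """Return {value_name: [reasons]} for the entries worth a closer look."""
    flagged = {}
    for name, cmd in entries.items():
        reasons = []
        if _USER_WRITABLE_RE.search(cmd):
            reasons.append("launches from a user-writable directory")
        if _ENCODED_PS_RE.search(cmd):
            reasons.append("PowerShell with an encoded command")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_autostart(parse_autostart_values(SAMPLE_REG_EXPORT)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The flagged entries are leads, not verdicts: a legitimate updater that lives under AppData will trip the first rule, so each hit still has to be corroborated with other artifacts (the file's hash, its creation time, Prefetch entries, the user's logon timeline) before it is written up as evidence.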
2. Chain of custody
Preserving evidence integrity also requires a documented chain of custody: a record of who collected each item, who has held it since, when each handoff happened, and what was done with it. After evidence is collected, it must be kept in secure storage that only people involved in the investigation can access. If the evidence passes through the hands of anyone outside the investigation, the chain is broken and the validity of the data is in question, because unknown variables have been introduced that cannot be accounted for. For example, if a hard drive image travels from the person who acquired it to the analyst by way of someone not qualified to handle evidence, there is no way to show that it was handled properly and not altered. In practice each item is hashed at acquisition (SHA-256 today, often with MD5 alongside for older tooling), and the hash is recorded and re-checked at every transfer so that any alteration is detectable.
3. Order of volatility
(Volatility: The propensity of digital evidence to change or disappear over time. For example, data stored in RAM is volatile and may be lost once power is lost or the system is shut down.)
Digital evidence can be highly volatile and may be lost permanently if not captured promptly. The contents of a computer's memory (RAM) disappear once the machine is powered off, because RAM only retains data while powered. Other sources are far less volatile: a hard drive is persistent storage and keeps its data without power. In DFIR it is therefore important to collect evidence in order of volatility, most volatile first. The conventional order, as laid out in RFC 3227, is registers and cache; routing table, ARP cache, process table, kernel statistics and memory; temporary file systems; disk; remote logging and monitoring data; physical configuration and network topology; and finally archival media. Rebooting or powering off a machine before its memory has been captured destroys the most volatile evidence (running processes, injected code, decrypted keys, live network connections), so capture RAM before imaging the disk.
4. Timeline creation
After collecting the artifacts and ensuring their integrity, it is necessary to present the information they contain in a clear and understandable manner. One effective way of doing this is by creating a timeline of events that arranges all activities in chronological order. This timeline provides a comprehensive view of the investigation and helps to consolidate information from multiple sources to tell a story of what happened.
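The script below is an added example, not code from the original article, of the timeline step: events from three sources with three different timestamp conventions are normalized to UTC and merged into one chronological view. The log lines are constructed for the example, and so are the assumptions they need: the Windows host logs in local time at UTC-05:00, the Linux syslog lines (which carry neither a year nor a zone) were written in 2024 in UTC, and the web server logs with an explicit offset. Getting those zone assumptions wrong is the commonest way a timeline tells the wrong story, which is why they are stated up front as constants.

```python
"""Added example (not from the original article): merge constructed Windows,
Linux and web-server log lines into one UTC timeline."""
import re
from datetime import datetime, timedelta, timezone

WINDOWS_TZ = timezone(timedelta(hours=-5))   # assumed local zone of WORKSTATION01
SYSLOG_YEAR = 2024                            # assumed year for the syslog lines

# Constructed sample: exported Windows events as "timestamp,event_id,host,message"
WINDOWS_EVENTS = """\
2024-03-14 09:14:40,4688,WORKSTATION01,New process powershell.exe -w hidden started by alice
2024-03-14 09:12:05,4624,WORKSTATION01,Logon type 10 for alice from 203.0.113.7
2024-03-14 09:13:10,4720,WORKSTATION01,User account svc_backup created by alice
"""

# Constructed sample: Linux auth.log lines (syslog format, no year, no zone)
LINUX_AUTH = """\
Mar 14 14:15:30 websrv sshd[2210]: Accepted password for www-data from 10.0.0.5 port 51234 ssh2
Mar 14 14:15:31 websrv sshd[2210]: pam_unix(sshd:session): session opened for user www-data
"""

# Constructed sample: Apache access log (Common Log Format, explicit offset)
WEB_ACCESS = """\
10.0.0.5 - - [14/Mar/2024:14:16:02 +0000] "GET /admin/export.php?all=1 HTTP/1.1" 200 5120
"""

_SYSLOG_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')


def parse_windows(text):
    """Windows export: local time without a zone, so attach the assumed zone."""
    for line in text.splitlines():
        ts, event_id, host, msg = line.split(",", 3)
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_TZ)
        yield {"time": local.astimezone(timezone.utc), "source": "windows",
               "host": host, "detail": f"EID {event_id}: {msg}"}


def parse_syslog(text):
    """Syslog: no year and no zone, so supply both from the stated assumptions."""
    for line in text.splitlines():
        m = _SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield {"time": ts.replace(tzinfo=timezone.utc), "source": "linux",
               "host": m.group(2), "detail": m.group(3)}


def parse_clf(text, host="websrv"):
    """Apache CLF carries its own offset, so %z does the conversion."""
    for line in text.splitlines():
        m = _CLF_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield {"time": ts.astimezone(timezone.utc), "source": "web",
               "host": host, "detail": f"{m.group(1)} {m.group(3)} -> {m.group(4)}"}


def build_timeline(windows=WINDOWS_EVENTS, linux=LINUX_AUTH, web=WEB_ACCESS):
    """Return all events from all sources sorted by their UTC time."""
    events = [*parse_windows(windows), *parse_syslog(linux), *parse_clf(web)]
    return sorted(events, key=lambda e: e["time"])


def render(timeline):
    """One line per event, UTC first, so sources can be read side by side."""
    return "\n".join(
        f"{e['time']:%Y-%m-%dT%H:%M:%SZ}  {e['source']:<7} {e['host']:<14} {e['detail']}"
        for e in timeline)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Read top to bottom, the merged output shows the logon on the workstation, the account creation, the hidden PowerShell, then the SSH session on the web server and the bulk export request, a sequence that is invisible when each log is read on its own and in its own clock.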
5. Evidence
Data that supports a claim or hypothesis. Evidence can be in the form of files, system logs, network traffic, or memory dump, among others. For example, system logs that show the attacker accessing sensitive data can be used as evidence of a breach.
6. Forensics Image
An exact, bit-for-bit copy of a storage medium (a hard drive, a USB stick) or of a system's memory, made so that analysis is performed on the copy and the original is never worked on directly. The image is hashed at acquisition, and the hash is verified against the source and again before each analysis session, so any change to the copy can be detected. For example, a forensic image of a hard drive is created to preserve the evidence before a detailed analysis begins.
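The following added example (not from the original article, and not how any particular imaging tool is implemented) ties together the chain-of-custody and forensic-image terms above: it acquires a byte-for-byte image of an evidence source, computes the SHA-256 of the source in the same pass, writes a companion hash file, records each handoff in a custody log, and shows verification failing after a single byte of the image is changed. A 1 MiB constructed byte pattern in a temporary file stands in for the block device that FTK Imager or dd would normally read; the case ID and handler names are made up.

```python
"""Added example (not from the original article): image an evidence source,
hash it, log custody, and detect tampering. Evidence, case ID and handlers
are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024


def sha256_file(path):
    """SHA-256 of a file read in chunks (images can be far larger than RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image byte for byte and return the SHA-256 of what was
    read, so the acquisition hash comes from the same pass as the copy."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())           # make sure the image really hit the disk
    digest = h.hexdigest()
    with open(image + ".sha256", "w") as f:   # companion hash file next to the image
        f.write(f"{digest}  {os.path.basename(image)}\n")
    return digest


def log_custody(log_path, case_id, item, action, handler, digest):
    """Append one chain-of-custody record (JSON lines) with a UTC timestamp."""
    entry = {"case": case_id, "item": item, "action": action, "handler": handler,
             "sha256": digest, "time": datetime.now(timezone.utc).isoformat()}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image, expected_digest):
    """True only if the image still hashes to the acquisition digest."""
    return sha256_file(image) == expected_digest


def demo():
    """Run the whole flow in a temp dir.
    Returns (acquisition_hash, verified_ok, verified_after_tamper)."""
    work = tempfile.mkdtemp()
    src, img, log = (os.path.join(work, n)
                     for n in ("evidence.bin", "evidence.dd", "custody.jsonl"))
    with open(src, "wb") as f:           # constructed evidence: 1 MiB repeating pattern
        f.write(bytes(range(256)) * 4096)
    digest = acquire_image(src, img)
    log_custody(log, "CASE-0001", "evidence.bin", "acquired", "examiner A", digest)
    # At handoff the receiver re-hashes and logs what they actually received.
    log_custody(log, "CASE-0001", "evidence.dd", "handed to analyst", "examiner B",
                sha256_file(img))
    ok = verify_image(img, digest) and digest == sha256_file(src)
    with open(img, "r+b") as f:          # simulate one byte corrupted in transit
        f.seek(1234)
        f.write(b"\x00")
    return digest, ok, verify_image(img, digest)


if __name__ == "__main__":
    digest, ok, after = demo()
    print(f"acquisition sha256 {digest}\nverified: {ok}\nafter tamper: {after}")
```

Two design points matter here. The acquisition hash is computed from the bytes as they are read, not by re-reading the source afterwards, because a failing drive may not return the same bytes twice; and every custody entry stores the hash the handler observed, so a mismatch between consecutive entries pinpoints the handoff where the evidence changed.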
Digital forensics
Digital Forensics is the process of collecting, preserving and analyzing electronic data to investigate a crime or determine the cause of a security breach. It draws on evidence from sources such as computer systems, hard drives, mobile devices, and network logs. That evidence is used to identify the cause of an incident, determine the extent of the damage, and support legal or internal investigations. Its main objectives are to preserve the integrity of the evidence, analyze and report the findings accurately, and protect the confidentiality and privacy of sensitive information. Digital Forensics is an interdisciplinary field that combines knowledge from computer science, law, and criminal justice to provide a systematic approach to the investigation of digital incidents.
Types of digital forensics
1. Host-based forensics
   - File and disk analysis
   - OS analysis
2. Network-based forensics
Incident Response process
The most common use of Digital Forensics in Security Operations is in conducting Incident Response. In this section we will examine the Incident Response process and how Digital Forensics contributes to it.
SANS has published an Incident Handler's Handbook. The handbook defines the steps as follows:
1. Preparation
In order to be ready for an incident, proper preparation needs to take place. This involves having the necessary personnel, procedures, and technology in place to both prevent and respond to potential incidents.
2. Identification
In the identification phase, signs of an incident are recognized through various indicators. The indicators are then evaluated for false alarms, documented properly, and communicated to the relevant parties who are involved. This helps ensure that the right individuals and resources are alerted and ready to respond to the incident.
3. Containment
The goal of the containment phase is to stop the incident from causing further harm and to cut off the attacker's access to the network or systems. This can be done by isolating the affected systems, shutting down or disabling access to services, or by introducing network segmentation or firewall rules. Identifying the malware or attacker tooling present on the affected systems starts here, though removing it completely belongs to the eradication phase. Throughout containment, the affected systems and networks need continuous monitoring to confirm that the attacker has not regained a foothold.
4. Eradication
Once the threat has been effectively contained, steps must be taken to remove it completely from the network. It’s crucial to perform a thorough forensic analysis to understand the threat and ensure that it’s completely eliminated, as any missed steps could leave the network vulnerable to future attacks. For instance, if the entry point used by the attacker is not sealed, the threat will not be fully eradicated, and the attacker may regain access to the network.
5. Recovery
Once the threat has been eradicated, the affected systems and services are restored to normal operation. The recovery process should be documented so that the cause and effects of the incident are understood, and it should aim to return services to a better state than before the incident, applying what was learned so that the same incident does not recur.
6. Lessons Learned
This last phase, the post-incident review, is critical in making sure that the same incident doesn't occur again. The lessons learned are incorporated into the process to improve the overall incident response capability of the organization. The review identifies areas that need improvement in terms of technology, process, and people. This phase is also an opportunity for organizations to demonstrate the effectiveness of their incident response processes to stakeholders, including customers and regulators.
Tools
- Eric Zimmerman’s tools
- Autopsy
- Volatility
- Velociraptor
- Redline
- KAPE
- FTK Imager
- bulk_extractor
- Exiftool
- Scalpel
- RegRipper
- WinprefetchView
- ShellBags Explorer
- USBView
- NetworkMiner
- etc…