Secrets of Effective Cyber Forensics Investigation and Data Collection

Quick and efficient responses to collect data from a compromised computer…

Some companies empanel cyber-forensic experts to investigate cyber incidents and perform root-cause analysis. However, such consultants may not always be available immediately, because of prior commitments or because contracts and paperwork must be completed before an investigation can start. The affected company is then unable to complete incident response, relevant data collection, and recovery procedures on time.

The objective of collecting digital evidence is to identify, preserve, recover and analyze it. Internal teams should be equipped to perform these tasks and to advise senior management on the next course of action. This blog explains some best practices, with illustrative examples of recommended measures in three scenarios.

The process:

Isolating the infected system from the network is standard practice. This protects the system from further damage and ensures that other systems on the network are not affected. The next step is to collect and acquire relevant data from the system in a manner that confirms its completeness and integrity. Various proprietary and freeware tools are used for this purpose, e.g. AccessData FTK Imager/FTK Imager Lite, EnCase Imager, and The Sleuth Kit with Autopsy. They are available in both portable and installable versions and should be used in adherence to the organization’s security policy and its approved methods of accessing and collecting data in a forensically sound and legally acceptable manner.

The installable versions of forensic data acquisition tools occupy space on the storage media and in RAM, overwriting previously resident data and processes that may be of evidentiary value, in addition to consuming system resources. Installing tools on the compromised system to capture data is therefore not a good option. The alternative is to plug in the portable version, which consumes minimal memory and significantly reduces the probability of overwriting any existing critical process or data.
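As an added example (not from the original post and not code from any of the tools named above), the following Python script shows the integrity check that the acquisition step calls for: it hashes the acquired image in chunks, records the digest together with who acquired what and when in a manifest beside the image, and re-verifies the image later. The sample image, the examiner name and the manifest layout are constructed for illustration.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a large image never has to fit in RAM

def hash_file(path):
    """Return the size and SHA-256 of a file, streamed in chunks."""
    sha256, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(block)
            size += len(block)
    return {"size": size, "sha256": sha256.hexdigest()}

def write_manifest(image_path, examiner, source):
    """Record the acquisition hash together with who acquired what, and when."""
    manifest = {
        "image": os.path.basename(image_path),
        "source": source,  # e.g. "physical drive 0 via write blocker"
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        **hash_file(image_path),
    }
    manifest_path = image_path + ".manifest.json"
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path

def verify_image(image_path, manifest_path):
    """Re-hash the image and compare size and digest with the recorded values."""
    with open(manifest_path) as fh:
        recorded = json.load(fh)
    current = hash_file(image_path)
    return all(current[k] == recorded[k] for k in ("size", "sha256"))

def demo(image_path="sample.dd"):
    """Constructed sample image (random bytes, not a real drive): verify, flip one byte, verify again."""
    with open(image_path, "wb") as fh:
        fh.write(os.urandom(2 * CHUNK + 17))
    manifest = write_manifest(image_path, "examiner-placeholder", "constructed sample")
    before = verify_image(image_path, manifest)
    with open(image_path, "r+b") as fh:
        fh.seek(100)
        original = fh.read(1)
        fh.seek(100)
        fh.write(b"\x00" if original != b"\x00" else b"\x01")
    return before, verify_image(image_path, manifest)
```

Calling `demo()` returns `(True, False)`: the untouched image verifies, and a single changed byte is enough for the re-verification to fail.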

Let us look at some approaches for data collection from the affected systems.

Scenario 1

Capturing and analyzing the state of an active system, including its processes, network connections, and session IDs, may be appropriate in certain scenarios. This information can be retrieved from the system’s random access memory (RAM) and helps the forensic examiner identify the incident’s root cause. Hence, acquiring RAM data alone may suffice, saving time and avoiding unnecessary storage requirements. Freeware utility bundles can be used to collect, monitor and investigate the data in such scenarios. It is advisable to check that the utility can record the system’s running processes, save results in CSV format, include file signatures to validate authenticity, and display file-scan status from virus databases.

Scenario 2

System triaging may be employed if the data collection requirements differ from the previous scenario. This method is useful for searching, categorizing and capturing selected data from both volatile (RAM) and non-volatile (hard disk) storage of compromised systems, and the systems’ functionality is not affected by the collection process. Freeware utilities with data collection profiles can be run from portable devices plugged directly into the live systems to search, filter, collect and process the relevant data.

Scenario 3

In this scenario, ransomware or other malicious executables are present on the compromised system. The system should be kept disconnected and switched off to prevent data loss, data exfiltration, and further damage. Since malicious code may still be present on the system, data can be acquired through either of the following methods:

  1. Remove the hard drive(s) from the system and capture the entire physical or logical drive through a write blocker.
  2. Boot the system from forensic bootable media, keeping it disconnected from the network, and acquire the desired data.

These bootable tools support acquisition of the entire disk or of selected data without system login credentials; paid versions also support key-based acquisition of encrypted hard disks.

Log Data Overview

The impacted system’s data may not be sufficient to perform a root cause analysis. Hence, the following sources are recommended for a successful root cause analysis.

A) Firewall logs
B) Router/switch logs
C) System event/syslog
D) Application logs
E) Database logs
F) Antivirus logs
G) VPN logs
H) Secure web gateway (proxy) logs
I) Intrusion detection system logs
J) Intrusion prevention system logs

Other logs of potential evidentiary value to any forensic/incident investigation are audit logs, transaction logs, connection logs, system performance records, user activity logs, various alerts and messages, and SIEM logs.
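As an added example (not from the original post), this Python script shows why the sources above are combined: it merges constructed firewall, proxy, syslog and antivirus lines into one timeline around an antivirus alert, filtered to the affected host. The log formats, host names and addresses are assumptions made for illustration, and every source is assumed to log in UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the style of four of the sources listed above. The
# formats, hosts and addresses are assumptions for this example, not any vendor's
# real format, and every source is assumed to log in UTC.
FIREWALL = [
    "2019-02-21T10:15:02Z fw01 ALLOW src=10.0.5.23 dst=203.0.113.9 dport=443",
    "2019-02-21T09:05:11Z fw01 ALLOW src=10.0.5.40 dst=198.51.100.7 dport=80",
]
PROXY = [
    "2019-02-21 10:15:03 10.0.5.23 GET http://203.0.113.9/upd.bin 200 application/octet-stream",
]
SYSLOG = [
    "Feb 21 10:14:58 ws-23 sshd[1200]: Accepted password for admin from 10.0.5.99",
    "Feb 21 08:00:01 ws-23 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
ANTIVIRUS = [
    "2019-02-21T10:15:40Z av ws-23 10.0.5.23 quarantined C:\\Temp\\upd.bin",
]

def parse_iso(line):
    return datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_proxy(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_syslog(line, year=2019):
    # classic syslog omits the year, so the incident year is supplied as an assumption
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)

SOURCES = [("firewall", FIREWALL, parse_iso), ("proxy", PROXY, parse_proxy),
           ("syslog", SYSLOG, parse_syslog), ("antivirus", ANTIVIRUS, parse_iso)]

def build_timeline(pivots, anchor, before=timedelta(minutes=5), after=timedelta(minutes=5)):
    """Merge every source into one UTC-ordered timeline, keeping only lines that
    mention one of the pivot strings (host name or IP) within the window around
    the anchor event. Returns a list of (timestamp, source, line)."""
    events = []
    for name, lines, parse in SOURCES:
        for line in lines:
            ts = parse(line)
            if any(p in line for p in pivots) and anchor - before <= ts <= anchor + after:
                events.append((ts, name, line))
    return sorted(events)

if __name__ == "__main__":
    anchor = parse_iso(ANTIVIRUS[0])  # start from the alert and look around it
    for ts, source, line in build_timeline({"ws-23", "10.0.5.23"}, anchor):
        print(ts.strftime("%H:%M:%S"), f"{source:9}", line)
```

Run stand-alone, it prints the login, the outbound connection, the proxy download and the quarantine in time order, which is the sequence no single system's data would have shown.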

The crux of incident investigation lies in identifying, handling, collecting and analyzing the relevant data in order to decide on the control objectives of any such activity.

Posted by Abhishek Tripathi

Manager - Cyber Forensics, Cyber Security, ReBIT

on 21 February 2019