Practically, conducting digital forensics analysis is the procedure of investigating security alerts or suspicions of malicious activity in a computer network.
I like to think of DFIR as a procedure analogous to a military debriefing.
When fighter pilots return from an operative mission, they immediately conduct a debrief, which covers the objectives, what worked and what didn’t, and exactly how the next mission will be improved upon to complete each objective. Digital Forensics is really no different and here's why ...
By examining a breach or an attacker’s infiltration, one can understand what enabled to detect the attacker, what misconfigurations or lack of security measures could allow the attack to take place, and what can be concluded from the attack for remediation purposes.
The Art of Evidence Collection
As the goal of each investigation is to understand an event better, it’s important to closely investigate facts and artifacts during the process. The art of evidence collection is a thing on its own. It is the first step in each investigation, and basically the process of identifying the potential data sources, and acquiring the relevant data from these resources, that pieces the story together.
This is not an easy task as there is a huge variety of such resources. A small amount of information can lead one to missed key points or events and that will create "holes" in your incident timeline. Too much data is another common pitfall typically leading to a bigger mess, with a lot of regular user-activity background noise, which is often a distraction. Therefore, a balance between these two situations is critical. An example of this approach was well documented in a recent Red Team exercise we conducted for a large bank.
Time is of The Essence
Time is key in the discipline of data collection. If reaction time is slow and manual, the chances are very high that one will lose volatile data, such as running processes, network connection, and so on. In addition, collecting evidence should include the element of time-stamping, which helps an incident handler build an organized timeline to review in a debrief situation.
Tag Each Category of Evidence
Each incident stands for itself and requires different data to be collected, from different resources. For example; An employee who wants to steal documents from a file server, a ransomware which tries to encrypt files on a local computer, or an adversary which conducts a lateral movement across the network to get to a specific asset all leave different traces that should be categorized uniquely.
Best-in-Class Real-Time Forensics
Putting DFIR tools into the hands of our clients and training users to launch investigations is paramount to illusive networks. Our module collects rich forensic evidence from the source of the attack, once an attacker is detected or on-demand. Acquiring forensic information is done automatically and consists of both volatile and non-volatile data. The collected evidence is always time-stamped, which allows our customers to correlate everything on a chronological timeline.
Be sure to come back and read our next DFIR blog as we take a closer look at Timeline Forensics.
Want to catch us in person? Register for the 2017 SANS Threat Hunting & Incident Response Summit as we take center stage to teach you how to hunt and response techniques to identify and stop an attack in motion.