Welcome back to the second installment of our DFIR blog! If you didn’t read Introduction to Digital Forensics and Incident Response, check it out first.
Let’s get started on our next chapter, Timeline Analysis and Time Stamped Forensics.
A Chapter from Your Favorite Crime Novel
In one of his blog posts, Corey Harrell described timeline analysis as a "great technique to determine the activity that occurred on a system at a certain point in time". When referring to DFIR, we would take it one step further: timeline analysis is necessary for effective incident response.
Imagine you’re a detective investigating a crime scene. A murder occurred in a hotel and you collected all the evidence – obvious and microscopic. You now have more information than you can process: the time-stamped history of the victim's room keycard, camera recordings of the victim's public movements, phone logs from the hotel room, and reported sightings from hotel staff.
To understand what really happened, to identify the killer, and to find the murder weapon, you first need to identify the original confrontation. You need a simple, chronological order of events. You need a proper timeline.
Digital forensic investigations work the same way.
In the aftermath of a security incident or breach, the responsible teams retrieve a lot of information from multiple sources: the time-stamped history of file system changes, digital recordings of the actions performed on the computer, and reported details from users.
Once you have all the relevant data, you need to organize these pieces of information into one complete timeline, which will assist you with the analytical process. To avoid wasting your time, you need a tool that automatically organizes your timeline.
Digital Evidence Collection
As there are noteworthy parallels between homicide investigations and digital forensic investigations, let's continue with the above analogy.
Once a physical crime takes place, collected forensics are only useful if they are both accurate and quickly retrievable. If the killer discarded the murder weapon into a trash can that is emptied every hour, the weapon will likely not be included in the gathered evidence. If forensics are not collected immediately, pieces of evidence can be compromised, destroyed, or (even worse) discovered when it’s too late to take action. If a robot automatically appeared at every crime scene and collected all the relevant information in a forensically sound manner, detectives would solve more crimes, and solve them far faster.
Digital forensic investigators feel exactly the same way: after a security incident, collecting the relevant logs as soon as possible makes the investigation and analysis so much easier. With every second that ticks by, more of the necessary digital evidence (mainly volatile data) can disappear and highly important information can be lost.
When building a timeline of collected digital event artifacts, each artifact must include its source, a time stamp, and its timing relative to the alert. For example, a process running on the compromised machine would appear on the forensic timeline as having been started on ENDPOINT41 on 20/01/2017 at 13:43:52, which was 0 hours, 6 minutes, and 24 seconds before the alert was triggered.
On the timeline, each forensic artifact is inserted according to its timestamp. This allows investigators to find suspicious events that might have caused the incident.
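As an added illustration (not code from this post or from illusive), here is a small Python timeline builder for artifacts like the ENDPOINT41 process event above: it normalizes time stamps that arrive in different formats from different sources, sorts them chronologically, and labels each with its offset from the alert. The artifact list and the alert time are constructed sample data, and all sources are assumed to report in the same time zone.

```python
from datetime import datetime, timedelta

# Constructed sample artifacts (hypothetical, not taken from the post).
# Each source reports its time stamp in its own format, as real tools do.
ARTIFACTS = [
    {"source": "ENDPOINT41", "event": "process start: powershell.exe",
     "ts": "20/01/2017 13:43:52", "fmt": "%d/%m/%Y %H:%M:%S"},
    {"source": "FILESYSTEM", "event": "file created: C:\\Users\\Public\\run.bat",
     "ts": "2017-01-20T13:43:40", "fmt": "%Y-%m-%dT%H:%M:%S"},
    {"source": "NETWORK", "event": "outbound connection from ENDPOINT41",
     "ts": "Jan 20 2017 13:44:10", "fmt": "%b %d %Y %H:%M:%S"},
    {"source": "USER_REPORT", "event": "user reports unexpected pop-up window",
     "ts": "20/01/2017 13:55:00", "fmt": "%d/%m/%Y %H:%M:%S"},
]

# Constructed alert time: 6m 24s after the ENDPOINT41 process event, matching the post.
# Assumes every source reports in the same time zone (normalize to UTC first in practice).
ALERT_TIME = datetime(2017, 1, 20, 13, 50, 16)


def parse_artifact(artifact):
    """Convert a raw artifact into a normalized row with a datetime object."""
    return {"source": artifact["source"], "event": artifact["event"],
            "time": datetime.strptime(artifact["ts"], artifact["fmt"])}


def offset_label(event_time, alert_time):
    """Describe an event's timing relative to the alert, e.g. '0h 6m 24s before alert'."""
    delta = event_time - alert_time
    secs = int(abs(delta.total_seconds()))
    if secs == 0:
        return "at alert"
    hours, rem = divmod(secs, 3600)
    minutes, seconds = divmod(rem, 60)
    side = "before" if delta < timedelta(0) else "after"
    return f"{hours}h {minutes}m {seconds}s {side} alert"


def build_timeline(artifacts, alert_time):
    """Normalize, sort chronologically, and annotate each artifact relative to the alert."""
    rows = sorted((parse_artifact(a) for a in artifacts), key=lambda r: r["time"])
    for row in rows:
        row["offset"] = offset_label(row["time"], alert_time)
    return rows


if __name__ == "__main__":
    for row in build_timeline(ARTIFACTS, ALERT_TIME):
        print(f'{row["time"]:%Y-%m-%d %H:%M:%S}  {row["source"]:<12} '
              f'{row["offset"]:<24} {row["event"]}')
```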
The Answer: illusive networks
Remember that robot that lives in the dreams of digital forensics investigators? Stop dreaming because that solution is real!
When using illusive, a security team immediately gets all necessary post-incident information, gathered in a forensically sound manner.
When attackers try to execute malicious activity, illusive slows down their connections while its real-time forensics module automatically collects all the relevant artifacts from the compromised machine and sends them back for analysis.
The collected forensic evidence is correlated with the event's time stamp and can assist with the incident response process.
In addition, automated analyzers kick in and find rogue activity within collected forensics.
The Bottom Line
Security incident response is incomplete without a speedy and accurate forensic timeline such as what illusive offers. These world-class forensic tools will enable you and your fellow investigators to focus on solving crimes quickly and efficiently.
Mark your calendar and register for the 2017 SANS Threat Hunting & Incident Response Summit as we take center stage to teach you best practice response techniques to catch attackers in the network. Can’t make it? We’ll be at other events in 2017 – come visit us! Follow us on Twitter @illusivenw and on Facebook.
WE WANT TO SEE YOU AT RSAC 2017!
NORTH HALL BOOTH 4509 | SOUTH HALL BOOTH 2831