Cyber forensics: taking tips from a detective’s playbook
Jayne Friedland Holland
You approach the scene, taking the first steps to determining what happened and how to prevent it in the future. Following your training, you secure the area, conduct a scan of the scene, take photos to maintain a permanent record of the scene as you found it, and begin collecting and evaluating physical evidence.
You are not, however, a detective or criminal investigator. You’re approaching the scene of a cyber-attack. While you won’t put up crime scene tape or dust for fingerprints, there are striking similarities between a crime scene investigation and cybercrime forensics. With IBM reporting 1.5 million U.S. cyber-attacks monitored in 2013, IT and security professionals can take a few tips from law enforcement about securing, assessing and reporting at a cyber-attack crime scene.
Approach, secure and protect
For any detective, the first steps at a crime scene include a scan of the area -- what is out of place, initial observations about how the incident occurred -- quickly followed by securing the scene, establishing boundaries with tape and limiting entry and exit points. The same holds true in cybercrime forensics.
Should a cyber-attack occur in your organization, first assess the business impact: What has occurred? How did the attack happen? Have appropriate steps been taken to contain the immediate threat? How severe is the incident? Has confidential information been compromised? During this assessment, establish the virtual crime scene “boundaries,” quickly identifying which systems or servers are affected and which data on them is volatile and which is not. Volatile data (memory contents, running processes, open network connections, logged-in sessions) is lost the moment a machine is powered off or rebooted, so capture it first, and take containment steps such as pulling a power cord only after considering what evidence they would destroy. Then assess the non-volatile or static data stored on hard drives, which survives a shutdown and can be imaged afterward.
As in a physical crime scene, cyber forensics includes securing physical evidence and piecing together a timeline. While physical evidence may not include footprints or shell casings, it is important to secure both hardware and software to find and review evidence left behind.
Use forensic imaging to preserve the affected systems: take a bit-for-bit image of each drive (through a hardware write blocker, so the original is never altered), capture memory, record the network state (active connections, listening services, ARP and DNS caches) and collect whatever packet captures or flow records cover the time of the incident. That way, an exact copy of the breached systems as they stood when the investigation began is preserved for analysis even if they are changed later; do all analysis on working copies of the images, never on the originals. Then evaluate all available information sources, such as log files, network traffic, external devices that may have been used (e.g., thumb drives), virtual machines, physical systems and databases.
Just as packaging and marking physical evidence correctly at a crime scene is crucial, cyber forensics professionals must follow the data collection process exactly to prevent errors or information being inadvertently modified. Each collected item, whether a disk image, memory capture or exported log, should be “fingerprinted” with a one-way hash, a cryptographically sound, non-reversible algorithm such as SHA-256 (avoid MD5, which is no longer collision resistant). Any change to the data, even a single bit, yields a different digest, so a fingerprint recorded at the moment of collection can be recomputed much later to prove that the evidence is unchanged. This is especially important if evidence eventually will be used in prosecuting the responsible individual or group. Accordingly, an appropriate evidence collection process and maintenance of the evidence chain of custody, a dated log of who collected, held and handled each item, is critical.
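As an added illustration (not code from the article or from NIC Inc.), the following Python script hashes a collected image in streamed chunks, writes the digest into a chain-of-custody manifest alongside the custody history, and later re-verifies the image. The file names, collector names and custody-event fields are assumptions, and the “disk image” is a constructed stand-in.

```python
"""Fingerprint collected evidence with SHA-256 and keep a chain-of-custody
manifest that lets anyone re-verify integrity later.

Added example, not code from the original article. File names, the manifest
layout and the custody-event fields are assumptions for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-gigabyte images never sit in memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_collection(path: str, collector: str, note: str) -> dict:
    """Create the initial chain-of-custody record for one evidence item."""
    return {
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "custody": [
            {
                "event": "collected",
                "by": collector,
                "at": datetime.now(timezone.utc).isoformat(),
                "note": note,
            }
        ],
    }


def add_custody_event(record: dict, event: str, by: str, note: str = "") -> None:
    """Append a transfer/analysis event; the digest never changes, only the history grows."""
    record["custody"].append(
        {"event": event, "by": by, "at": datetime.now(timezone.utc).isoformat(), "note": note}
    )


def verify(record: dict, path: str) -> bool:
    """Recompute size and digest and compare with what was recorded at collection."""
    return os.path.getsize(path) == record["size_bytes"] and sha256_file(path) == record["sha256"]


def demo() -> tuple:
    """Collect a constructed 'disk image', verify it, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "ws-42-sda.dd")        # constructed stand-in for a disk image
        with open(image, "wb") as f:
            f.write(b"MBR" + b"\x00" * 4093 + b"evidence")
        rec = record_collection(image, "j.holland", "imaged via write blocker")  # assumed names
        add_custody_event(rec, "transferred", "lab-analyst", "sealed bag #17")  # assumed detail
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(rec, f, indent=2)                  # the manifest travels with the evidence
        ok_before = verify(rec, image)
        with open(image, "r+b") as f:                    # simulate a one-byte change after collection
            f.seek(4096)
            f.write(b"E")
        ok_after = verify(rec, image)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The manifest is what a second examiner or opposing expert uses to confirm they are working from the same bytes; keep it, and any later custody entries, separate from the image so that the image itself is never opened for writing.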
In a physical crime scene, detectives perform fingerprint analyses, collect physical evidence for DNA testing and prepare toxicology reports. After a cyber-attack, IT specialists should:
- Forensically recover artifacts from collected images, analyze them and identify characteristics to produce a detailed timeline of what occurred.
- Examine the current environment to show how applications, servers and devices were configured or patched at the time of the event.
- Conduct a detailed analysis of file systems and memory images to determine whether any unusual files are present, unusual processes are running or suspicious network connections are open. This analysis may lead the response team to additional information sources. Be prepared for multiple rounds of collection and analysis before the investigation closes.
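The analysis steps above, as an added worked example that is not part of the original article: the Python below normalizes constructed artifacts from two sources (a syslog-format auth log recorded in the host's local time and filesystem modification times exported as epoch seconds) into one UTC timeline, then flags entries in a constructed process-and-connection snapshot that execute from a temp directory, use an unexpected service port or borrow a kernel-thread name. The host name, log year, time zone, paths and ports are all assumptions.

```python
"""Merge artifacts from several sources into one UTC timeline and flag
suspicious processes/connections in a snapshot.

Added example, not from the original article. All input records below are
constructed; host name, log year, time zone, paths and ports are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# --- constructed inputs ---------------------------------------------------
AUTH_LOG = """\
Mar  3 02:14:07 ws-42 sshd[2214]: Accepted password for svc_backup from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:09 ws-42 sudo: svc_backup : TTY=pts/1 ; PWD=/home/svc_backup ; COMMAND=/bin/bash
"""
LOG_YEAR = 2014                            # syslog lines carry no year (assumed from the case file)
LOG_TZ = timezone(timedelta(hours=-6))     # host clock offset noted at collection (assumed)

# filesystem metadata as an imaging tool might export it: (path, mtime as epoch seconds, UTC)
FS_RECORDS = [
    ("/tmp/.x/kworker", 1393834462),       # 2014-03-03 08:14:22 UTC
    ("/etc/cron.d/backup", 1393834471),    # 2014-03-03 08:14:31 UTC
]

# process/connection snapshot: (pid, name, exe, direction, local port, remote addr:port)
SNAPSHOT = [
    (2214, "sshd", "/usr/sbin/sshd", "in", 22, "203.0.113.9:51022"),
    (3090, "kworker", "/tmp/.x/kworker", "out", 49211, "198.51.100.7:4444"),
    (1102, "nginx", "/usr/sbin/nginx", "in", 443, "192.0.2.5:53311"),
]

# --- timeline -------------------------------------------------------------
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_syslog(text, year, tz):
    """Parse syslog-style lines; convert the host-local timestamp to UTC."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                       # keep going past lines we cannot parse
        mon, day, hms, _host, prog, msg = m.groups()
        local = datetime.strptime(f"{year}-{MONTHS[mon]:02d}-{int(day):02d} {hms}",
                                  "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        events.append((local.astimezone(timezone.utc), f"auth.log/{prog}", msg))
    return events


def fs_events(records):
    """Turn (path, epoch mtime) pairs into timeline events."""
    return [(datetime.fromtimestamp(ts, tz=timezone.utc), "fs/mtime", f"modified {path}")
            for path, ts in records]


def build_timeline(*sources):
    """Merge event lists from any number of sources, ordered by UTC time."""
    return sorted((e for src in sources for e in src), key=lambda e: e[0])


# --- snapshot triage ------------------------------------------------------
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable locations
EXPECTED_PORTS = {22, 80, 443}                        # services this host is known to use (assumed)


def service_port(direction, lport, remote):
    """The port that identifies the service: ours for inbound, theirs for outbound."""
    return lport if direction == "in" else int(remote.rsplit(":", 1)[1])


def flag_snapshot(snapshot):
    """Return (pid, name, reasons) for entries that look out of place."""
    findings = []
    for pid, name, exe, direction, lport, remote in snapshot:
        reasons = []
        if exe.startswith(SUSPECT_DIRS):
            reasons.append(f"executable under {exe.rsplit('/', 1)[0]}/")
        port = service_port(direction, lport, remote)
        if port not in EXPECTED_PORTS:
            reasons.append(f"unexpected service port {port} ({direction}bound to {remote})")
        if name.startswith("kworker") and exe:
            reasons.append("kernel-thread name but backed by an on-disk executable")
        if reasons:
            findings.append((pid, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for when, source, what in build_timeline(parse_syslog(AUTH_LOG, LOG_YEAR, LOG_TZ),
                                             fs_events(FS_RECORDS)):
        print(f"{when.isoformat()}  {source:<14} {what}")
    for pid, name, why in flag_snapshot(SNAPSHOT):
        print(f"FLAG pid={pid} {name}: {why}")
```

Two details matter more than the code: every source must be converted to one clock (here UTC, with the host's offset taken from the collection notes) before events are interleaved, or the login will appear to follow the files it created; and the snapshot heuristics point the next round of collection (here, at the file under /tmp and the outbound connection), which is why the text warns to expect several cycles of collection and analysis.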
Drafting the narrative
The information you gather may be needed weeks, months or even years later if the crime is prosecuted. Therefore, document the investigation in a thorough report of the steps taken to collect, extract and analyze the information. To better defend any challenge to statements of fact made in the account, the report should include information on how the artifacts used in analysis were recovered from collected data. The report should be detailed enough to allow another expert to start from a duplicate copy and follow the steps in the report to reach the same results.
If the report is part of the legal process, it also might include a credentialed expert’s conclusions as supported by the facts in the report and the expert’s investigative background. The report should answer the questions identified as critical during the investigation, and it should state plainly where no evidence was found to support a claim. This is especially important in data breach investigations, where the desired outcome of the forensic analysis is often a finding of no evidence that sensitive data was accessed or compromised; such a finding is only persuasive if the report shows which sources were examined, how, and over what period.
Preparing for the future
In today’s digital age, the question is “when,” not “if” you will be a victim of a cyber-attack. An IT or security team can take these steps to enhance the investigative and cybercrime forensic process:
- Have a data classification policy in place to identify requirements for handling specific datasets and how that information should be secured and appropriately destroyed as required by state or federal law.
- Provide employees with security training. Ongoing staff training must not only address how to best secure hardware, software and the environment, but also the human element -- who has access, what development and maintenance procedures are in place and how are employees trained to handle sensitive information?
- Draft and distribute an incident response plan so all parties understand the appropriate steps required to handle a security issue or cyber-attack effectively and expeditiously. Don’t wait until an attack occurs to make up the playbook -- have it ready and make sure everyone in the organization understands the role they play in identifying, reporting and responding to a security issue.
Jayne Friedland Holland is the chief security officer and associate general counsel at NIC Inc., a provider of eGovernment services. She speaks regularly to government regarding sound cyber security procedures. She can be reached at [email protected]