DF - Techknowledge - 3 Module
Digital Forensics (MU)

Introduction to Digital Forensics

1.1 Digital Forensics Definition, Digital Forensics Goals, Digital Forensics Categories - Computer Forensics, Mobile Forensics, Network Forensics, Database Forensics. Introduction to Incident - Computer Security Incident, Goals of Incident Response, CSIRT, Incident Response Methodology, Phase after detection of an incident.

1.1 Digital Forensics Definition

1.1.1 What is Digital Forensics?

Digital forensics is the collection, preservation, analysis and presentation of computer-related evidence. It determines the past actions that have taken place on a computer system using computer forensic techniques. Digital/computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.

1.1.2 Why is Digital Forensics Important?

1. A few criminals are becoming smarter, so they use data-hiding techniques, which include encryption and steganography. The evidence of criminal activity is placed in such a way that traditional search methods cannot find it.
• Encryption : Scrambling data, for example an e-mail message, so that it cannot be read by an interceptor.
• Steganography : Hiding a message inside a larger file, typically a photographic image or a sound file.

2. Computer forensics isn't just about "detective work", that is, searching for and trying to find out information. Computer forensics is also concerned with :
• Handling sensitive data responsibly and confidentially.
• Taking precautions not to nullify findings by corrupting data.
• Taking precautions to make certain of the integrity of the information.
• Staying within the regulations and guidelines of evidence.

1.1.3 Digital Forensic Process Steps

For a forensic investigation there are the following four common steps :
1. Collection
2. Examination
3. Analysis
4. Reporting

Fig. 1.2.1 : The forensic process
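The collection and examination steps both require that the integrity of the evidence and the chain of custody be preserved. The following Python script is an added example, not code from the textbook: it hashes an item at acquisition, records every hand-off, and re-verifies the hash before examination, so that a modified working copy is detected and the failed check itself becomes part of the record. The item identifiers, handler names, timestamps and the "disk image" bytes are all constructed for illustration.

```python
"""Evidence integrity and chain-of-custody ledger (added example, not from the textbook).

Collection: hash the item exactly as acquired and open a custody record.
Examination: re-hash the working copy and compare before any analysis.
Reporting: render the item and its complete custody trail.
All identifiers, names, timestamps and file bytes below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str       # ISO-8601 UTC timestamp
    action: str     # "acquired", "transferred", "verified" or "VERIFY-FAILED"
    handler: str    # person performing the action
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    custody: List[CustodyEntry] = field(default_factory=list)

    def log(self, action: str, handler: str, note: str = "",
            when: Optional[str] = None) -> None:
        """Append one chain-of-custody entry; the list is only ever appended to."""
        stamp = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.custody.append(CustodyEntry(stamp, action, handler, note))


def acquire(item_id: str, description: str, data: bytes, handler: str,
            when: Optional[str] = None) -> EvidenceItem:
    """Collection step: hash the item as acquired and open its chain of custody."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.log("acquired", handler, "sha256=" + item.acquisition_hash, when)
    return item


def verify(item: EvidenceItem, data: bytes, handler: str,
           when: Optional[str] = None) -> bool:
    """Examination step: re-hash the working copy and compare with the acquisition hash.

    The outcome is logged either way, so a failed check is part of the record
    rather than a silent retry.
    """
    digest = sha256_hex(data)
    ok = digest == item.acquisition_hash
    item.log("verified" if ok else "VERIFY-FAILED", handler, "sha256=" + digest, when)
    return ok


def custody_report(item: EvidenceItem) -> str:
    """Reporting step: JSON rendering of the item and its complete custody trail."""
    return json.dumps({
        "item_id": item.item_id,
        "description": item.description,
        "acquisition_hash": item.acquisition_hash,
        "custody": [entry.__dict__ for entry in item.custody],
    }, indent=2)


# Constructed sample data: a tiny stand-in for a disk image, and a copy with one byte altered.
ORIGINAL_IMAGE = b"NTFS    " + b"\x00" * 56
TAMPERED_IMAGE = ORIGINAL_IMAGE[:-1] + b"\x01"


def demo() -> EvidenceItem:
    """Walk one item through acquisition, hand-off and two verifications (constructed)."""
    item = acquire("EV-001", "Image of workstation WS-17 system drive",
                   ORIGINAL_IMAGE, "A. Examiner", when="2024-03-01T09:15:00+00:00")
    item.log("transferred", "A. Examiner", "sealed in evidence bag 0042, handed to lab",
             when="2024-03-01T11:00:00+00:00")
    verify(item, ORIGINAL_IMAGE, "B. Analyst", when="2024-03-02T08:30:00+00:00")   # passes
    verify(item, TAMPERED_IMAGE, "B. Analyst", when="2024-03-02T08:31:00+00:00")   # fails
    return item


if __name__ == "__main__":
    print(custody_report(demo()))
```

Hash the original media once at acquisition, work only on copies that have been verified against that hash, and treat a failed verification as an event to investigate rather than something to quietly re-acquire around.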
1. Collection : This is the first phase in the forensic process. In this phase data is identified, labelled and recorded, and the data and physical evidence related to the incident being investigated are gathered. At the same time the integrity of the chain of custody is preserved.

2. Examination : In this phase the pertinent information is identified and extracted from the collected data, using proper forensic tools and techniques, while maintaining the integrity of the evidence.

3. Analysis : In this phase the results of the examination phase are analyzed. From the analysis, useful answers are generated to the questions that were raised in the previous phases. Most probably the case gets solved in this phase.

4. Reporting : In the reporting phase the results of the analysis are documented, which contains :
• The information pertinent to the case.
• Actions that have been accomplished.
• Actions left to be performed.
• Recommended enhancements to processes and tools.

1.2 Digital Forensics Goals

The following are the primary goals of employing digital forensics :
• It aids in the recovery, analysis and preservation of computers and associated materials in order for the investigating agency to submit them as evidence in a court of law.
• It aids in determining the reason for the crime and the identity of the primary perpetrator.
• Creating processes at a suspected crime scene to guarantee that the digital evidence gathered is not tainted.
• Data collection and duplication : recovering lost files and partitions from digital media in order to extract and evaluate evidence.
• Allows you to rapidly discover evidence and evaluate the possible impact of harmful action on the victim.
• Creating a computer forensic report that provides a comprehensive account of the investigative process.
• Keeping the evidence safe by adhering to the chain of custody.

1.3 Digital Forensics Categories - Computer Forensics, Mobile Forensics, Network Forensics, Database Forensics

1. Computer Forensics : Computer forensics deals with computers, embedded systems and static memories like USB drives. An extensive range of information, from logs to original files on a drive, can be investigated in computer forensics.

2. Mobile Forensics : As mobile phones began to become ubiquitous in the early 2000s, this category emerged. Mobile forensics is used to recover data from mobile devices. A mobile device is generally defined as one with a built-in communication system (GSM or SMS) and location information through GPS; however, mobile devices also include cameras and USB drives. It mainly deals with the examination and analysis of mobile devices. It helps to retrieve phone and SIM contacts, call logs, incoming and outgoing SMS, MMS, audio, video, etc.

3. Network Forensics : Network forensics is a sub-branch of digital forensics. Network forensics is related to monitoring, capturing, storing and analysing network activities to discover the source of security attacks, intrusions or other problem incidents, i.e. worm, virus or malware attacks, abnormal network traffic and security breaches.

1.4 Introduction to Incident

1.4.1 Computer Security Incident

A computer security incident is any unlawful, unauthorized or unacceptable action that involves a computer system or a computer network. Such an action can include :
1. Theft of trade secrets
2. Email spam or harassment
3. Embezzlement
4. Unauthorized or unlawful intrusions into computing systems
5. Denial-of-service (DoS) attacks
6. Extortion
7. Any unlawful action when the evidence of such action may be stored on computer media, for example fraud, threats and traditional crimes
8. Possession or dissemination of child pornography

1.4.2 Goals of Incident Response

The goals of incident response are as follows :
1. To prevent a disjointed, non-cohesive response.
2. Confirms or dispels whether an incident happened.
3. Promotes the gathering of accurate information.
4. Establishes controls for proper retrieval and handling of evidence.
5. Protects privacy rights established by law and policy.
6. Minimizes damage to business and network operations.
7. Allows for criminal or civil action against culprits.
8. Provides accurate reports and useful recommendations.
9. Provides quick detection and containment.
10. Minimizes exposure and compromise of proprietary data.
11. Protects your organization's reputation and assets.
12. Educates senior management.
13. Promotes quick detection and/or prevention of such incidents in the future.

1.5 Computer Security Incident Response Team (CSIRT)

A decision has to be made on how the Computer Security Incident Response Team (CSIRT) will be staffed. Larger businesses with adequate resources may be able to assign employees to incident response tasks on a full-time basis. However, more often than not, businesses will be forced to use incident response personnel who have other responsibilities in addition to their CSIRT duties.

Personnel in the internal CSIRT are classified into three groups :
• Core team
• Technical support
• Organizational support

Each member of the CSIRT is responsible for a certain duty. It requires more than just assigning employees and developing a policy and procedure document to build this capacity within an organization. An effective CSIRT, like any big project venture, needs a significant amount of effort. There are distinct duties and responsibilities for each of the CSIRT categories. This diverse group of individuals is intended to give direction and support during a wide range of situations, from minor to disastrous.

1.5.1 The CSIRT Core Team

The CSIRT core team is made up of people who either work full-time in incident response or take on incident response tasks on the side. The core team is frequently made up of people assigned to the information security team. Other companies can benefit from individuals with incident response experience.
Some of the responsibilities that can be included in the core team are as follows :

1. The incident response coordinator
• The incident response coordinator is often the Chief Security Officer (CSO), Chief Information Security Officer (CISO) or Information Security Officer (ISO), as that individual is often in charge of the overall security of the organization's information. Other organizations may appoint a single person to act as the incident response coordinator.
• The incident response coordinator is in charge of managing the CSIRT before, during and after an event. In terms of preparation, the incident response coordinator will ensure that any CSIRT plans or procedures are evaluated on a regular basis and modified as appropriate. Furthermore, the incident response coordinator is in charge of ensuring that the CSIRT team is properly trained, as well as overseeing testing and training for CSIRT employees.
• During an event, the incident response coordinator is in charge of ensuring effective incident response and remediation and guiding the team through the full incident response process. Coordination of the CSIRT with senior leadership is one of the most critical of these duties during an event. With the stakes of a data breach so high, top leadership, such as the CEO, will want to be kept up to date on crucial event information. It is the role of the incident response coordinator to keep senior leadership up to date on all incident-related actions. Finally, the incident response coordinator is responsible for ensuring that the event is correctly recorded and that reports of CSIRT activities are given to the relevant internal and external stakeholders at the conclusion of an incident. In addition, all CSIRT operations are thoroughly debriefed, and lessons learned are integrated into the CSIRT plan.

2. CSIRT Senior Analyst(s)
• CSIRT senior analysts have significant training and expertise in incident response as well as related capabilities such as digital forensics or network data inspection. They frequently have several years of incident response expertise as a consultant or as part of an organization's CSIRT. During the preparation phase of the incident response process, they are involved in ensuring that they have the appropriate skills and training to address their unique position in the CSIRT. They are also frequently instructed to help in the evaluation and revision of incident response plans.
• Finally, experienced analysts are frequently involved in the training of junior members of the team. Once an event has been detected, senior analysts will collaborate with other CSIRT members to gather and evaluate evidence, direct containment efforts and aid other staff with clean-up. After an event, senior analysts will ensure that both they and other staff properly document the occurrence. This will entail preparing reports for internal and external stakeholders. They will also ensure that any evidence is preserved or destroyed in accordance with the incident response strategy.

3. CSIRT Analyst(s)
• CSIRT analysts are CSIRT professionals who have little exposure to or experience with incident response operations. They frequently have only one or two years of incident response experience. As a result, they can engage in a range of tasks, some of which are directed by senior analysts. Analysts' skills will be developed through training and exercises throughout the preparation period.
• They may also be involved in incident response plan evaluations and upgrades. They will be charged with acquiring evidence from possibly hacked hosts, network devices or different log sources during an event. Analysts will also participate in evidence analysis and will support other team members with remediation efforts.

4. Security Operations Centre Analyst
• Larger companies may have a 24/7 Security Operations Center (SOC) monitoring capability, in-house or hired. When it comes to incident identification and alerting, analysts assigned to the SOC are frequently the point persons. As a consequence, having a SOC analyst on the team allows them to be taught methodologies and to respond to a possible security issue practically immediately.

5. IT Security Engineer / Analyst(s)
• Depending on the organization's size, there may be employees particularly assigned to the deployment, maintenance and monitoring of security-related software, such as anti-virus, or hardware, such as firewalls or SIEM systems. When an issue has been detected, having immediate access to these devices is important. Personnel assigned to these tasks will frequently have a direct part in the whole incident response process. The IT security engineer or analyst will frequently be responsible for a substantial portion of the preparation for the incident response process.
• They will be the key resource for ensuring that security applications and devices are correctly configured to detect potential issues, and that the devices properly log information so that events may be reconstructed. They will be entrusted with monitoring security systems for additional signs of hostile conduct during an event. They will also help the other CSIRT members gather proof from the security equipment. Finally, following an event, these people will be charged with configuring security devices to watch for suspicious behaviour in order to confirm that remediation operations have removed malicious activity from compromised systems.

1.5.2 Technical Support Personnel

Technical support employees are those inside the company who do not have CSIRT activities as part of their day-to-day operations, but who have knowledge of or access to systems and procedures that may be impacted by an event. For example, the CSIRT may need to bring in a server administrator to help the core team collect evidence from servers, such as memory captures or logs. Once that is accomplished, the server administrator's job is complete and they may no longer be involved in the event.
The following are some of the people that can help the CSIRT during an incident :

1. Network Architect/Administrator : Network infrastructure is frequently involved in incidents. This covers attacks on routers, switches and other network hardware and software. The network architect or administrator is critical for understanding typical and abnormal behaviour of these devices, as well as for recognizing anomalous network traffic. In events involving network infrastructure, these support staff can help acquire network evidence such as access logs or packet captures.

2. Server Administrator : Threat actors frequently target network systems that hold vital or sensitive data. Domain controllers, file servers and database servers are common high-value targets. Log files from these systems can be obtained with the assistance of server administrators. If the server administrator(s) are also in charge of Active Directory structure management, they may be able to assist with detecting new user accounts or modifications to existing user or administrator accounts.

3. Application Support : Threat actors frequently attack web applications. Some security breaches are caused by coding flaws that allow for attacks such as SQL injection, or by security misconfigurations. Having application support staff as part of the CSIRT gives direct information about application attacks. These experts are frequently able to spot code modifications or validate vulnerabilities found during an examination into a possible application attack.

4. Desktop Support : Desktop support workers are frequently involved in the maintenance of controls such as data loss prevention and anti-virus on desktop computers. In the case of an incident, they can aid in delivering log files and other evidence to the CSIRT. During the remediation phase of an incident, they may also be in charge of cleaning up affected systems.

5. Help Desk : When it comes to recognizing an issue, help desk staff are the proverbial canary in the coal mine, depending on the company. When a user detects the first symptoms of a malware infection or other harmful behaviour, they are frequently the first people contacted. As a result, help desk staff should be included in CSIRT response training as well as in incident identification and escalation protocols. In the case of a widespread occurrence, they may also aid in locating other impacted personnel.

1.5.3 Organizational Support Personnel

Organizational members that should be included in the CSIRT are those outside of the technical area. Organizational people can help with a variety of non-technical concerns that are not handled by CSIRT core and technical support personnel. Some of the organizational support individuals who should be included in a CSIRT plan are as follows :

2. Human Resources : Employees or contractors are responsible for many incidents that occur in businesses. The CSIRT may be called in to examine acts ranging from fraud to large-scale data theft. If an employee or contractor is the subject of the inquiry, the human resources department can assist in verifying that the CSIRT's operations are in accordance with applicable labour laws and corporate regulations. If an employee or contractor is to be terminated, the CSIRT can work with human resources to ensure that all necessary documentation on the event is completed, reducing the possibility of a wrongful termination claim.

3. Marketing/Communications : If an incident, such as a denial-of-service attack or data breach, may have a negative impact on external clients or customers, the marketing or communications department can assist in crafting the appropriate message to assuage fears and ensure that those external entities are receiving the best information possible. Looking back at previous data breaches, there was a backlash against those businesses that tried to keep the facts to themselves and did not notify customers. Having a good communications plan in place and putting it into action early can go a long way toward calming any possible negative reaction from consumers or clients.

4. Facilities : The CSIRT may require access to places after hours or for an extended period of time. The facilities department can assist the CSIRT in acquiring the appropriate access as soon as possible. Additionally, facilities may have access to extra meeting places for the CSIRT to use in the case of a long-term crisis that necessitates dedicated workspace and infrastructure.

5. Corporate Security : The CSIRT may be called in to deal with the theft of network resources or other technologies. Theft of laptops and digital material is quite prevalent. Surveillance footage from entrances and exits is frequently available to corporate security. They may also keep access badge and visitor records that allow the CSIRT to track personnel movement within the site. This allows for the reconstruction of events before a theft, or of other conditions that led up to the incident.

1.5.4 External Resources

An incident may be part of a broader attack on a number of similar businesses. Relationships with other organizations and agencies can help the CSIRT share intelligence and resources in the case of an incident. Among these resources are the following :
1. High Technology Crime Investigation Association (HTCIA) : The HTCIA is a worldwide organization of professionals and students dedicated to the investigation of high-tech crime. Resources range from digital forensics techniques to enterprise-level data that might assist CSIRT staff with new approaches and procedures.

2. InfraGard : The Federal Bureau of Investigation has established a private-public collaboration aimed at networking and information sharing for CSIRT and information security practitioners in the United States. This collaboration enables CSIRT members to share information about trends and discuss previous investigations.

3. Law Enforcement : There has been an exponential increase in cyber-related criminal acts. As a result, several law enforcement agencies have strengthened their capabilities to investigate cybercrime. Leadership of the CSIRT should establish relationships with agencies that have cybercrime investigation skills. Law enforcement agencies can give insight into specific threats or crimes that are being perpetrated, as well as providing CSIRTs with any information that is of concern to them.

4. Vendors : In the case of an incident, external vendors can be used, and what they can give is frequently based on the specific line of business in which the company has engaged them. For example, an organization's IPS/IDS solution provider may be able to assist in the creation of bespoke alerting and blocking rules to aid in the identification and containment of malicious activity. Threat intelligence vendors can also give recommendations on indicators of harmful behaviour. Finally, some companies will need to employ vendors who specialize in a certain incident response expertise, such as reverse engineering malware, if such capabilities are outside the organization's competence.

1.6 Incident Response Methodology

Incident response is a multifaceted discipline. Like any complex engineering problem, the problem of incident resolution in computer security incidents can be solved with a black-box approach : divide the large problem into components and test the inputs and outputs of each component. Fig. 1.6.1 illustrates our approach to incident response.

In our methodology there are seven important components of incident response :
• Pre-incident preparation : In this phase actions are taken to prepare the organization and the CSIRT before an incident occurs.
• Detection of incidents : In this phase a potential computer security incident is identified.
• Initial response : In this phase an initial investigation is performed. The basic details surrounding the incident are recorded. The incident response team is assembled and the individuals who need to know about the incident are notified.
• Formulate response strategy : In this phase the best response is determined and management approval is taken based on the results of all the known facts. What types of civil, criminal, administrative or other actions are appropriate to take is determined, based on the conclusions drawn from the investigation.
• Investigate the incident : In this phase a thorough collection of data is performed and reviewed, to determine what happened, when it happened, who did it and how it can be prevented in the future.
• Reporting : In this phase information about the investigation is accurately reported in a manner useful to decision makers.
• Resolution : In this phase security measures are employed. For any problem, procedural changes are made, lessons learned are recorded and long-term fixes are developed.

1.7 Phase after Detection of an Incident
Fig. 1.7.1 : Initial response phases

The phase after detection of the incident is the initial response, which is depicted in Fig. 1.7.1. This section discusses the activities of the initial response, which is the phase after detection of an incident. In this section we will see what actions the organization will take after detecting a computer security incident.

1.7.1 Initial Response Phase

The initial steps of any investigation are to get enough data to decide on a proper response. That is the objective of the initial response stage. Your organization's initial response ought to incorporate activities such as the following :
1. Receiving the initial notification of an incident.
2. Recording the details after the initial notification.
3. Assembling the CSIRT.
4. Performing traditional investigative steps.
5. Conducting interviews.
6. Determining whether the incident needs to be escalated.

When a computer security incident occurs, the organization will face many challenges, so there is a need for a process that supports the following :
• Identification of the participants required to assemble your CSIRT.
• Documenting the steps to be taken.
• Recording the number and kind of attacks that happen, their recurrence, the harm brought about by these attacks, and the impact these attacks had on your organization. Such measurements are the basis for measuring the return on investment (ROI) of having a formalized incident response program.

1. Establishing an incident notification procedure

To build a strong incident response program, the participation of every one of your employees is required. In your organization, incident response ought to be everybody's top priority. It is fundamental to build a notification technique for users to report potential computer security incidents. As a major aspect of your current security awareness program, you ought to advise the end users on how to report incidents (by telephone, email, intranet site or other system). Likewise, think about creating a computer security awareness notice that carries the suitable instructions to report a potential computer security incident. Making the incident response process clear to users will avoid confusion.

2. Recording the details after initial detection

The other purpose of the initial response stage is to document the steps that should be taken, recording the details of an incident in a written manner. To develop an organized incident response program, checklists are required. Initial response checklists are there to record the details after the initial notification of an incident.

Initial Response Checklists : The initial response checklist is a mechanism for recording the circumstances surrounding an incident. The initial response checklist is divided into two separate parts :
a. General information
b. More specific details

a. General Information : General information does not contain much technical information. It records the following information from the end user :
• Date the incident was detected.
• Contact information of the person completing the form.
• Contact information of the person who detected the incident.

b. More Specific Details : The members of the CSIRT use the checklist to address the technical details surrounding the incident. It is important for the CSIRT members to personally respond to obtain and record these details. The initial response checklist is used to address the following issues :

System details :
• Make and model of the relevant system(s).
• Operating system.
• The system's primary user.
• System administrator for the system(s).
• Network address or IP address of the relevant system(s).
• The system's network name.
• Whether there is a modem connection to the system(s).
• Critical information that may have resided on the system(s).

Incident containment :
• Whether the incident is still ongoing.
• Whether network monitoring is required or being conducted.
• Whether the system is still connected to the Internet/network; if not, who authorized the removal of the system from the network and when it will be put back online.
• Whether there is a requirement to keep knowledge of the incident on a "need-to-know" basis.
• Whether any remedial steps have been taken so far (such as packet filtering, new access control lists, new firewall rules or some other countermeasure).
• Whether the information collected is being stored in a protected, tamper-proof manner.

Preliminary investigation :
• The IP addresses involved in the incident.
• Whether any investigative steps or actions have already been taken.
• Whether a forensic duplication of the pertinent systems needs to be made, or a logical copy of the relevant system will do.

Case Notes : Checklists can be too complicated. The alternative to checklists is case notes. Case notes are documentation which records the steps that are taken during your incident response process. It is the duty of the members of the CSIRT to maintain well-written notes of the details surrounding the incident.

Incident Declaration : It is important to determine whether the reported activity is a computer security incident. If you come across suspicious activity which presents as an incident but you are not sure about it, then consider it an incident until it is proven otherwise. To avoid spending time on non-incidents, there are a few questions that can be considered :
• Was there a scheduled system or network outage that caused resources to be unavailable during the time the incident was reported?
• Was there an unscheduled and unreported outage of a network service provider that caused resources to be unavailable during the time the suspected incident was reported?
• Was the affected system recently upgraded, patched, reconfigured or otherwise modified in such a way as to cause the suspicious activity that was reported?
• Was testing being performed on the network that would lock out accounts or cause resources to be unavailable?
• For insider incidents, are there any justifications for the actions an employee has taken that remove or lessen the suspicions?

If you cannot tell immediately whether an incident has occurred, assign it a case or incident number, treating it as a real incident worth investigating. There is no need to go through the notification procedures for a non-incident.

3. Assembling the CSIRT

Several organizations form their CSIRTs dynamically, according to the particular response an incident needs, instead of maintaining an established, centralized team which is dedicated to responding to incidents. To prepare a team for a particular incident, you have to identify the types of skills and resources required from the rest of the organization to respond to that particular incident. Preparing the CSIRT requires :
a. Determining escalation procedures
b. Implementing notification procedures
c. Scoping an incident and gathering the proper resources, including assigning a team leader and the technical staff

Determining Escalation Procedures : There is no need for a full-scale response to every incident, with an international CSIRT mobilized for the worst-case scenario. A determination is required as to whether the incident is handled at the local level or at the corporate level. If an internal employee is involved in the incident, it will damage only the local business unit; if it does not include theft of trade secrets or disclosure of client data, it can be handled at the local level. If an outsider is involved in the incident, it may affect multiple locations and should be handled at the corporate level.

Implementing Notification Procedures :
• The organization must have a central point of contact for all detected or suspected incidents. Make this point of contact a permanent member of the CSIRT who is well versed in your organization's escalation and notification procedures.
• The points of contact for your organization's CSIRT individuals should be set up long before an incident happens. Maintain this information in a notification checklist. The notification checklist contains the information required to contact all the team members. The CSIRT members must know when to use the contact information recorded in the organization's notification checklist, and when to notify the proper people of an ongoing incident. Internal investigations often require different rules of notification than external security incidents. If you notify too many people about an internal investigation, there is a chance that the subject of the investigation will find out that he or she is the subject of an investigation. Notification should involve only people that :
  • Need to know about the investigation.
  • Can really help with the investigation.
  • Will not be confused, panicked or otherwise hinder the investigation.
  • Are not close friends of the suspect.

Scoping an Incident and Assembling the Appropriate Resources : Incident response needs quick decisions, and the speed at which you act has an effect on time and money as well as reflecting on the organization's reputation. The first step is to determine the specialists required for the work. The number of people on the team depends on these factors :
• How many workstations are involved in the incident?
• How many operating systems are involved in the incident?
• How many systems are involved, vulnerable or exploited?
• The timeframe in which the investigation needs to be performed.
• Potential exposure or profile of the case.
• Your organization's desire for a big or small investigative team.
• Whether or not litigation is probable.
• Whether it is an internal investigation.
• Whether the subject of the investigation is aware of the investigation.

4. Assigning a Team Leader

Organizations must select a team leader, because all computer-related investigations require professionals who understand the technical aspects of the incident as well as the investigative process for computer security incidents. To ensure that you have an effective team leader, you should select someone who can perform the following tasks :
• Manage the organization's CSIRT during the entire response process.
• Manage the interview process when talking to witnesses, system administrators, end users, legal counsel, managers and others.
• Provide status reports and communicate effectively to management on the progress of the response.
• Ensure that best practices and proper response techniques are used.
• Provide overall analysis of the incident.
• Protect the evidence gathered during the investigation in a manner consistent with your evidence guidelines and instructions.
• Take responsibility for verifying the chain of custody of evidence.
• Perform forensic duplication and analysis if necessary.
• Compile, manage and present the investigative report and offer recommendations.
• Understand the legal issues and corporate policies.
• Conduct an unbiased investigation with no conflict of interest.

Assigning Technical Staff : Smaller organizations that cannot have a full-time CSIRT need to assign technical staff. They need to request support from other business units and create a CSIRT composed of the appropriate technical advisors. The technical advisors are employees or contractors who understand the details of the systems and the technologies involved in the investigation. These people should possess the following characteristics :
• Complete knowledge of the operating system.
• Ability to review logs, audit trails and other trace evidence, and to clearly report findings.
• Knowledge of proper evidence-handling techniques.
• Ability to perform proper damage assessments.
• Ability to assist in determining the scope of an incident.
• Ability to determine the nature of the incident and identify the specific technical details that support their conclusions.
• Ability to make recommendations on how to remedy the situation.
• Capacity to maintain the perspective that technological evidence, including audit trails, logs, core dumps or live data collection, may be critical to resolving the incident.
• Documentation skills to record all investigative steps clearly and concisely.
• Ability to support the team leader.
• Ability to perform interviews when needed.

Once the CSIRT or investigative team is assembled, you are ready to begin the investigation.

5. Performing traditional investigative steps

The investigation phase involves determining the circumstances of an incident in the form of who, what, when, where and how. One way to simplify a technical investigation is to divide the evidence you collect into three categories :
• Host-based evidence : Host-based evidence is collected from the Windows or Unix machines, that is, from the devices actually involved in the incident.
• Network-based evidence : Network-based evidence is collected from routers, IDS and network monitors. It is possible that a network node not immediately involved in the incident holds such evidence.
• Other evidence : Other evidence is non-digital data that contributes to the case, for example motive, intent and other information gathered from people. This is when you gather personnel files, interview employees, interview incident witnesses, interview character witnesses, and document the information gathered. Other information can include voicemail systems, time cards, card swipe data, physical security logs, video camera tapes, employee records, telephone call logs and fax logs.

6. Conducting interviews

When your CSIRT comes across a suspected incident, the first step is to start asking the questions : what, who, when, where and how.
These questions helps you to determine some facts surrounding the incident, for example the location of relevant systems, administrative contacts, what may have occured ‘may be no answer for some questions but if you gather more answers it helps to assess the Situation Some few important questions to ask while forming your inital aecumptione about an + What happened? ‘+ When did it happen? + What systems ae elevant/compromised/nvolved? + Who may have dove it? ‘+ Who uses the afected/relevant ystems? + What actions have already been taten? + Whats the corporate poicy on such an incident? nes Getting Contact information ; {ind users may provide pertinent information when he During the interview collect each individuals information like Full name, Job ttle, Company describe anomalous behaviour on the system in a helpful ‘ame, Phone number, Email address. This identifying data is citical if you need to 2. Formulating : « - 4 response strategy % ___ thet People for actions information. When you prepare your report, you should include __ tecontat information foreach person who provided you with information Imterviewing System Aaminstrators = art ceien wis the system administrator oF the «TRS 5 tse when noticaion ofthe suspeced Incident comes + Have you noticed any recent inappropriate activity? «How many of them have administrator access to the systarn? «+ Which applications provide lated acces on the system? ‘+ What are the logging capabilities ofthe network and «+ What saety measures for security ofthe system are taken? Managers regulary have advantageous bits of knowledge into ‘caused by security incidents interviewing manager is often critical involved with the security indent and what damage was truly «ample questions for managers: ‘+s there anything particularly sensitive about the data and ap ‘+ -Are there any personne! issues of which we should be aware? 
+ Wes eny type of penetition testing authorized forthe system + What is the worst case scenario that can play out based on « incident? when ete it may be possible that there Pipe rete 2 Introduction to Digital Foren folloning are some common factors yc For determining your response strategy i consider. | + Doesyour organization have a formal/public posture on responding to attacks that it mut adhere to in order to appear consstent to customers and the media? 1s the suspected attack from overseas, making it more difficult to pursue technically and 1+ Are there any legal considerations that may affect the response? + Can.you rik public disclosure of the incident to chents orto the public "+ How have you enforced same incidents in the past? What is the past record/work performance ofthe individual(s) involved? + Wilthe investigation cost more than merely allowing the incisert to continue? Policy Verification Inthe iil assessment first stepe taken je to determine the existing palcy. The policy which ‘addresses the two fundamental needs of the Investigator. network monitoring and computer {forensics examination of computer systems got the highest prot, Monitoring may be limite, legally? ‘= _sthe strategy worth pursing from a cost/benefit standpoint? without appropriate policy or banners on systems, I is also necessary to make sure that ery, | ‘exsting acceptable use and consent to monitoring polices apply to your situation, | @.1 Whats Dipta Forensics? Spin tne process of hl oer. @.2 Whats Dita Forensics? @.3Wnatarere goals tia forensics? Explain Varouscatgorie cf ial fronis. Q._ Whatie Evidence? Digital Evidence, Forensics Duplication and Digital — Evidence Acquisition 2.1. Digital evidence, Typet of Digital Evidence, Challenges in acquiring Digital evidence [Admissibility of evidence, Challenges in evidence handling. Chain of Custody 22. 
2.2 Digital Forensics Examination Process - Seizure, Acquisition, Analysis, Reporting, Necessity of forensic duplication, Forensic image formats, Forensic duplication techniques
2.3 Acquiring Digital Evidence - Forensic Image File Format, Acquiring Volatile Memory (Live Acquisition), Acquiring Nonvolatile Memory (Static Acquisition), Hard Drive Imaging Risks and Challenges, Network Acquisition

2.1 Digital Evidence
Q. What is Evidence? Explain the various types of digital evidence.

• The evidence is any information of supporting value, that is, information which proves something or helps to prove something relevant to the case.
• The digital evidence consists of the data on a computer, images, audio and video files. It is data and information of value to an investigation that is stored on an electronic device, or received or transmitted by an electronic machine.
• You can acquire the evidence when data or electronic machines are seized, taken into custody and secured for the examination. Examples of evidence are a fingerprint, DNA, files on a system, etc.

The problems in acquiring digital evidence are :
(a) Digital evidence can be easily modified, damaged or destroyed.
(b) Digital evidence is time sensitive.

The places from where you can get evidence are :
(i) External hard drives
(ii) Pendrives
(iii) Thumbdrives
(iv) Cellphones and mobile devices
(v) Voice over IP phones
(vi) Answering machines
(vii) iPods
(viii) Digital video recorders (TiVos)
(ix) Digital cameras
(x) Servers
(xi) Wireless access points
(xii) Printers that buffer files
(xiii) Photocopiers that buffer files
(xiv) Scanners that buffer files
(xv) Fax machines

2.1.1 Types of Digital Evidence

Fig. 2.1 : Types of Evidence (real, documentary, testimonial and demonstrative)

1. Real evidence : Real evidence is something physical that speaks for itself. It is the most powerful evidence.
2. Documentary evidence : Documentary evidence is recorded information, for example a database, a document, etc.
3. Testimonial evidence : Testimonial evidence is the statement of a witness under oath, either in court or by deposition. This sort of evidence normally helps or validates the other types.
4. Demonstrative evidence : Demonstrative evidence recreates or explains the other evidence. It does not "talk for itself" and is used to demonstrate and clarify previous points. This sort of evidence is most helpful in explaining technical matters to non-technical audiences.
2.1.2 Challenges in Acquiring Digital Evidence

Criminals use a variety of strategies to thwart digital forensic investigators, including destroying and concealing the evidence, and seized digital devices are governed by different laws in different states and nations. The principal challenges that examiners face while acquiring digital evidence are :
1. A password-, access-card- or dongle-protected computer.
2. Use of digital steganography to hide evidence in plain sight in photos, movies, audio files and file systems (e.g. within an MS Word document).
3. Data obscuration methods that obfuscate information and render it unintelligible without the password.
4. Secure system/volume passwords that are difficult to guess; recovering them costs time and money.
5. Renaming files and altering their extensions (e.g. changing DOCX into DLL, which is a known Windows system file type).
6. Attempts to erase evidence by employing various software tools and methods to securely wipe the hard disc.
7. When available, turning off system/application logging and clearing the web browser's history before closing it.
8. Digital media that has physical damage; for instance, erased contents cannot be recovered from a failing HDD before it is repaired.
9. Digital evidence is sensitive and could be lost if not handled appropriately.
10. The ease with which digital evidence can be changed; for instance, if a computer is ON, professionals must leave it ON and, if feasible, acquire its volatile memory, but if the computer is OFF, leave it OFF to prevent any data from being changed.
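One of the challenges above is a suspect renaming a file and changing its extension (a DOCX saved as .dll) so that it blends in with system files. An examiner counters this by comparing each file's leading bytes (its signature or "magic number") with what its extension implies. The script below is an added example for this textbook section, not code from the book; the signature table, the file names and the file contents are constructed for the demonstration, and a real DOCX is recognised only by its ZIP container header.

```python
"""Flag files whose content signature does not match their extension.

Added example: DOCX/XLSX/PPTX files are ZIP containers and start with
"PK\x03\x04"; Windows executables and DLLs start with "MZ". A .dll that
begins with the ZIP signature is therefore suspicious. Sample files are
constructed in a temporary directory.
"""
import os
import tempfile

# Leading bytes that identify common file types (constructed table, not exhaustive).
SIGNATURES = {
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys"},
    b"%PDF": {"pdf"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
}


def identify(header: bytes):
    """Return the set of extensions consistent with the header, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def check_file(path: str):
    """Return (path, extension, detected_types, mismatch) for one file."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    detected = identify(header)
    # An unknown signature is not a mismatch by itself; it is left for manual review.
    mismatch = detected is not None and ext not in detected
    return path, ext, detected, mismatch


def scan(paths):
    """Check every path and return only the entries flagged as mismatched."""
    return [r for r in (check_file(p) for p in paths) if r[3]]


def build_samples(directory: str):
    """Write constructed sample files: honest DOCX and DLL, a DOCX disguised as a DLL, a JPEG."""
    samples = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 28,    # ZIP container, honest name
        "helper.dll": b"MZ" + b"\x90" * 62,              # PE-style header, honest name
        "notes.dll": b"PK\x03\x04" + b"\x00" * 28,       # ZIP container renamed to .dll
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # JPEG header, honest name
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return paths


def demo():
    """Build the samples, scan them and return the base names that were flagged."""
    with tempfile.TemporaryDirectory() as d:
        flagged = scan(build_samples(d))
        return [os.path.basename(f[0]) for f in flagged]


if __name__ == "__main__":
    print(demo())  # ['notes.dll']
```

The check deliberately reports only a header that is recognised and contradicts the extension; files with unknown headers are not labelled clean, they are simply not decided by this test and still need the examiner's attention.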
2.2 Admissibility of Evidence

• Evidence is legally admissible if and only if it meets the following criteria :
   o It is presented in order to establish the facts of a case; and
   o It does not infringe on the Constitution or other legal provisions.
• The golden rule of admissibility states that any evidence that may be relevant is admissible, but evidence that is irrelevant is inadmissible. As a result, the courts must decide whether digital evidence is relevant to the disputed facts of the case and whether it is appropriate and safe to include in the proceedings. In practice, admissibility refers to a series of legal tests performed by a judge to evaluate a piece of evidence based on the following criteria :
1. Relevance and reliability -
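Reliability, named above as an admissibility test, and the chain of custody listed in this chapter's syllabus are demonstrated in practice by hashing the evidence at acquisition, logging every hand-over, and re-hashing before analysis or court to show nothing changed. The code below is an added example for this section, not from the textbook; the record layout, the helper names and the stand-in "disk image" bytes are constructed for the demonstration.

```python
"""Record and verify the integrity of acquired digital evidence.

Added example: a minimal chain-of-custody record keyed by the SHA-256
digest taken at acquisition. Any later change to the evidence bytes,
however small, makes verification fail. The image bytes are constructed.
"""
import hashlib
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Return the hex SHA-256 digest of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def acquire(case_id: str, item_id: str, data: bytes, examiner: str, when=None) -> dict:
    """Create a custody record at the moment of acquisition.

    The digest is computed once here; later verification compares the current
    bytes against this original value, never the other way round.
    """
    when = when or datetime.now(timezone.utc).isoformat()
    return {
        "case": case_id,
        "item": item_id,
        "sha256": sha256_of(data),
        "size": len(data),
        "custody": [{"action": "acquired", "by": examiner, "at": when}],
    }


def transfer(record: dict, from_person: str, to_person: str, when=None) -> dict:
    """Append a hand-over entry so every custodian appears in the log."""
    when = when or datetime.now(timezone.utc).isoformat()
    record["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": when}
    )
    return record


def verify(record: dict, data: bytes) -> bool:
    """Re-hash the bytes now in hand and compare with the acquisition digest."""
    return len(data) == record["size"] and sha256_of(data) == record["sha256"]


def demo():
    """Acquire a constructed image, hand it over once, then verify intact and altered copies."""
    image = b"EXAMPLE-IMAGE-" + bytes(range(256)) * 4  # constructed stand-in for a disk image
    rec = acquire("CASE-0001", "ITEM-01-hdd.img", image, "examiner A",
                  when="2024-01-01T10:00:00+00:00")
    transfer(rec, "examiner A", "analyst B", when="2024-01-02T09:00:00+00:00")
    intact = verify(rec, image)
    # One flipped byte, as when a write-blocker is forgotten, breaks the match.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    altered = verify(rec, bytes(tampered))
    return intact, altered, len(rec["custody"])


if __name__ == "__main__":
    ok, bad, hops = demo()
    print(f"original intact: {ok}, tampered intact: {bad}, custody entries: {hops}")
```

The record is what an examiner would print into the case file: the digest proves the bytes analysed are the bytes acquired, and the custody list answers who held the item and when, which is exactly what a reliability challenge in court will ask.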
