Digital Forensic Case Study Report

CaseTitle:
Equifax Data Breach Investigation
Case Overview:
In 2017, Equifax, one of the major credit reporting companies in the United States, suffered a
massive breach where sensitive personal data of nearly 147 million individuals was compromised.
The stolen data included customers' names, Social Security numbers, birth dates, addresses, and
credit information.
Investigation Details:
 Date and Time of Incident: September 2017
 Location of Incident: Equifax's system.
 Type of Device(s) Involved: The breach involved various devices within Equifax's network
infrastructure, including servers, databases, and potentially other networked devices where
customer data was stored or processed. Additionally, it may have encompassed endpoints
such as workstations or laptops that were compromised to gain unauthorized access to the
network.
 Description of Evidence Collected: During the investigation, various types of digital evidence
were collected to understand the scope and impact of the breach. This evidence may have
included:
 Log Files: Server logs, firewall logs, and other system logs were collected to analyze network
traffic, user activity, and any anomalous behavior indicative of unauthorized access or data
exfiltration.
 Forensic Images: Forensic images of affected systems, including servers and endpoints, were
created to preserve their state at the time of the breach. These images were then analyzed to
identify signs of malware, unauthorized access, or data manipulation.
 Network Traffic Data: Packet captures and network flow data were collected to reconstruct
network activity during the breach. This included analyzing communication patterns between
compromised devices, command and control servers, and external entities.
 Malware Samples: Any malware discovered on compromised systems or within network traffic
was collected for analysis. This included extracting malware samples for reverse engineering
to understand their functionality and origins.
 User Accounts and Permissions: Details of user accounts, their permissions, and access logs
were collected to identify any unauthorized access or suspicious user activity within Equifax's
systems.
 Database Records: Extracts of database records containing customer information were
collected to assess the extent of the data breach and identify specific data elements that may
have been compromised.
Analysis of Digital Evidence:
Analyzing digital evidence collected during the investigation of the Equifax data breach posed
several challenges. Some of these challenges include:
 Volume of Data: The sheer volume of digital evidence collected, including server logs, network
traffic data, and forensic images, can be overwhelming. Analyzing large datasets requires
significant time and resources to ensure thorough examination.
 Data Complexity: Digital evidence often comes in various formats and may be highly complex,
requiring specialized tools and expertise to interpret effectively. For example, analyzing
network packet captures or malware code requires advanced technical skills in cybersecurity
and digital forensics.
  Encryption and Obfuscation: Attackers may use encryption or obfuscation techniques to hide
their activities and evade detection. Decrypting encrypted data or DE obfuscating malicious
code can be challenging and may require sophisticated decryption tools or manual analysis.
 False Positives: Sorting through digital evidence to distinguish between legitimate activities
and suspicious behavior can be challenging. False positives, where benign activities are
incorrectly flagged as malicious, can lead to wasted resources and unnecessary investigations.
 Legal and Privacy Concerns: Adhering to legal and privacy regulations while analyzing digital
evidence is paramount. Ensuring proper chain of custody, maintaining data integrity, and
protecting personally identifiable information (PII) are critical considerations during the
analysis process.
 Attribution and Identification: Determining the identities of the perpetrators behind the breach,
as well as their motives and methods, can be complex. Attribution relies on a combination of
technical analysis, threat intelligence, and collaboration with law enforcement agencies and
cybersecurity experts.
 Timeliness: Conducting a timely analysis of digital evidence is essential for mitigating ongoing
threats and minimizing the impact of a breach. Delays in analysis can allow attackers to
further infiltrate the network or cover their tracks, making it challenging to identify and
remediate security vulnerabilities.
Tools and Methods Used:
1.Forensic Imaging Tools: Specialized software tools like FTK Imager, EnCase, or dd (command-
line utility) were used to create forensic images of compromised systems and storage devices.
These tools ensure the preservation of evidence and allow investigators to conduct analysis
without altering the original data.
2.Malware Analysis Tools: Malware analysis tools such as IDA Pro, OllyDbg, or Ghidra were
utilized to dissect and analyze any malicious software discovered during the investigation. These
tools assist in understanding the behavior, functionality, and origin of malware samples.
3.Network Analysis Tools: Network analysis tools like Wireshark, tcpdump, or Snort were
employed to capture and analyze network traffic associated with the breach. These tools help in
identifying communication patterns, suspicious activities, and potential data exfiltration attempts.
4.Log Analysis Tools: Log analysis tools such as Splunk, ELK Stack (Elasticsearch, Logstash,
Kibana), or Sumo Logic were utilized to parse and analyze server logs, firewall logs, and other
system logs. These tools facilitate the detection of anomalous behavior, unauthorized access, and
other indicators of compromise.
5.Forensic Frameworks: Forensic frameworks like The Sleuth Kit (TSK) and Autopsy were used to
conduct in-depth forensic analysis of disk images and file systems. These frameworks provide a
wide range of forensic analysis capabilities, including file carving, metadata extraction, and timeline
analysis.
6.Threat Intelligence Platforms: Threat intelligence platforms like Virus Total, Recorded Future,
or Threat Connect were leveraged to gather intelligence on known threats, indicators of
compromise (IOCs), and threat actors associated with the breach. This information helps in
contextualizing the findings of the investigation and identifying potential links to existing threat
campaigns.
7.Data Visualization Tools: Data visualization tools such as Tableau, Gephi, or Maltego were
utilized to visualize relationships between different entities, such as IP addresses, domains, and
user accounts. Visualization aids in identifying patterns, correlations, and trends within the
collected data.
8.Manual Analysis Techniques: In addition to automated tools, manual analysis techniques such
as static and dynamic code analysis, memory forensics, and manual log review were employed by
forensic analysts to uncover hidden threats, identify attack vectors, and reconstruct the sequence
of events leading to the breach.
Challenges Faced:
Weaknesses in Equifax's previous security and protection system. The scale of the breach and the
amount of data stolen. Identifying the perpetrators and determining the sources of the breach.
Legal and Ethical Considerations:
1.Initiating an official investigation to determine the company's liability and take appropriate legal
action.
2.Compensating affected customers and the company's commitment to enhancing security and
protection measures.
3.Cooperating with relevant authorities in criminal investigations and digital analysis.
This case represents a real-life scenario where Equifax experienced a significant breach in 2017,
resulting in the theft of sensitive personal data from millions of individuals.
Conclusion:
The Equifax data breach serves as a stark reminder of the critical importance of robust
cybersecurity measures for protecting sensitive customer information. It underscores the
devastating consequences that such breaches can have on individuals and businesses alike,
highlighting the need for constant vigilance and proactive security measures.
Lessons Learned:
1. Strengthen Security Measures: Companies must continuously assess and strengthen their
cybersecurity infrastructure to safeguard against evolving threats. This includes implementing
encryption, access controls, intrusion detection systems, and regular security audits.
2. Data Protection Compliance: Compliance with data protection regulations, such as GDPR in
Europe or CCPA in California, is essential to ensure the lawful and ethical handling of customer
data. Organizations should prioritize privacy by design principles and adhere to industry best
practices.
3. Transparency and Communication: Prompt and transparent communication with affected
individuals and stakeholders is crucial following a data breach. Companies should provide clear and
timely updates on the incident, its impact, and the steps being taken to mitigate risks and address
concerns.
4. Incident Response Preparedness: Having a robust incident response plan in place can help
organizations respond effectively to security incidents. This includes establishing clear roles and
responsibilities, conducting regular training and drills, and collaborating with external cybersecurity
experts and law enforcement agencies.
5. Continuous Monitoring and Threat Intelligence: Continuous monitoring of network activity and
leveraging threat intelligence can help detect and mitigate security threats in real-time. Proactive
threat hunting and sharing threat intelligence with industry peers can enhance cyber resilience and
response capabilities.
References:
1. Equifax Data Breach: What Happened and What to Do: https://www.equifax.com/personal/data-
breach/ [1]

2. GDPR (General Data Protection Regulation): https://gdpr.eu/ [2]

CCPA (California Consumer Privacy Act): https://oag.ca.gov/privacy/ccpa [3]

NIST Cybersecurity Framework: https://www.nist.gov/cyberframework [4]

Ponemon Institute: Data Breach Reports and Research: https://www.ponemon.org/ [5]

DONE BY: JOOD

SHATNAWI
RUBA ALSHUNNAQ
ANSAM HAYAJNEH
ANWAR ALMOMANI
YARA ALSHUNNAQ