Digital forensic analysis is the systematic investigation of a device, system, network communication or memory image. In the context of resolving cybersecurity incidents, its purpose is to answer questions that depend on the type of analysis.
Digital forensic analysis consists of multiple phases:
- Obtaining digital evidence
- Analysis of digital evidence
- Creating a report/briefing or an expert's report for judicial proceedings
When capturing digital evidence, it is important to ensure:
- Precision - the acquired evidence is identical to the data on the original media
- Integrity - the acquired evidence must not change over time (any change must be detectable)
- Authenticity - the acquired evidence comes from the analyzed device/system/source in the stated time period
- Confidentiality and accessibility
At IstroSec we have our own methodology that ensures all of the points above are met when acquiring digital evidence from workstations, servers, external media, mobile phones, cloud services and network or security technologies. During acquisition our specialists follow up-to-date best practices recognized in US, EU and Slovak courts of law.
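The integrity and precision requirements above are usually met in practice by hashing every acquired image at acquisition time and re-verifying the hashes before analysis and again before reporting. The following is an added example of that step, not IstroSec's tooling: it computes MD5 and SHA-256 in one pass over each image, records them in a JSON manifest together with the examiner, source and acquisition time (all field names are assumptions chosen here), and later reports per file whether the content is unchanged, modified or missing.

```python
"""Evidence integrity manifest: hash acquired images once, re-verify later.

Added example (not IstroSec's code). The manifest layout and the
"source"/"examiner" fields are assumptions chosen for illustration.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images never fill memory


def hash_file(path):
    """Return (md5, sha256) hex digests computed in a single pass over the file.

    Both are kept because many chain-of-custody forms still ask for MD5 while
    SHA-256 is what actually protects against deliberate tampering.
    """
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def build_manifest(paths, source, examiner):
    """Hash every image in `paths` and return a manifest dict ready to be saved."""
    entries = []
    for p in paths:
        p = os.path.abspath(p)
        md5, sha = hash_file(p)
        entries.append({
            "path": p,
            "size": os.path.getsize(p),
            "md5": md5,
            "sha256": sha,
        })
    return {
        "source": source,          # e.g. hostname or asset tag of the imaged device
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }


def write_manifest(manifest, manifest_path):
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)


def verify_manifest(manifest_path):
    """Re-hash every entry; return {path: "OK" | "MISMATCH" | "MISSING"}.

    Size is compared first only as a cheap pre-check; the verdict always rests
    on the SHA-256 digest, since an attacker can preserve size and MD5 alone.
    """
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    result = {}
    for e in manifest["entries"]:
        p = e["path"]
        if not os.path.exists(p):
            result[p] = "MISSING"
            continue
        _, sha = hash_file(p)
        if os.path.getsize(p) != e["size"] or sha != e["sha256"]:
            result[p] = "MISMATCH"
        else:
            result[p] = "OK"
    return result


if __name__ == "__main__":
    import sys
    # usage: python manifest.py verify manifest.json
    #        python manifest.py create manifest.json SOURCE EXAMINER image1 [image2 ...]
    if sys.argv[1] == "create":
        write_manifest(build_manifest(sys.argv[5:], sys.argv[3], sys.argv[4]), sys.argv[2])
    else:
        for path, status in verify_manifest(sys.argv[2]).items():
            print(status, path)
```

The manifest itself should be stored and hashed separately (or signed) so that a change to the manifest is as detectable as a change to the image; the script only covers the images.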
Forensic triage
This type of forensic analysis is typically performed in reaction to a cybersecurity incident. The goal is to confirm or rule out a breach of the system and to identify indicators of compromise (IOCs). If the system was breached, the goal expands to identifying other systems that were breached and any additional resources that were used in the attack.
In case of a suspected breach of cloud systems, we focus on confirming compromise of accounts or parts of the cloud solution, identifying indicators of compromise and producing a list of all accounts that were compromised.
In case of a cyber incident, all this information serves as the foundation for the Containment, Eradication and Recovery phases. Forensic triage is not a substitute for full-fledged forensic analysis, but a basis for identifying which systems need to be analyzed in depth.
The minimal scope of forensic triage is:
- Scanning for malicious code with 5 different antimalware solutions
- Searching for relevant IOCs
- Searching for indicators of persistence (more than 100 different sources of persistence)
- Searching for evidence indicating program execution
- Searching for evidence indicating opening or viewing of files and folders
- Searching for evidence indicating lateral movement (movement between devices)
- Searching for evidence of encryption
- Automated analysis of logs
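Two of the triage steps above, searching for relevant IOCs and automated log analysis, are commonly combined into a single sweep of collected logs against the case's IOC list. The following is an added example of such a sweep, not IstroSec's tooling: it loads a small IOC list (re-fanging the `[.]` and `hxxp` defanging that threat-intel feeds use), extracts IPs, hostnames and SHA-256 hashes from each log line with regular expressions, and reports every line that contains a listed IOC, treating a listed domain as matching its subdomains as well. All log lines, IOC values and hostnames are constructed for the example (RFC 5737 test addresses and reserved `.invalid` names).

```python
"""Triage IOC sweep over collected log lines.

Added example (not IstroSec's code). The IOC list format ("type value" per
line) and all sample data are constructed for illustration.
"""
import re

# Constructed IOC list as it might arrive from a case file (partly defanged).
IOC_TEXT = """\
# type value
ip     203[.]0[.]113[.]27
domain cdn-mirror.invalid
sha256 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
"""

# Constructed log lines from three sources on the same workstation.
LOG_TEXT = """\
2024-03-01T08:12:04Z proxy host=ws-042 dst=203.0.113.27:443 url=https://update.cdn-mirror.invalid/pkg
2024-03-01T08:12:09Z proxy host=ws-042 dst=198.51.100.5:443 url=https://files.example/report.pdf
2024-03-01T08:13:40Z edr host=ws-042 event=process_create image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe sha256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
2024-03-01T08:14:02Z dns host=ws-042 query=beacon.update.cdn-mirror.invalid answer=203.0.113.27
"""

# One extractor per IOC type; each yields candidate observables from a line.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}


def refang(value):
    """Undo common defanging so feed values compare equal to raw log values."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def load_iocs(text):
    """Parse 'type value' lines into {type: set(values)}; values are lowercased."""
    iocs = {t: set() for t in EXTRACTORS}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, value = line.split(None, 1)
        if ioc_type not in EXTRACTORS:
            raise ValueError(f"unknown IOC type: {ioc_type}")
        iocs[ioc_type].add(refang(value.strip()).lower())
    return iocs


def matches_domain(observed, listed):
    """A listed domain matches itself and any subdomain of it."""
    return observed == listed or observed.endswith("." + listed)


def scan_logs(text, iocs):
    """Return [(line_no, ioc_type, listed_value, observed_value)] for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ioc_type, pattern in EXTRACTORS.items():
            for observed in set(m.lower() for m in pattern.findall(line)):
                for listed in iocs[ioc_type]:
                    if (ioc_type == "domain" and matches_domain(observed, listed)) \
                            or (ioc_type != "domain" and observed == listed):
                        hits.append((line_no, ioc_type, listed, observed))
    return sorted(hits)


def hit_iocs(hits):
    """Distinct listed IOCs that were seen at all, i.e. what to report upward."""
    return {listed for _, _, listed, _ in hits}


if __name__ == "__main__":
    found = scan_logs(LOG_TEXT, load_iocs(IOC_TEXT))
    for line_no, ioc_type, listed, observed in found:
        print(f"line {line_no}: {ioc_type} {listed} (seen as {observed})")
    print("IOCs present:", sorted(hit_iocs(found)))
```

A negative result from a sweep like this only says the listed IOCs were not seen in the logs that were collected; it does not clear the host, which is why the triage scope also covers persistence, execution and lateral-movement artifacts.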
Forensic triage typically answers questions such as:
- Is the analyzed device compromised?
- Does the system contain any IOCs related to the case being investigated?
- Which systems were attacked from the analyzed system?
- Which devices accessed the analyzed system?
- Which accounts were compromised?
- What method did the attacker use to communicate with the C2 (command and control) server?
- Which persistence mechanisms were used?
- Were there attempts to destroy evidence?
- Are the security mechanisms on the system still intact?
- Does the system contain malware?
Forensic analysis
Comprehensive forensic analysis is commonly carried out independently or, in the case of incident response, as an extension of forensic triage. Within the scope of forensic analysis, we define a forensic hypothesis.
Forensic analysis performed in reaction to an incident answers, by default, questions such as:
- Which device was compromised first? (Patient 0)
- How did the attackers compromise the device? (Patient 0)
- What activity did the attacker perform on the device?
- Which vulnerability did the attacker use in order to breach the initial device?
- Which files did the attacker open or view?
- Did the user click on a spearphishing email?
- Was there any data exfiltration?
- Did the attacker access any specific database?
- Did the attacker modify any documents on the device?
- Did the attacker modify any database?
The steps taken during forensic analysis are selected based on their relevance to the specific type of incident. Forensic analysis by default involves:
- Scanning for malicious code with 5 different antimalware solutions
- Searching for IOCs relevant to the specific case
- Searching for indicators of persistence (more than 100 different sources of persistence)
- Searching for evidence indicating program execution
- Searching for evidence indicating opening or viewing of files and folders
- Searching for evidence indicating lateral movement (movement between devices)
- Searching for evidence of encryption
- Complex log analysis
- Timeline analysis
- Analysis of the filesystem and, if possible, reconstruction of deleted parts
- User activity analysis
- Exfiltration analysis
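Timeline analysis, listed above, is what ties the execution, file-system, user-activity and log artifacts together: each source records time differently (UTC, local time with an offset, raw epoch seconds), so the first step is to normalize every record to UTC and sort, and the second is to look at the events surrounding a pivot such as the first execution of a suspicious binary. The following is an added example of that normalization and pivot step, not IstroSec's tooling; the four records are constructed for the example and the field names (`source`, `time`, `event`) are assumptions.

```python
"""Minimal super-timeline: normalize mixed timestamps to UTC, sort, pivot.

Added example (not IstroSec's code). Records are constructed; in practice they
would come from parsers for event logs, prefetch, $MFT and proxy logs.
"""
from datetime import datetime, timedelta, timezone

# Constructed records from four artifact sources on one workstation.
# evtx: local time with explicit offset; prefetch: epoch seconds; others: UTC "Z".
RAW_EVENTS = [
    {"source": "evtx", "time": "2024-03-01T09:13:40+01:00", "event": "4688 process create svc.exe"},
    {"source": "prefetch", "time": "1709280820", "event": "SVC.EXE last run"},
    {"source": "proxy", "time": "2024-03-01T08:12:04Z", "event": "GET https://update.cdn-mirror.invalid/pkg"},
    {"source": "mft", "time": "2024-03-01T08:13:35Z", "event": "created Temp\\svc.exe"},
]


def to_utc(value, default_tz=None):
    """Parse an epoch string or ISO 8601 timestamp and return an aware UTC datetime.

    Naive timestamps (no offset) are rejected unless a default zone is given,
    because silently guessing the zone is the classic way timelines go wrong.
    """
    value = value.strip()
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        if default_tz is None:
            raise ValueError(f"naive timestamp without known zone: {value}")
        dt = dt.replace(tzinfo=default_tz)
    return dt.astimezone(timezone.utc)


def fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_timeline(raw_events, default_tz=None):
    """Return events sorted by UTC time (then source name for stable ties)."""
    timeline = []
    for ev in raw_events:
        dt = to_utc(ev["time"], default_tz)
        timeline.append({"utc": fmt(dt), "_dt": dt, "source": ev["source"], "event": ev["event"]})
    timeline.sort(key=lambda e: (e["_dt"], e["source"]))
    for e in timeline:
        del e["_dt"]
    return timeline


def around(timeline, pivot, minutes):
    """Events within +/- `minutes` of the pivot timestamp, with their offset in seconds."""
    centre = to_utc(pivot)
    span = timedelta(minutes=minutes)
    out = []
    for e in timeline:
        dt = to_utc(e["utc"])
        if abs(dt - centre) <= span:
            out.append(dict(e, offset_s=int((dt - centre).total_seconds())))
    return out


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for e in tl:
        print(e["utc"], e["source"].ljust(9), e["event"])
    print("--- within 1 minute of first svc.exe execution ---")
    for e in around(tl, "2024-03-01T08:13:40Z", 1):
        print(f"{e['offset_s']:+5d}s", e["source"], e["event"])
```

Note how the event-log entry (09:13:40 local) and the prefetch run time (epoch) collapse onto the same UTC second once normalized, which is the corroboration a timeline is meant to surface; without normalization they would appear an hour apart.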
Where relevant, additional steps are taken during forensic analysis:
- Forensic network analysis
- Memory analysis
- Malware analysis
- Analysis of network and security devices
- Analysis of IoT devices
Why IstroSec?
Our forensic analysts have years of experience with court cases, BEC, HIPAA-related investigations, APT compromises and much more. IstroSec experts hold various certifications such as GCFE and GCFA. Some members of our forensic team were part of the winning team of Locked Shields 2016 and continue to give forensic lectures at an acclaimed university.