Five key steps for Digital Forensics and Incident Response

The significance of activities such as Incident Response planning and Digital Forensics may seem, to many, relevant only to organisations working in the most security-conscious sectors. However, I believe that a rounded appreciation of good cybersecurity practice is valuable, if not critical, for all organisations. Whatever the size or type of organisation, if a security incident occurs, those charged with responding and investigating should be prepared to follow a structured, effective and informed process.

Spending a small amount of time thinking through how well an IT environment's configuration and security controls would support a forensic exercise, in the event that the organisation suffers a breach, can significantly reduce the cost and disruption when one actually does occur. Being prepared can decide whether the organisation, and the individuals within it, come through the incident intact.

Both physical and digital forensics have the same fundamental goal: to establish, to an evidential standard, exactly what happened during a given period, and where possible to attribute actions to a specific individual, so that the response can be effective and proportionate. Both rely on acquiring and analysing data in a timely fashion, and in a manner that allows the provenance and integrity of that data to be demonstrated later.

There are many proposed methodologies for digital forensics, but generally, they can be condensed into the same five steps:

Gather human intelligence

Clarify the time and date boundaries

A modern network generates thousands of events every minute, so before undertaking any investigative action it is important to narrow down where, and when, to look. Treat the initial window as provisional: the point at which an incident was noticed is rarely the point at which it began.

Find out who is involved

This is the crux of any investigation, and it requires detailed questioning of those who reported the event: when did you first spot it? How long was it a problem, or how long did it go on for? Is it still happening? Who is involved?

Ascertain which machines are affected

You can identify from the users which machines have been affected. However, this may not represent the only area that needs investigation – remain open minded.

Identify what actions have been taken since the discovery

In any digital forensic investigation, the moment anyone interacts with the environment its state changes and the evidence is altered: logging on, running a tool, opening a file or rebooting a machine all update timestamps, overwrite memory and add log entries. Well-meaning first steps can be the most damaging, for example powering a machine off (which discards everything in memory) or letting anti-virus 'clean up' the very sample you need. It is important to establish exactly what actions people have taken (or tried to take) since discovery and to work from that point.

Be prepared to eliminate ‘false positives’. Disproving facts with evidence is equally as useful as proving a theory during an investigation.

Plan your approach

Prioritise your targets

In a digital environment events happen very quickly, and some evidence disappears of its own accord. Identify and prioritise the areas where you can get valuable evidence, working from the most volatile to the most stable: memory contents, network connections and running processes first, then the file system and local logs, and finally backups, archived logs and other media that will still be there tomorrow.

Keep it legal

Ensure that legal guidelines are followed, including having the authority to examine the systems and data in question. If you do not follow procedure, evidence may be inadmissible in a court of law or tribunal, should the need arise.

Allocate resources and skillsets

Ascertain whether you have the right people to conduct the investigation. You will need experts for your hardware and software configurations to ensure that valuable evidence is not inadvertently compromised. External agents could provide an unbiased alternative.

Balance value against cost

There is a cost associated with any work, and so a sanity check is vital. Balancing the proportional effort, cost and risk to the business is essential.

Obtain evidence

Document and sign your evidence

Everything that is captured must be documented exactly: what was seized or imaged, when, by whom, from where and with which tool, then dated and signed by the person who did it. Because evidence changes as soon as it is touched, this record is the only way to show later what the state was at the moment of capture, and it gives every subsequent handler a clear audit path to add to.

Capturing the data

Any work carried out on data should be on copies only, always preserving the integrity of the original. Acquire the original through a write-blocker or equivalent read-only method, seal it, and do all analysis on verified working copies. The chain of custody, the signed record of who held each item and when, is what allows you to demonstrate that the master copy was never altered and remains the ultimate reference point.

Use cryptographically verifiable data

When data is captured, compute a cryptographic hash of it (for example SHA-256; MD5 on its own is no longer considered adequate) and record that value in the evidence log alongside the acquisition details. The hash is not something the data 'has' by itself; it is a fixed-length fingerprint derived from every bit of it, so a bit-for-bit copy produces exactly the same value, while a single changed byte produces a completely different one. Re-hashing a copy and comparing it with the recorded value is therefore a quick, repeatable proof that the copy is identical to what was captured.
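The following Python script is an added illustration of that workflow; it is not code from the original article or from Becrypt. It hashes an acquired image in chunks (so a multi-gigabyte file never needs to fit in memory), writes the hash into a simple acquisition record, verifies that a working copy hashes identically, and then shows that flipping a single byte in the working copy is detected. The image contents, case identifier and examiner name are constructed sample values, not real evidence.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks; a multi-GB image never has to fit in memory


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_record(path, examiner, case_id):
    """The entry written into the evidence log at acquisition: what was hashed, by whom, when."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
    }


def verify_copy(record, copy_path):
    """True only if the copy is bit-for-bit identical to what was recorded at acquisition."""
    return sha256_file(copy_path) == record["sha256"]


def demo():
    """Acquire, copy, verify, then show that a one-byte change in a working copy is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a disk image: 3 MiB of a repeating byte pattern.
        image = bytes(range(256)) * (3 * 4096)
        original = os.path.join(tmp, "evidence.img")
        with open(original, "wb") as f:
            f.write(image)
        # Hypothetical case identifier and examiner, for illustration only.
        record = acquisition_record(original, examiner="A. Examiner", case_id="CASE-0001")

        # Working copy taken from the original: must hash identically.
        working = os.path.join(tmp, "working.img")
        shutil.copyfile(original, working)
        copy_ok = verify_copy(record, working)

        # Simulate accidental alteration of the working copy: flip one bit of one byte.
        with open(working, "r+b") as f:
            f.seek(len(image) // 2)
            b = f.read(1)
            f.seek(-1, os.SEEK_CUR)
            f.write(bytes([b[0] ^ 0x01]))
        tampered_ok = verify_copy(record, working)

        return {
            "record": record,
            "hash_matches_memory": record["sha256"] == sha256_bytes(image),
            "copy_matches": copy_ok,
            "tampered_matches": tampered_ok,
        }


if __name__ == "__main__":
    result = demo()
    print(result["record"])
    print("working copy verified:", result["copy_matches"])
    print("altered copy verified:", result["tampered_matches"])
```

In practice the record would also capture the tool and version used to acquire the image and the serial number of the source device, and the same verification would be repeated each time the copy changes hands.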

Analyse the evidence

Make a timeline of events

Data from multiple sources will carry timestamps in different formats, different time zones and, very often, from clocks that were not synchronised. Normalise everything to a single reference (UTC is the usual choice), correct for any known clock skew, and then merge the sources into one ordered sequence. Lining the evidence up over the time period in this way builds a complete picture and helps to identify corroborating evidence from independent sources.
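The following Python script is an added example of that normalisation step; it is not code from the original article. It takes constructed log lines from three sources, each with its own timestamp convention (syslog in local time with no offset, Windows events exported in UTC, and a web server access log with an explicit offset), converts them all to UTC, corrects a firewall whose clock was found to run three minutes fast, and keeps only the events inside the incident window established from the human intelligence. The hostnames, addresses, clock offsets and skew are all assumed sample values.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines from three sources (example data, not real logs).
FIREWALL_SYSLOG = [
    "Jun 14 09:06:15 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.23 DPT=3389",
    "Jun 14 09:07:02 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.23 DPT=445",
    "Jun 14 11:30:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.23 DPT=22",
]
WINDOWS_EVENTS = [
    "2024-06-14T07:50:00Z|ws-23|4634|Logoff user svc_backup",
    "2024-06-14T08:03:40Z|ws-23|4624|Logon type 10 user jsmith from 203.0.113.7",
]
WEB_ACCESS = [
    '10.0.0.23 - - [14/Jun/2024:04:02:30 -0400] "POST /upload HTTP/1.1" 200 512',
]

# Assumptions about each clock, established before analysis (hypothetical values):
# fw01 logs local time at UTC+01:00 without an offset in the line, and an NTP
# comparison showed its clock running 3 minutes fast. The other sources were in step.
SYSLOG_YEAR = 2024            # classic syslog lines carry no year
SYSLOG_TZ = timezone(timedelta(hours=1))
CLOCK_FAST_BY = {"fw01": timedelta(minutes=3)}


def parse_syslog(line):
    mon, day, clock, host, msg = line.split(None, 4)
    ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=SYSLOG_TZ), "host": host, "source": "syslog", "message": msg}


def parse_windows(line):
    stamp, host, event_id, msg = line.split("|", 3)
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))  # 'Z' suffix means UTC
    return {"ts": ts, "host": host, "source": "windows", "message": f"EventID {event_id}: {msg}"}


def parse_web(line):
    # Common Log Format: client ident user [timestamp offset] "request" status bytes
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"', line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    # "web01" is the assumed name of the server whose clock wrote the line.
    return {"ts": ts, "host": "web01", "source": "web", "message": f"{m.group(1)} {m.group(3)}"}


def to_utc(event):
    """Convert to UTC and subtract any known clock skew for the host that wrote the line."""
    utc = event["ts"].astimezone(timezone.utc) - CLOCK_FAST_BY.get(event["host"], timedelta(0))
    return {**event, "utc": utc}


def build_timeline(events, start, end):
    """Normalise to UTC, drop events outside the incident window, sort oldest first."""
    rows = [to_utc(e) for e in events]
    rows = [e for e in rows if start <= e["utc"] < end]
    return sorted(rows, key=lambda e: e["utc"])


def demo():
    events = (
        [parse_syslog(l) for l in FIREWALL_SYSLOG]
        + [parse_windows(l) for l in WINDOWS_EVENTS]
        + [parse_web(l) for l in WEB_ACCESS]
    )
    # Incident window agreed with the reporters: 08:00 to 08:05 UTC on 14 June 2024 (assumed).
    start = datetime(2024, 6, 14, 8, 0, tzinfo=timezone.utc)
    end = datetime(2024, 6, 14, 8, 5, tzinfo=timezone.utc)
    return build_timeline(events, start, end)


if __name__ == "__main__":
    for e in demo():
        print(e["utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), e["host"], e["source"], e["message"])
```

Once corrected, the upload to the web server, the firewall's accept for RDP and the remote logon on ws-23 fall within ninety seconds of each other in the right order; read with their raw timestamps, the same three lines appear hours apart and in the wrong sequence.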

Analyse the data

Working from the timeline, proceed systematically: form a hypothesis, decide what evidence would confirm or refute it, and test it. Expect to go back for additional corroborating evidence, and record the hypotheses you discarded as well as the ones that held.

Report on your findings

At the end of the investigation your report needs to be understandable and contain only defensible findings. It must explain those findings in terms that make sense to non-technical readers, and it must be factual and impartial, presenting the data, dates and events that actually occurred and separating what is known from what is inferred.

As well as the summary report it is also important that all relevant data is compiled in an additional appendix. For serious cases, investigative experts will need to review the data to corroborate the facts that you have presented.

By following these five steps your digital forensic investigation and subsequent report is more likely to meet the stringent requirements of courts and industrial tribunals, and provide valuable information to the business and people affected.

Chris Cassell at Becrypt
