When a cyber-attack has occurred, it's important to conduct a forensic investigation to determine the following:
Who was behind the attack.
How the attack happened.
What systems were compromised.
What the attacker did while on the compromised system.
What traces the attack left behind.
Common forensic tools include:
dd - Creates a bit-by-bit (raw) copy of a drive, or of memory where the system exposes it as a device.
Memdump - Captures a forensic copy of a system's memory.
WinHex - Hex and disk editor that can examine and image drives and memory.
FTK Imager - Forensic tool used to capture a forensic copy of a system, drive or memory.
Autopsy - Allows you to perform forensic analysis on captured evidence.
When gathering evidence from a compromised system, it is important to understand the volatility of data.
Volatile data is lost when a system or device is powered off. This type of data is stored in Random Access Memory (RAM) and in the device's cache memory, so it should be collected first.
The following are examples of volatile data:
ARP cache, clipboard contents, network session states, running processes, etc.
Non-volatile data is usually stored on a secondary storage device such as a Hard Disk Drive (HDD).
The following are examples of non-volatile data:
Log messages, device configurations, and data stored on a Hard Disk Drive (HDD).
All physical pieces of evidence must be properly labeled using an appropriate labeling scheme before the evidence is moved to the forensics lab.
A Chain of Custody is required to ensure the integrity of all evidence is maintained at all times.
The Chain of Custody also records every person who handled the evidence, when, and why, from collection until it is presented.
For digital evidence, a cryptographic hash of the evidence is computed at acquisition and re-checked whenever the evidence changes hands, so any modification can be detected and tied to a point in the chain.
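The following is an added example, not part of the original notes, showing one way to keep a chain-of-custody record for a piece of digital evidence: every hand-off re-hashes the evidence and appends an entry, only the current custodian may release the item, and verification flags the entry at which the hash first diverged from the acquisition hash. The ChainOfCustody class, the evidence identifier EV-0001 and the custodian names are hypothetical, and the evidence file is a constructed temporary file rather than a real image.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, block_size=65536):
    """Hash a file in fixed-size blocks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only custody log for one evidence item (hypothetical structure).

    Every entry records who released the item, who received it, when, and the
    evidence hash at that moment. Re-hashing at each hand-off means that if the
    evidence changes, the log shows which custodian held it when it changed.
    """

    def __init__(self, evidence_id, path, collected_by):
        self.evidence_id = evidence_id
        self.path = path
        self.acquisition_hash = sha256_file(path)  # reference value for all later checks
        self.entries = []
        self._record(released_by=None, received_by=collected_by, action="acquired")

    def _record(self, released_by, received_by, action):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "released_by": released_by,
            "received_by": received_by,
            "action": action,
            "sha256": sha256_file(self.path),
        })

    def current_custodian(self):
        return self.entries[-1]["received_by"]

    def transfer(self, released_by, received_by):
        """Log a hand-off; only the current custodian may release the item."""
        if released_by != self.current_custodian():
            raise ValueError(f"{released_by} is not the current custodian")
        self._record(released_by, received_by, "transferred")

    def verify(self):
        """Return (ok, problems): every logged hash must equal the acquisition hash."""
        problems = [
            f"entry {i}: hash changed before hand-off from {e['released_by']} to {e['received_by']}"
            for i, e in enumerate(self.entries)
            if e["sha256"] != self.acquisition_hash
        ]
        return (not problems, problems)

    def to_json(self):
        return json.dumps({"evidence_id": self.evidence_id,
                           "acquisition_sha256": self.acquisition_hash,
                           "entries": self.entries}, indent=2)


def run_demo():
    """Constructed walk-through: acquire, hand off twice, tamper, hand off again."""
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".img")
    tmp.write(b"constructed evidence image, not real data\n" * 64)  # constructed sample input
    tmp.close()
    try:
        coc = ChainOfCustody("EV-0001", tmp.name, "first responder")
        coc.transfer("first responder", "evidence custodian")
        coc.transfer("evidence custodian", "forensic analyst")
        ok_before, _ = coc.verify()

        bad_transfer_rejected = False
        try:
            coc.transfer("first responder", "forensic analyst")  # not the custodian
        except ValueError:
            bad_transfer_rejected = True

        # Simulate the analyst accidentally writing to the image while holding it
        with open(tmp.name, "r+b") as f:
            f.write(b"X")
        coc.transfer("forensic analyst", "evidence custodian")
        ok_after, problems = coc.verify()
        return {"ok_before": ok_before, "ok_after": ok_after,
                "bad_transfer_rejected": bad_transfer_rejected,
                "problems": problems, "custodian": coc.current_custodian(),
                "log": coc.to_json()}
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(run_demo()["log"])
```

Running the script prints the JSON log; the last entry carries a different SHA-256 from the acquisition hash, and verify() names the hand-off from the forensic analyst as the point where the evidence changed.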
A legal hold is a process used to preserve all data and evidence that may be relevant to an investigation or litigation, so that it is not deleted or altered.
Digital evidence that must be preserved under a legal hold is referred to as Electronically Stored Information (ESI).
ESI can be any type of electronic data that is related to an investigation.
It is important that the forensic investigator does not accidentally modify data during the acquisition of evidence.
When acquiring a system image such as an entire Hard Disk Drive, it's recommended to create a bit-by-bit image of the drive.
Acquiring a system image allows you to examine the contents of the captured image (the forensic evidence) without needing to access the original drive for the rest of the investigation.
It is important to use a write-blocker to prevent any accidental modification of the original drive during acquisition; without one, the operating system may write to the drive (for example, when mounting it) even if the investigator never opens a file.
Since many cyber-attacks occur across a network, it's important to gather network logs and traffic.
Gather and analyze network logs from various networking devices and security appliances.
If you are continuously capturing network packets, look for unusual traffic patterns to reconstruct the path the attack took across the network.
Not all security incidents occur on a computer or network; some incidents are physical, such as theft of a company asset.
Video surveillance is important as it will allow you to look at past footage to determine how a physical security incident occurred and any persons involved in the incident.
It is also important to archive video footage for later use, since surveillance systems typically overwrite old recordings.
When capturing evidence, record the system's current time and compare it against a trusted time source, so that any clock skew can be accounted for when correlating timestamps across logs and systems.
When capturing digital evidence, create a hash of every item of digital evidence.
The hash is used to check the integrity of the forensic copy against the original evidence.
If the hash of the copy no longer matches the hash recorded at acquisition, the data has been modified.
Two hashing algorithms are commonly used: Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) family. MD5 is no longer collision resistant, so a SHA-2 hash such as SHA-256 should be recorded as well; many imaging tools record both.
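The following is an added example, not taken from the original notes or from any of the tools they mention, showing the bit-by-bit acquisition and hash verification described in the two passages above (imaging a drive, and hashing the evidence). A regular file stands in for the physical drive; in practice the copy is made with dd or FTK Imager against the device behind a write-blocker, but the checks are the same: copy in fixed-size blocks, hash source and image with both MD5 and SHA-256, record the acquisition time, and re-verify the image later. The function names, the fake drive contents and the block size are assumptions for this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # copy in fixed blocks, the way dd does with bs=4096 (assumed value)


def hash_file(path, algorithms=("md5", "sha256")):
    """Read the file once, block by block, and return a hex digest per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image):
    """Copy every byte of `source` to `image` and return an acquisition record.

    The source is opened read-only. On a real drive that is not enough: the OS
    may still write to the device (journal replay, automount), so a hardware
    write-blocker sits between the drive and the acquisition machine.
    """
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            copied += len(block)
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "bytes": copied,
        "source": hash_file(source),
        "image": hash_file(image),
    }
    # An acquisition is only valid if the copy hashes identically to the original
    if record["source"] != record["image"]:
        raise RuntimeError("image does not match source; acquisition failed")
    return record


def verify_image(record, image):
    """True only if the image still has the size and hashes recorded at acquisition."""
    return (os.path.getsize(image) == record["bytes"]
            and hash_file(image) == record["source"])


def run_demo():
    """Constructed walk-through with a file standing in for a physical drive."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "drive.bin")
    image = os.path.join(workdir, "drive.dd")
    try:
        # Constructed sample input: a fake MBR-style boot signature plus filler,
        # deliberately not a multiple of BLOCK_SIZE so the partial last block is copied too.
        with open(drive, "wb") as f:
            f.write(b"\x00" * 510 + b"\x55\xaa" + b"not real disk data " * 620)
        record = acquire_image(drive, image)
        intact = verify_image(record, image)

        # Flip a single byte in the image: both digests change and verification fails
        with open(image, "r+b") as f:
            f.seek(record["bytes"] // 2)
            f.write(b"\xff")
        tampered = verify_image(record, image)
        return {"bytes": record["bytes"], "md5": record["image"]["md5"],
                "sha256": record["image"]["sha256"], "intact": intact,
                "tampered_detected": not tampered}
    finally:
        for p in (drive, image):
            if os.path.exists(p):
                os.unlink(p)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(run_demo())
```

The acquisition record (time, byte count and both digests) is what goes into the case file and the chain of custody; any later verify_image() call against that record answers the question the notes pose, whether the copy still matches what was acquired.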
When gathering evidence from a system, it's important to take multiple pictures of the screen of the compromised system.
The screen may have important information that may need to be reviewed during the forensic investigation.
Use a camera or a smartphone to capture pictures of the screen.
A good practice is to interview any persons who may have witnessed the event.
It is important that this happens as quickly as possible, while the details are still fresh in the witnesses' memory.
Document all pieces of information during the interview process.
It's important to ensure forensic data is properly preserved.
The preservation of data is important for both current and future investigation of the security incident.
When a security incident has occurred, the more data you have about the incident, the easier it will be to recover and to prevent a recurrence.
Collecting and analyzing as much data about the incident can help you to improve on the security of the organization.
Such information will also help you to improve your security policies and configurations on your network devices and security appliances.
Counterintelligence gathered during the investigation tells you about the attacker and their tools, techniques and trends.
Such information will help you to profile the attack or the attacker quickly in a future security event.
Ensuring all devices log relevant events will help provide evidence of every step taken by a malicious user or attacker while they were on the system.