DFIR Briefly Explained – Part 2
Before we begin with learning how to collect digital evidence, we first need to talk about “scope.” Scoping is a very selective process by which we narrow our investigation to the most important evidence to be collected and analyzed first. We want to narrow our focus to only those system(s) most likely to hold the evidence we need for our incident. Initial reporting of an incident or suspected incident usually occurs in one of two ways:
- Information provided to the DFIR team from monitoring practices:
  - System event logs
  - Network logs
  - Alerts from Intrusion Detection Systems or Intrusion Prevention Systems (IDS and/or IPS)
  - Alerts from endpoint monitoring tools
  - Alerts from antivirus/malware software scanners
  - Threat hunting teams working to identify malicious activity on the network
- Information reported by humans:
  - Calls or complaints to the Help Desk from employees
  - Calls or complaints to the Help Desk from customers
  - Tips from law enforcement
  - Security researchers reporting through responsible disclosure
  - Common Vulnerabilities and Exposures (CVEs)
Armed with the above information, and after conducting additional interviews of the parties involved, we can home in on the most important system(s) that we need to focus on first. During the analysis of these initial system(s), the evidence may lead us to additional systems that will need to be collected. Being selective with our initial collection is necessary to keep us from being overwhelmed with data and falling victim to “analysis paralysis.” During the scoping process we need to ask very specific questions that answer the important “Who, What, When, Where, and Why”:

- Who are the parties involved?
- What happened? Specifically, what happened or what was observed?
- When did this occur, or when was it first observed? Date and time matter.
- Where are the systems located? (Local/on-site? Another location? Cloud based?)
- Why? The least important question, but still relevant to try and figure out.
Some other special considerations that you need to keep in mind: What is the legal authority? A search warrant? Consent? Legal or HR authorization? You need to document the legal authority and understand what you can and cannot do. If your examination takes you in a new or unexpected direction not covered by your original search authority, make sure you stop the examination, document this full stop, and consult with Legal/HR/the case agent for guidance on how to proceed.
One really important step that should never be overlooked or ignored in the field of digital forensics is documentation. Documentation is absolutely *KEY* to being able to troubleshoot and find the important answers in your examination. Specifically, notes in chronological order (step 1, step 2, step 3, etc.) will help you to see where you have been, what tools you have used, and the results you arrived at. They will help you to remember where you left off in a case after a long weekend or holiday. They help you to retrace your steps when you venture off down a deep rabbit hole of some obscure artifact you thought might turn out to be related. They will also help you to troubleshoot your case and provide context for your investigative process when undergoing an internal peer review, cross-examination, and everything in between. Case notes can and will help you become a better forensic examiner. I don’t care how you keep your notes – handwritten in a journal, a simple text document in Microsoft’s Notepad, an Excel spreadsheet, whatever works for you. Be consistent and intentional about documenting as much as you can. Finally, detailed documentation will help you with your report writing. (You do know that you have to write a report, right? Tool-generated reports don’t count. If you want to do quality forensic work you need to learn to write quality reports.)
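The scoping questions and the chronological case notes above are easy to keep consistent if you capture them in a fixed structure from the first minute of an engagement. The following is an added example, not code from the original post: a minimal Python case-notes logger that records the Who/What/When/Where/Why answers and the legal authority as scope, then appends numbered, UTC-timestamped steps (host, tool, action, result) that cannot be edited after the fact, and renders them as a report section. The case ID, host names, ticket number and entries are constructed for illustration; the tool names (Magnet RAM Capture, KAPE, Autopsy) are the ones the post lists.

```python
"""Minimal DFIR case-notes logger (added example, not from the original post).
Uses only the Python standard library. All case identifiers, hosts and entries
below are constructed sample data, not real case material."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List


@dataclass(frozen=True)
class Scope:
    """The Who/What/When/Where/Why answers and legal authority gathered at intake."""
    who: str
    what: str
    when: str              # as reported, including the reporter's timezone
    where: str
    why: str
    legal_authority: str   # warrant / consent / Legal or HR authorization


@dataclass(frozen=True)
class Note:
    """One chronological step. Frozen so an entry is never rewritten later;
    corrections go in as a new step that references the old one."""
    step: int
    recorded_at: str       # UTC timestamp when the note was written
    examiner: str
    host: str
    tool: str
    action: str
    result: str


class CaseNotes:
    def __init__(self, case_id: str, scope: Scope, examiner: str,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.case_id = case_id
        self.scope = scope
        self.examiner = examiner
        self._clock = clock            # injectable so tests are reproducible
        self._notes: List[Note] = []

    def add(self, host: str, tool: str, action: str, result: str) -> Note:
        """Append the next step; step numbers are assigned, never chosen."""
        note = Note(step=len(self._notes) + 1,
                    recorded_at=self._clock().isoformat(timespec="seconds"),
                    examiner=self.examiner, host=host, tool=tool,
                    action=action, result=result)
        self._notes.append(note)
        return note

    def timeline(self) -> List[Note]:
        """All steps in the order they were recorded."""
        return list(self._notes)

    def hosts(self) -> List[str]:
        """Systems touched so far, in the order they entered scope."""
        seen: List[str] = []
        for n in self._notes:
            if n.host not in seen:
                seen.append(n.host)
        return seen

    def to_markdown(self) -> str:
        """Render scope plus the step table as a report section."""
        s = self.scope
        lines = [f"# Case {self.case_id}", "",
                 f"- Who: {s.who}", f"- What: {s.what}", f"- When: {s.when}",
                 f"- Where: {s.where}", f"- Why: {s.why}",
                 f"- Legal authority: {s.legal_authority}", "",
                 "| Step | Recorded (UTC) | Host | Tool | Action | Result |",
                 "|---|---|---|---|---|---|"]
        for n in self._notes:
            lines.append(f"| {n.step} | {n.recorded_at} | {n.host} | {n.tool} "
                         f"| {n.action} | {n.result} |")
        return "\n".join(lines)


def build_sample_case() -> CaseNotes:
    """Constructed sample: a help-desk report whose analysis pulls a second host into scope."""
    scope = Scope(who="Help desk ticket from user jdoe (constructed)",
                  what="Browser pop-ups and an AV alert on a finance workstation",
                  when="2024-03-04T09:15:00-05:00 (as reported by the user)",
                  where="On-site, finance VLAN",
                  why="Unknown at intake",
                  legal_authority="HR authorization, ticket HR-PLACEHOLDER")
    notes = CaseNotes("CASE-EXAMPLE-001", scope, "examiner1")
    notes.add("WS-FIN-07", "Magnet RAM Capture", "Collected volatile memory", "memdump.raw written")
    notes.add("WS-FIN-07", "KAPE", "Triage collection", "Triage archive collected")
    notes.add("WS-FIN-07", "Autopsy", "Reviewed triage for persistence",
              "Scheduled task references a share on SRV-FILE-02")
    notes.add("SRV-FILE-02", "KAPE", "Triage collection after lead from step 3", "Triage archive collected")
    return notes


if __name__ == "__main__":
    print(build_sample_case().to_markdown())
```

The `hosts()` view is the scoping loop made visible: the fourth step shows a second system entering scope only because step 3 produced a lead, which is exactly the trail a peer reviewer will ask you to justify.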
How to properly acquire digital evidence:

- Forensic triage of Windows-based systems and the forensic tools and software needed to do the job:
  - Belkasoft Live RAM Capturer
  - Magnet RAM Capture
  - KAPE Forensic Triage
  - FTK Imager
  - DumpIt
  - Redline
- We will then learn how to process the triage collection with some of these tools:
  - Autopsy
  - Eric Zimmerman’s suite of tools
  - KAPE
  - And others…