Digital Forensics Isn’t Magic!
Digital forensics is evolving rapidly, driven by the demands of the market and by threats such as espionage, ransomware and data theft. Today’s forensics labs are seeing significant advances across software, hardware, signal analysis, cryptography and more. Teams are leveraging new technologies to detect and analyse breaches more quickly, giving law enforcement and organisations actionable insight.
Unfortunately, the reality is that many organisations are not prepared to conduct forensic investigations. There is a preconceived notion that, whatever incident occurs, conducting a forensics investigation will “magically” answer every question. Without preparation and planning beforehand, this is far from the truth.
Before probing into how to prepare your organisation to be forensics ready, it is important to understand what digital forensics is, what frameworks are used, and what methodologies or best practices should be followed.
What is digital forensics?
Digital forensics is a discipline within forensic sciences that involves analysing digital evidence from electronic devices using a repeatable methodological process to retrace the steps of what occurred in the past.
As with all forensic disciplines within forensic sciences, digital forensics is reactive, meaning that it is executed after an incident occurs. For a digital forensics process to be successful, it requires careful planning and preparation. To plan and prepare for a forensics investigation, the organisation must understand the digital forensics framework and its step-by-step process.
Digital Forensics Framework
There are many models available from globally recognised standards, such as the International Organisation for Standardisation (ISO) / International Electrotechnical Commission (IEC) standards ISO/IEC 27041, 27042 and 27043, and the National Institute of Standards and Technology (NIST) Special Publication 800-86, that many organisations use as a baseline methodology. The NIST 800-86 model states that the following process should be conducted for digital forensics: Collection, Examination, Analysis, and Reporting.
Four-step process for digital forensics as stated in NIST 800-86
The Digital14 Forensic and Threat Lab follows a six-step framework based on best practices from NIST and the Investigative Process for Digital Forensic Science.
Six-step Investigative Process for Digital Forensics used by Digital14
The identification phase focuses on identifying potential sources of relevant evidence, as well as key custodians (suspects) and physical locations of data.
The forensics investigator gathers the information needed to assess the severity and details of the case and the surrounding context of what occurred, and advises the internal client on which sources of evidence, if available in the environment, should be acquired to help answer the questions they have posed.
After collecting information about the incident, an investigation plan can be designed and, more importantly, the approach to be taken is defined. The approach depends on the type of investigation. Suppose the investigation involves data theft by an insider. In that case, the forensics team may request data from the outbound network perimeter, such as logs from the proxy, Data Loss Prevention (DLP) system and firewall, to name a few, in addition to the custodian’s workstation.
Also, during this phase, the investigation lead will propose a list of activities to be performed and what teams will need to be engaged.
The collection phase involves collecting the relevant evidence at the crime scene or client site that was identified in the identification phase for forensic analysis back in the forensics lab.
Once the scope of the case is understood, a series of recommendations is made for changes within the environment that help with collecting the sources of evidence identified in the identification phase.
The changes may include, but are not limited to, system isolation, access to or export of logs from the SIEM, procurement of keys and passwords to decrypt pertinent data, removal of the host DLP, and USB storage access. The changes are made based on the nature and severity of the incident at hand, in support of the investigation.
A chain of custody document is started in the collection phase for the evidence being transferred from the internal client to the forensics team. The Chain-of-Custody (CoC) document tracks the chronological sequence and trail as evidence moves from person to person.
The preservation stage involves protecting the evidence while maintaining the integrity of the source data. The process and methodologies used by the forensics examiner must ensure that the evidence is collected in a manner that preserves the original data without alteration or, where that is impossible, with the least alteration possible.
The forensics team must use industry best practices. Standards from organisations such as NIST and Scientific Working Group on Digital Evidence (SWGDE) provide consistent and proven methods for preserving evidence from hard drives and removable storage devices (USB Thumb Drives, Micro SD Cards, External Hard Drives).
In addition, for all evidence preserved by the forensics team, a digital fingerprint or hash (MD5 or SHA-256) is calculated so that it can be validated throughout the digital forensics investigative process that the original data on the source evidence has not been altered.
In all investigations, two forensic copies must be made of the source evidence and saved to evidence storage drives: a master copy, which is preserved, and a working copy, which is processed in the examination phase. Both copies of all collected evidence are signed in and tracked in an evidence locker and evidence management system by the evidence handling personnel in the forensics laboratory.
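The hashing and two-copy practice above can be checked mechanically. The following is an added example written for this article, not Digital14’s own lab tooling: it hashes a source image once at acquisition (MD5 and SHA-256 in a single pass, read in blocks so multi-gigabyte images do not need to fit in memory), records the result in a manifest entry of the kind that accompanies a chain-of-custody form, and later re-hashes the master and working copies against that manifest. The evidence file names, evidence ID and examiner name are constructed placeholders, and the “image” is a few kilobytes of made-up bytes rather than a real disk image.

```python
"""Evidence integrity check: hash at acquisition, then re-verify the master and
working copies. Added example using only the Python standard library; the
evidence identifiers and image contents below are constructed for illustration."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images in 1 MiB blocks so large files never sit in memory


def hash_stream(fobj):
    """Return {'md5': ..., 'sha256': ...} for a file-like object, reading it once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for block in iter(lambda: fobj.read(CHUNK), b""):
        md5.update(block)
        sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def record_acquisition(source_path, evidence_id, examiner):
    """Hash the source at acquisition and return the manifest entry that is
    written onto the chain-of-custody form. The timestamp is UTC so that lab
    and client time zones cannot be confused later."""
    return {
        "evidence_id": evidence_id,          # placeholder scheme, not a real lab ID
        "source": os.path.basename(source_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        **hash_file(source_path),
    }


def verify_copies(manifest, copies):
    """Re-hash each copy (e.g. master and working) against the manifest.
    Returns {label: True/False}; False means the copy is no longer a faithful image."""
    return {label: hash_file(path)["sha256"] == manifest["sha256"]
            for label, path in copies.items()}


def demo():
    """Self-contained walk-through using a constructed (fake) evidence image."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "usb-001.dd")            # constructed file names
        master = os.path.join(d, "usb-001-master.dd")
        working = os.path.join(d, "usb-001-working.dd")
        image = b"CONSTRUCTED SAMPLE IMAGE " * 4096       # not a real disk image
        for p in (source, master, working):
            with open(p, "wb") as f:
                f.write(image)
        manifest = record_acquisition(source, "EV-0001", "examiner A")  # placeholders
        before = verify_copies(manifest, {"master": master, "working": working})
        # Simulate the working copy being modified during examination: one byte changes.
        with open(working, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        after = verify_copies(manifest, {"master": master, "working": working})
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before examination:", before)
    print("after examination:", after)
```

Both digests are computed in the same pass so the source is read only once, which matters when the source is a slow write-blocked device. A single changed byte in the working copy is enough to flip its status to False while the untouched master still verifies, which is exactly why the master is set aside and only the working copy is processed.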
The examination stage involves processing the working copy evidence that was collected and preserved utilising various tools and techniques, following a defined, repeatable step by step process.
The forensics team must test its forensic tools and procedures periodically, per the relevant standards, to ensure that the results they produce are accurate and sound when used on an actual investigation.
The forensics team usually processes artefacts in the form of container files known as forensic images, which are bitstream (bit-for-bit) copies of the source evidence acquired in the preservation phase. Forensic images can be created in many formats; however, the typical standards are raw (dd) and Expert Witness Format (E01).
In this phase, the processed evidence is analysed to answer the questions of the investigation of Who, What, When, Why, Where, and How. The forensics team analyses specific artefacts from the processed data depending on the type of investigation.
For example, if the internal client wants to know what websites a custodian visited on his or her corporate laptop, the analyst analyses the web browser artefacts in the processed data. The analysis stays focused on the questions posed by the internal client and never deviates from the focus of the investigation. If the analyst comes across illegal content while focusing on the target of the analysis, UAE and international law require that the evidence be reported to the authorities and law enforcement.
The presentation phase, the final step, involves taking the findings from the analysis stage and presenting them in a detailed report as the deliverable to the internal client. The report states only facts, not opinions, and can be tailored to specific audiences. At a minimum, the detailed report should have the following sections:
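To make the browser-artefact example concrete, here is an added illustration (not code from Digital14 or from this article) of the kind of query an analyst runs against a working copy of a Chromium-based browser’s History database. The sample database is built in memory with the column names Chrome’s urls table uses, and every row in it is made up. The one piece of real-world knowledge it relies on is that Chrome stores last_visit_time as microseconds since 1601-01-01 UTC, so the timestamps must be converted before they can be placed on the timeline of events that the report will contain.

```python
"""Browser-artefact analysis against a constructed Chrome-style History database.
Added example; the URLs, titles and visit times are invented for illustration."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds from 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime.
    Chrome uses 0 for 'never visited', so return None instead of the year 1601."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_history():
    """Create an in-memory database with the columns of Chrome's urls table.
    The rows are constructed for this example, not taken from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, "
        "hidden INTEGER)"
    )
    rows = [
        (1, "https://intranet.example/portal", "Portal", 12, 3, 13300000000000000, 0),
        (2, "https://files.example/share/q2-report", "Q2 report", 1, 0, 13300003600000000, 0),
        (3, "https://webmail.example/compose", "Compose", 4, 1, 13300001800000000, 0),
        (4, "https://never.example/", "Unvisited", 0, 0, 0, 1),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def history_timeline(conn):
    """Return visited URLs in chronological order as
    (iso_time_utc, url, title, visit_count) tuples, ready for the report's
    timeline of events. Entries never visited (last_visit_time = 0) are excluded."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE last_visit_time > 0 ORDER BY last_visit_time ASC"
    )
    return [(webkit_to_utc(t).isoformat(), url, title, n) for url, title, n, t in cur]


if __name__ == "__main__":
    for when, url, title, count in history_timeline(build_sample_history()):
        print(f"{when}  {url}  ({title}, {count} visits)")
```

On a real case the analyst points sqlite3.connect at the History file extracted from the working copy of the image, never at a live profile, and the query scope stays as narrow as the client’s question (which sites, in which period), in line with the point above about not deviating from the focus of the investigation.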
- Executive Summary: A high-level explanation that describes the investigation and the final outcome.
- Contact Details: The contact information of the lead analyst in the investigation.
- Forensic Analysis: Presents the findings of the investigation.
- Timeline of Events: A high-level view, in chronological order, of the events as they appeared in the investigation.
- Remediation: Recommendations on security controls and steps that should be implemented to minimise the risk of the incident occurring again.
- Appendix: Provides a more detailed view of the findings geared towards a more technical audience, describes the tools and configurations used in the investigation, and includes a Glossary of Terms.
Preparing for a forensics investigation
To be forensic ready and able to execute the six-step Investigative Process for digital forensics, an organisation needs to prepare and plan carefully, focusing on the following:
- Define what business scenarios will require digital evidence collection, for example:
  - Reducing the impact of computer-related incidents.
  - Ensuring compliance with regulatory or legal requirements.
- Identify available sources of potential evidence in the environment, such as:
  - Network traffic, logs, and archives.
  - User documents, media, and voice mail.
- Determine evidence collection requirements and procedures.
- Establish evidence collection procedures that are legally admissible in court.
- Establish a policy for secure storage and handling of potential evidence.
- Ensure continuous monitoring and auditing is targeted to detect and deter major incidents, using:
  - Intrusion detection and prevention.
  - Endpoint detection and response.
  - Endpoints, firewall, and proxy.
  - Mobile device management (MDM).
- Establish when an incident is escalated to a full investigation.
- Ensure staff are trained to prepare for an incident.
As discussed above, digital forensics will not magically solve your investigations. It is important to understand what digital forensics is, what frameworks are used, and what methodologies or best practices should be followed. When an organisation follows these steps, digital forensics can provide great or magical results, helping find the root cause of an incident and improving the overall security posture of your organisation.
Digital14 has an ISO 17025 accredited forensics lab that is operated by experienced digital forensics professionals from around the world who are trained and certified by the industry’s top vendors.