An Introduction to Digital Forensic Investigations
By Evan Wheeler - CISSP - Senior Security Consultant, AKIBIA
What is Digital Forensics?
Digital forensics as a discipline is not particularly new; however, in the past it was usually associated with law enforcement investigations of computer-related crimes. More recently, it is becoming increasingly common for high-profile corporations, especially financial services companies, to have full-time resources dedicated to battling the onslaught of cybercrime and malware keying in on these profitable institutions. In today’s changed landscape, digital forensics is considered a subset of the incident response genre and an important aspect of a company’s overall security initiative.
Often the distinction between forensic investigation and incident response is blurred, but in principle not every security incident will require a forensic response. For instance, a virus outbreak among several user workstations may require an incident response team to engage in order to contain the spread of the virus and clean the infected systems. In this case, it may be evident that the source of the outbreak was an infected email sent to a user and uncaught by perimeter email scanning, perhaps because it was a brand new variant with no existing signatures. Typically, this type of incident would not require further investigation. However, a digital forensic investigation would be necessary if the source of the virus was unknown; if efforts to eradicate it were continually unsuccessful; if the impact on the infected systems was unclear; and if the scope of the infected systems was unknown. This scenario would require specialized personnel skilled in system compromise analysis and malware reverse engineering. While this is just one potential incident that would require a forensic investigation, there are a number of others that would necessitate a similar investigation, including financial fraud, internal security policy violations, system vulnerability exploits, e-discovery, and sensitive data leakage investigations.
As high-profile security breaches continue to make headlines, companies can no longer afford to be in the dark regarding incident response and investigative capabilities. It is important for all organizations to be proactive about possible incidents. Organizations should develop a strategy for approaching a forensic investigation, identify the appropriate partners to leverage during an incident, and ensure a thorough understanding of the total security framework and how it would stand up to a digital investigation. Forward-thinking risk managers and security professionals are focusing not just on implementing specific compensating controls to mitigate traditional technical weaknesses; they are also spending time and resources planning for various incident handling scenarios, similar to a disaster recovery exercise. This planning inevitably involves strong incident response policies, procedures, training, and communication, but will also require digital forensics.
The Incidents Behind the Digital Forensics Movement
So how does digital forensics fit into the incident response landscape, and why has it gained so much momentum and publicity recently? Partially this is a result of an increase in corporate emphasis on enforcing more detailed security and acceptable use policies. The “newsmaker” potential of these security incidents, the ensuing public relations challenges, and advances in technology and its growing sophistication are combining to increase the need for digital forensics.
Security policy violations, such as misuse of the Internet or illegal access to customer data, are gaining the attention of management and human resources. Any time management chooses to pursue a security incident, a strict procedure must be followed to maintain the forensic integrity of the evidence collected and to avoid accusations of prejudice against the internal staff involved in gathering and analyzing evidence. For example, recent case law has shown that when administrative action is taken against an employee, and the evidence is based solely on an IP address that was associated with that user’s system, the action will not hold up in court. Therefore, it becomes important for human resources as well as corporate legal counsel to be familiar with the company’s forensic investigation approach.
Similarly, security incidents on the network are being detected more often due to improved network security controls such as Intrusion Detection Systems (IDS) and security information management systems. As more incidents are detected, more will inevitably need to be investigated.
How To Approach a Digital Forensic Investigation
It’s hard to prepare for the unexpected, yet in the case of digital forensic investigations this is a necessity. It is critical for IT, HR, and legal to become educated regarding the possible scenarios the organization might face. From there, the groups can create a prioritized action plan for reducing the time and resources required to perform forensic incident response activities.
To determine your organization's forensic readiness, it is vital to evaluate the current security posture and analyze technical controls, policies, procedures, and skill sets. A skilled forensic investigator can analyze these results and recommend an action plan to fill the gaps identified. This process greatly increases the efficiency of any investigation, whether it is performed internally, by a third party, or even with law enforcement involved. Although this article focuses specifically on the digital forensic aspects of the incident handling lifecycle, this preparation also increases a company’s ability to respond efficiently to any security incident.
Should your organization need to conduct a digital forensic investigation, it is important to work with a trusted third-party advisor. Digital forensics is a very specialized field, and conducting an investigation accurately, without losing or misinterpreting data, requires significant expertise. Maintaining discretion in the investigation is an absolute necessity, and a third party can ensure the investigation is conducted without bias or prejudice.
Akibia offers Digital Forensic Services; you can learn more about the offering in this issue of Bandwidth.
About the Author: Evan Wheeler, CISSP
As a Security Consultant working in many industries for over ten years, Evan Wheeler is accustomed to advising clients on all aspects of Information Assurance. Specializing in risk management, digital forensic investigations, and secure application design, he offers expert insight into security principles for both clients and security professionals. Evan has spoken to many audiences on topics ranging from Payment Card Industry (PCI) risk management to building a forensic incident response infrastructure. He currently leads the forensic investigation team as a Senior Security Consultant for Akibia Network & Security Solutions, Inc. and maintains a role as a Security Advisor to the High Performance Computer Modernization Program within the U.S. Department of Defense. As a complement to this diverse experience in the field, he is currently pursuing a Master of Science in Information Assurance in the National Security Agency certified program at Northeastern University.