Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:53 PM
Connect Directly

Security Careers: A Closer Look At Digital Investigations

Security incident response and forensics are, at heart, people problems. Here are some tips for making the most of them

[This article appears as a special to Dark Reading courtesy of the(ISC)2 Advisory Board of the Americasas Executive Writers Bureau.]

No matter how good their defenses, every security team eventually finds itself facing a data compromise. Increasingly, enterprises are approaching these compromises by combining two disciplines that previously were thought of separately: incident response and digital forensics.

This combined process, called digital investigations, helps to streamline both incident response and forensics. Most organization have multiple processes that outline how an incident should be handled as well as the processes for supporting forensic methodologies. The concept of merging them together may at first seem frightening, but it shouldn’t be a re-invention of existing processes.

The National Institute of Standards and Technology (NIST) have published several documents that speak to security incident handling (SP800-61) and integrating forensics with incident response (SP800-86). These documents are publicly available on the NIST website, offering a framework and guidance to building internal digital investigation processes.

As you'll see in the NIST documentation, there are key elements that are translatable between incident handling and digital forensics. One example is event categorization: the initial assessment that must be performed when the investigator arrives on the scene.

This assessment provides the basis to determine the "fruits of crime" -- what was the target -- and the "tools of crime" -- what was used. The distinction between fruit and tool forms the starting point for analysis and conducting root cause analysis. Even after you've drawn the line around your "crime scene," however, you'll likely discover new information that expands the scope of the investigation.

The best strategy for dealing with this "scope creep" is to set a large perimeter around your crime scene and work to narrow it down by ruling out possible avenues. One approach is to utilize a spider-web technique: the concept that everything has a relationship, and a small change in one area results in a large difference elsewhere.

This technique positions the actual event at the center of the web, providing several ways to move out toward the root causes. These several inter-connected, outward data paths have all contributed to the incident as either a tool or fruit of the event, and may have direct association to another data path.

As more data is identified -- and as we move further away from the event -- we will find related data paths and associated root causes. As we move outward, some paths may reach a clear conclusion, which reduces the scope of the investigation.

As the investigation progresses and the scope of data changes, there may be multiple branches of information that requires synchronized analysis. There is no means by which an investigative team can simultaneously analyze everything. The best way to produce results quickly is to divide and conquer by creating dedicated "tiger teams" that have the appropriate skill sets to work through data quickly but thoroughly.

These "tiger teams" should be assembled on demand and must have access to critical resources in order to complete their part of the investigation. Depending on the specialization of the team, there will be a different focus on data sources and where to collect evidence.

The digital investigation process does not need to be a re-invention of forensic or incident response processes and procedures. There are several documents published by reputable organizations that can be used as a basis for integrating processes and handling different types of incidents. It is important to incorporate industry best practices into your investigative process and to draw upon industry knowledge when applying investigative techniques. Keep in mind that digital investigations are conducted when there is a breach -- the race to determine root cause(s) must be quick. The race to preserve evidence also necessitates speed. But acting fast is not always easy.

With any digital investigation, it is not uncommon to have an enormous amount of data to cull before a root cause can be found. And while the incident may have occurred on an end-user system, the scope of relevant data may often include network appliances, software, or even mobile devices.

While retrieving data from assets belonging to your own organization might be straightforward, the growing use of cloud services may complicate the picture. Your ability to retrieve data from cloud service provider (CSP) systems may prove challenging. In the cloud, there is no access to or ownership of the physical assets; numerous other organizations use the same platforms.

To help mitigate these problems work with your CPS before an incident occurs to establish service-level objectives that make the CPS an extension of your incident response team and ensure that you can collect data from the cloud provider environment using sound investigative processes.

As the investigation grows and the volume of data becomes overwhelming, it is important to cull and reduce the scope of evidentiary sources and narrow the question of what is relevant. It’s not uncommon to have a broad forensic toolset where one tool is for log analysis, another for system analysis, and so on. As investigative software continues to evolve into single-point solutions, investigators will gain access to platforms that offer even better intelligence and response tools.

Security information and event management (SIEM) platforms, for example, are an excellent technology to consolidate, store, and correlate data from multiple sources -- they can quickly reduce the amount of data related to security events. Stand-alone SIEM platforms provide a simplified view of data within the organization -- they may offer automated detection, but they often rely on manually reactive processes.

By integrating SIEM systems with automated incident response capabilities, you can reduce the manually reactive processes performed by security analysts. Based on the category of incident that has occurred, there is an immediate need to collect and preserve volatile evidence that can be lost over time, such as running processes, remote system connections, and active users. SIEM tools enable the preservation of live system data at the time an incident occurs -- a capability that can be can useful when subsequently analyzing entire systems.

Now that we have extracted relevant data from SIEM and collected volatile data through automated response capabilities, it may be time to use digital forensics as a means of recovering additional evidence. For any category of incident, there are always digital artifacts that exist in some state on end-user systems; relevant information can be extracted from sources such as event logs, registry hives, or the recycle bin.

Digital forensics generally requires some level of specialized training; however, many forensic toolkits offer a great deal of automation to identify and preserve evidence. Tightly integrated and streamlined forensic toolkits allow the security analyst to complete the initial triage while preserving the forensic evidence, leaving it to the forensic practitioner to do the heavy lifting.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/29/2012 | 7:41:43 PM
re: Security Careers: A Closer Look At Digital Investigations
Analyzing the malware itself and how data was exfiltrated can also help prevent future attacks.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...