Contents
1. Conducting Investigations
There are four main types of investigations that often involve cybersecurity professionals. These are:
1. Operational investigations:
- Seek to resolve technology issues (EG: service might be returning errors, a server might be responding too slowly, or a network might be congested)
- Restore normal operations as quickly as possible
- low standards of evidence as no legal action involved
- Involve root cause analysis (what caused it in the first place?)
2. Criminal investigations
- conducted by government agencies investigating violations of criminal law
- penalties include fines or jail time
- highest possible standard of evidence
3. Civil investigations:
- investigate the violation of a law, but are not criminal offences. EG: resolve a contract dispute between parties
- Can be initiated by government or private citizens
- Do not involve fines or jail time Uses preponderance evidence
4. Regulatory investigations
- May be civil or criminal
- Use the standard of evidence appropriate for the type of case
Interviews
Interviews are one of the most important tools available to investigators conducting any type of investigation. During an interview, investigators ask a cooperating individual a series of questions designed to elicit information valuable to the investigation. It is important to remember that an interview is always voluntary.
When investigators question a hostile subject without that subject’s consent, it’s known as an interrogation. Cybersecurity analysts should never find themselves in the position of conducting an interrogation, and should leave this responsibility for trained law enforcement office.
2. Evidence Types
There are 3 main types of evidence:
1. Real Evidence:
- tangible objects that can be brought into the courtroom (eg: a bloody knife, or in the cybersecurity world a computer)
2. Documentary evidence:
- consists of written information. EG: a written contract or computer logs
- Evidence must be authenticated by testimony
- Original documents are superior to copies
3. Testimonial evidence:
- consists of witness statements
- Direct evidence – witness provides evidence on their own observations
- Expert opinion- expert witness draw conclusion from looking at the evidence. EG: bringing in a cybersecurity expert to look at logs and draw conclusion of what happened
- Testimonial evidence must not consist of hearsay/gossip
3. Introduction to Forensics
The goal of digital forensics is to collect, preserve, analyse, and interpret digital evidence in support of an investigation. This includes everything from pulling data from a smartphone or a laptop to analysing network traffic logs.One of the most important guiding principles of any forensic science is that investigators must never take any action that alters the evidence itself and may lead to misinterpretation of that evidence.This is easy to understand when applied to physical forensics. Investigators should wear gloves at a crime scene and avoid contaminating samples with their own DNA. It’s a little more difficult to understand how this applies to digital forensics, but it is equally important that investigators working with digital data also take steps to insure that they don’t contaminate the evidence.
Order of volatility
The order of volatility influences how investigators should gather evidence. Investigators should place more urgency on gathering more volatile evidence during an investigation because time is of the essence.
For example, data written to a hard drive will last longer than information stored in RAM. Hard disks, therefore, are less volatile than memory.
Generally speaking information should be gathered in this order:
1. Network traffic
2. Memory contents
3. System and process data
4. Files (get temporary files first)
5. Logs
6. Archived records
Time offsets help correlate records from different sources.
Alternate Evidence Sources
Sometimes you might to look outside of the digital world for evidence. This can include:
- Video recordings
- Witness statements
4. System and File Forensics
Protecting Evidence
Remember that the first rule of evidence collection is that investigators must never take any action that alters the evidence itself and may lead to the misinterpretation of that evidence. When it comes to systems and files, forensic investigators preserve this principle by never working with the actual physical evidence unless absolutely necessary.
Investigators do this by creating copies or images of the physical evidence and then using those images for forensic analysis. the analyst must connect a device to the drive and use that device to copy off the data stored on the media. Whenever media is connected to a system, there is always the risk that the analysis process will inadvertently write data to the media.
Forensic analysts use special devices known as write blockers or forensic disk controllers to prevent this from happening. The write blocker sits in between the forensic system and the evidence and intercepts all requests sent to the evidence removing any requests that might tamper with the contents of the drive.
Hashing
Hashes are used to demonstrate that a file hasn’t been altered. A hash is a unique signature of a file generated by using a mathematical algorithm. If you take multiple hashes of the same file over a period of time, you will get identical results. If the file changes even slightly, the hash value changes completely. If the investigators compute hash values at the time they collect evidence, they can then recompute hash values when analysing and presenting evidence or an image of that evidence to prove that the file they are working on is identical to the file that was originally collected.
Hashes can be applied to any type of file ranging from a simple paragraph of text or a file containing an image of an entire hard drive.
EXAM TIP: never try to perform forensics yourself unless you have received proper training.
5. Network Forensics
Network transmissions are digital consisting of ones and zeroes sent across some form of network media. Ethernet networks send electrical impulses over copper wire. Fibre optic networks use pulses of light transmitted over strands of glass. And wireless networks use radio waves to send digital bits through the air. Whatever media is used, anyone with access to that media can capture those pulses as they travel.
Forensic Tools
Wireshark
This is a packet capture software. Full packet capture requires a lot of storage. This conducts full packet capture grabbing every bit that they see on a network and then reconstructing it into the packets used to exchange data between systems.
Netflow
This is short for Network Flow. Net flow captures high level information about the communication on a network.
It’s similar to the information that you’d find about phone calls on your telephone bill. The bill tells you every phone number that you dialled as well as the time and duration of the call. It doesn’t tell you what was said during that call. NetFlow data gives you similar information about network communications. You’ll find the source and destination IP addresses of each network communication as well as the network ports involved, a timestamp, and the amount of data exchanged in each communication. This provides valuable who talked to whom information about network communications, but just like a telephone bill doesn’t include the content of the telephone communication
6. Software Forensics
There are two major uses of software forensics in today’s cybersecurity environment.
1. Intellectual Property
Software forensics are often used to resolve intellectual property disputes between parties. This is a very common occurrence in civil disputes, and software forensic specialists are often used in court to testify about the origins of software code. For example, suppose a key software developer leaves a company and accepts a position at a competitor. The competitor may then later release a new product version that includes features very similar to the first company’s product. The first company may accuse the competitor of using the newly hired software developer to steal code. Software forensics experts may analyse the code for the two products and draw conclusions about whether one company used the other company’s source code to add functionality.
2. Malware origins
Software forensics experts may analyse malicious code found on a system and compare it to other known malware objects to determine whether they were written by the same author.
7. Embedded Device Forensics
Embedded devices are special-purpose computer systems found inside of many of the objects that we use in daily life, as well as in industrial settings.
They contain both hardware and software that help that device function. In many cases, they connect to a Cloud service that provides data storage and added functionality. Cars are a great example of embedded devices in action. Modern cars contain dozens or even hundreds of embedded systems, each designed to perform a unique purpose. Some of these embedded systems are simple, perhaps regulating the vehicle’s climate control system. Others are more sophisticated, powering the car’s GPS navigation. These embedded systems contain a wealth of information that may be valuable in a forensic investigation. Investigators analysing the GPS unit, for example, could determine where a car was located over a period of time.
We use security monitoring systems that contain computing devices. Our thermostats may be smart devices powered by Cloud services, and even our lights may be controlled by smart apps. Each of these devices may collect information that’s useful in a forensic investigation. They can tell us who was present in a building and where they went. Even a thermostat can provide valuable information to investigators about the temperature in the room over time, helping to determine an accurate time of death for an individual found dead in the monitored area. Smart home assistants, such as Amazon’s Alexa, and Google’s Home, also collect information about us and send it off to the Cloud. These devices contain microphones capable of recording activity in an area and then sending it to a Cloud service speech recognition.
In a murder investigation in Bentonville, Arkansas, investigators noticed an Amazon Echo device in the suspect’s home and sent a subpoena to Amazon requesting any recordings from that device that may contain background sounds relevant to the crime. They also said they would conduct a forensic analysis of the device itself, to see if it had any recordings on the device that might be relevant to the investigation. We’re beginning to see the use of embedded devices as forensic evidence, and this trend is likely to continue in the future as these devices are found in more locations.
8. Chain of Custody
When evidence is used in court or another formal setting, both parties involved in a dispute have the right to ensure that the evidence presented has not been tampered with during the collection, analysis, or storage process.
The chain of custody, also known as the chain of evidence, provides a paper trail that tracks each time someone handles a piece of physical evidence. The chain of custody also plays an important role in ensuring the authenticity of evidence.
When collecting physical evidence, the evidence should always be placed in an evidence storage bag or other container that is labelled with the date, time, and location of collection, the name of the person collecting the evidence, and the contents of the storage bag. It should then be sealed with a tamper resistant seal that would show if someone opened the container. Each piece of evidence should then be accompanied by an evidence log that records important events that happen in the life cycle of the evidence.
9. Electronic Discovery (eDiscovery)
When organisations are involved in legal disputes, they have an obligation to preserve evidence related to that dispute and produce it in response to a legitimate legal order.
There are 3 major steps in the electronic discovery process:
1. Preservation: When an organisation receives notice of potential litigation, the first step they should take is the issuance of a litigation hold, to individuals and departments that may have electronic or paper records relevant to the dispute. A message is sent to those individuals and departments informing them of the potential litigation and instructing them that they are required to preserve any records related to the dispute. It’s important to remember that preservation includes more than just not intentionally destroying information. They must suspend any automated processes that would destroy relevant information. This most often affects IT groups by requiring the preservation of log entries.
2. Collection: If the legal dispute progresses, the legal team will decide when to begin evidence collection. Some of the sources that may be included in collection efforts include documents stored on file servers, files stored on individual computers, email messages stored on servers or in the cloud, and records in enterprise systems managed on premises or in the cloud.
3. Production: This is where the real heavy lifting of the discovery begins. Attorneys will pour over all of the collected records and decide which are relevant to the dispute and not protected by legal privileges such as attorney-client privilege. After completing this review, the attorneys will create an electronic file containing all relevant records and share it with the other side.
