One of the biggest threats facing businesses and corporations today is that of Cyber-attacks. If these are large enough in scale and magnitude, they could even be considered acts of Cyber terrorism, in which a significant impact is felt both in cost and in human emotion. Whenever something like this occurs, two of the most common questions that get asked are:
How did it happen?
How can this be prevented from happening again in the future?
Obviously, there are no easy answers to this, and depending on the severity of the Cyber-attack, it could take weeks and even months to determine the answers to these two questions. The latter can be answered by conducting various in-depth penetration testing exercises.
In this regard, once the lines of defense have been beefed up, these tests can push the defense mechanisms to their absolute breaking point, to determine and uncover any hidden weaknesses or holes.
The former is where the role of forensics comes into play. Any remnants of the Cyber-attack and any evidence left behind at the scene need to be collected very carefully and examined. It is from this point onwards that the questions of “who, what, where, when and why” can be answered by the forensics examiners and investigators.
It is important to keep in mind that the field of forensics, especially as it relates to Information Technology, is very broad in nature and involves many sub-specialties. These include digital forensics, mobile forensics, database forensics, and logical access forensics, to name just a few.
In this article, we provide an overview of the field of computer forensics. We focus primarily on what it is about, the importance of it, and the general steps that are involved in conducting a computer forensics case.
A Definition of Computer Forensics and Its Importance
The term forensics literally means using some sort of established scientific process for the collection, analysis, and presentation of the evidence which has been collected. All forms of evidence are important, especially when a Cyber-attack has occurred. Thus, a formal definition of computer forensics can be presented as follows:
“It is the discipline that combines the elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.” (SOURCE: 1)
Obviously, when a Cyber-attack has occurred, collecting all relevant evidence is of utmost importance to answer the questions outlined above. However, keep in mind that the forensics examiner/investigator is especially interested in a particular kind of evidence, known specifically as “latent data.”
In the Cybersecurity world, this kind of data (also known as “ambient data”) is not easily seen or accessible upon first glance at the scene of a Cyber-attack. In other words, it takes a much deeper level of investigation by the computer forensics expert to unearth it. This data has many uses, but it is stored in such a way that access to it is extremely limited.
Examples of latent data include the following:
Information which is in computer storage but is not readily referenced in the file allocation tables;
Information which cannot be viewed readily by the operating system or commonly used software applications;
Data which has been purposely deleted and is now located in:
Unallocated spaces in the hard drive;
Print spooler files;
The slack space between the existing files and the temporary cache.
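The list above names the places where latent data lives. The following added example (written for this article, not code from the original or from any forensic tool) makes that concrete on a constructed toy disk image: a tiny allocation table, a fixed cluster size, and file contents placed so that deleted remnants sit in file slack and in an unallocated cluster. The cluster size, the allocation table layout and all file contents are assumptions constructed for illustration; a real file system is far more complex, but the distinction the example shows, between what the operating system reads back and what remains in slack and unallocated space, is the one the article is making.

```python
"""Added example: where latent data hides in a constructed toy disk image.

Assumptions (all constructed for this illustration): a 64-byte cluster size,
a one-run-per-file allocation table, and hand-placed remnants of a deleted
file in file slack and in an unallocated cluster.
"""
import re

CLUSTER = 64          # toy cluster size in bytes (constructed)
TOTAL_CLUSTERS = 4    # toy image holds four clusters

# Constructed allocation table: name -> (first cluster, cluster count, logical size in bytes)
ALLOC_TABLE = {
    "report.txt": (0, 1, 20),   # 20 live bytes, 44 bytes of slack in cluster 0
    "notes.txt":  (2, 1, 10),   # cluster 1 is unallocated; cluster 2 holds notes.txt
}


def build_image() -> bytes:
    """Build the constructed image: live data, a slack remnant, and an unallocated remnant."""
    img = bytearray(CLUSTER * TOTAL_CLUSTERS)            # zero-filled
    # cluster 0: live contents of report.txt, then leftover bytes of an earlier, larger file
    img[0:CLUSTER] = (b"Quarterly summary OK"
                      + b"DRAFT: merger memo v1 (deleted)".ljust(CLUSTER - 20, b"\x00"))
    # cluster 1: unallocated, still holding the tail of a deleted file
    img[CLUSTER:2 * CLUSTER] = b"email to vendor: ship on Friday".ljust(CLUSTER, b"\x00")
    # cluster 2: live contents of notes.txt, slack is all zeros
    img[2 * CLUSTER:3 * CLUSTER] = b"todo: call".ljust(CLUSTER, b"\x00")
    # cluster 3: unallocated and never written
    return bytes(img)


def read_file(image: bytes, name: str) -> bytes:
    """What the operating system returns: only the logical size of the file."""
    first, _count, size = ALLOC_TABLE[name]
    start = first * CLUSTER
    return image[start:start + size]


def slack_regions(image: bytes) -> dict:
    """Bytes between each file's logical end and the end of its last cluster."""
    out = {}
    for name, (first, count, size) in ALLOC_TABLE.items():
        start = first * CLUSTER + size
        end = (first + count) * CLUSTER
        out[name] = image[start:end]
    return out


def unallocated_regions(image: bytes) -> dict:
    """Clusters not referenced by any allocation table entry."""
    used = {first + i for first, count, _ in ALLOC_TABLE.values() for i in range(count)}
    return {idx: image[idx * CLUSTER:(idx + 1) * CLUSTER]
            for idx in range(TOTAL_CLUSTERS) if idx not in used}


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, the usual first pass over recovered regions."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def latent_report(image: bytes) -> dict:
    """Summarise what can be recovered from slack and unallocated space."""
    return {
        "slack": {name: printable_strings(data) for name, data in slack_regions(image).items()},
        "unallocated": {idx: printable_strings(data) for idx, data in unallocated_regions(image).items()},
    }


if __name__ == "__main__":
    img = build_image()
    print("OS view of report.txt:", read_file(img, "report.txt"))
    print("latent data:", latent_report(img))
```

Reading `report.txt` through the allocation table returns only its 20 live bytes; the report from `latent_report` shows the deleted memo fragment in that file's slack and the deleted e-mail fragment in cluster 1, neither of which the operating system would ever present.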
The importance of computer forensics to a business or a corporation cannot be overstated. For instance, there is often the thinking that simply fortifying the lines of defense with firewalls, routers, etc. will be enough to thwart any Cyber-attack. The security professional knows that this is untrue, given the extremely sophisticated nature of today’s Cyber hacker.
This premise is also untrue from the standpoint of computer forensics. While these specialized pieces of hardware do provide information to a certain degree as to what generally transpired during a Cyber-attack, they very often do not possess that deeper layer of data to provide those clues as to what exactly happened.
This underscores the need for the organization also to implement those security mechanisms (along with hardware above) which can provide these specific pieces of data (examples of this include those security devices which make use of artificial intelligence, machine learning, business analytics, etc.).
Deploying this kind of security model, in which the principles of computer forensics are also adopted, is also referred to as “Defense in Depth.”
By having these specific pieces of data, there is a much greater probability that the evidence presented will be considered admissible in a court of law, thus bringing the perpetrators who launched the Cyber-attack to justice.
Also, by incorporating the tenets of “Defense in Depth,” the business or corporation can more readily come into compliance with federal legislation and mandates (such as HIPAA and Sarbanes-Oxley). These require that all types and kinds of data (even latent data) be archived and stored for audit purposes. If an entity fails any compliance measures, it can face severe financial penalties.
The Steps Involved in Conducting a Computer Forensics Case
Equally important in this regard is maintaining a chain of custody, which details who had custody of the evidence and the latent data over the course of the actual investigation. It is important to note that the steps outlined below are only the general steps which are utilized.
Obviously, the specific sequencing and the activities which encompass them will vary greatly. In fact, it is important to implement a dynamic computer forensics investigation methodology as each Cyber-attack is very different from one another.
This first part ensures that the forensics investigator/examiner and his or her respective team is always prepared to take on an investigation at literally a moment’s notice. This involves:
Making sure that everybody has been trained in the latest computer forensic research techniques;
Being aware of any legal ramifications when it comes time to visit the scene of the Cyber-attack;
Planning ahead as best as possible any unexpected technical/non-technical issues at the victim’s place of business;
Ensuring that all collection and testing equipment are up to speed and ready to go.
At this stage, the computer forensics team receives their instructions about the Cyber-attack they are going to investigate. This involves the following:
The allocation/assignment of roles and resources which will be devoted throughout the course of the entire investigation;
Any known facts, details, or particulars about the Cyber-attack which has just transpired;
The identification of any known risks during the course of the investigation.
This component is divided into two distinct sub phases:
This involves the actual collection of the evidence and the latent data from the computer systems and any other parts of the business or corporation which may also have been impacted by the Cyber-attack. Obviously, there are many tools and techniques which can be used to collect this information, but at a very high level, this sub phase typically involves the identification and securing of the infected devices, as well as conducting any necessary face-to-face interviews with the IT staff of the targeted entity. Typically, this sub phase is conducted on site.
This is the part where the actual physical evidence and any storage devices which are used to capture the latent data are labeled and sealed in tamper resistant bags. These are then transported to the forensics laboratory where they will be examined in much greater detail. As described before, the chain of custody starts to become a critical component at this stage.
This part of the computer forensics investigation is just as important as the previous step. It is here where all of the collected evidence and the latent data are researched in excruciating detail to determine how and where the Cyber-attack originated from, who the perpetrators are, and how this type of incident can be prevented from entering the defense perimeters of the business or corporation in the future. Once again, there are many tools and techniques which can be used at this phase, but the analysis must meet the following criteria:
It must be accurate;
Every step must be documented and recorded;
It must be unbiased and impartial;
As far as possible, it must be completed within the anticipated time frames and the resources which have been allocated to accomplish the various analysis functions and tasks.
The tools and the techniques which were used to conduct the actual analyses must be justifiable by the forensics team.
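The chain of custody introduced earlier, and the requirement that every analysis step be documented, both rest on one mechanism: hash the evidence when it is acquired, re-hash it at every hand-off, and keep a log whose entries cannot be quietly edited afterwards. The following added example (written for this article, not the author's or any tool's code) shows that mechanism in a minimal form. The evidence bytes, case id, handler names and timestamps are constructed placeholders; a real investigation uses forensic imaging tools, a trusted clock and formal custody forms, but the integrity checks are the same.

```python
"""Added example: a minimal tamper-evident chain-of-custody log.

Assumptions (constructed): evidence is an inline byte string; case id,
handlers and timestamps are made-up values. Each log entry carries the
evidence hash as re-computed at that hand-off, plus the hash of the previous
entry, so both evidence substitution and log editing become detectable.
"""
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # constructed ISO-8601 string; use a trusted clock in practice
    handler: str
    action: str           # e.g. "acquired", "transferred", "received", "analysed"
    evidence_hash: str    # hash of the evidence as re-computed at this step
    prev_entry_hash: str  # links this entry to the one before it
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash every field except entry_hash itself, in a canonical JSON form."""
        payload = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(payload, sort_keys=True).encode())


class ChainOfCustody:
    GENESIS = "0" * 64   # previous-hash value for the first entry

    def __init__(self, case_id: str, evidence: bytes):
        self.case_id = case_id
        self.acquisition_hash = sha256_hex(evidence)   # reference value from acquisition
        self.entries = []

    def record(self, timestamp: str, handler: str, action: str, evidence: bytes) -> CustodyEntry:
        """Re-hash the evidence at this hand-off and append a linked entry."""
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(len(self.entries) + 1, timestamp, handler, action,
                             sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def evidence_intact(self) -> bool:
        """True if the evidence hashed the same at every hand-off as at acquisition."""
        return all(e.evidence_hash == self.acquisition_hash for e in self.entries)

    def log_intact(self) -> bool:
        """True if no entry was altered and every link matches its predecessor."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i or e.prev_entry_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def custody_report(self) -> list:
        """Plain records suitable for the findings document or a court exhibit."""
        return [{"seq": e.seq, "time": e.timestamp, "handler": e.handler,
                 "action": e.action, "evidence_sha256": e.evidence_hash}
                for e in self.entries]


# Constructed evidence; a real case would hash a forensic image of the seized device.
EVIDENCE = b"constructed disk image contents for case CASE-0001"


def demo() -> ChainOfCustody:
    """Three clean hand-offs: acquisition on site, transport, receipt at the lab."""
    coc = ChainOfCustody("CASE-0001 (constructed)", EVIDENCE)
    coc.record("2024-01-10T09:00:00Z", "examiner A", "acquired on site", EVIDENCE)
    coc.record("2024-01-10T15:30:00Z", "courier B", "transferred to lab", EVIDENCE)
    coc.record("2024-01-11T08:05:00Z", "examiner C", "received at lab", EVIDENCE)
    return coc


if __name__ == "__main__":
    chain = demo()
    print("evidence intact:", chain.evidence_intact(), "log intact:", chain.log_intact())
    for row in chain.custody_report():
        print(row)
```

Two failure modes are worth checking separately: if the evidence presented at a later hand-off differs from what was acquired, `evidence_intact()` turns false while the log itself is still consistent; if someone edits an earlier log entry after the fact, `log_intact()` turns false because the edited entry no longer matches its recorded hash and the links after it no longer line up.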
Once the analyses have been completed, a summary of the findings is then presented to the IT staff of the entity which was impacted by the Cyber-attack. Probably one of the most important components of this particular document is the recommendations and strategies which should be undertaken to mitigate any future risks from potential Cyber-attacks.
Also, a separate document is composed which presents these same findings to a court of law in which the forensics evidence is being presented.
In summary, the field of computer forensics is a very broad one, and the specifics which go into it can only be defined by the circumstances in which its techniques are being used. This article has examined a specific definition of computer forensics, as well as some of the reasons why it is so important for a business or a corporation to have a complete understanding of what it is all about, and why they need to adopt its principles into their respective security models.
The general steps that are involved in conducting a computer forensics investigation were also reviewed in some detail. However, it is important to note that once a case has been completed and the evidence has been presented to a court of law, and the judicial findings have been ascertained, the implications of the investigation then need to be further examined. This will be examined in the next article, from both a technical and legal perspective.