Computer forensics follows the bread crumbs left by perpetrators

As investigators, these security pros let the clues lead them. See in a few examples how commercial software helps these techies solve the crime.

The boss gets tipped off that an employee might be leaving the company and in so doing is trying to grab as many clients as possible to take with him to his new job. The company brings in computer forensic specialists to look through the employee’s actions online to find the evidence before confronting the employee.

Alfred Demirjian, president and CEO of computer forensic company TechFusion, has seen that and many other scenarios in the 30 years he has been in the business--anything from an employee sabotaging a former company through hijacking an email account to misusing the internet on company time. Commercial software allows his company to dig deep into an employee’s social media postings and texts, or to track them by GPS if they have a company-owned smartphone.

A client might give them a date range and TechFusion can run through the gamut of company emails to see the interactions the employee had with clients.

“Computer forensics will play a greater role in exposing the malicious acts of people. As it continues to advance, it will make it more difficult for people to hide their wrongful acts and easier to have them held responsible,” Demirjian said.

Technology has come a long way since Demirjian got into the business. The industry has advanced from one that utilized the operating system commands to one that is software based, he said. “It is now more important to have experience with the tool being used than the system being worked on.”

He added that the software has improved with greater and broader compatibility and capability. “It is faster and less expensive. This has enabled forensic engineers to perform many more tasks,” he said.

TechFusion has been involved in some high-profile cases, most recently one involving the infamous cell phone of New England Patriots quarterback Tom Brady. When the NFL asked to examine his texts, Brady said he had gotten rid of the phone. Those texts were later found. TechFusion was also tasked with reviewing the surveillance video taken from the late Aaron Hernandez’s house the night Odin Lloyd was murdered.

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information. This involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.


Ryan Kazanciyan, chief security architect at Tanium, said forensics is the process of reconstructing and analyzing digital evidence to determine how a device or system was previously used. At the most basic level, so-called digital evidence can take the form of endpoint-centric data (such as the contents of a hard drive or memory), network-centric data (such as a full packet capture of all network traffic traversing through a specific device or site), or application-centric data (such as logs or other records related to the usage of a program or service).

A forensic investigator's workflow is largely driven by the specific questions that they may be trying to answer. Examples of use-cases that commonly employ forensics include:

  • A law enforcement officer has arrested an individual suspected of domestic terrorism and wants to identify all records of communication, internet activity and data related to prior or planned criminal activity.
  • A breach investigation has identified evidence that an external attacker gained access to a corporate server housing sensitive intellectual property. Analysts wish to determine the initial means of access, whether any data was accessed or stolen, and whether the system was subject to any hostile activity (such as the introduction of malware).

How is it used and how does it work?

Kazanciyan said traditional computer forensics entail utilizing specialized software to make an image of a subject system's hard drives and physical memory, and to automatically parse it into human-recognizable formats. This allows an investigator to examine and search for specific types of files or application data (such as e-mails or web browser history), point-in-time data (such as the running processes or open network connections at the time of evidence acquisition), and remnants of historical activity (such as deleted files or recent activity).

The extent to which deleted data and historical activity may be recoverable depends on a few factors, but it generally degrades over time and in proportion to the volume of activity on a system, he said.

This approach to computer forensics remains suitable for focused, small-scale investigations, but is too time- and resource-intensive for enterprise-scale tasks, such as hunting across thousands of systems in a corporate environment, Kazanciyan said.

“As a result, technologies that facilitate rapid search and analysis of evidence across ‘live’ systems began to flourish in the past decade, and formed the foundation of what's referred to as the endpoint detection and response (EDR) market,” he said. EDR products typically provide some combination of the following capabilities:

  • Continuous recording of key endpoint telemetry - such as executed processes or network connections - to provide a readily-available timeline of activity on a system. This is analogous to a black-box recorder on an airplane, he said. Access to such telemetry alleviates the need to reconstruct historical events via a system's native sources of evidence. It may be less useful in cases where investigation technology is deployed to an environment after a breach has already occurred.
  • Analysis and search of a system's native forensic sources of evidence -- i.e., what's preserved by the operating system on its own during normal system operations. This includes the ability to run quick, targeted searches for files, processes, log entries, artifacts in memory and other evidence across systems at scale. It complements the use of a continuous event recorder and can be used to broaden the scope of an investigation and find additional leads that might not otherwise have been preserved.
  • Alerting and detection. Products can proactively collect and analyze the sources of data cited above, and compare it to structured threat intelligence (such as Indicators of Compromise), rules or other heuristics intended to detect malicious activity.
  • Evidence collection from individual hosts of interest. As investigators identify systems that warrant further inspection, they may conduct "deep-dive" evidence collection and analysis across the entirety of a subject system's historical telemetry (if present and recorded), files on disk and memory. Most organizations prefer to perform remote, triage-level analysis of live systems in lieu of comprehensive forensic imaging wherever possible, he said.

“Much of the innovation in the forensics field is focused on simplifying and automating these processes, ensuring they can be performed even in the largest and most complex networks, and applying them for both proactive attack detection as well as efficient incident response,” he said.

Forensics is vital to incident response

Syncurity’s President and CEO John Jolly said forensics are critically important to the incident response process and are useful for both routine and timely response. For example, in an incident where a company is dealing with a successful phishing attack, forensic processes can be used to establish facts such as who clicked on the link, who was successfully phished/compromised, and what information was actually accessed or taken. 

This helps a security team plan the appropriate response and assess reporting requirements, he said. “For instance the forensic process might help you determine that 10 users clicked, but that the phish was not successful because the malicious domain was already sinkholed (blocked),” Jolly said. 

In the event corporate intellectual property is stolen, either by an insider or by an external attacker, forensics helps establish a specific timeline and sequence of events that can be used by law enforcement to investigate or prosecute the attacker. “In this situation it is important that forensics are conducted in a manner that meets and demonstrates/preserves an evidentiary chain of custody,” he said.

One key element in this phishing scenario is that the company pre-planned the response and forensic processes to a phishing attack and instantiated them in an incident response platform so that they are repeatable, predictable and measurable, Jolly said. 

The process includes appropriate escalations for different scenarios that are driven by who was phished, the value of what was or wasn't taken, and compliance with internal policies and external regulatory requirements, he said. 

“The analysts and security team then simply follow the established playbook, conducting their analysis and simultaneously establishing a forensic record as they complete the response process,” Jolly added. “Companies need predictable and repeatable response because it saves time, money, and lessens the impact of attacks by stopping the inevitable sooner.” 

The companies also benefit from establishing a process and making it auditable - this enables them to measure the process and improve it over time, and also establish to both internal stakeholders and external regulatory authorities that they are using best practices and exercising an appropriate standard of care, he said.

When asked what computer forensics will look like in the future, Demirjian said it will no longer exist in its current form. “It will become much more focused on prevention. It will change in the way data recovery has evolved. Once people started to lose their data, they started using remote back-up to prevent it. The same thing will occur with forensics. Companies will put into place forensic applications so that if something happens, they have the data and the ability to track what happened. They will no longer need to preserve the hardware.”

He said the companies will employ a service that records all actions and functions and simply request a review of the logs. All information will be stored forensically to ensure reliability.

An example of forensics

Tanium provided an example where a network monitoring device issues an alert indicating that a corporate workstation, "Alice," has communicated with the IP address of an internet host associated with an attacker, "Eve."

An investigator first needs to figure out why Alice communicated with Eve's IP address. Is the host infected with malware? If so, how did it get on the system, and what artifacts can be used to find similarly impacted systems? Was Alice used to access other systems or resources, or was the incident contained to a single host? What was Eve's ultimate objective?

If Alice already has an EDR product that provides continuous recorder capabilities, an investigator might first review its telemetry feed and search for Eve's IP address (10.10.10.135). This can identify the context (time, associated process / malware, associated user account) for each connection event.


Analyst performs a deep dive on AlphaPC via Tanium Trace to investigate the IP address belonging to Eve

Next, the analyst can pivot on these findings and conduct timeline analysis to identify the events that preceded the malware's introduction to the host, and malicious activity associated with it (which may be "manually" driven by Eve or fully automated). For example, the investigation might indicate that the malware was introduced to the system through a malicious email that uses a document containing malware. Following the infection, telemetry may have recorded that Eve used the malware to steal the user's credentials and attempt lateral access to other systems within Alice's corporate environment.


The malicious Excel document drops the malware Z4U8K1S8.exe. The attacker then interacts with the system through a command and control session. Tanium Trace records the processes and activity performed by the attacker.

If Alice's system doesn't have an EDR "flight recorder" running, an investigator can still piece together the same sort of timeline summarized above using the system's native sources of evidence. However, this incurs a greater level of effort and higher likelihood of gaps in the timeline.


The analyst will then create IOCs (Indicators of Compromise) from information identified during the investigation

After the incident has been triaged on Alice's system, an investigator likely has numerous artifacts or Indicators of Compromise that describe Eve's tradecraft -- i.e., her tools, tactics, and procedures. These can be used to search forensic evidence and telemetry across the entire enterprise in the hopes of identifying additional systems that the attacker has impacted. This leads to further deep-dive forensic analysis on newly discovered hosts. The process repeats until an investigator feels they have comfortably scoped the incident, understands its root cause and impact, and is prepared to remediate.
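The workflow above (search telemetry for Eve's address, pivot to the process behind the connection, derive indicators, sweep other hosts) can be sketched in a few functions. This is an added example, not Tanium's code or part of the original article; the event schema, the BravoPC and CharliePC hosts, user names, PIDs and timestamps are constructed, and only 10.10.10.135, AlphaPC and Z4U8K1S8.exe come from the article.

```python
# Constructed endpoint telemetry (not real data). Field names are assumptions,
# not the schema of Tanium Trace or any other EDR product.
EVE_IP = "10.10.10.135"  # Eve's address as given in the article

FLEET = {
    "AlphaPC": [
        {"t": "09:01:12", "type": "process", "pid": 410, "ppid": 4, "image": "OUTLOOK.EXE", "user": "alice"},
        {"t": "09:14:03", "type": "process", "pid": 722, "ppid": 410, "image": "EXCEL.EXE", "user": "alice"},
        {"t": "09:14:20", "type": "process", "pid": 951, "ppid": 722, "image": "Z4U8K1S8.exe", "user": "alice"},
        {"t": "09:14:22", "type": "network", "pid": 951, "dst": EVE_IP, "dport": 443},
        {"t": "09:20:45", "type": "network", "pid": 410, "dst": "192.0.2.10", "dport": 993},
    ],
    "BravoPC": [
        {"t": "10:02:31", "type": "process", "pid": 300, "ppid": 4, "image": "svchost.exe", "user": "SYSTEM"},
        {"t": "10:02:40", "type": "process", "pid": 388, "ppid": 300, "image": "Z4U8K1S8.exe", "user": "bob"},
    ],
    "CharliePC": [{"t": "08:30:00", "type": "process", "pid": 120, "ppid": 4, "image": "EXCEL.EXE", "user": "carol"}],
}

def connections_to(events, ip):
    """Step 1: network events that reached the suspect address."""
    return [e for e in events if e["type"] == "network" and e["dst"] == ip]

def ancestry(events, pid):
    """Step 2: walk parent links to see what launched the connecting process."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in procs and pid not in [p["pid"] for p in chain]:  # stop on loops
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return [p["image"] for p in reversed(chain)]

def derive_iocs(events, ip):
    """Step 3: indicators = the address plus every image seen talking to it."""
    procs = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    return {"ips": {ip}, "images": {procs[c["pid"]] for c in connections_to(events, ip) if c["pid"] in procs}}

def sweep(fleet, iocs):
    """Step 4: hosts whose telemetry matches any indicator."""
    return sorted(h for h, evs in fleet.items()
                  if any(e.get("dst") in iocs["ips"] or e.get("image") in iocs["images"] for e in evs))

if __name__ == "__main__":
    alpha = FLEET["AlphaPC"]
    print(ancestry(alpha, connections_to(alpha, EVE_IP)[0]["pid"]))
    print(sweep(FLEET, derive_iocs(alpha, EVE_IP)))
```

A file name is a weak indicator because it is trivially changed; a production sweep would normally match on file hashes and other artifacts as well.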
