The purpose of a digital investigation is to determine the what, when, where, how, who and why of the incident. In a huge environment with a wide and complex infrastructure this stage can be divided into several layers or stages. Typically the phase is split into two steps: data acquisition and data analysis. Going further, the information itself can be considered on different layers. The first is the low-level technical layer, tied to the order of volatility (OOV) concept, which can simply be described as the expected life span of data. It was introduced by Dan Farmer and Wietse Venema in "Forensic Discovery".
Physical data:
Volatile information
Non-volatile information
Volatile data is data that will be overwritten or will vanish due to its nature and the operating system's behaviour. It is found in registers, caches and main memory. Information about network connections and running processes is also volatile, but its expected life span is a little longer than for the contents of main memory: several seconds or minutes. None of this data can be found in a forensic duplication (a disk image), which is why it has to be collected first, from the live machine, in order of volatility. Non-volatile information is retained on storage even when the machine is not powered.
The second layer is incident information: everything relevant that we collect from the person or system that raised the alarm.
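As an added example (mine, not part of the original post), here is a small Linux live-response collector that follows the order of volatility: it copies the TCP/UDP connection tables, the ARP cache and the routing table before the slower-changing artifacts, hashes each copy and records the collection time in a manifest. It reads /proc directly, so it does not depend on netstat or ss being installed. The artifact list, the output layout and the /proc/net/tcp sample at the bottom are my own choices, constructed for illustration.

```python
"""Order-of-volatility live collection on Linux (added example, not the
post's code). Reads /proc directly; artifact list and file names are
assumptions made for illustration."""
import hashlib
import json
import os
import socket
import struct
import time

# Shortest expected life span first. Registers and caches need a memory
# image and are out of scope for a file-based collector like this one.
VOLATILE_ARTIFACTS = [
    ("net_tcp", "/proc/net/tcp"),      # live connections: seconds
    ("net_udp", "/proc/net/udp"),
    ("arp", "/proc/net/arp"),          # neighbour cache: minutes
    ("route", "/proc/net/route"),
    ("loadavg", "/proc/loadavg"),      # running/total tasks, last PID
    ("mounts", "/proc/mounts"),
    ("uptime", "/proc/uptime"),
]

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _hex_addr(field):
    """'0100007F:0050' (host-order hex IPv4, hex port) -> ('127.0.0.1', 80)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # x86: little-endian
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn raw /proc/net/tcp content into readable connection records."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = _hex_addr(fields[1])
        remote_ip, remote_port = _hex_addr(fields[2])
        conns.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),            # ties the socket to a process via /proc/*/fd
        })
    return conns


def collect_volatile(out_dir, artifacts=VOLATILE_ARTIFACTS):
    """Copy each artifact in OOV order, hashing it and noting when it was
    taken so the copies can be verified later. Missing artifacts are
    recorded in the manifest rather than aborting the collection."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for name, path in artifacts:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError as exc:
            manifest.append({"artifact": name, "source": path, "error": str(exc)})
            continue
        dest = os.path.join(out_dir, name + ".txt")
        with open(dest, "wb") as fh:
            fh.write(data)
        manifest.append({
            "artifact": name, "source": path, "file": dest,
            "sha256": hashlib.sha256(data).hexdigest(),
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        })
    with open(os.path.join(out_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


# Constructed /proc/net/tcp sample: a local MySQL listener and one outbound
# HTTPS connection owned by uid 1000 (addresses from documentation ranges).
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:B4E2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)

if __name__ == "__main__":
    for conn in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(conn)
    for entry in collect_volatile("./volatile-" + str(int(time.time()))):
        print(entry)
```

Run it as root on the suspected host and point the output at removable media or a network share, not the local disk: writing to the local file system during live response overwrites unallocated space that a later forensic duplication might have recovered.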
Incident information:
Technical data
Non-technical data
Let us start with the second one. Non-technical (or other) data is information taken from interviewed owners, administrators or simply witnesses involved somehow in the incident. This can be any reports, files, documentation or filled-in forms (the initial response form).
The technical data:
Host-based evidence (HBE below)
Network-based evidence (NBE below)
Host-based evidence
This is simply the collection of information gathered in the live incident response process. Memory imaging (and disk imaging) can also be counted as a subtype of live response. I will come back to the live incident response process later. Host-based evidence is the set of logs, documents, files, records, network connections, routing tables, lists of processes, loaded libraries and so on: everything that can be obtained from the machine itself rather than from the network nodes around it.
There are several ways of HBE acquisition:
a) Live Response
b) Forensic Duplication
According to "Incident Response and Computer Forensics" by Chris Prosise, Kevin Mandia and Matt Pepe there are three types of live response:
Initial
o Take volatile data.
o Possibly acquire a forensic duplication.
In-depth
o Obtain volatile and non-volatile data.
o After scrutinizing it all, a response strategy can be chosen.
Full
o Obviously, we acquire everything from the suspected host/workstation.
The problem of cyber-crime and intrusion detection is constantly growing. There are thousands of possible threats and types of attack. At the same time security and its incident response process are evolving.
After the initial information is presented, the CSIRT chooses the "right" steps. The types have been listed above, but a hybrid method is always another option: we look for a clue, then either follow the trail or choose to acquire a memory dump and examine the evidence later.
Forensic duplication is obtained when we need to analyze what was going on on the victim/suspected machine: which files have been removed or hidden, and basically all the information that can be taken from the file system.
I present methods of Windows data acquisition in another article.
Network-based evidence
What needs to be remembered is that incident response starts when the standard or automatic security controls fail. We have tons of network/security appliances in our companies and tons of false-positive alerts, and very often a sophisticated piece of malware or an attack gets through and shows where the security gap is.
NBE is the information gathered (or that can be gathered reactively) from network nodes such as routers, DNS servers, taps, hubs etc. It is all the packets that can be captured by any network device supporting standard capture formats: everything that can be found in network traffic. It allows us to confirm whether an incident occurred or not. In other words this type of data is complementary to the information obtained from live response, and sometimes it is the only data available.
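The complementary relationship between HBE and NBE can be shown in code. The following added example (mine, not the post's) reconciles the connection table obtained during live response with a packet capture taken from a tap or span port: connections seen in both places are confirmed, and flows involving the host that its own connection table never showed are flagged for follow-up (a connection that ended before live response, or one hidden from the host by a rootkit). The libpcap parser handles only Ethernet/IPv4/TCP; the capture is built inline from constructed frames with zeroed MACs and checksums, and the addresses come from documentation ranges.

```python
"""Reconcile host-based evidence (a live-response connection table) with
network-based evidence (a libpcap capture). Added example, not the post's
code; the capture is constructed inline with zero checksums."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # libpcap magic as seen from a little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic, big-endian writer
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def parse_pcap_tcp(data):
    """Yield (ts, src_ip, sport, dst_ip, dport, tcp_flags) for every
    Ethernet/IPv4/TCP packet in a classic libpcap file; skip everything else."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24                                     # end of the global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        pkt = data[offset:offset + incl_len]
        offset += incl_len
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_P_IP:
            continue                                # not IPv4 over Ethernet
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield ts_sec + ts_usec / 1e6, src, sport, dst, dport, ip[ihl + 13]


def reconcile(host_ip, host_conns, packets):
    """host_conns: (local_ip, local_port, remote_ip, remote_port) tuples from the
    live-response connection table. Returns (confirmed, wire_only): flows seen
    in both sources, and flows of this host that the host itself did not report."""
    on_host = set(host_conns)
    on_wire = set()
    for _ts, src, sport, dst, dport, _flags in packets:
        if src == host_ip:
            on_wire.add((src, sport, dst, dport))
        elif dst == host_ip:
            on_wire.add((dst, dport, src, sport))   # normalise to the host's view
    return on_host & on_wire, on_wire - on_host


# --- constructed sample data, not a real capture ----------------------------
def _tcp_frame(src, sport, dst, dport, flags=0x18):
    """Minimal Ethernet/IPv4/TCP frame; MACs and checksums are zero."""
    eth = bytes(12) + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames, ts0=1700000000):
    """Wrap frames in a little-endian libpcap file, one second apart."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


HOST_IP = "10.0.2.15"
# what the host's connection table showed during live response (constructed)
HOST_CONNECTIONS = {(HOST_IP, 46306, "203.0.113.5", 443)}
SAMPLE_FRAMES = [
    _tcp_frame(HOST_IP, 46306, "203.0.113.5", 443),       # also in the host table
    _tcp_frame("203.0.113.5", 443, HOST_IP, 46306),       # reply direction, same flow
    _tcp_frame(HOST_IP, 51000, "198.51.100.7", 4444),     # absent from the host table
    _tcp_frame("192.0.2.1", 22, "192.0.2.2", 40000),      # unrelated hosts, ignored
]


def demo():
    packets = list(parse_pcap_tcp(build_pcap(SAMPLE_FRAMES)))
    return reconcile(HOST_IP, HOST_CONNECTIONS, packets)


if __name__ == "__main__":
    confirmed, wire_only = demo()
    print("confirmed by NBE:", confirmed)
    print("on the wire but not in the host table:", wire_only)
```

A flow in the second set is not proof of compromise by itself; short-lived connections routinely finish before the responder runs the collection. It is, however, exactly the kind of clue that decides whether to stop at an initial live response or go on to a memory dump and forensic duplication.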