• Digital Forensics Investigations

  • Digital forensics investigations are critical to solving cases such as intellectual property theft and computer incidents. Digital forensics and e-discovery include analyzing computers, servers, mobile devices, logs, network traffic, and, in some cases, surveillance video.

    Digital forensics investigation approaches vary depending on the type of case you are investigating. For example, suppose we are investigating an intellectual property case where company data was stolen.

    Forensics Tells a Story

    Digital Forensics Time Line

    The questions we need to answer are:

    • Was the data copied to a removable drive?
    • Was the data uploaded to a cloud storage service?
    • Was the data sent over email?
    • Was the data printed out and taken from the office?

    We will answer these questions by performing digital forensics, or e-discovery on various devices that the suspected individual had access to.

    In a Microsoft Windows environment, digital forensics will reveal whether USB drives were inserted into the system and provide the serial number of each drive.
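The USB evidence referred to above lives in the Windows registry under the USBSTOR key, where each attached storage device leaves a subkey named after its vendor, product and revision, with the device serial number as the instance key beneath it. The parser below is an added example, not code from this page or from any forensics vendor: it reads a `reg export` of that key and lists the devices, flagging instance IDs that Windows generated itself (second character `&`) because the device reported no serial number. The registry text is constructed for the example; the key layout and the `FriendlyName` value are the standard Windows ones.

```python
"""List USB storage devices from a `reg export` of the USBSTOR key.

Added example (not the page's or any vendor's code). The export text below is
constructed; the key layout
SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<instance>
is the standard Windows one.
"""
import re

# Constructed sample resembling the output of:
#   reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230612345678&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# Matches only the per-device instance keys, not the root or device-family keys.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\\]]*)"
    r"\\(?P<instance>[^\]]+)\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_usbstor_export(text):
    """Return one dict per USB storage device found in the export text."""
    devices = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            instance = m.group("instance")
            # Windows synthesises an instance ID with '&' in position two when
            # the device exposes no serial number, so such IDs identify the
            # port/enumeration, not the physical drive.
            generated = len(instance) > 1 and instance[1] == "&"
            current = {
                "vendor": m.group("vendor"),
                "product": m.group("product").replace("_", " "),
                "revision": m.group("rev"),
                "instance_id": instance,
                "serial": None if generated else instance.rsplit("&", 1)[0],
                "windows_generated_id": generated,
                "friendly_name": None,
            }
            devices.append(current)
        elif line.startswith("["):
            current = None  # a key we do not care about (root or family key)
        elif current is not None:
            v = VALUE_RE.match(line)
            if v and v.group("name") == "FriendlyName":
                current["friendly_name"] = v.group("value")
    return devices


def report_lines(devices):
    """Human-readable summary lines, one per device."""
    out = []
    for d in devices:
        serial = d["serial"] or f"(no serial; Windows ID {d['instance_id']})"
        out.append(f"{d['vendor']} {d['product']} rev {d['revision']}: {serial}")
    return out


if __name__ == "__main__":
    for line in report_lines(parse_usbstor_export(SAMPLE_REG_EXPORT)):
        print(line)
```

The export itself carries no timestamps: the instance key's last-write time and the entries in `setupapi.dev.log` are where first and last connection times come from, and those are pulled from the disk image separately and placed on the timeline alongside the serial numbers found here.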

    The browser history can reveal the time and date of any cloud storage sites that were accessed. In cases where the browsing history has been deleted, we can attempt to recover the deleted data. If the data is not recoverable, we can cross-reference Internet access with firewall logs if they are available.

    Email forensics will determine whether the data in question was transferred that way. Email clients track senders and recipients, which are easy to view. Email servers might also contain transaction logs that can reveal attachments and recipients as well.

    Printer forensics is challenging because most organizations don’t log print jobs. In this case we use digital forensics to look at most recently used documents, opened/saved documents, recent file history, shellbags, and .lnk files.

    We have seen a shift with printer logging around Oklahoma City with organizations that outsource their printer maintenance. The company maintaining the printers will often track print jobs and take a volume-based approach to billing for their services.

    Digital Forensic Investigations and Incident Response


    Digital forensics investigations aren’t limited to intellectual property cases; incident response also requires forensics to determine what happened and what’s affected.

    During incident response we use digital forensics to look at items such as:

    • Firewall logs
    • Email logs
    • IPS/IDPS logs
    • Anti-malware logs
    • Running processes
    • Registry hives
    • Memory dumps
    • File opening activity
    • Network traffic

    Once all these logs (and other logs) are aggregated, we start to build a timeline of activity back to the start of the incident.

    For example, from a recent digital forensics investigation in Oklahoma City, the logs revealed how a ransomware incident took place:

    An end user was sent a phishing email, clicked on the link, and downloaded the linked malware. Once the malware was on the system, the user clicked on the executable file and the installation process started.

    After the malware was installed, the next step was to open a connection back to the attackers and give them access to their victim’s machine. The attackers had network access at that point.

    Once the attackers had network access, they started looking for other machines on the network to compromise and encrypt for a ransom.
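Building the timeline that tells a story like the one above means normalizing timestamps from sources that each use their own format and time zone, then sorting and looking at what happened around a pivot event. The script below is an added example, not code from this page or from any investigation: it merges constructed firewall, mail-server and Windows process-creation log lines (placeholder hosts and addresses) into one UTC-ordered timeline and pulls the events that fall within a window of a chosen event. The local time zone is assumed to be US Central Standard Time (UTC-6); the log formats are constructed to resemble typical ones and would be adapted to the real sources.

```python
"""Merge log lines from several sources into one UTC-ordered timeline.

Added example, not the page's or any vendor's code. The log lines, hosts and
addresses are constructed; the formats resemble a firewall syslog feed, a
mail-server log and a CSV export of Windows process-creation events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: mail and Windows logs are stamped in local time and the site is
# in US Central Standard Time (UTC-6). Set this to the real environment's zone.
LOCAL_TZ = timezone(timedelta(hours=-6))

# Constructed sample lines. Firewall stamps are already UTC ('Z'); the other
# two are local time, and the syslog line carries no year at all.
FIREWALL_LOG = """\
2024-03-04T15:01:20Z fw01 action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp
2024-03-04T15:09:40Z fw01 action=allow src=10.0.5.23 dst=203.0.113.9 dport=8443 proto=tcp
2024-03-04T15:31:05Z fw01 action=allow src=10.0.5.23 dst=10.0.5.40 dport=445 proto=tcp
"""
MAIL_LOG = """\
Mar  4 08:58:02 mx01 postfix/smtpd: from=<billing@example.invalid> to=<user@corp.example> subject="Invoice overdue"
"""
PROCESS_LOG = """\
03/04/2024 09:01:47 AM,WS-023,4688,New Process: C:\\Users\\user\\Downloads\\invoice.exe
"""


@dataclass(order=True)
class Event:
    ts: datetime      # always timezone-aware UTC so events sort correctly
    source: str
    summary: str


def parse_firewall(text):
    """ISO-8601 stamps with a trailing 'Z': already UTC."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        stamp, rest = line.split(" ", 1)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, "firewall", rest))
    return events


def parse_mail(text, year):
    """Classic syslog stamps carry neither year nor zone: supply both."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        parts = line.split()
        stamp = " ".join(parts[:3])  # e.g. 'Mar 4 08:58:02'
        local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        events.append(Event(local.astimezone(timezone.utc), "mail", " ".join(parts[3:])))
    return events


def parse_process(text):
    """CSV export: local 12-hour stamp, host, event ID, detail."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        stamp, host, event_id, detail = line.split(",", 3)
        local = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=LOCAL_TZ)
        events.append(Event(local.astimezone(timezone.utc), "process", f"{host} event {event_id}: {detail}"))
    return events


def build_timeline(firewall, mail, process, year):
    """All sources normalized to UTC and sorted oldest first."""
    return sorted(parse_firewall(firewall) + parse_mail(mail, year) + parse_process(process))


def events_near(timeline, pivot, window):
    """Events within +/- window of a pivot time, e.g. around a process launch."""
    return [e for e in timeline if abs(e.ts - pivot) <= window]


def render(timeline):
    """One printable line per event, in UTC."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z  {e.source:<8} {e.summary}" for e in timeline]


if __name__ == "__main__":
    timeline = build_timeline(FIREWALL_LOG, MAIL_LOG, PROCESS_LOG, year=2024)
    for line in render(timeline):
        print(line)
    launch = next(e for e in timeline if e.source == "process")
    print("--- within 10 minutes of the process launch ---")
    for line in render(events_near(timeline, launch.ts, timedelta(minutes=10))):
        print(line)
```

Ordering only works once every source is in the same zone, which is why each parser converts to UTC before the list is sorted; a mail line stamped 08:58 local lands before a firewall line stamped 15:01Z only because the zone offset was applied. The window query is what lets an analyst start from a single known-bad event and read outward in both directions, which is the practical way a timeline is worked back to the start of an incident.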

    During our digital forensics investigations we encounter this basic approach in a lot of our cases around Oklahoma. If the appropriate logging and monitoring is enabled, we can use forensics to determine what happened. In cases where there’s very little logging or monitoring, it can be impossible to determine what happened.

    Logging and Monitoring


    The success of digital forensics rests on the amount of logging and monitoring available in your environment. Without the appropriate logs we can’t tell a complete story about what happened.

    Without the appropriate monitoring, you don’t know when it started happening or how long it’s been happening. The longer attackers go undetected, the better they are able to cover their tracks.

    Log retention is also a consideration. A 6-month time frame is a good start for log retention. Your logs should be stored off-site if possible, or on a heavily restricted system used specifically for log storage. This approach helps ensure an attacker cannot delete logs to cover their tracks.

    At many of the information security conferences we present at around Oklahoma City, we discuss the best approach to incident response using the PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), and how preparation is the key to a successful digital forensics investigation.

    Digital Forensics Investigations Cost


    The cost of a digital forensics investigation depends on the type of case. An intellectual property case where we are looking for access to certain files on a limited number of systems is usually below $5,000.

    When it comes to incident response cases, the cost can vary widely depending on the number of systems affected and the amount of logging and available logs in the environment.

    The cost is estimated on a case-by-case basis for each incident. You can also incur additional costs for time spent testifying in court, or for a lack of available logs that provide value to the investigation.