Many different sciences are grounded in the fact that certain information will never change. For instance, gravity never changes, water molecules can be a liquid, a solid, and a gas, and DNA can help match identity in human beings. In digital forensics this is different, because the medium investigators work in is technology, and technology changes all the time. Keeping up with the latest technological advances and their data sources, the common places to get specific information, can be the difference between winning and losing a case. Where to look, and in which order, changes with the type of investigation that a digital forensic investigator is working on. We will look at the collection and examination of data sources for the more common types of investigation that have been seen.
Network intrusions are a continual problem and will be for some time. There won't be a shortage of network intrusion investigations anytime soon. (Fung, 2013) says, “The Pentagon reports getting 10 million attempts a day,” which is a scary and incredible statistic on its own. But this isn't just at the government agency level. BP, the energy company, has been experiencing 50,000 cyber intrusion attempts per day (Fung, 2013). A recent report from Verizon shows not only that network intrusions are steadily increasing, but that the time to compromise is decreasing (Verizon, 2016, p. xx). This puts a large amount of pressure on the digital forensics community to shorten their time to discovery.
Some of the different types of data that need to be collected in a network intrusion investigation are:
- IDS and firewall logs
- HTTP, FTP, SMTP logs
- Network application logs
- Backtracking transmissions over TCP connections
- Artifacts and remnants of network traffic on the hard drives of seized systems
- Live traffic captured by a packet sniffer
- Individual systems' ARP tables and SNMP messages
Collecting data from these areas is more challenging than collecting data from other parts of a system. The data obtained will differ from investigation to investigation, but the object is to find some type of consistency across network intrusion investigations. Many network intrusion investigations deal with network state. Discovering the network state allows forensic experts to find possible entry points. One of the first things that needs to be done is painting a picture of the network configuration: knowing the blueprint of externally facing applications and APIs. A beneficial capability in this scenario is the ability to create an accurate timeline of events. So the number one priority of this investigation is obtaining system and application logs, which allow a forensic expert to formulate a timeline. In Table 1 we can see that there are numerous types of data sources to pull data from. However, the internal network and system logs, which include firewall, IDS, and Active Directory logs, prove to be the most viable data sources for this specific type of investigation. There is also a very high probability of collection, since most of the information is obtained by taking a snapshot of the logs from a cooperative network administrator.
Table 1. Shows the different data sources in a network intrusion investigation
In a network intrusion investigation, a forensic expert wants visibility at the packet level, both inbound and outbound. The data sources are prioritized as follows:
- Internal network system logs
- ISP service logs
- Computer and/or server hard drives
Examining the data that was found is a separate story. Internal logs will contain the information that a forensic expert needs to build the important event timeline; however, there could be a large amount of data to examine. Tools like EnCase make this slightly easier for the forensic expert. This is where IDS systems play a huge role. Intrusion Detection Systems can capture anomaly-based events or statistics-based events, which are flagged by an alert. Focusing on the alerts that were raised can give a great starting point in the examination of a network intrusion investigation. This is not the end-all data source to look at in a network intrusion investigation; in fact, many things could change the type of data that a forensic expert gets back. (Forensic Mag, 2013) says “any number of activities or events might influence or affect the collected data in unknown ways, including TCP relaying, proxy servers, complex packet routing, Web and e-mail anonymizers, Internet Protocol (IP) address or e-mail spoofing, compromised third party systems, session hijacking and other person-in-the-middle attacks, and domain name system (DNS) poisoning.” Also, in a sophisticated network intrusion, logs have the potential to be deleted or cleared. Even so, the examination of the internal network logs is invaluable in this type of investigation.
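The timeline-building and alert-pivoting approach described above, as an added example that is not part of the paper: it merges constructed firewall, IDS and Active Directory log lines (the hosts, addresses, formats and IDS signature are all assumed) into one UTC timeline and then lists what the other sources logged around each IDS alert.

```python
"""Added example (not from the paper): merge constructed firewall, IDS and Active
Directory log lines into one UTC timeline, then pivot on the IDS alerts."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines; hosts, addresses and the IDS signature are made up.
FIREWALL_LOG = """\
2016-11-02T03:14:05Z fw01 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22
2016-11-02T03:14:09Z fw01 ACCEPT TCP 203.0.113.7:51240 -> 10.0.0.5:443
"""
IDS_LOG = """\
11/02-03:14:11.000000 [**] [1:1000001:1] CONSTRUCTED probe signature [**] 203.0.113.7 -> 10.0.0.5
"""
AD_LOG = """\
2016-11-02 03:16:40,4624,svc_backup,10.0.0.5,LogonType=10
2016-11-02 05:00:01,4624,jsmith,10.0.0.9,LogonType=2
"""
IDS_RE = re.compile(r"(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+ \[\*\*\] \[[^\]]+\] (.*?) \[\*\*\] (\S+) -> (\S+)")

def parse_firewall(text):
    events = []
    for line in text.splitlines():  # ISO-8601 with a Z suffix: already UTC
        ts, _host, action, proto, src, _arrow, dst = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((t, "firewall", f"{action} {proto} {src} -> {dst}"))
    return events

def parse_ids(text, year):
    """Snort-like fast-alert shape: the line carries no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        mo, d, h, mi, s, msg, src, dst = IDS_RE.match(line).groups()
        t = datetime(year, int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
        events.append((t, "ids", f"{msg} {src} -> {dst}"))
    return events

def parse_ad(text):
    """CSV export of logon events, assumed exported in UTC (verify the host time zone first)."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, host, extra = line.split(",")
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((t, "ad", f"event {event_id} {user}@{host} {extra}"))
    return events

def build_timeline(*sources):
    """One chronologically sorted list of (time, source, description)."""
    return sorted(e for src in sources for e in src)

def pivot_on_alerts(timeline, window=timedelta(minutes=5)):
    """For each IDS alert, collect what the other sources logged within +/- window."""
    alerts = [e for e in timeline if e[1] == "ids"]
    return [(a, [e for e in timeline if e[1] != "ids" and abs(e[0] - a[0]) <= window])
            for a in alerts]
```

Real exports rarely share one time zone; the registry time zone information the paper mentions later is what tells the examiner how to normalize a local-time log before merging it.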
ISP server logs are also a great data source, primarily because they can give a general location of where the network intrusion came from, ultimately leading to an arrest. This session data can be obtained with a warrant for a specific customer, which gives a forensic expert all the pertinent data that an ISP has for a specific investigation (Forensic Mag, 2013).
Malware intrusion investigations include, but are not limited to, worms, Trojans, botnets, rootkits and ransomware. Malware is a huge problem in the United States and abroad. (Panda Labs, 2016) says, “18 million new malware samples were captured in this quarter alone, an average of 200,000 each day,” as seen below in Figure 1. The most unbelievable part of this statistic is that it is based on just one quarter. Malware investigations are on the rise. Understanding how malware enters a computer and how it communicates gives the forensic expert a huge advantage in locating the exact places to look on a compromised system, which in turn increases the efficiency of the investigation.
Figure 1. Malware identified over the years.
Malware investigations, unlike network intrusion investigations, predominantly look at the malware itself. Understanding how the malware was introduced may lead to a conviction. Understanding the level of complexity, damage and data leakage will come from the hard drive of the infected computer or server itself and, more importantly, from RAM. As a matter of fact, (SANS Digital Forensics and Incident Response Blog, 2016) says “Investigators who do not look at volatile memory are leaving evidence at the crime scene.” Much like the data collected for the network intrusion investigation, forensic experts need a basic understanding of what the operating system considers normal behavior. For this, golden images and IDS solutions may help identify normal behavior. But volatile memory (RAM) will be the number one data source for this type of investigation. (SANS Digital Forensics and Incident Response Blog, 2016) continues by saying “It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.”
Table 2. Depicts the order of data sources in a Malware installation investigation.
The examination of the volatile memory on the compromised computer or server will yield user actions, as well as evil processes and furtive behaviors implemented by malicious code (SANS Digital Forensics and Incident Response Blog, 2016). While RAM would be the top data source a forensic expert looks at, the Registry, if this is a Windows machine, would also be of interest. Time zone information, audit policy, wireless SSIDs, locations of auto-start programs, user activities and mounted devices can all be obtained from the Windows registry (Nelson, Phillips, & Steuart, 2010, p. xx), as demonstrated in Figure 2 below. In Figure 3 there is USB device information that can be obtained from the registry. This would all be valuable information when studying whether the malware moved from computer to computer on the internal network and how it behaves in general. Studying network logs to see if the malware is communicating with an external server would be another data source to examine. The prioritized list of data sources for the malware installation investigation is as follows:
- Computer / server hard drive
- Internal network system logs
- ISP server logs
Figure 3. Depicts a registry value recording a USB device that was plugged into the computer
Figure 4. Shows the created date and last access date of a wireless network
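Decoding the two registry artifacts shown in Figures 3 and 4, as an added example that is not part of the paper. It assumes the usual locations (wireless profiles under the NetworkList\Profiles key, where DateCreated and DateLastConnected are stored as 16-byte SYSTEMTIME blobs, and USB history under the USBSTOR key) and works on constructed values rather than a live hive.

```python
"""Added example (not from the paper): decode two Windows registry artifacts the
text describes, from constructed values rather than a live hive. Assumed layout:
wireless profiles under SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\{GUID}
store DateCreated / DateLastConnected as a 16-byte SYSTEMTIME blob; USB history
lives under SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\<device key>\\<instance id>."""
import struct
from datetime import datetime

def decode_systemtime(blob: bytes) -> datetime:
    """SYSTEMTIME: eight little-endian uint16 fields (year, month, day-of-week,
    day, hour, minute, second, millisecond). The value is machine-local time;
    pair it with the TimeZoneInformation key before placing it on a timeline."""
    if len(blob) != 16:
        raise ValueError("SYSTEMTIME blob must be exactly 16 bytes")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def parse_usbstor_key(device_key: str, instance_id: str) -> dict:
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' into fields. An instance id whose second
    character is '&' was generated by Windows because the device reported no
    serial number, so it cannot be used to match the same stick across hosts."""
    parts = device_key.split("&")
    fields = {}
    for part in parts[1:]:
        name, _, value = part.partition("_")
        fields[name] = value
    return {
        "type": parts[0],
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "serial": instance_id,
        "serial_is_device": len(instance_id) > 1 and instance_id[1] != "&",
    }

# Constructed sample: DateCreated blob for 2016-11-02 03:14:05.000 (day-of-week 3 = Wednesday)
SAMPLE_DATE_CREATED = struct.pack("<8H", 2016, 11, 3, 2, 3, 14, 5, 0)
```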
One of the biggest threats to a business is the insider threat. Insiders include anyone authorized beyond the authority of the public. (Cohen, 2012, p. xx) says, “Specifically, 76% of disloyal insiders were identified after being caught to have taken steps to conceal their identities, actions, or both, 60% compromised another user’s account to carry out their acts, and 88% involved either modification or deletion of information.” This includes a disgruntled employee who has possibly turned, or a hired employee planted in the company working on behalf of another company. One of the main reasons this is such a difficult threat to detect is that the employee is given regular access to the company’s network, which allows them to know where sensitive data is kept.
In an insider deletion investigation, access to the offender’s computer hard drive is a great first step. Collecting it will more than likely show nothing, since the insider would more than likely try to cover his or her tracks. But the person’s hard drive gives a forensic expert the ability to see whether more devices need to be considered in the investigation, such as removable devices and remote storage. In the event of file deletion, access to the computers that the data was deleted from can reveal which account deleted the file. (Cohen, 2012, p. xx) continues by saying, “While it is possible that an insider might use known malicious attack methods typically detected by intrusion detection methodologies and system, doing things that trigger such systems is rarely if ever necessary for an authorized insider.” So, while the network and system logs still might prove useful, this would be very difficult to identify.
Figure 4. Shows Active Directory information for a user and his/her last login.
The data gained from the registry on the insider’s computer hard drive would be the best starting point here, allowing a forensic expert to gauge a sense of normal computer usage and see whether there are any anomalies. Using the data from the network’s Active Directory, which controls the user accounts for the entire company, would allow forensic experts to pinpoint the account that was used in the deletion. In an examination, combining physical sensors, key card access, and account access from system logs proves invaluable. Figure 4 above shows useful information that can be obtained from Active Directory as well. Examiners combine this data to understand consistencies and inconsistencies. This could also give a forensic expert an approximate time of when this happened, allowing the examiner to build a potential timeline for the investigation. As seen below in Table 3, the starting point would be the compromised files on the hard drive of the given computer or server.
Table 3. Data sources ranking in an insider deletion investigation
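The cross-source consistency check described above (key card access, Active Directory logons and the file-server deletion record), as an added example that is not part of the paper. All badge readers, accounts, hosts, paths and record formats are constructed; a deletion is flagged when the badge data shows the account owner off-site or when no logon for that account precedes it on the deleting host.

```python
"""Added example (not from the paper): cross-check constructed badge-reader, Active
Directory logon and file-server deletion records for an insider deletion case,
flagging deletions that do not line up with the account owner's physical presence
or with a logon on the deleting host. All users, hosts and paths are made up."""
from datetime import datetime

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed door-reader records: (time, user, direction)
BADGE = [
    (ts("2016-11-02 07:55"), "agarcia", "in"),
    (ts("2016-11-02 08:02"), "jsmith", "in"),
    (ts("2016-11-02 17:31"), "jsmith", "out"),
]
# Constructed Active Directory logon events: (time, account, host)
LOGONS = [
    (ts("2016-11-02 08:05"), "jsmith", "WS-042"),
    (ts("2016-11-02 19:10"), "jsmith", "WS-017"),
]
# Constructed file-server audit records: (time, account, host, path)
DELETIONS = [
    (ts("2016-11-02 10:40"), "jsmith", "WS-042", r"\\files\finance\q3.xlsx"),
    (ts("2016-11-02 19:12"), "jsmith", "WS-017", r"\\files\finance\budget.xlsx"),
]

def on_site(user, when):
    """True when the user's most recent badge event before 'when' was an entry."""
    prior = [(t, d) for t, u, d in BADGE if u == user and t <= when]
    return bool(prior) and max(prior)[1] == "in"

def last_logon_host(account, when):
    """Host of the account's most recent logon before 'when', or None."""
    prior = [(t, h) for t, a, h in LOGONS if a == account and t <= when]
    return max(prior)[1] if prior else None

def check_deletions():
    """One finding per deletion; an empty 'flags' list means the sources agree."""
    findings = []
    for when, account, host, path in DELETIONS:
        flags = []
        if not on_site(account, when):
            flags.append("account used while badge records show the owner off-site")
        if last_logon_host(account, when) != host:
            flags.append("no preceding logon for this account on the deleting host")
        findings.append({"when": when, "account": account, "host": host,
                         "path": path, "flags": flags})
    return findings
```

In the constructed data the second deletion is flagged: the account logged on and deleted a file after its owner badged out, which is the account-compromise pattern the Cohen figures above describe.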
As we can see, there are many different areas where a forensic expert can look for data, and as technology continues to advance, their number will grow. The time it takes to compromise a system and the time it takes to discover the compromise are still very far apart. This leads to the ultimate consensus in my findings: to be the forensic investigator on any one of these investigations, one would have to look everywhere. Having a general understanding of the crime does help in many scenarios, but not all. When certain security measures aren’t put into place there is little an examination can do, specifically in the insider threat scenario. The forensic examination is only as good as the carelessness of the insider and the security that was in place at the time. Having general guidelines, a clear understanding of the investigation, and a priority list of known data sources can go a very long way.
National Institute of Justice (U.S.). (2004). Forensic examination of digital evidence: A guide for law enforcement (Special report 199408). Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
National Institute of Justice (U.S.). (2007). Investigations involving the internet and computer networks (Report). Retrieved from https://www.ncjrs.gov/pdffiles1/nij/210798.pdf
SANS Digital Forensics and Incident Response Blog. (2016, October 29). Malware can hide, but it must run. Retrieved from https://digital-forensics.sans.org/blog/2016/10/29/malware-can-hide-but-it-must-run/
Cohen, F. (2012). Forensic methods for detecting insider turning behaviors. 2012 IEEE Symposium on Security and Privacy Workshops. doi:10.1109/spw.2012.21
Forensic Mag. (2013, May 28). The case for teaching network protocols to computer forensics examiners: part 1. Retrieved from http://www.forensicmag.com/article/2013/05/case-teaching-network-protocols-computer-forensics-examiners-part-1
Fung, B. (2013, March 8). How many cyberattacks hit the United States last year? Retrieved from http://www.nextgov.com/cybersecurity/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775/
Panda Labs. (2016, October 20). Cybercrime reaches new heights in the third quarter. Retrieved from http://www.pandasecurity.com/mediacenter/pandalabs/pandalabs-q3/
Shephard, D. (2015, March 16). 84 fascinating & scary IT security statistics. Retrieved from https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/
Verizon. (2016). 2016 data breach investigations report. Author.