DIGITAL FORENSICS
This blog describes how digital forensic techniques and tools enable defenders to detect cyberattacks and identify defensive approaches that prevent similar attacks in the future.
Cyber attackers are interested in compromising an organization’s systems. Digital forensic approaches, techniques and tools give security defenders a way to detect and mitigate the attackers’ malicious intent and to collect any traces the attack has left behind. These traces let the defenders identify how the attackers found a path into the organization’s systems and for how long they had been implanting malicious code into the compromised systems. Based on the traces, the defenders can estimate the amount of damage the attackers have caused to the organization. The defenders also use the traces to review the security policies and rules already applied in the organization and to improve the line of defence against the attackers. These traces need to be analyzed; the analysis lets the defenders combine the results into a timeline of the attacker’s actions on the compromised system, for instance which malicious files were installed on the system’s hard disk drive or which applications were running on the compromised machine.
Here, various kinds of digital forensic techniques come into the picture, such as memory forensics, hard disk drive forensics, network forensics, mobile forensics, etc. We give a short description of the intent of each kind. In memory forensics, an image of the compromised system’s RAM is acquired and analyzed by the defender to identify the processes currently running on the system, the open ports, etc. In hard disk drive forensics, the content of the drive is examined to identify files stored on it that may be related to a cyber incident: for example, registry keys that were installed or modified by the attacker; libraries that were installed and used maliciously by the attacker; or the files and folders the attacker accessed. In network forensics, network traffic to and from the compromised system is analyzed in either offline or online mode: in offline mode the traffic was captured previously, while in online mode the current traffic is examined. Mobile forensics comprises a set of tools and techniques that let the defenders analyze the content of smartphone devices found in the incident environment. Cloud forensic methods let the defenders investigate virtual machines and their components in the cloud.
The defenders need to identify which systems were targeted, which operating systems were targeted most, and what kind of vulnerabilities in the systems were exploited. Nowadays, organizations use a wide range of open-source and commercial software and frameworks. Attackers try to exploit unknown vulnerabilities that arise from bugs in this software or these frameworks. Therefore, the defenders need to identify the existing bugs and weaknesses of the compromised systems so that they can be addressed later, effectively and quickly, to reduce the chance of similar cyberattacks recurring in the future. Such vulnerabilities can be fixed by installing the update packages provided by the vendors of the affected software and frameworks.
Based on the knowledge gained from the cyberattacks, the defenders refine the rules in their intrusion detection and prevention systems. For instance, Snort is a popular tool that organizations use to monitor their network traffic; updating the rule sets used by Snort with the identified attack signatures is therefore a strong recommendation for preventing similar attacks. The detected traces of an attack also help the organization’s security team identify the technologies and tools required to prevent similar cyber incidents in the future. It is good practice to report the attack to the official bodies that have the authority to trace back the attackers.
The detected traces need to be included in the report that will be submitted to a court of law to trace back the attackers, so it is important that the evidence be collected according to a standard procedure. The evidence must be captured in order of priority (e.g., according to its volatility) using a set of standard tools and frameworks. For example, write-protection (write-blocking) tools must be used before taking any image of a component of a compromised system (e.g., a hard disk drive, mobile device, RAM, etc.) to make sure that the latest state of the component is captured bit by bit. Next, the defenders must store the evidence in a secure place, because the evidence has to be presented in court exactly as it was found in the first place. The defenders must also isolate the targeted systems from the rest of the network and disinfect them by removing the installed malicious software. This step ensures that the organization recovers from the cyberattack and restores the services that were interrupted by it. In conclusion, digital forensics offers a variety of techniques, procedures and tools that enable an organization’s defenders to detect and mitigate security breaches and attacks.
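One practical way to show that a stored image is presented as it was acquired is to record its cryptographic hash in a custody record at acquisition time and re-verify it before the image is analyzed or presented. The following Python is an added example, not code from the original post; the record fields and function names are assumptions, and the image bytes are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never sit fully in memory


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream the image file through the hash function and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_custody_record(image_path: str, examiner: str, source: str) -> dict:
    """Record what was imaged, by whom, when, and the hash taken at acquisition time."""
    return {
        "source": source,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(image_path: str, record: dict) -> bool:
    """Re-hash the stored image; any change since acquisition makes this return False."""
    return (os.path.getsize(image_path) == record["size_bytes"]
            and hash_file(image_path) == record["sha256"])


def demo() -> tuple:
    """Constructed image: verification passes at acquisition and fails after a one-byte change."""
    with tempfile.TemporaryDirectory() as workdir:
        img = os.path.join(workdir, "evidence01.raw")
        with open(img, "wb") as f:
            f.write(b"CONSTRUCTED-IMAGE" + bytes(range(256)) * 16)  # stand-in for a real image
        record = make_custody_record(img, "examiner-01", "laptop HDD (constructed)")
        intact = verify_image(img, record)
        with open(img, "r+b") as f:  # simulate the stored image being altered by one byte
            f.seek(3)
            f.write(b"x")
        tampered_passes = verify_image(img, record)
        return intact, tampered_passes, json.dumps(record, indent=2)
```

The custody record (the JSON string returned by `demo`) is what travels with the image; a second examiner re-running `verify_image` against it can show the image is unchanged since acquisition.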
Saeed Shafiee is a cybersecurity researcher (pursuing a post-doc) with a PhD in cybersecurity.