Get the latest digest on business and technology trends straight to your inbox.
A cyber breach or security incident can and does happen to every business. No matter how large or small your company is, how it responds to a cyber-attack says more about its security posture than its ability to prevent the incident in the first place.
After detecting a cyber-attack, most IT departments will prioritise the containment and remediation of the incident as soon as possible. These incident responders, however, must also be mindful of preserving and collecting evidence for further analysis.
Post-breach investigations may find that some evidence was tampered with or mishandled, like throwing away the weapon or walking around in muddy shoes at a proverbial crime scene. If the perpetrator is identified, the onus is on the organisation to prove the integrity of the evidence collected from the crime scene; otherwise it will be inadmissible in court.
There are significant legal repercussions if your organisation fails to maintain such evidence adequately. For example, in Singapore, the Personal Data Protection Commission (PDPC) requires companies to address the data integrity of collected evidence and its chain of custody so that the evidence is legally defensible.
According to the Personal Data Protection Act (which the PDPC enforces), “the Commission may draw adverse inferences against the organisation that failed to preserve and produce any piece of evidence to the effect that had the evidence been produced, it would have been adverse to its case. Adverse inferences may also be drawn against a complainant if the evidence ought to have been preserved and produced by the complainant.” [1]
The PDPC mandates retaining records relating to an investigation for one year or such longer period as directed after the investigation has been completed. The Commission also encourages all companies to have a “detailed litigation hold policy in place to ensure that documents and records relating to an investigation or potential investigation of a breach of its obligations under the PDPA are preserved and not deleted, disposed of or destroyed.” [1]
Digital evidence is fragile.
Beyond maintaining data integrity and chain of custody so that the evidence is neither damaged nor tampered with, extracting and recovering that evidence from a cybercrime scene can itself be challenging.
Evidence destruction is a common problem. For example, suppose threat actors installed a malware process or other applications on a device. Later forensic analysis will rely on that process being available in memory, and memory contents are lost when the device is powered off. Conversely, if the device remains on, the risk of losing vital evidence such as event logs to retention policies grows with every hour that passes since the incident. It is therefore best practice to take an image of the evidence as soon as possible, under the direction of digital forensic experts, capturing volatile data before anything that would destroy it.
Other information the IT team can retrieve from volatile artefacts includes running processes, network connections and other data held in memory.
The initial problem at any cybercrime scene is gaining access to the device(s) and their data. Each new feature, hardware platform, operating system and application requires training in new tools and techniques to acquire evidence and conduct analysis. Additionally, combining data from these disparate sources, with their different timestamp formats and time zones, for comparative timeline analysis is cumbersome.
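To make the integrity and chain-of-custody requirement above concrete, here is an added example (not code from the article or from Trustwave): every acquisition, handoff and analysis step re-hashes the evidence item and appends a custody entry, so a later verification can show the bytes are unchanged since acquisition and point at the first entry where the chain broke. The item id, handler names and image bytes are constructed stand-ins.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    """Hash the acquired image; this value is what each custody entry attests to."""
    return hashlib.sha256(data).hexdigest()

def log_event(custody_log: list, item_id: str, action: str, handler: str, data: bytes) -> dict:
    """Append one chain-of-custody entry. Each handling step re-hashes the item,
    so any change between two entries shows up as a hash mismatch."""
    entry = {
        "item": item_id,
        "action": action,          # e.g. acquired, transferred, analysed
        "handler": handler,
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": sha256_hex(data),
    }
    custody_log.append(entry)
    return entry

def verify_chain(custody_log: list, item_id: str, data: bytes) -> tuple:
    """Return (ok, first_bad_entry). ok is True only when every entry for the item
    carries the hash recorded at acquisition and the bytes held now still match it."""
    entries = [e for e in custody_log if e["item"] == item_id]
    if not entries:
        return False, None                     # no custody record at all
    expected = entries[0]["sha256"]           # hash recorded at acquisition
    for e in entries:
        if e["sha256"] != expected:
            return False, e                    # chain broke at this handling step
    if sha256_hex(data) != expected:
        return False, None                     # bytes changed after the last entry
    return True, None

def export_log(custody_log: list) -> str:
    """Serialise the log for the case file, with a hash over the entries so the
    log itself can be checked for later alteration."""
    canonical = json.dumps(custody_log, sort_keys=True)
    return json.dumps({"entries": custody_log,
                       "entries_sha256": sha256_hex(canonical.encode())}, indent=2)

if __name__ == "__main__":
    image = b"CONSTRUCTED-DISK-IMAGE-BYTES"    # stand-in for an acquired image file
    log = []
    log_event(log, "EVD-001", "acquired", "first responder", image)
    log_event(log, "EVD-001", "transferred", "forensic analyst", image)
    print(verify_chain(log, "EVD-001", image))             # (True, None)
    log_event(log, "EVD-001", "analysed", "analyst", image + b"\x00")
    print(verify_chain(log, "EVD-001", image + b"\x00"))   # (False, <analysed entry>)
    print(export_log(log))
```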
Finally, the crime scene is not limited to the physical location that was the target of the cybercrime, especially when most employees work from home. The crime scene can span multiple digital devices, systems, and servers across different networks, cloud service providers and third-party suppliers. Therefore, determining which devices to secure as evidence across your infrastructure is necessary. Careful consideration should be given to the time this will take and what is essential for further analysis to determine how the attack took place. This will need to be done in parallel and may compete with the need to restore the infrastructure and data to a known good state from backups with patches and updates applied.
Good evidence management requires more than a single person, even if that person is a forensic expert. You need staff who know how to identify and isolate evidence when they are first on the scene. You need trained IT personnel as first responders who can preserve and analyse data without damaging it. And you need a leader to coordinate the incident response who knows the right time to bring in forensic expertise.
In short, you need an entire team that knows the best ways to preserve digital evidence. You need a plan…and a partner.
Most organisations lack the in-house skills to develop or execute an effective plan to manage digital evidence on their own. Even if they are lucky enough to have a dedicated incident response team, the team might be flooded with false positives from their automated detection systems. Or, they might be too busy handling existing tasks to keep up with the latest forensic techniques, emerging threats and threat analysis.
Trustwave, a Singtel company, can help organisations bring control and stability to what can become a chaotic event and develop incident response playbooks tailored to their teams’ structure and capabilities. This helps shape and strengthen an organisation’s security maturity, reducing overall risk and speeding up future response times. (Gartner recently recognised Trustwave as a leading DFIR vendor in its Market Guide for Digital Forensics and Incident Response Services [2] report. The report helps security and risk management leaders identify the proper criteria for selecting a provider that best fits their organisation’s specific needs.)
In addition to helping your team respond to attacks and develop an entire incident response readiness program, the Trustwave DFIR team also provides comprehensive tools to analyse evidence that can support litigation or documentation for management, legal teams and regulators in the following areas:
Training
Often, the DFIR expert assisting company staff during a breach is offsite, so training the internal team is critical. DFIR experts will train and practise with first responders to detect compromised systems, identify how and when a breach occurred, understand what attackers took or changed, and successfully contain and remediate incidents.
Timeline Analysis
Forensic tools will parse the collected evidence and the timestamps extracted from both the file system and the artefacts, including created, modified and accessed times. No matter how disparate the data set or how different the time zones, the team will present key findings in chronological order, linking artefacts and files together to strengthen the account of what happened. As part of the timeline analysis, the DFIR experts can identify opened files, executed programs and downloaded files.
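The timeline step above hinges on normalising timestamps before sorting. As an added example (not the article's or Trustwave's tooling), the following merges constructed artefact records from three sources that use three conventions (local time with an explicit UTC offset, ISO-8601 with a trailing Z, and a Unix epoch) into a single UTC-ordered timeline; the hosts, events and times are made up for the illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_offset(tz: str) -> timezone:
    """Turn an offset such as '+08:00' or '-05:30' into a fixed-offset tzinfo."""
    sign = -1 if tz.startswith("-") else 1
    hours, minutes = tz.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))

def to_utc(record: dict) -> datetime:
    """Normalise one artefact's timestamp to an aware UTC datetime.
    Handles the three constructed formats: epoch seconds, ISO-8601 ending in 'Z',
    and 'YYYY-MM-DD HH:MM:SS' local time paired with a 'tz' offset field."""
    t = record["time"]
    if isinstance(t, (int, float)):
        return datetime.fromtimestamp(t, tz=timezone.utc)
    if t.endswith("Z"):
        return datetime.fromisoformat(t[:-1] + "+00:00")   # 'Z' is rejected before Python 3.11
    local = datetime.strptime(t, "%Y-%m-%d %H:%M:%S").replace(tzinfo=parse_offset(record["tz"]))
    return local.astimezone(timezone.utc)

def build_timeline(records: list) -> list:
    """Return copies of the records ordered by normalised UTC time, with 'utc' attached.
    Sorting on the raw strings would put the Windows entry (17:05 local) last; the
    converted order is what an analyst needs."""
    out = []
    for r in records:
        item = dict(r)
        item["utc"] = to_utc(r)
        out.append(item)
    out.sort(key=lambda x: x["utc"])
    return out

# Constructed sample artefacts: a Windows event log in Singapore local time (+08:00),
# a Linux syslog line already in UTC, and a file-system creation time as an epoch.
SAMPLE = [
    {"source": "windows-evtx", "host": "ws01", "time": "2021-09-21 17:05:10", "tz": "+08:00",
     "event": "4624 interactive logon"},
    {"source": "syslog", "host": "srv02", "time": "2021-09-21T09:03:44Z",
     "event": "sshd: accepted publickey"},
    {"source": "mft", "host": "ws01", "time": 1632215220,
     "event": "file created: report.docx"},
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE):
        print(e["utc"].isoformat(), e["host"], e["source"], e["event"])
```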
Searches
The DFIR team has forensic and eDiscovery tools to search across small or large data sets and disk images using hashes of known files, keywords, concepts and regular expressions. They can also carve the disk image to recover recently deleted files from unallocated space.
Malware Analysis
The team can identify malware samples from evidence, reverse engineer samples and provide an analysis report identifying the malware capabilities and threat intelligence.
Reporting Results
The final report will include the data acquisition techniques used to collect and preserve evidence; the forensic analysis methods and processes used to locate evidence; technical findings, including extracts of relevant data sources and the conclusions of the investigation; inconclusive or conclusive evidence of a breach; exposed data at risk; details of completed containment actions; and recommendations for specific improvements to your security posture.
Take Action... Sooner Than Later
With successful breaches on the rise, it’s a reality that your organisation will become the victim of a compromise. The question is not if but when.
To complement internal response and recovery capabilities, organisations should invest in a DFIR consulting retainer to ensure experts are on standby to provide advice to contain a security breach and mitigate further waves of attacks. Even as internal cyber breach protocols and remediation efforts kick in, you are assured the DFIR team will provide guidance to identify and preserve evidence for analysis.
An expert DFIR team knows they must correctly address the data integrity of the collected evidence and assure legal defensibility through a proper chain of custody. With Trustwave DFIR consultants located around the globe, an expert is only a phone call away, ready to minimise the impact of a breach, preserve critical evidence, analyse the incident, and provide recommendations to bolster your organisation’s security posture.
Sources
[1] PDPC, 2019 Personal Data Protection Digest, p. 225, section 26
[2] Gartner, Market Guide for Digital Forensics and Incident Response Services, 21 September 2021