Incident Response &
Computer Network Forensics
Incident response and computer network forensics is the discipline of analyzing network traffic, protocols, computer storage, media devices, and volatile memory for evidence involved in a security incident.
Introduction to Incident Response and Computer Network Forensics
Incident response and computer network forensics is the discipline of analyzing network traffic and protocols, computer storage and media, and volatile memory for evidence involved in a security incident. The process for analyzing evidence differs in a criminal justice environment because of the importance of maintaining chain of custody. In a criminal justice environment, chain of custody involves careful recording of who handles the evidence, when it was accessed, and where items are stored. The integrity of the handlers and of the storage environments must be high so that counsel can be confident the data has not been tampered with. In a public environment, by contrast, the computer equipment may never change locations, and the emphasis on retaining handling records is reduced.
Over the last ten years we have seen social media play a starring role in incident response and computer network forensics. Attackers use social media to locate victims and to social engineer them into providing account information or steering them toward particular agendas. Law enforcement is able to work with social media companies to obtain images, posts, and metadata on an individual under investigation, because privacy law is a grey area when individuals willingly post their private information online. As we recently learned, the secret spice of most social media and telecommunication companies is selling personal information on individuals, which makes it easy for both law enforcement and malicious actors to obtain sensitive private information. You don't think these companies pay their Silicon Valley bills by selling personalized ads for Fred Meyer grocery stores? They are selling off all user info constantly. End of story.
The digital forensics report below presents a real case involving cyberbullying, but with fictitious evidence, to showcase the steps in a digital forensics investigation. The report has been edited out of respect for the family involved in the case.
See example digital forensics report here.
Disclaimer: The chosen case scenario is for learning purposes. Evidence presented in the case scenario is fictitious and is not intended to reflect actual evidence. Reference herein to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the U.S., State, or local governments or the University of San Diego, and the information and statements shall not be used for the purposes of advertising.
Something to Remember During Cyber Security Incidents
“Don’t fear conflict, embrace it - it's your job” (Myatt, 2012)
Cybersecurity for Executives: A Practical Guide (Touhill & Touhill, 2014) provides a checklist of 10 items to work through during a cybersecurity-related event. Below, these items are combined with the presentation on conflict management by Catherine Morrison and the talk on active listening by William Ury.
“Don’t Panic… As an executive, you have a leadership responsibility to remain calm and not panic.” This step is combined with the conflict resolution steps of “make the approach” and “share perspectives” (Morrison, 2013). By staying calm, the team can sort out resolution steps logically rather than making quick reactions that could make the situation worse. During communications the team may use conflict management step three, “discuss one issue at a time” and “clarify assumptions”.
“Make sure you’ve been hacked… you don’t want to waste your precious resources chasing a bogus report or overreacting.” This again relates to the first phase of conflict management, where the team “reflects before they begin”. Given the high rate of false alarms, the team should consult multiple sources of information before drawing conclusions. Taking the time to actively listen to multiple sources along the communication chain may provide hints that expedite a solution.
“Gain control… what actions you take depends on the level of risk you are willing to accept”. In this step, active listening plays a significant role for the security manager in charge of the compromised system. Before shutting down information, platforms, or accounts, the security manager must listen to management regarding how available those objects need to be: the downtime of those systems may have long-term business consequences for clients and customers. This applies William Ury's active listening strategy: “listen from their frame of reference, not ours”. The solution must strike a balance between business needs and the resolution action, which matches the conflict resolution step “Agree on solutions: Interest test – does this meet all parties’ interests?” (Morrison, 2013).
“Reset All Passwords… if your business is the victim of hacking, change every password on every computer and device, especially system administrator passwords… Many people exchange information between the home and work computers. While this often increases productivity, it also increases exposure to cross contamination…”. This involves the conflict resolution phase of “Plan Next Steps”, specifically “Jointly create action plan: what needs to happen? Who needs to do what? By when?” (Morrison, 2013). Once the security manager has communicated the need to change passwords to all users for their work and connected home devices, this incident management step is complete.
“Verify and Lock Down All Your External Links… your baseline should define the network’s authorized ports and protocols. Unusual network traffic using previously unauthorized and unexpected ports and protocols is a telltale sign of malicious activity”. The book discusses the many connections that can originate from gaming and personal-use applications. It is nothing new for the security industry to face a few problem users who fail to follow policy. Active listening may help in finding a solution; as William Ury states, “How can you possibly change someone else’s mind, if you don’t know where their mind is”. By considering the user's perspective, the security manager can reduce rogue connections.
“Update and scan… you should consider wiping it (such as reformatting the hard drive several times), reloading it with up-to-date security software, scanning for any residual threats, and returning it to service as appropriate.” This step matches the conflict management question under “next steps: what needs to happen?”.
“Assess the Damage… not all hacking incidents will ruin your day because not all hacking and cybersecurity incidents have the same effects”. In this step, the book recommends bringing in third-party experts to assess the extent of the damage. During the meeting with forensic investigators, active listening will play a role to decide on the next steps to reduce the organization’s “risk profile”.
“Make appropriate notifications… when you find out you have been hacked, one of the things you have to do is determine who needs to know”. Item eight of the list names several parties who need to know: the leadership team, general counsel (legal), law enforcement, PR staff, the CFO, third-party relationships, and any regulatory agencies that require notification. Item eight relates to the conflict management step “Plan Next Steps: who needs to do what, by when?”. During communications with the various groups it is important to listen carefully to any suggestions and to confirm that all parties are achieving goal congruence.
“Find out why it happened and who did it…. Just because you have extinguished the fires that erupted from the hacking or cybersecurity incident doesn’t mean that the incident should be closed.” Item nine suggests using the facts and circumstances that led up to the attack to strengthen defenses against future attacks. Item nine gives insight into the conflict management step “Plan Next Steps: How will interaction take place if problems occur?” by anticipating a similar attack by the same group or with the same methods. Active listening takes precedence during the investigation when questioning involved employees who may be unwilling to provide details, since it yields clues to how or why the cybersecurity event occurred.
“Adjust your defenses… be prepared to continually adjust your defenses.” Item ten recommends preparing dynamic, changeable solutions rather than static ones, because technology changes and new threat vectors emerge. During the testing phase of these solutions, the team can take the conflict management approach step “Agree on Solutions” and apply a reality, durability, and interest test prior to implementation.
Morrison, C.J. (2013). When Things Don’t Work: Recognizing and Resolving Conflict [PowerPoint Slides]. Retrieved from https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjPpLuIu4LcAhUG658KHdr7AsYQFggqMAA&url=http%3A%2F%2Fweb.jhu.edu%2Fadministration%2Fprovost%2Fprograms_services%2Ffaculty_affairs%2FConflict%2520Management%2520Slides.ppt&usg=AOvVaw3LhMMv5ZeJhpfa8Frc18J3
Myatt, M. (2012, February 22). 5 Keys of Dealing with Workplace Conflict. Retrieved from https://www.forbes.com/sites/mikemyatt/2012/02/22/5-keys-to-dealing-with-workplace-conflict/#7c58371d1e95
Touhill, G.J., Touhill, J.T. (2014). Cybersecurity for Executives: A Practical Guide. Hoboken, NJ: John Wiley & Sons, Inc.
Ury, W. [TEDx Talks]. (2015, January 7). The Power of Listening by William Ury [Video File]. Retrieved from https://www.youtube.com/watch?v=saXfavo1OQo
Steps of a Cyber Forensic Investigation
The following steps are summarized from a Defcon 20 presentation by Michael Perklin titled Anti-Forensics and Anti-Anti-Forensics.
Step 1: Create Working Copies
Capture all media: USB devices and hard drives. The issue for investigators is the excessive time and money needed to sift through all of the media. This is mitigated by parallelizing the acquisition process, since more drive duplicators mean less total time; the limit is the time and cost budget. A second approach is to use the target's own hardware: for example, boot from CD, plug in a USB HDD, and mount a copy. The limit here is the number of machines the investigator can access.
Another obstruction in the investigator's process may be a non-standard RAID layout. Common RAID configurations share stripe patterns, block sizes, and other parameters, but the target may not divulge information about the array such as disk order, synchronous or asynchronous orientation, and whether it is big-endian or little-endian. To overcome this hurdle, the volumes are de-RAIDed on the actual system using boot disks (Windows live CDs) and the logical volume is imaged rather than the individual HDDs.
Investigators can also leverage cloud technology to speed up forensic investigations (Wen et al., 2013). This of course may have legal implications involving custody of the evidence and questions about who has access to the cloud. These cloud services are called "Forensics-as-a-Service" (FaaS) and allow investigations with high technical demands without buying the equipment to perform them, resulting in cheaper investigations under a "pay-as-you-go" model (Nanda & Hansen, 2016).
Step 2: Process Data
While processing data, the investigator may find that the target used file signature masking: hollowing out a file and storing other data inside it, so that, for example, a text file shows up as an .exe file. The investigator can catch these files with a technique called fuzzy hashing, which compares nearly identical files to surface potentially interesting (altered) ones.
Step 3: "Separate Wheat from Chaff"
The investigator uses an application to query the National Software Reference Library (NSRL): file hashes of commercial software are catalogued and published by NIST, covering every DLL, EXE, PDF, DAT file, and so on. Investigators use the catalogue to filter out "typical" items that are unlikely to add value to the investigation. The process is called "De-NISTing".
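As an added illustration that is not part of the original page or of the Perklin talk, the Python script below performs a simplified version of both the De-NISTing step and the signature-masking check on a handful of constructed sample files: it drops files whose SHA-256 appears in a known-good hash set standing in for the NSRL, then flags the survivors whose leading magic bytes disagree with their extension, which is the trace that signature masking leaves. The signature table, the sample files and the known-hash set are all assumptions made for the example; a real De-NIST pass would load hashes from the NSRL Reference Data Set instead of hashing two of its own samples.

```python
import hashlib
import os
import tempfile

# Magic-byte signatures for a few common types (constructed for the example;
# a real tool would carry a much larger table).
SIGNATURES = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large evidence files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def detect_type(path):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def signature_mismatch(path):
    """True when the extension claims a type we know but the content disagrees."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in SIGNATURES.values() and detect_type(path) != ext


def denist(paths, known_hashes):
    """Drop files whose SHA-256 appears in the known-good (NSRL-style) set."""
    return [p for p in paths if sha256_file(p) not in known_hashes]


def triage(directory, known_hashes):
    """Run De-NISTing, then look for masked signatures among what remains."""
    paths = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    remaining = denist(paths, known_hashes)
    return {
        "remaining": [os.path.basename(p) for p in remaining],
        "masked": [os.path.basename(p) for p in remaining if signature_mismatch(p)],
    }


def build_sample():
    """Write four constructed files to a temp directory and return it together
    with a constructed known-good set containing two of them."""
    d = tempfile.mkdtemp()
    samples = {
        "app.exe": b"MZ" + b"\x90" * 100,              # genuine-looking PE header
        "notes.exe": b"meeting notes: call supplier",  # text masquerading as .exe
        "report.pdf": b"%PDF-1.4 constructed sample",
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    known = {
        sha256_file(os.path.join(d, "app.exe")),
        sha256_file(os.path.join(d, "photo.png")),
    }
    return d, known


if __name__ == "__main__":
    sample_dir, known_good = build_sample()
    print(triage(sample_dir, known_good))
```

After De-NISTing, only notes.exe and report.pdf remain, and only notes.exe is reported as masked: its extension claims a PE executable while its content carries no known signature. A real .exe that was hollowed out and refilled with text would be caught the same way, because the check never trusts the file name.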
Additional steps in the filtering process for analysis are illustrated in a figure (Wen et al., 2013).
Criminals may take the time to modify system and program files by 1 byte to consume the investigator's time. This cuts both ways. For one, why would every file be edited? That alone raises a red flag. For executables and DLLs, the modification breaks the file because the Cyclic Redundancy Check (CRC) values will not match at run time; sophisticated hackers have learned to recalculate the CRC and run with a modified DEP setting. To get around this roadblock, the investigator turns from filtering to searching: data filtering, keyword searches, and file signature analysis. A good application will also create histograms of dates and of files with higher than average activity, so VPN logins, firewall alerts, and file creation times can be circled out of the chaff. There's not much in the way of the sheriff!
As you may have guessed, another roadblock is to scramble the files' timestamps: the 'Create', 'Modify', 'Access', and 'Entry Modified' entries, abbreviated MACE:
Modified – the last write
Accessed – the last read
Created – the file’s birthday
Entry – the last time the MFT entry was updated
NTFS stores multiple timestamps for every file on the volume. When the timestamps are scrambled, the investigator knows to ignore the values. The scrambling may be applied to the entire drive or may be driven from the BIOS clock (e.g. randomized every 10 minutes or half hour). Investigators bypass the scrambling technique by ignoring dates on all metadata. Log files, however, write dates as strings, sequentially; an investigator can infer a set of similar times for each run of logs written in sequence.
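The following Python is an added example, not code from the page or from the Perklin talk, showing how an investigator can decide that MACE values are untrustworthy without ever believing any single date: it checks each file's four timestamps for orderings that cannot arise from normal use, reports what fraction of the sampled files are affected (a high fraction points to drive-wide scrambling), and then splits a sequential log into runs whose timestamps never move backwards, which is the "infer sets of similar times" idea from the paragraph above. The records and log lines are constructed, and the anomaly rules are the author of this example's own; note in particular that "modified earlier than created" is common for copied files and is a weak signal on its own.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MaceRecord:
    """One file's NTFS timestamps: Modified, Accessed, Created, Entry modified."""
    name: str
    modified: datetime
    accessed: datetime
    created: datetime
    entry_modified: datetime


def mace_anomalies(rec):
    """Return the reasons this file's MACE values are internally implausible."""
    reasons = []
    if rec.modified < rec.created:
        # Legitimate for files copied from another volume, so weak on its own.
        reasons.append("modified earlier than created")
    if rec.accessed < rec.created:
        reasons.append("accessed earlier than created")
    if rec.entry_modified < rec.modified:
        # Writing content updates the MFT entry, so it cannot lag the last write.
        reasons.append("MFT entry updated earlier than last content write")
    return reasons


def scramble_ratio(records):
    """Fraction of files with at least one anomaly; a high value suggests
    drive-wide scrambling, i.e. ignore the metadata dates altogether."""
    if not records:
        return 0.0
    return sum(1 for r in records if mace_anomalies(r)) / len(records)


def sequential_runs(log_lines):
    """Split log lines into runs whose leading timestamps never go backwards.
    Each run is a set of entries written in sequence under one clock setting;
    a break between runs marks a clock change or log manipulation."""
    runs, current, prev = [], [], None
    for line in log_lines:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        if prev is not None and ts < prev:
            runs.append(current)
            current = []
        current.append(line)
        prev = ts
    if current:
        runs.append(current)
    return runs


def build_samples():
    """Constructed sample data: three file records and six log lines."""
    d = datetime
    records = [
        # Ordinary document: created, later modified, later read; entry tracks the write.
        MaceRecord("quarterly.docx", d(2018, 6, 3, 10, 0), d(2018, 6, 4, 8, 30),
                   d(2018, 6, 1, 9, 0), d(2018, 6, 3, 10, 0)),
        # Copied file: keeps its old modified time, so modified < created (weak signal).
        MaceRecord("copied.xlsx", d(2018, 5, 1, 12, 0), d(2018, 6, 10, 9, 0),
                   d(2018, 6, 10, 9, 0), d(2018, 6, 10, 9, 0)),
        # Stomped file: accessed before it existed and MFT entry older than content.
        MaceRecord("stomped.exe", d(2009, 1, 1, 0, 0), d(2008, 12, 31, 23, 0),
                   d(2009, 1, 1, 0, 0), d(2005, 1, 1, 0, 0)),
    ]
    log_lines = [
        "2018-06-03 10:00:12 sshd: accepted key for alice",
        "2018-06-03 10:01:45 sudo: alice ran apt update",
        "2018-06-03 10:05:09 cron: backup started",
        "2018-06-03 09:30:00 sshd: accepted key for alice",   # clock stepped back
        "2018-06-03 09:31:27 sudo: alice edited /etc/hosts",
        "2018-06-03 10:06:00 cron: backup finished",
    ]
    return records, log_lines


if __name__ == "__main__":
    recs, lines = build_samples()
    for r in recs:
        print(r.name, mace_anomalies(r) or "ok")
    print("scramble ratio:", scramble_ratio(recs))
    print("sequential runs:", [len(run) for run in sequential_runs(lines)])
```

On the constructed data the ratio comes out at two of three files, and the log splits into two runs of three lines at the point where the clock was stepped back; the relative order inside each run is still usable as evidence even though the absolute dates are not.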
Step 4: Analyze Data
At this point, a traditional investigation can have billed up to $44k. In the analysis process, evidence is discovered and collected to be reported in the next step. The investigator may find files with reserved names (e.g. con, prn, aux, nul, com1, lpt2) that Windows will not allow to be created or edited. The target created them by booting into Linux and writing the files onto the Windows volume, where the operating system no longer recognizes them. To circumvent this trick, the investigator does not export the files by their native file names but uses an application to export them by FileID or another generated name.
Another neat trick by the target is to use "circular references": directory entries that point back to earlier directories, causing a re-scanning effect that delays the overall scan. The analyzing device may run out of memory or process slowly. This particularly affects "field triage" and "remote analysis" methodologies in a time-sensitive situation. Investigators have to gauge how long the scan or analysis should take so as not to waste an exorbitant amount of time during the investigation. The solution is to work from an image of the drive rather than the live data, which makes those references easier to identify.
If the target understands how log analysis works, the log files may be customized with key ASCII characters, commas, quotes, and pipes that make parsing the logs difficult. The target may also insert the log file's starting entry names (the header line) multiple times to fool the log analyzer into creating many records. Here the investigator needs to ask, "do we need the entire log to prove a point?" Perhaps the investigator only needs to parse a few pertinent records and document the methodology used to obtain the right amount of evidence. Additionally, the investigator may write a script to strip the funny characters from the logs as needed (if the analysis tool does not already provide one).
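As an added example (mine, not the page's or any tool's code), the Python below is the kind of small script the paragraph refers to: it parses a constructed comma-separated audit log that has been made hostile in the ways described, with quoted fields containing commas and pipes, a header line re-inserted in the middle of the file, terminal control characters, and a line with no separators at all. It uses a quote-aware CSV reader, refuses to turn a repeated header or a malformed line into a record, strips non-printable characters from every field, and offers a selector so only the pertinent records need be pulled. The column names and the log content are assumptions for the example.

```python
import csv
import io

HEADER = ["timestamp", "user", "action", "detail"]

# Constructed sample log (not a real system's output). Row 3 re-injects the
# header, row 4 hides commas and a pipe inside a quoted field, row 5 carries a
# BEL and an ANSI escape, and row 6 has no separators at all.
SAMPLE_LOG = (
    "timestamp,user,action,detail\n"
    '2018-07-01 08:00:01,alice,login,"workstation 12"\n'
    "timestamp,user,action,detail\n"
    '2018-07-01 08:02:17,bob,upload,"file ""q3,report|final"".xlsx"\n'
    "2018-07-01 08:03:00,bob,delete,\x07\x1b[2Jlogs/old.txt\n"
    "garbage line without separators\n"
    '2018-07-01 08:05:44,alice,logout,"workstation 12"\n'
)


def clean_field(value):
    """Drop control and escape characters so a field cannot drive the analyst's
    terminal or confuse downstream tools; printable text is kept untouched."""
    return "".join(ch for ch in value if ch.isprintable())


def parse_log(text, header=HEADER):
    """Parse with a quote-aware CSV reader. Repeated headers and rows with the
    wrong field count are rejected (and recorded) rather than becoming records,
    so each input row yields at most one record."""
    records, rejected = [], []
    reader = csv.reader(io.StringIO(text))
    for row_no, row in enumerate(reader, start=1):
        if row == header:
            if row_no != 1:
                rejected.append((row_no, "repeated header"))
            continue
        if len(row) != len(header):
            rejected.append((row_no, "expected %d fields, got %d" % (len(header), len(row))))
            continue
        records.append({k: clean_field(v) for k, v in zip(header, row)})
    return records, rejected


def select(records, **criteria):
    """Pull only the pertinent records, e.g. select(records, user="bob")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in select(recs, user="bob"):
        print(r)
    print("rejected rows:", bad)
```

The rejected list is worth keeping in the investigator's notes: it documents exactly which rows were set aside and why, which is the methodology record the paragraph asks for when only part of a log is used as evidence.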
Another bump in the road is a target using NSF files. These are encrypted Lotus Notes database files that require the user ID and password for every NSF file being processed. The investigator needs training on applications like Lotus Notes rather than relying too much on conversion tools.
Step 5: Report Your Findings
After the report is finished, the investigator computes a hash value of the report file. MD5 and SHA-1 are outdated hashes, and unfortunately some applications still use these outdated methods to identify reports. Both are prone to hash collision attacks, where a file can be edited and still yield the same hash as if it had never been edited. An investigator would then need to include both files in the report, since the hash is supposed to be a unique fingerprint. I assume this would be one heck of an explanation to the other teams in the investigation: if goodfile.doc and badfile.doc have the same hash, try explaining to the judge and non-techies why the files are alike when they should have different hashes. The solution is clear: do not use broken hash algorithms; use stronger algorithms like SHA-256 or Whirlpool. Investigators are also recommended to double-check findings to make sure the hash recorded matches the file previously created.
Other counter-forensic techniques are PCs whose HDDs are never actually used, booting from USB, use of cloud and remote machines, and mimicking regular usage on a dummy HDD with random writes from a daemon/service. Such signatures include performing the following actions at random intervals: retrieving news and web pages and writing the cache to the HDD, and syncing mail with a benign/legitimate mail account. The investigator will think the HDD has been used recently because of the recent entries, while the real activity happens from a USB key used for remote access elsewhere. Other than finding and retrieving these keys, tools like Wireshark can examine the network traffic to find where the other devices are located.
Step 6: Archive Data for the Future
It is noted that a typical investigation takes just over 60 hours, 8 work days in total without overtime, with extra time spent imaging drives, exporting files, reading emails, and performing trivial tasks. The last step involves securely storing the hard drives and files, which can cost up to $20 a month for each hard drive.
Nanda, S., Hansen, R.A. (2016). Forensics as a Service. Three-tier Architecture for Cloud based Forensic Analysis. Retrieved from https://www.researchgate.net/publication/301553168_Forensics_as_a_Service_Three-Tier_Architecture_for_Cloud_Based_Forensic_Analysis
Perklin, M. [TalksDump]. (2014, January 27). [Defcon 20] Anti-Forensics and Anti-Anti-Forensics: Attacks and Mitigating Techniques. [Video File]. Retrieved from https://www.youtube.com/watch?v=ctij93rBmsM
Wen, Y., Man, X., Le, K., Shi, W. (2013). Forensics-as-a-Service (FaaS): Computer Forensic Workflow Management and Processing Using Cloud. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.463.9583&rep=rep1&type=pdf
Tools for Home & Biz Forensics
Use a more transparent application to view the processes and services running on the system. Microsoft describes the tool:
"Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded".
Used to discover malware resident in RAM. Here is a description from the Volatility website: "The software was based on years of published academic research into advanced memory analysis and forensics. Up until that point, digital investigations had focused primarily on finding contraband within hard drive images. Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Another major goal of the project was to encourage the collaboration, innovation, and accessibility to knowledge that had been common within the offensive software communities....Volatility releases are the result of a lot of in-depth research into OS internals, applications, malicious code, and suspect activities. Releases represent a milestone in not only our team's progress, but in the development of the community and forensics capabilities as a whole. While releases may seem few and far between, we strive to perform rigorous testing of our new features before calling it stable."
"PyFlag is a web-based, database-backed forensic and log analysis GUI and computer forensics framework written in Python. PyFlag stores disk images in numerous file formats, including raw, sgzip, AFF, and EnCase format. "
This is a rootkit detector and finder. I had personal success with this item removing a RAT tied into my Microsoft Word application that was editing my school assignments. Use caution when using this program and research all applications and processes before taking action.
Malwarebytes provides a free rootkit detection tool. Again, the user should exercise caution when using and follow all recommended steps on the website.
Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community. VirusTotal describes itself as follows: "VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API".
Windows PowerShell Commands
Windows PowerShell comes stock on Windows systems. The following commands can be used to investigate issues on the PC (Lewis, 2014).
To get a list of all running processes:
Get-Process | Out-GridView
To get a list of installed programs:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
To list the IP configuration of every network adapter:
ipconfig /all
The driverquery command lists the drivers in use and can help identify potentially malicious drivers:
driverquery /v
or, to write the list to a CSV file: driverquery /v /fo csv > drvlist.csv
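Once the driver list is in a CSV file, it can be reviewed offline. The Python below is an added example, not from the page or from Lewis (2014): it reads a constructed CSV in the shape of driverquery /v /fo csv output and reports drivers that are absent from a known-clean baseline or that load from outside the expected Windows driver directories. The column names used here (Module Name, Display Name, Driver Type, Start Mode, State, Path) are an assumption; the real export carries more columns, so map the names to your own file. The baseline set and the four rows are constructed for the example.

```python
import csv
import io

# Constructed sample resembling "driverquery /v /fo csv" output (subset of columns,
# invented rows). Column names are assumed; check them against a real export.
SAMPLE_CSV = (
    '"Module Name","Display Name","Driver Type","Start Mode","State","Path"\n'
    '"ACPI","Microsoft ACPI Driver","Kernel","Boot","Running","C:\\Windows\\system32\\drivers\\ACPI.sys"\n'
    '"tcpip","TCP/IP Protocol Driver","Kernel","Boot","Running","C:\\Windows\\system32\\drivers\\tcpip.sys"\n'
    '"updhlpr","Update Helper","Kernel","Auto","Running","C:\\Users\\Public\\updhlpr.sys"\n'
    '"netmon2","Network Monitor","Kernel","Manual","Stopped",""\n'
)

# Directories a driver is normally loaded from (compared case-insensitively).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

# Module names captured from a known-clean build of the same image (constructed).
BASELINE = {"acpi", "tcpip"}


def parse_driver_csv(text):
    """Read the CSV into one dict per driver, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def review_drivers(rows, baseline=BASELINE, expected_dirs=EXPECTED_DIRS):
    """Return (module, state, reasons) for every driver worth a closer look:
    not in the baseline, no path recorded, or loaded from an unusual location."""
    findings = []
    for row in rows:
        name = row["Module Name"].lower()
        path = row["Path"].lower()
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if not path:
            reasons.append("no path recorded")
        elif not path.startswith(expected_dirs):
            reasons.append("loaded from %s" % row["Path"])
        if reasons:
            findings.append((row["Module Name"], row["State"], reasons))
    return findings


if __name__ == "__main__":
    for module, state, reasons in review_drivers(parse_driver_csv(SAMPLE_CSV)):
        print("%-10s %-8s %s" % (module, state, "; ".join(reasons)))
```

The baseline comparison is the same idea the executive checklist applies to ports and protocols: a known-good list taken from a clean system turns a long driver inventory into a short list of differences to explain.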
Recommendations for avoiding the need for forensics in the first place:
1. Do not run as admin
2. Not only use an antivirus and Malwarebytes, but also password-protect the application in its settings
3. Remove/disable remote access in the registry and possibly the BIOS if no remote support/home viewing is needed
4. Use airplane mode when not using wireless connections.
5. Practice password hygiene on the router and modem, and run updated firmware
6. Invest in a router, modem, and other hardware known for good security
7. Use the guest network for guests who want to connect to WiFi and for machines from insecure networks
Lewis, N. (2014). Hacking Forensics Windows Command Line Tools for the Modern Era. Retrieved from https://searchsecurity.techtarget.com/tip/Hacking-forensics-Windows-command-line-tools-for-the-modern-era