Reclaim...the environment by restoring the victim system to a secure, operational site.
Record...all evidence and conclusions accurately, documenting every detail of the investigative steps and security remedies undertaken.
Summate...the processes conducted and record the lessons learned while fixing the problem.
Computer Forensics Methodology Overview
If there is confirmation that an incident has occurred beyond a reasonable doubt, it is common practice to proceed with a computer forensics investigation on the compromised machine. The two most fundamental principles of computer forensics are 1) the preservation of evidence, and 2) the necessity of thorough and complete documentation to ensure forensic integrity.
A computer forensic site is really no different than a homicide site. For instance, the authorities take all measures to retain the integrity of the crime-scene by putting police tape up; chalking the outline of the body; placing numbered cards by evidential matter; and taking an abundance of pictures to capture the scene as of that point in time. In computer forensics, this evidence retention is accomplished by duplicating ("duping") the hard-drive(s) or other systems. This technique allows a computer investigator to capture the electronic evidence before it can be modified either intentionally or inadvertently.
The ultimate goal of computer forensics is to identify the attacker, but before doing so, there are certain objectives that need to be achieved during the investigation. First, one must determine the earliest detection of the compromise (e.g. what time of day the attacker entered the building). Next, the investigator must identify the initial method of compromise (e.g. did the attacker enter through an open window or break down the door?). Once the point of entry is known, one can begin examining the indicators of compromise, for instance hostile programs, malicious tools or hostile IP addresses (e.g. broken glass, a battering ram and fingerprints). Lastly, the investigator needs to examine the environment and estimate what data was viewed, taken, or stolen from the system (e.g. whether the family jewels were taken from the safe).
These goals are achieved by approaching computer forensics in three phases:
- Phase 1: Evidence Preparation
- Phase 2: Forensic Analysis
- Phase 3: Case Documentation
The Evidence Preparation phase is essential, because if the digital evidence is not properly managed, the remainder of the forensics process will be open to challenge and lack integrity. The first step is to maintain a catalogue of notes for each system reviewed, recording your significant findings in it throughout the process. Next, the files should be extracted into a notes catalogue segregated into certain categories. The suggested categories include web logs, registries, event logs, and attacker tools. In addition, all well-known files and applications resident on the system can be identified based on a known hash value for each of them. This makes it possible to minimize the scope of the analysis by eliminating these known non-malicious files. The filtering is performed on the hash values and not the filenames, as it is trivial for an attacker to modify the latter in an attempt to masquerade a malicious program as a well-known application.
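As an added illustration (not part of the original text) of filtering on hash values rather than filenames, the following Python script hashes every file under a directory, drops files whose hash is in a known-good set, and separately flags files that carry a well-known name but an unmatched hash. The reference hash set and the file tree are constructed for the example; a real engagement would load a vendor or NSRL-style hash list.

```python
import hashlib
import os
import tempfile

# Constructed reference set keyed by hash, not filename (assumption: a real
# engagement would load a vendor or NSRL-style hash list here instead).
KNOWN_GOOD = {
    hashlib.sha256(b"legit notepad binary").hexdigest(): "notepad.exe",
    hashlib.sha256(b"legit cmd binary").hexdigest(): "cmd.exe",
}

def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root: str, known_good: dict) -> dict:
    """Bucket files by hash: known (drop), masquerade (known name, bad hash), unknown."""
    result = {"known": [], "masquerade": [], "unknown": []}
    known_names = set(known_good.values())
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hash_file(path)
            if digest in known_good:
                result["known"].append(path)        # safe to exclude from review
            elif name.lower() in known_names:
                result["masquerade"].append(path)   # well-known name, unmatched hash
            else:
                result["unknown"].append(path)      # needs manual review
    return result

def demo() -> dict:
    """Build a constructed file tree, triage it, return relative paths per bucket."""
    root = tempfile.mkdtemp()
    samples = {
        "Windows/notepad.exe": b"legit notepad binary",   # hash in reference set
        "Windows/cmd.exe": b"this is really a backdoor",  # known name, wrong hash
        "Temp/x.dat": b"unknown blob",                    # nothing known about it
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    report = triage(root, KNOWN_GOOD)
    return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in v)
            for k, v in report.items()}
```

The "masquerade" bucket is the case the text warns about: a file named like a well-known application whose content does not match the reference hash goes to the top of the review queue rather than being filtered out.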
Now that we have separated the information into what does and does not need to be analyzed, it is time to conduct the Forensic Analysis phase of the engagement. This phase commences with a review of the file system for hostile programs (e.g. Trojan horses, backdoors, keystroke loggers) and a detailed time/date stamp analysis of those hostile files. By looking for anomalies in web and event logs, it will be possible to see questionable activity and home in on the hostile files. At this point, the relevant timeframes should be noted to focus one's attention on a manual review of the contents of all directories housing hostile programs. Among the logs and directories to be reviewed are: system logs, security logs, application logs, Dr. Watson logs, the Windows registry, the quarantine directory and the IIS web logs.