Once the preparation of evidential matter and forensic analysis have been completed, it is time to perform the Case Documentation phase of the investigation. This phase begins with recording the earliest evidence of a compromise. Next, it is necessary to list all the files placed on the system by the attacker, as well as the files that were used by the attacker but no longer reside on the file system. Subsequently, it is necessary to compile all of the IP addresses that initiated the attacks against the system and perform both "WHOIS" and "DNS Lookups" on those IP addresses. WHOIS and DNS lookups are online queries used to identify the registered owner of an IP address and the host names associated with it (very similar to looking in a phone book to associate a person with a home address and a phone number). At this point, a list of investigative questions should be accumulated for the line-of-questioning process. Case documentation should be completed and organized at this point in the event that litigation support is requested.
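As an added example, not code from the article, the routine below assembles the Case Documentation fields described above (earliest evidence, attacker files still on disk versus those recovered only from backups or slack space, and the source IPs awaiting WHOIS/DNS research) from constructed artifact records; the `Artifact` and `Connection` record layouts, the `source` labels and the sample paths and addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Artifact:
    """One file tied to the attacker (hypothetical record layout)."""
    path: str        # path the file had on the victim system
    seen: datetime   # earliest date/time stamp tied to this copy of the file
    source: str      # where it was found: "filesystem", "system_restore" or "slack"

@dataclass(frozen=True)
class Connection:
    """One connection attributed to the attacker (hypothetical record layout)."""
    when: datetime
    ip: str

def build_case_documentation(artifacts, connections, lookup=None):
    """Return the Case Documentation fields. A file counts as 'removed' when every
    copy of it was recovered from a backup or slack space rather than the live
    file system. `lookup` is an optional WHOIS/DNS callable; by default no
    network query is made, so the function runs offline."""
    present = {a.path for a in artifacts if a.source == "filesystem"}
    removed = {a.path for a in artifacts} - present
    stamps = [a.seen for a in artifacts] + [c.when for c in connections]
    ips = sorted({c.ip for c in connections})
    return {
        "earliest_evidence": min(stamps) if stamps else None,
        "files_present": sorted(present),
        "files_removed": sorted(removed),
        "attacker_ips": {ip: (lookup(ip) if lookup else "WHOIS/DNS lookup pending")
                         for ip in ips},
    }

# Constructed sample mirroring the case study: keystroke logs survive only in
# System Restore backups and the Trojan executable only as slack-space residue,
# while one dropped temp file is still on the live file system.
SAMPLE_ARTIFACTS = [
    Artifact(r"C:\WINDOWS\system32\kl.log", datetime(2005, 3, 1, 9, 12), "system_restore"),
    Artifact(r"C:\WINDOWS\system32\kl.log", datetime(2005, 3, 8, 9, 15), "system_restore"),
    Artifact(r"C:\WINDOWS\system32\svc.exe", datetime(2005, 2, 27, 18, 4), "slack"),
    Artifact(r"C:\temp\dropper.tmp", datetime(2005, 2, 27, 18, 1), "filesystem"),
]
SAMPLE_CONNECTIONS = [
    Connection(datetime(2005, 2, 27, 17, 58), "198.51.100.23"),
    Connection(datetime(2005, 3, 1, 9, 20), "198.51.100.23"),
]

if __name__ == "__main__":
    for key, value in build_case_documentation(SAMPLE_ARTIFACTS, SAMPLE_CONNECTIONS).items():
        print(f"{key}: {value}")
```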
An Incident Response Case Study
An employee of a consulting firm noticed that $20,000 had been transferred from her online banking account, which she usually accessed from her office computer. She notified the financial institution, initiating a password change to protect her assets. An additional $20,000 was transferred out of the victim's account by the next day. She and the financial institution made another change to her account credentials, and yet a third transfer of $10,000 was made after this second change. The financial institution had responded by reviewing their system security data, but did not note a compromise to their systems. They did note that the connection data led back to a geographically distant location.
The victim initiated litigation against the financial institution to recover her $50,000 in funds and began the process of an investigation to review her system for electronic evidence. A forensic image duplication of the victim's hard drive was made, and upon further review we noted that several date/time stamps provided the initial clues. Within five minutes of review, we noted a suspicious file in the form of a keystroke capture log file that had been backed up by Microsoft Windows XP's built-in System Restore capability. Further analysis identified an additional 25 similar files containing keystroke logs. What had occurred was that a "Trojan" had been installed on her machine (without her knowledge, of course), specifically targeting financial data: it captured the victim's keystrokes and periodically sent them to an email server in Europe. The Trojan would then automatically uninstall itself after two weeks' time, removing its executable, registry entries and the keystroke capture log files. However, residue from the Trojan still existed in the system's slack space, allowing us to perform a limited analysis of its capabilities.
Such an attack is not uncommon today. Attackers have come to realize that it is much easier to exploit 10 unaware end users than it is to exploit a highly protected and monitored e-commerce server for the same monetary gains.
Computer Security Going Forward
This article set out to explain, at a high level, the steps taken during the incident response process and the computer forensic process, drawing parallels to physical security. Hopefully, you were able to decipher the similarities and differences between the two disciplines and can bring those into practice at your organization. Again, the good news is that you are now better versed in computer security; the bad news is that computer incidents continue to occur at an alarming rate.
Market indications and our own fieldwork support the conclusion that, due to the complexity of attacks, the frequency of attacks, and the enhanced visibility of these matters in regulatory requirements, incident response and computer forensics is a burgeoning market. From executives and risk managers to security directors and system administrators, all facets of an organization will most likely be involved in handling an incident and will be required to make informed decisions. Those organizations that have taken the proper steps to prepare for a computer incident will be better poised to make timely decisions and will mitigate their risk, thus reducing the overall impact to their business.
Today, anyone who manages risk at an organization needs to accept that bad things will happen, and they need to take a long, hard look at their computer security program to determine whether they have been diligent in addressing the question "What if a compromise occurs?" A security professional needs to be just as diligent in responding to a compromise as in trying to thwart one. You need to be able to walk into an executive's office and say with confidence, "Yes, we have just experienced a computer incident. We have an incident response plan in place. We are taking action. We know what was compromised, and we know what was taken."