Where to start?

I was wondering how does someone go about trying to learn the process of investigating a security incident. Security incidents include a range of different scenarios. For example, a security incident could be an employee violating a company policy, unauthorized access to a database, or a server being breached by an attacker.

Complicating matters, each scenario can have numerous sources of data that can assist with your investigation. To illustrate, take the example of a server being breached by an attacker from the Internet. The devices that could contain potential evidence are all of the devices between the attacker to the breached server. Not only does this cover the attacker’s system and the breached server but it also includes the intermediate devices such as routers, switches, other servers, and firewalls. Plus, each device can have numerous data sources where evidence could be located; the breached server could have evidence stored in memory, hard drive, or on a backup tape somewhere. Lastly, each data source can have various locations where evidence can be located, such as the application logs, registry, or user profiles stored on the server’s hard drive.

Thinking about all of this I needed to figure out where was the best place to start so I turned to research using books and the Internet. My initial focus was to understand the process for investigating security incidents. This included trying to understand the overall forensic process and the data that can help an investigation. Right off the bat I knew I had to use baby steps so I decided to learn how to investigate a single system since I already had an understanding of the forensic process. (I plan on discussing the overall forensic process in future posts). There are different scenarios for a single system such as a hacked server or a compromised client; both of these scenarios can involve numerous ways of how the system was breached. I opted to start with learning how to investigate a single system infected with malware. I thought what I learned in this scenario could be applied to other scenarios. Plus, this is most likely the first scenario I will encounter once I understand the process. However, my eventually goal is to understand how to investigate a network wide incident that includes clients, servers, routers, and firewalls.

An investigation for a breached system would include various questions that have to be answered such as: what occurred, when did the incident occur, how did the incident happen, where did the incident occur on the network, and what can be done to prevent the incident from occurring in the future. Continuing with the baby steps approach I decided to only focus on answering two questions. Is the system infected and how did it become infected? Having established the two questions I needed to answer, the next step was to determine what data can be used to answer those questions and how that data can be collected and examined. As I mentioned previously this is a new area for me so I heavily referenced the books Windows Forensic Analysis, Incident Response and Computer Forensics, and Malware Forensics Investigating and Analyzing Malicious Code.

These books helped identify the data that can be examined to answer the questions, which for a single computer involved volatile data, the hard drive, and the various locations in the both of them. The next few blog posts will cover how I was able to answer both of these questions.