Tuesday, 19 October 2010

Overall DF Investigation Process

Posted on 18:16 by Unknown
In order to paint an accurate picture of how I started my journey, my next two posts will be about the overall digital forensic (DF) investigation process. Technically these should have been the first two posts, but I decided to discuss the examination steps and the testing I did last spring first in order to share information which was relevant to a few discussions at the time. After these two posts are completed, I will finally be caught up to where I currently am in my journey.

Most of the time, when you encounter something new, one of the first things you should do is understand the overall process. If you want to plant a garden you don't just dig a hole in your yard, throw in some seeds, and hope for the best. If you want to learn how to fish you don't buy fishing equipment at a local store and then go to the closest body of water to toss the equipment in. These approaches might result in a few plants growing, or in a fish being caught after the fishing pole knocks it unconscious, but the majority of the time they will fail. The reason is that both approaches just try to wing it instead of first trying to understand the overall process.

What does this have to do with investigating a security incident? When I approached this topic I started by trying to understand the overall DF investigation process before getting into the complexities of an investigation, such as the various examination steps, tools, techniques, or test systems. My goal was to have a repeatable investigation process which would provide consistent results instead of occasionally getting lucky by winging it. To accomplish this goal I started by understanding the different phases of the DF investigation process, including their purposes. I think the various activities within these phases are critical to understand, but my focus in this post is just on the phases.

There are different models outlining the phases of the DF process; three of them are the DFRWS framework, the NIST Guide to Integrating Forensic Techniques into Incident Response, and the book Building a Digital Forensic Laboratory. These models also discuss the various activities which can occur within these phases, such as case management, evidence management, chain of custody, and documentation.

In 2001, the Digital Forensic Research Workshop (DFRWS) released its Investigative Process for Digital Forensic Science (A Road Map for Digital Forensic Research, 2001). Its phases are Identification, Preservation, Collection, Examination, Analysis, Presentation, and Decision.


In 2006, the National Institute of Standards and Technology (NIST) released Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response (Kent, Chevalier, Grance, & Dang, 2006). Its process has four phases: Collection, Examination, Analysis, and Reporting.


In 2009, Elsevier published the book Building a Digital Forensic Laboratory, which lays out its own set of phases for the investigation process (Jones & Valli, 2009).


There are clear similarities between the three models (two of them closely track the DFRWS process). The phases I decided to use are Preparation, Identification, Collection, Analysis, Reporting, and Archival (note: these phases came from a combination of the references used in this post, my past experience processing cases, and conversations with a colleague who helped me understand the overall process when I first started in this field).


As you can see, these phases are nothing new; they are basically a reorganization of the phases in the models I briefly discussed. The following are brief descriptions of each phase:

The Preparation phase covers all of the activities which occur before you are working on a case. This includes establishing guidelines for how evidence is managed and preserved (Jones & Valli, 2009); those guidelines are what ensure evidence is preserved throughout the entire investigation process. This phase also covers activities such as staff training, staff recruitment, tool validation, and quality assurance measures.

The Identification phase begins when there is a request for a DF investigation. In my past experience, DF has been more of a service which supports other business processes, which means a request from a customer starts the investigation process. This phase involves understanding the purpose of the request and the scope of the investigation, such as the type of case, the subjects involved, and the systems involved.

The Collection phase is when any items that could be of evidential value are identified and collected (Jones & Valli, 2009). This includes digital media such as hard drives and removable media, but it can also include other types of information such as interviews and observations.

The Analysis phase includes both the examination and the analysis of the collected information. Examination identifies data which may be relevant to the case, while analysis works through the evidence that was collected, identified, and extracted to develop a set of conclusions (Stephenson, 2009). Analysis also includes testing those conclusions to ensure they are valid.

The Reporting phase is when the evidence and your conclusion are presented to the person or group requesting the DF investigation.

The Archival phase covers the long-term storage and management of the case materials, including the evidence, once the case has been closed.
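
The evidence-preservation guidelines established in Preparation, and the Collection phase they protect, come down in practice to one repeatable check: a hash of each item is recorded at intake, and the item is re-hashed and compared every time it changes hands or is pulled from archive. The script below is an added example of that check, not code from this post or from any of the referenced works; the function names, the item identifier, the JSON-lines custody-log format and the evidence bytes are all assumptions constructed for the demonstration.

```python
"""Evidence intake with a hash-backed chain-of-custody log.

Added example, not code from this post or its references. Function names,
the JSON-lines log format and the sample evidence bytes are assumptions
constructed for the demo.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional, Tuple


def hash_file(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Stream the file through the hash so a multi-GB disk image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody_event(log_path: Path, item_id: str, event: str, handler: str,
                         item_path: Path, notes: str = "",
                         digest: Optional[str] = None) -> Dict[str, object]:
    """Append one custody event (who, what, when, hash, size) to the log and return it."""
    entry: Dict[str, object] = {
        "item_id": item_id,
        "event": event,  # e.g. "collected", "transferred", "verified", "archived"
        "handler": handler,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": digest or hash_file(item_path),
        "size_bytes": item_path.stat().st_size,
        "notes": notes,
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def collected_hash(log_path: Path, item_id: str) -> Optional[str]:
    """Return the hash recorded at collection for item_id, or None if there is no intake record."""
    with log_path.open("r", encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            if entry["item_id"] == item_id and entry["event"] == "collected":
                return entry["sha256"]
    return None


def verify_item(log_path: Path, item_id: str, item_path: Path, handler: str) -> bool:
    """Recompute the hash, compare it with the intake hash, and log the outcome.

    A mismatch means the item changed after collection; it can no longer be
    treated as the evidence that was collected, and the log now records that.
    """
    expected = collected_hash(log_path, item_id)
    if expected is None:
        raise KeyError(f"no collection record for {item_id}")
    actual = hash_file(item_path)
    outcome = "verified" if actual == expected else "integrity-failure"
    record_custody_event(log_path, item_id, outcome, handler, item_path,
                         notes=f"expected {expected}, got {actual}", digest=actual)
    return actual == expected


def run_demo() -> Tuple[bool, bool]:
    """Constructed scenario: intake an image, verify it, then simulate a stray write and verify again."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        evidence = workdir / "usb_image.dd"
        evidence.write_bytes(b"\x00" * 512 + b"constructed sample evidence image")
        log = workdir / "custody.jsonl"
        record_custody_event(log, "ITEM-001", "collected", "examiner A", evidence,
                             notes="removable media seized from workstation")
        ok_before = verify_item(log, "ITEM-001", evidence, "examiner B")
        with evidence.open("ab") as fh:  # an unintended write after collection
            fh.write(b"!")
        ok_after = verify_item(log, "ITEM-001", evidence, "examiner B")
        return ok_before, ok_after


if __name__ == "__main__":
    print(run_demo())  # (True, False)
```

The log is append-only by construction, so a failed verification is itself recorded rather than silently overwriting the intake entry; in a real lab the log would live on storage the examiners cannot rewrite, and the intake hash would also be written into the case notes independently of the log.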

My journey has initially focused on the Identification, Collection, and Analysis phases. The scenario I decided to use was a malware infection, and then I realized the potential complexity of this scenario in a networked environment. It could be one system or 100 systems. Potential sources of evidence could be servers, clients, network logs, or removable media. The infection vector could be email, network shares, or the Internet. I think you can see the picture of this complexity, and I wanted to know how to approach this type of investigation during the Identification, Collection, and Analysis phases.

This is where Dr. Stephenson's End to End Digital Investigation (EEDI) framework comes into the picture. My next post will explain why I needed EEDI, how EEDI works, how EEDI can help test your conclusions, and the benefits of EEDI for the investigation process.


References

A Road Map for Digital Forensic Research. (2001, August 7-8). Retrieved from DFRWS: http://www.dfrws.org/2001/dfrws-rm-final.pdf

Jones, A., & Valli, C. (2009). Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility. Burlington: Elsevier, Inc.

Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006, August). Guide to Integrating Forensic Techniques into Incident Response. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

Stephenson, P. (2009). Cyber Investigation. In S. Bosworth, M. Kabay, & E. Whyne, Computer Security Handbook (pp. 55.1 - 55.27). Hoboken: John Wiley & Sons, Inc.