Digital Forensics: How to ensure prompt and efficient resolution of successful cyberattacks

The number of reported IT security incidents, driven by the rapid development of new and adapted cyber attack methods, is worrying, and the consequences can include serious financial losses as well as reputational damage for companies. After a cyber attack, it is therefore important to keep a cool head and to immediately call in experts who can clarify the IT security incident as comprehensively and as quickly as possible using forensic methods. Digital forensics specialists are needed to secure evidence for criminal prosecution, but also for claims against insurance companies and service providers. In particular, it is of elementary importance to determine the extent of the damage. Valuable traces that can provide clues to the perpetrator(s) must not be destroyed by hasty actions. With the help of digital forensics, the IT security incident is comprehensively analyzed and reconstructed, with the goal of using the collected and analyzed information to enable prosecution of the perpetrators. It is also necessary to implement appropriate countermeasures in a timely manner and to define future defensive measures.

What does digital forensics after an IT security incident involve?

“What exactly happened?” Digital forensics is dedicated to this central question after an IT security incident. As a sub-discipline, it belongs to forensics, just like psychological forensics or forensic medicine. Digital Forensics Specialists are responsible for securing traceable evidence according to strictly defined standards, collecting evidence that can be used in court, and clarifying facts: Digital Forensics Specialists perform meticulous detail work around a cyberattack that has occurred.

Everyone who uses digital devices inevitably leaves behind traces. An important task of Digital Forensics Analysts is to recognize, extract and visualize these fleeting traces.

In doing so, the experts search for traces at the following possible points of attack:

Endpoint Forensics

Laptops, workstations or servers: For digital forensics specialists, endpoints are a veritable treasure trove for identifying traces of attacks. This is why endpoints are usually analyzed first as part of a forensic investigation. Has malware been installed on the devices, or is there any conspicuous usage behavior that deviates from the company’s usual user behavior? By extracting data from the devices, forensic experts gain insights into the course of the cyberattack.

Network Forensics

Network traffic can also provide forensics experts with important insights into a cyberattack. Attackers who infiltrate a network leave traces that forensic experts uncover and secure using full-packet capture, NetFlow or log management.

Malware Forensics

Ransomware, Trojans, rootkits or spyware: In many cyber attacks, malware is used to infiltrate computers and networks. For digital forensic analysts, (potential) malware provides an important starting point for identifying IoCs (Indicators of Compromise). The characteristics and data that indicate that a network or computer system has been compromised enable experts to reconstruct the course of events and assess the extent of the damage.

What forensic analysis options are available?

Two types of analysis are used in the field of digital forensics: live analysis and post-mortem analysis.

Live analysis takes place on a computer system that is switched on. Here, the main objective is to extract and examine volatile data. “Volatile data” includes, for example, information on existing network connections, users logged into a network, active processes on the systems or even passwords of decrypted drives. The big challenge in live analysis is working on systems in real time: even the smallest interventions, such as a keyboard entry or the movement of the connected mouse, change the data of the computer system. For this reason, strict adherence to predefined procedural instructions is particularly important in live analyses.

Post-mortem analysis is the second variant in the field of IT forensics. This analysis is performed when an IT security incident occurred some time ago or volatile data is not relevant for resolving the incident. The main work in post-mortem forensic analysis takes place on the data carriers of the computer systems affected by a cyber attack. The investigation focuses on the timestamps in the system's metadata.

What are the digital forensic steps after an IT security incident?

While the location of evidence collection and the tools used differ from one forensic engagement to the next, the approach remains the same. SECUINFRA’s Digital Forensic Specialists perform forensic analysis in six interrelated steps that build on each other. The so-called “Investigation Lifecycle” comprises:

Identification

In the first phase of a digital forensic assignment, the important question is what exactly happened. In the identification phase, the forensic experts contact the company concerned, coordinate closely with the client and conduct initial interviews. The search for evidence begins with the identification of possible sources of relevant evidence.

Preservation

In order to reconstruct the exact course of events and create a chain of custody that is tamper-proof and fully traceable, the digital forensic analysts establish strict guidelines in the preservation phase for handling the evidence identified and analyzed in later phases. The chain of custody is not only relevant for criminal prosecution or insurance claims, but also enables the exact course of events to be reconstructed. The information obtained can then be used by the company concerned to improve its cyber resilience.

Collection

Cyber attackers leave behind digital traces. In the third phase of a digital forensic operation, these are collected by the forensic experts for later evaluation. Depending on the security incident, the evidence may be hidden on infected laptops, hard drives or phones, in log data, downloads or system images, and also in recordings of network traffic or the contents of mailboxes. If subsequent analysis of the evidence reveals indications of other sources of relevant evidence, the Collection phase can be repeated several times.

Analysis

The collected evidence is intensively and systematically analyzed in the Analysis Phase. The evidence found is evaluated and conclusions are drawn from it. It is possible that further evidence will have to be collected (by repeating the Collection Phase) in order for the Digital Forensics Specialists to confirm or refute the conclusions drawn. The Analysis Phase is characterized by scientific meticulousness; after all, even the smallest trace may conceal important evidence.

Documentation

Documentation of the investigation is a continuous process throughout the entire forensic operation. Only thorough, permanent documentation can ensure that the entire forensic operation can be reconstructed in detail and in a way that is legally binding. The documentation includes all details of the operation, starting with the recording of the case, the results of the initial interviews, the recording and analysis of the evidence, the resulting conclusions and the final reconstruction of the cyber attack. With detailed and complete documentation, the traceable chain of custody – the chain of evidence – is formed.
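The Preservation and Documentation phases above both rest on a chain of custody that records who handled which evidence item, when, and proves that neither the evidence nor the record was altered afterwards. The following is an added illustration (not SECUINFRA's tooling): each log entry carries the SHA-256 of the evidence item and the hash of the previous entry, so any later edit to an entry, or any change to an evidence image between two handling steps, is detected by re-deriving the chain. The evidence bytes and handler names in the test are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous entry" hash used by the first log entry


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_entry(log: list, handler: str, action: str, evidence_id: str,
                 evidence: bytes, timestamp: str = "") -> dict:
    """Record who did what with which evidence item, linked to the previous entry."""
    entry = {
        "seq": len(log),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "evidence_id": evidence_id,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),  # hash of the item itself
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Re-derive every hash and link; report the first inconsistency found."""
    first_seen = {}  # evidence_id -> hash recorded when the item was first handled
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"entry {i}: sequence number mismatch"
        if entry["prev_entry_hash"] != prev:
            return False, f"entry {i}: broken link to previous entry"
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, f"entry {i}: contents altered after recording"
        eid, h = entry["evidence_id"], entry["evidence_sha256"]
        if first_seen.setdefault(eid, h) != h:
            return False, f"entry {i}: evidence {eid} changed since acquisition"
        prev = entry["entry_hash"]
    return True, "chain intact"
```

In practice the log would be written to append-only storage held by someone other than the analysts, so that the hash chain and the storage control reinforce each other.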

Presentation

The presentation phase is the final phase of a digital forensic operation. Here, the course of the cyber attack is reconstructed as accurately as possible on the basis of the evidence found and the resulting conclusions. The Digital Forensics Analysts create an incontrovertible chain of evidence that can be used for criminal prosecution or to enforce claims for damages. If desired, the findings of the reconstructed crime can subsequently be used for improvement proposals to strengthen the cyber resilience of the affected company.

What are the advantages of a digital forensics framework contract?

IT security incidents can be reliably resolved with digital forensics, provided the tools are used correctly and promptly by qualified specialists. A digital forensics framework contract enables companies to quickly and easily access efficient and targeted support from digital forensics specialists. With an individual forensics framework contract, companies can prepare themselves in the best possible way for an IT emergency. In addition to the significant financial savings potential, a forensics framework contract also offers other advantages:

1) Fast and known reporting path
If an incident occurs, no valuable time is lost with an existing framework agreement. The forensics service provider’s team of experts already knows the customer’s technical and organizational infrastructure, so there is no need to spend time learning the existing system architecture. Direct contact with the responsible digital forensics team eliminates the need for a detour via the sales department. This significantly speeds up response times.

2) Less ordering effort
An existing forensic framework contract minimizes administrative effort in an acute incident. This keeps capacities free and enables prompt deployment of IT forensic experts without detours.

3) Assured service level agreement (SLA)
A forensics framework agreement ensures that the services provided by forensics service providers are tailored precisely to a company’s needs. Companies benefit from firmly promised response times in the event of serious IT security incidents and can rely on rapid access to expert knowledge.

4) Reduced negotiation costs
In the event of an acute security incident, upcoming price negotiations can cost valuable time. With a forensics framework contract, there is only an initial negotiation effort – and this in advance of possible IT security incidents. This not only reduces costs, but also makes the deployment of IT forensics experts easier to plan financially.

5) Favorable conditions
Long-term cooperation between a company and an IT forensics service provider makes attractive, discounted conditions possible. Without an existing forensics framework contract, significant price premiums can be expected in the event of an acute incident, especially in the case of rapid, unplannable deployments of IT experts.

Conclusion

No company is safe from cyber attacks. From small sole proprietorships to global corporations, cybercriminals are targeting business operations. Even with the use of state-of-the-art IT security solutions, a security incident cannot be ruled out. If an IT security incident occurs, it must be investigated as comprehensively and thoroughly as possible: not only to bring the perpetrators to justice, but also to understand the attacker’s modus operandi and thus be better prepared for future cyberattacks. Following an IT security incident, IT forensics collects, analyzes and documents digital evidence, and makes it possible to create an accurate picture of the security incident through meticulous, criminological detail work. To ensure that digital forensics experts can be deployed promptly, it is advisable to conclude a forensics framework agreement at an early stage. This not only ensures cost transparency, but also guarantees the rapid deployment of the forensic experts and the urgently needed access to comprehensive expert knowledge.

Would you like to learn more about digital forensics? Then contact us online or by phone at: +49 30 5557021 11. We will be happy to advise you!


SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.
