Crack the Case Before You Open It
December 05, 2011
Conventional forensics has long since had a consistent approach to investigations:
- Grab the data from the infected machines
- Load it into an analysis tool
- Start digging until you can find something or exhaust all avenues of possibility
While this approach can work for many (especially those with an unlimited amount of time on their hands), there are ways to make the investigative process much more efficient and accurate. With the exponential expansion of data storage capacity, the ability of the examiner to simply "start digging" can easily lead to extensive overhead and dependency on tools and automated resources. This is why I propose a paradigm shift and submit that rather than wait until the evidence is collected and loaded into an analysis device, the investigation can begin the moment the examiner receives a case.
The following are the "6-Steps" towards cracking a case before you open the evidence:
- Interview Personnel
- Gather Background
- Create a Hypothesis
- Create a Timeline of Triage
- Create a Profile
- Create an Action Plan
Interview Personnel
I first want to clarify that while the purpose of this article is to shift the paradigm of forensic investigations, it is not to remove or minimize efforts that are truly important to all investigations. One such example is the collection of evidence itself. With the ever expanding capacity of storage, the time it takes to forensically collect evidence is growing as well. On average a single drive could take multiple hours to complete. Often examiners will simply "kick off and wait". They start the collection and let it run until complete, then pack up and leave the scene. I propose that during the time it takes for the data to copy, the examiner can use that time to ask targeted and indirect questions ("Alternative Questioning") about the case. The examiner must interview any and all individuals relevant to the investigation. Furthermore, professional forensic examiners have a unique ability to identify patterns and pick out details that normal individuals would overlook. This skill can easily be applied to facial features, hand gestures, and non-verbal communication. This is why forensic examiners can make solid interviewers, as they can pick up on the subtle changes in body language.
Gather Background
Every investigation has a purpose. There is something that must be found and questions that must be answered. The more information an examiner can collect about the purpose of the investigation, the more accurate and efficient the analysis of the collected evidence will be. At the basic level, the importance of background information is as simple as "how will you find what you are looking for if you don't know what it is?". That doesn't mean that you must know all the answers beforehand, but it does mean that you must define what the result is or at least what you wish to find. That way, when you review all the evidence and data, you will recognize what you are looking for. Here are some simple questions that can make a big impact on establishing the background of a case:
- What is the driving factor for the investigation?
- What is the end goal of the investigation?
- What led to the initiation of the investigation?
- What data is potentially relevant to the investigation, and where is it all stored?
- What has been done up to this point?
Create a Hypothesis
If you have completed steps 1 and 2, then you will likely have a pretty good idea of what the investigation entails. This is a crucial point in the transition of the investigation. Take all the information that has been collected and formulate one or multiple hypotheses. If there was one step that I would highlight as the most important of all, it is this one. The examiner must review all the information provided and recreate what they think happened. This recreation of the event becomes the transition point between collection of information and establishing an action plan for the investigation. Some cases may only have 1 initial hypothesis, while others may have many missing variables that allow for a variety of outcomes. You must decide on which ones are the likeliest and begin with 1-3 hypotheses.
Example: Sensitive Data Compromise
- There is no firewall
- External vulnerability scans identify:
  - Corporate workstations have public IP addresses
  - Multiple workstations are listening on TCP ports 3389 and 5900
- A/V is installed on multiple systems but not updated
- No outbound network monitoring is in place
- Logging is disabled or reduced to save space
- No secondary network controls are in place
- Sensitive data is retained on an encrypted database
- Sensitive data was found on websites known to be hosted by malicious individuals
- There is an inherent lack of security controls in place. This implies that the extent of the breach is likely to have expanded to encompass the entire network.
- Infiltration could be either RDP (port 3389) or VNC (5900).
- Given the lack of network security controls and default TCP ports for remote access devices, there is a good chance the passwords are either non-existent or not complex and have been compromised.
- A/V is not up to date implying a lack of monitoring.
- Lack of logging means the root cause might never be identified.
- Lack of egress filtering means the data could have left the environment using virtually any method of data exfiltration.
- The sensitive data is retained secured "at rest". This means that there is a good chance malware is installed at the data ingress points or the network layer to capture the data before it reaches the database.
For those "CSI" fans out there, you will recognize that virtually every episode includes this key step at least once, if not multiple times throughout. I should also mention that while the initial hypothesis is very important, the examiner must be willing to accept what the evidence indicates and update the hypothesis accordingly. The hypothesis must fit with the evidence and not vice versa. At this point it is acceptable to be wrong; I do not wish to suggest the hypothesis must be perfect, simply that it must provide a starting point.
Create a Timeline of Triage
With a solid background of information and at least one hypothesis, the next step is to start filling in some of the missing variables. Now many examiners would read this and think "ok, time to jump into the evidence"... not yet. This step is geared towards refining the information provided and starting to "technically" lay out the events of the investigation. In my experience one of the easiest ways to begin organizing evidence is to establish a timeline of the events. The timeline of events is based on conversations, commentary, logs, tangible time references, and anything else that can help associate an event with a specific point in time. I would strongly urge that the timelines be outlined graphically in a linear fashion. I have found that simply taking the time to plot each event on a graphical representation allows me to create a clear picture of events according to the information gathered and the hypothesis created.
Create a Profile
This is the phase where the rest of the information collected during interviews and background gathering is organized. Often investigations are thought of as a puzzle. The evidence is all the pieces. The examiner has to find the pieces and figure out where they all fit together. In this phase the pieces gathered thus far are put together. The pieces related to timelines and events are already put together in the previous step, so now the rest of the pieces can build from there. When putting the pieces together you must take the timeline, the hypothesis and a template and organize the information. There will be pieces of information that are missing. These gaps or holes can be filled later by finding evidence on the forensically imaged data. I often find it is the gaps and holes that are of the most value, as they lead me towards specific types of analysis on the forensically imaged data. For instance, one common example is "off business hours". Even though there is nobody at work, the computers remain online. The best place to figure out what happened while nobody was at work is to dig through the systems collected and focus on time periods outside of standard business hours.
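As an added illustration of the two previous steps (this is example code written for this edit, not from the original article): it merges constructed log lines and interview statements into one linear timeline, discards damaged lines rather than guessing a time for them, flags events outside business hours, and reports stretches with no evidence at all. The host names, timestamps, business-hours window and gap threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import re

# Constructed sample evidence: syslog-style lines plus interview statements.
# Host names, times and the business-hours window are assumptions for the example.
LOG_LINES = [
    "2011-11-20T02:14:03 ws-07 rdp: session opened for user admin",
    "2011-11-20T09:30:12 ws-07 av: signature update failed",
    "### partial line recovered from unallocated space ###",
    "2011-11-21T23:47:55 ws-12 vnc: connection accepted",
]
INTERVIEW_NOTES = [  # (time the witness gave, source, statement)
    ("2011-11-18T17:00:00", "Interview", "Sysadmin: backups verified before the weekend"),
    ("2011-11-22T08:15:00", "Interview", "Finance: customer records seen on an external site"),
]
BUSINESS_HOURS = (time(8, 0), time(18, 0))
GAP_THRESHOLD = timedelta(hours=24)

@dataclass
class Event:
    when: datetime
    source: str
    detail: str
    def off_hours(self):
        # Weekend, or outside the assumed business-hours window on a weekday
        start, end = BUSINESS_HOURS
        return self.when.weekday() >= 5 or not (start <= self.when.time() < end)

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
def parse_log_line(line):
    # 'timestamp host message' -> Event; None if the line is unusable
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None  # never guess a time for a damaged line
    return Event(when, m.group(2), m.group(3))

def build_timeline(log_lines, notes):
    # Merge log events and interview statements into one time-ordered line
    events = [e for e in map(parse_log_line, log_lines) if e is not None]
    events += [Event(datetime.fromisoformat(t), s, d) for t, s, d in notes]
    return sorted(events, key=lambda e: e.when)

def find_gaps(timeline, threshold=GAP_THRESHOLD):
    # Stretches with no evidence at all: the holes to fill from the imaged data
    return [(a.when, b.when) for a, b in zip(timeline, timeline[1:]) if b.when - a.when > threshold]
```

The off-hours events and the gaps are the starting points for targeted analysis of the imaged systems, rather than an open-ended "start digging".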
Create an Action Plan
The final step is to create an action plan. All the information, assumptions, missing evidence, questions, hypotheses, etc. used thus far can be converted into an action plan. By taking each of the previous steps the examiner is much more informed as to the "who", "what", "where", and "why" of the investigation and can now drive towards the "how" and "when" by digging into the collected evidence. In my experience the amount of time put into creating a solid and effective action plan directly leads to increased efficiency and accuracy in the investigation of the collected data and the finalization of the investigation.