The objective of this article is to illustrate all the different types of digital data that should be collected when searching a crime scene or the location of a computer intrusion. This document was written with the law enforcement community in mind, but is applicable for anyone investigating a computer intrusion within a company. Each crime scene or intrusion is different and will pose different challenges.
It is essential in each case to ensure that all the necessary digital data is collected. When investigating a computer intrusion that affects a company or organization, the hard drives imaged or the computers targeted in the intrusion do not always tell the whole story. Extra data may need to be collected to help fill in the missing pieces and to decrease the turnaround time of the analysis. It is easier to collect data while onsite, rather than having to return and collect it. It should also be noted that, by the time someone returns to collect any additional data, the desired data could have been deleted or overwritten through normal operations.
Scoping the Digital Crime Scene
When investigating a company that was the victim of a computer intrusion it is necessary to understand the type of business and the services it provides and makes available. Understanding the type of business you’re working with will help identify the motive. Understanding the services provided and available to the public can help identify the possible intrusion vector. Those on the scene will want to have a good understanding of how data or information flows in and out of the company’s internal network. This will help to identify which system(s) need to be imaged and analyzed first.
What Evidence Needs to Be Collected?
An intrusion is usually identified by an alert from a monitoring device, odd computer or network activity, or the obvious loss in company assets. These assets could be financial, intellectual property, or computer resources. After it has been suspected or determined that a breach has occurred, what information or data needs to be collected for analysis? This question is usually preceded by knowing the right questions to ask when interviewing the victim. The complexity of the victim’s infrastructure determines the type of questions to ask. For example, does the victim have a single business location or multiple locations with network connections between them? Are there business partners who connect to the network through VPN connections? Does the victim have a DMZ that houses Web, e-mail, or DNS servers? Does the Web server connect to a backend database that is behind a firewall? These are the types of questions that need to be asked when determining the intrusion vector.
The next set of questions center around trying to determine what part of the network infrastructure might have logged all or parts of the intrusion activity. Below are key questions to ask when interviewing the victim:
• Which of the following systems are in place, and do they keep logs?
  o Intrusion Detection Systems
  o Web Servers
  o Proxy Servers
  o SMTP Servers
  o DHCP Servers
  o DNS Servers
• What time zone are the logs in? If a company has multiple locations, ask whether the clocks are synchronized using NTP or are set to the local time of each location.
• Have any changes recently occurred to the network, public facing systems, or applications?
• Are there any network maps? All the network maps need to be reviewed, even older copies.
The next round of questions will cover how the intrusion was discovered and the time of the occurrence. When the intrusion was detected and when it actually occurred can be two different timeframes. This can happen for several reasons. If malware was used to help facilitate the intrusion or the exfiltration of data, the anti-virus signature could have been created after the intrusion occurred. The same holds true for any intrusion detection signature that was created. Anti-virus and intrusion detection signatures are created after the malware or intrusion set has been identified in the wild. Even detection by a user might not happen at the moment the suspicious or odd activity first began. Below are some questions to consider:
• How was the incident detected?
  o Network monitoring
  o Detection on the system through anti-virus or another monitoring application
  o Identified by the user
• How prevalent is the intrusion or malware infection? If it’s malware based, was more than one computer system affected?
• If an attacker, manually or through a scripted application, gained access to a system on the internal network through the firewall, how many systems have now been compromised?
• How many different times was the intrusion detected?
  o Was the intruder accessing the internal network on multiple occasions?
  o Was data being exfiltrated on more than one occasion?
  o Was the infected system, once identified, re-imaged and placed back on the network, possibly with the same vulnerabilities?
• Has the intrusion been contained?
These are all important questions when identifying the scope of an intrusion. All of these questions lead up to the issue of what data needs to be imaged or acquired for analysis. When you are onsite to collect information for analysis it is better to collect more than what might be initially needed. The scope of the investigation could easily expand, and it is much harder to obtain network logs or computer artifacts that might have been overwritten. This is a challenge for those in the law enforcement community who have to deal with the scope of the investigation or search warrants. Below is a list of data sources that could potentially contain evidence of an intrusion.
- Logs: All logs from networking systems should be collected. This should include every log source in the list above. Unless the intrusion occurred as the result of physical access to the machine, traffic at some point passed through a network device going from one system to another carrying intrusion artifacts.
- RAM: The memory from any computer system suspected of being involved in the intrusion should be collected before shutting down the system to image it. The benefit of analyzing RAM far outweighs the potential to overwrite data during the acquisition phase. If the computer has already been shut down, the RAM can still be collected using tools like Virtual Forensic Computing.
- Hard Drive Images: Images from any devices that are suspected of being involved in the intrusion. This includes the mail server that might have propagated the malware to an end user, or the Web server that was compromised allowing backend access to the database residing behind a firewall. If a complete physical image of a system is not possible, a logical copy should be obtained. If DHCP is in use at the victim site, the logs from the DHCP server should also always be collected, or at least queried, to determine whether the correct systems are being imaged and analyzed.
If malware was discovered, one of the most prevalent vectors is e-mail. If malware was detected, the mailboxes from the mail server should be collected, not just the infected user’s system. Sometimes a user’s e-mail resides on the mail server and not on the desktop. If only the end user’s computer was imaged and analyzed, the e-mail containing the malware might not reside on that drive at all, but on the mail server. One important question that should also be asked is whether the user’s desktop obtains its IP address from a DHCP server. This is important because if the intrusion was detected via network traffic and an IP address was identified, it is important that the correct system is imaged for analysis. If the attack occurred two weeks prior and the DHCP lease expired three weeks ago, the incorrect system will be imaged and the compromised system will still remain on the network. The logs from the DHCP server must be acquired and analyzed.
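A worked example of the DHCP check described above, added here and not part of the original article: it replays constructed DHCP audit records for the address named in an IDS alert, converts the alert's UTC timestamp into the DHCP server's local clock (assumed to be UTC-6 and not NTP-synced with the IDS, the situation the time zone question is meant to catch), and reports which host held the address at that moment, or nothing when the lease had already been released or had expired. The log layout, host names, MAC addresses, lease length and zone offset are all constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample DHCP audit log (not from any real server):
# id,date,time,event,ip,hostname,mac -- timestamps are the DHCP server's
# own clock, assumed here to run at UTC-6 with no NTP sync to the IDS.
DHCP_LOG = """\
10,2012-03-01,08:15:22,Assign,192.168.10.45,WS-117,00-1A-2B-3C-4D-5E
11,2012-03-01,09:02:10,Assign,192.168.10.46,WS-204,00-1A-2B-3C-4D-61
12,2012-03-05,08:15:22,Renew,192.168.10.45,WS-117,00-1A-2B-3C-4D-5E
13,2012-03-12,08:15:22,Release,192.168.10.45,WS-117,00-1A-2B-3C-4D-5E
14,2012-03-13,07:58:04,Assign,192.168.10.45,LAPTOP-09,00-1A-2B-3C-4D-77
"""
DHCP_TZ = timezone(timedelta(hours=-6))   # assumed zone of the DHCP server clock
LEASE = timedelta(days=8)                 # assumed lease length for this scope


def utc(y, m, d, hh, mm):
    """Build an aware UTC timestamp, the form an NTP-synced IDS would log."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def lease_holder(log_text, ip, alert_time, log_tz=DHCP_TZ, lease=LEASE):
    """Replay the DHCP events for `ip` up to `alert_time` and return the
    (hostname, mac) that held the address then, or None if the lease had
    been released or had expired. `alert_time` must be timezone-aware; it
    is converted into the DHCP server's zone before any comparison."""
    local_alert = alert_time.astimezone(log_tz)
    holder = None
    for _, date, clock, event, rec_ip, host, mac in csv.reader(io.StringIO(log_text)):
        if rec_ip != ip:
            continue
        t = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=log_tz)
        if t > local_alert:
            break                             # later events cannot explain the alert time
        if event in ("Assign", "Renew"):
            holder = (host, mac, t + lease)   # lease starts or is extended here
        elif event == "Release":
            holder = None                     # address handed back to the pool
    if holder is not None and local_alert < holder[2]:
        return holder[0], holder[1]
    return None                               # expired or released: do not image by IP alone


if __name__ == "__main__":
    alert = utc(2012, 3, 13, 12, 30)          # IDS alert time, logged in UTC
    print("correct :", lease_holder(DHCP_LOG, "192.168.10.45", alert))
    # The trap the article warns about: reading the UTC alert time as local time.
    print("misread :", lease_holder(DHCP_LOG, "192.168.10.45", alert.replace(tzinfo=DHCP_TZ)))
```

Run as a script, the two lines show that the same alert points at no host when the zones are reconciled but at LAPTOP-09 when the UTC timestamp is misread as local time, which is exactly how the wrong machine ends up being imaged.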
These are many of the factors that need to be considered when investigating the site of an intrusion. It is important to remember that network devices are logging traffic that traverses the network, and any intrusion that does not occur through physical access to the machine will be logged by one of these network devices. It is critical to get an understanding of the network infrastructure to best identify the networking device that might have logged the malicious network traffic. Obtaining network maps is always a great place to start. It is also very important to capture the RAM from any system suspected of being involved in an intrusion. It is not uncommon for malware to be encrypted or packed while resident on the drive. When the malware is executed it must decrypt itself in memory, and at that point a forensic analyst can identify its malicious capabilities. A checklist of the different types of logs produced by the different operating systems should be maintained for use as a reference when you are onsite dealing with an intrusion.
Mark Wade is the Vice President of EdgePoint Forensics. In past careers Mark has performed digital forensics for a Federal Law Enforcement agency as a government contractor. The forensic work performed was investigating computer and network intrusion, user profiling and various other Internet investigations. Other prior work included computer/network security for the past twelve years with specific focus in penetration testing, IDS and firewall management, incident response, and malware analysis. EdgePoint Forensics specializes in computer and network forensics, and Operational Investigative Support for cyber-crime. EdgePoint Forensics also offers computer forensics training. www.edgepointforensics.com; email@example.com