In our last article, Keeping Cyber Simplified, we outlined how your organisation can implement a Cyber Security Framework. As part of the Framework, using forensic intelligence in response to an incident (cyber-attack, hack or data breach) is vital, not only to identify the perpetrators but also to learn from the event and put new measures in place to reduce the risk of it occurring again.
What is Digital Forensic Intelligence?
Digital forensic intelligence and investigation is a discipline that provides evidence to support an internal investigation or the response to a data breach or cyber-attack. Correctly preserving, identifying and gathering digital evidence is key to successful litigation, dispute resolution and the recovery of electronic data.
Digital forensic intelligence investigators are trained to safely preserve and examine data found on digital devices and networks, often identifying the root cause of an incident and the evidence of it. They have a working understanding of the legalities, best practice and methodologies used in the current corporate digital forensic environment.
Preservation of Evidence in a Cyber-Crime Investigation
During or after a cyber-crime, related attack or unauthorised event, it is essential to identify and secure any known network devices that may contain digital evidence and/or unauthorised access activity.
Investigators must follow evidence continuity protocols, demonstrating appropriate exhibit handling, data collection and preservation, through to forensic examination and investigation.
It should be noted that large data sources from networks and devices take time to preserve, process and filter. Stakeholders should be made aware of this at the start of any forensic intelligence process, so that they can implement operational measures and manage the expectations of any relevant external parties. It is not uncommon for large digital data sets to take several days to preserve and process.
Therefore, while device preservation is under way, the forensic intelligence investigator can turn to preserving Windows Event Logs and other audit logs from online platforms such as Office365 and SharePoint, as these logs will be paramount to supporting the investigation.
Note that most organisations using Office365 will have their event log retention set at the default of 7 days; it is therefore imperative that this forensic intelligence is gathered as soon as possible.
Once the evidence has been seized and preserved, the forensic analysis and examination can begin, including the imaging (producing a working copy) of all digital data from the collected devices using specialised forensic software and hardware. Imaging allows the original devices to be preserved as evidential exhibits, leaving the imaged copy to be forensically tested and analysed.
During this phase it is important to keep continuous communications with key stakeholders, including senior management, incident response teams, regulatory authorities and, if necessary, your cyber-insurance company.
Although communications should be clear and regular, forensic investigators must also be allowed, where possible, to conduct their examination without distraction. Forensic intelligence work can be complex, and many hypotheses will need to be tested before a factual opinion on what happened during the event can be given.
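As an added illustration of the imaging step described above (this is example code, not part of the original article or the author's own tooling), the script below images a constructed sample "device" file, hashes the original and the working copy, and returns a continuity record showing that the copy matches the exhibit before any analysis begins. The exhibit reference and examiner name are placeholder values.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Added example, not from the original article: a minimal continuity record
# for the imaging step. The original file stands in for the seized exhibit and
# the copy for the working image; the record shows the copy matches the original.

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images do not fill memory

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def image_and_verify(original, working_copy, examiner, exhibit_ref):
    """Copy the exhibit, hash both sides and return a continuity record."""
    before = sha256_file(original)           # hash of the exhibit as seized
    shutil.copyfile(original, working_copy)  # produce the working image
    after = sha256_file(working_copy)        # hash of the copy
    return {
        "exhibit_ref": exhibit_ref,          # constructed placeholder reference
        "examiner": examiner,
        "imaged_utc": datetime.now(timezone.utc).isoformat(),
        "source": original,
        "working_copy": working_copy,
        "sha256_original": before,
        "sha256_copy": after,
        "verified": before == after,         # analysis proceeds only if True
    }

def demo():
    """Image a constructed sample 'device' inside a temporary directory."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "exhibit-001.bin")
    dst = os.path.join(workdir, "exhibit-001-working.dd")
    with open(src, "wb") as fh:
        fh.write(b"constructed sample disk contents\n" * 1000)
    return image_and_verify(src, dst, "Examiner A", "EXH-001")

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the original would be acquired through a write blocker and the record kept with the exhibit log; a failed `verified` check means the copy must be re-imaged, not analysed.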
Testing Cyber-Crime Investigation Hypotheses
Forensic intelligence investigators will commonly look at the following hypotheses as part of the examination process:
- examine all compromised accounts and systems accessed by the perpetrator/attacker
- identify, secure and analyse relevant support information and data from servers, cloud platforms, routers and other network devices
- identify the root cause of the incident, data breach or cyber attack
- examine event logs for evidence of unauthorised access
- look for any patterns of unauthorised access
- assist in providing evidence around the perpetrator’s profile and how technical defence mechanisms were breached
- undertake traditional analysis of deleted files, browser history, access logs and file sharing
- examine chronological system services, Windows Event Logs, log files, Jump Lists, ShellBags and other digital logs.
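To illustrate the two list items on examining event logs for unauthorised access and looking for patterns in it, here is an added example (not from the original article) that runs a simple triage pass over exported Windows Security events: it flags an account and source address that show repeated failed logons (event ID 4625) followed by a successful logon (event ID 4624) within a short window. The event records are constructed sample data in a simplified comma-separated form, not a real export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original article: flag the classic pattern of
# repeated failed logons (4625) followed by a success (4624) for the same
# account from the same source. SAMPLE_EVENTS is constructed data in the form
# timestamp,event_id,account,source_ip,logon_type (3 = network, 2 = interactive).
SAMPLE_EVENTS = """\
2024-03-01T08:00:05Z,4625,svc-backup,203.0.113.45,3
2024-03-01T08:00:09Z,4625,svc-backup,203.0.113.45,3
2024-03-01T08:00:14Z,4625,svc-backup,203.0.113.45,3
2024-03-01T08:00:15Z,4625,svc-backup,203.0.113.45,3
2024-03-01T08:00:21Z,4624,svc-backup,203.0.113.45,3
2024-03-01T08:05:00Z,4624,alice,10.0.0.22,2
2024-03-01T08:06:00Z,4625,bob,10.0.0.23,2
2024-03-01T08:07:30Z,4624,bob,10.0.0.23,2
"""

def parse_events(text):
    """Parse the simplified export into dicts, sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, src, ltype = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(eid), "account": account,
            "source": src, "logon_type": int(ltype),
        })
    return sorted(events, key=lambda e: e["time"])

def find_failure_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Return (account, source, failure_count, success_time) for each suspicious run."""
    findings = []
    failures = defaultdict(list)  # (account, source) -> times of recent 4625 events
    for ev in events:
        key = (ev["account"], ev["source"])
        if ev["event_id"] == 4625:
            failures[key].append(ev["time"])
        elif ev["event_id"] == 4624:
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            if len(recent) >= min_failures:
                findings.append((ev["account"], ev["source"], len(recent), ev["time"]))
            failures[key].clear()  # a success closes the current run of failures
    return findings

if __name__ == "__main__":
    for account, source, n, when in find_failure_then_success(parse_events(SAMPLE_EVENTS)):
        print(f"{when:%Y-%m-%d %H:%M:%S} {account} from {source}: {n} failures then success")
```

The thresholds are deliberately adjustable: a single failure followed by a success (as with `bob` above) is normal user behaviour, so the default only reports runs of three or more failures.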
Once all reasonable forensic intelligence hypothesis tests have been completed, it is best practice for investigators to provide factual updates to stakeholders outlining the details of each examination that has been conducted, and to clearly communicate the key results from each examination in a forensic report. If necessary, these reports can then be shared with the relevant authorities or counsel to pursue any regulatory or legal actions against the perpetrators.
Once all the forensic examinations have been completed, stakeholders and the forensic intelligence investigators can evaluate how to prevent future incidents, data breaches and cyber-attacks. If necessary, organisations can then work with Protective Technologies partners to implement patch management and remove vulnerabilities and immediate threats to the organisation.
How we can help
Our understanding of cyber-crime threats, data protection, data security procedures and vulnerability assessment allows our Team to provide Clients with measures to mitigate the risk of a cyber-crime, attack and/or data breach.
If you need assistance or have suffered a data breach or cyber-attack, our Forensic Intelligence Team works with a variety of clients, including law firms and Insolvency Practitioners, helping them preserve digital devices and secure data found during a cyber event, investigation or company liquidation.
We help clients recover and investigate material found on digital devices, including hard-drives, servers, laptops, smart-phones, networks and storage media.
If you need help implementing a cyber-security strategy, contact us at email@example.com for a free 30 minute consultation.
If you need assistance with a forensics intelligence investigation, contact us at firstname.lastname@example.org.
Neil Miller, CFE | Founder and CEO