Digital forensics – the tools you need to investigate a cyberbreach

Every organisation and enterprise around the world is now facing the very real possibility that they may become the victim of a data breach. Intelligent CISO hears from a number of industry experts about why businesses need to consider integrating digital forensics into their security policies.

How important is digital forensics to global organisations and businesses and why? 

Derrick Donnelly, Chief Scientist at BlackBag Technologies:

Firewalls and syslog servers can only do so much. When you have a fraud, HR, criminal, or eDiscovery investigation, you have to look at the endpoints (personal computers and mobile devices) to get the whole story.

Artefacts from the activity on these devices will tell you more of the who, what, where, how and when of your investigation and possibly recover data that has been lost over time or purposely deleted. Each type of device has key information such as metadata and geolocation information you can only get from the device. With the right forensic software like BlackBag’s BlackLight, investigators can get a complete picture of an incident.

Although digital forensics is more commonly associated with law enforcement, an eDiscovery case or HR investigation is not that different from a criminal case. You still need to be able to secure the chain of evidence and go through a process that may be the same, or only a small step down, from a full forensic analysis. Some of the ‘he said, she said’ investigations can only be proven by looking at the data on the end devices.

In addition, have you ever tried to take away an iPhone from a CEO?  They don’t like it. You need to be prepared with the proper tools to minimise the time that iPhone is away from the CEO – or else.

Sebastien Talha, Business Development Manager, EMEA Region at AccessData Group:

Global organisations typically operate at a scale that makes them vulnerable to a wide range of cybercrime incidents. This includes data breaches, employee data theft and of course fraud. In fact, according to our Swiss law enforcement contacts, approximately 3% of any ecosystem — companies, public agencies and even non-profit groups — will eventually engage in some sort of misconduct.

In addition, global organisations operate in multiple countries, so they often must comply with data privacy regulations that differ from one jurisdiction to the next. All of these information risks require the ability to respond to incidents with effective and efficient investigations; this is only possible with good digital forensics systems and tools.

Harsh Behl, Technical Consultant, Credence Security:

Today digital forensics is extremely important to global organisations for numerous reasons. Digital forensics is the collection, analysis, reporting and preservation of digital evidence performed in a manner that will allow the evidence reported to be admissible in a court of law. The basic principle of digital forensics itself makes it highly relevant to global businesses as it is helps organisations:

• understand the possession/handling of digital data
• realise the use/abuse of IT infrastructure and services
• reconstruct past event or activities relating to digital data (timelines)
• produce the evidence of policy violations or illegal activities
• produce supporting data for internal and external incident reports that are required to assist or further other investigations
• ensure brand/reputation protection

Geoff MacGillivray, Vice President of Product Management, Magnet Forensics: 

Digital forensics is a key part of a global organisation’s incident response framework. When we talk about cybersecurity, a lot of focus is put on network security monitoring to detect attackers or intrusions. What isn’t mentioned as often is the investigation that occurs when an intrusion is detected. Digital forensics helps answer the ‘how’. ‘How did they get into our system?’ or ‘how did they steal our IP?’. The answers that come from digital forensics work, allow an organisation to dive deep into an incident to determine how it happened and what was taken.

These are key components to assessing the nature of the intrusion and the steps that need to be taken to both prevent future attacks and notify impacted stakeholders. With consumer privacy concerns rising, this is becoming increasingly critical.

In which scenarios would CISOs require digital forensic support?

Derrick Donnelly, Chief Scientist at BlackBag Technologies

With BYOD workplaces, people are mixing work life with their personal life more than ever before. Important data created by employees may not even be on a device owned by the company. CISOs need to be able to extract that data without interfering with an employee’s personal information, while protecting the intellectual property of their company. Digital forensics can also save the CISO when a backup solution fails and forensic recovery is the only option.

Sebastien Talha, Business Development Manager, EMEA Region at AccessData Group:

The most typical scenario is a data breach incident. CISOs are tasked with overseeing information security protocols and therefore are usually on the front lines with overseeing a post-breach investigation. This requires digital forensic support to investigate exactly what happened, how it happened, what data was potentially compromised and ultimately what clues can be gathered to help determine who was responsible for the breach. This data collection and analysis must be done in a forensically sound manner for it to be useful to investigators and law enforcement professionals, so it’s important to use software tools that are specially developed for this specific purpose.

Harsh Behl, Technical Consultant, Credence Security:

There are numerous scenarios in which a CISO would require digital forensic support. The biggest advantage of Digital forensics is that it not only supports just IT teams, but it helps other teams in the organisation to make decisions. Below are a few examples of how different teams within an organisation would use digital forensics:

• IT/cybersecurity teams:
  • Intrusion analysis, investigation of IT policy violation, intellectual property abuse/infringement, virus/malware analysis etc
  • Verification of corporate disk wiping procedures, implementation of disk/network encryption, data recovery, management of legitimate password recovery requests, assistance with obscure troubleshooting etc
• Legal departments:
  • Ensures compliance and plays a major role in e-discovery investigations
• HR:
  • Helps HR teams produce evidence to support firing/termination, employee misconduct, disciplinary actions and even in extreme cases like death, kidnapping etc.
• Other departments:
  • Other corporate bodies can use digital forensics for risk management, risk control, incident handling and emergency response.

Geoff MacGillivray, Vice President of Product Management, Magnet Forensics:

CISOs require digital forensic support for both insider and external threats. The insider threats consist of IP theft, employee misconduct and fraud. External threats to an organisation consist of server-side attached (vulnerable web servers) and client-side attacks (phishing emails, drive-by downloads, etc.)

Some organisations may require investigations as part of compliance to various industries while others value their IP and need to protect it.

Can you outline how digital forensics supports a company facing an external breach and an insider breach?

Derrick Donnelly, Chief Scientist at BlackBag Technologies:

In any type of a breach, the goal is for the attacker to hide their tracks and conceal the data they have compromised. With today’s technologies, much of this data travels the network encrypted so you need to look at individual systems and devices to determine what really is happening. Do you want to rely on an operating system that may have been compromised to show you the truth? Companies need the ability to see past that and determine what has been added to an operating system or copied from a device to understand the full extent of the breach.

Also, when the exec team does most of their communications via encrypted chat applications, you need to be able to look at the data directly on the devices to determine if it was compromised.  Was an attacker able to install an application during an overseas trip? Is someone monitoring all the executive’s private communications? A digital forensics tool, like BlackBag’s Mobilyze, is your best chance to get the complete picture and determine your exposure.

Sebastien Talha, Business Development Manager, EMEA Region at AccessData Group:

From a technical standpoint, both types of breaches are investigated the same way and with similar tools. The primary difference is the specific data points that will be targeted in the post-breach investigations depending on which scenario is involved.

With an external breach, digital forensics can support by targeting the source of the hack or breach to begin determining who did it, how they did it, etc. With an internal breach, it’s more likely that the crime involved someone who had an inner working knowledge of the IT systems, so digital forensics can support by identifying what data sets were improperly accessed, the extent of the potential damage and what the regulatory implications might be.

Harsh Behl, Technical Consultant, Credence Security:

With the continued increase in the value of intellectual property and business secrets (which in today’s economy regularly surpasses the value of physical corporate assets), information is the most prized asset for many companies. Confidential processes, financial information, customer lists, business plans, vendor lists, marketing strategies, research data, trade secrets, etc are vital to the ongoing success of a business. An employee who steals this information to take to the competitor, for which he/she will soon be working, or uses it to start his/her own competing business, could cause devastating consequences for the company he/she is leaving. Yet stealing digitally stored, business-critical information has never been easier (and most of it is stored digitally these days).

This is where digital forensics comes into play. When a user accesses the internet, copies files to the cloud or a memory stick, sends webmails, burns DVDs or prints documents, he/she leaves a forensic trail for the experienced investigator to follow. Even highly computer literate users often have little idea of the digital traces their actions leave behind. This is especially true with smartphones, tablets and even specialised encryption and deletion tools, which are often used by those attempting to cover their tracks.

If possible, the investigation to identify tell-tale traces of data exfiltration or a planned defection should start before a suspect is aware he/she is under scrutiny. Take, for example, the case of one individual who used a company mobile phone for communicating about a forthcoming defection. The employer did not want to alert the member of staff by taking the phone for analysis for fear that suspect would then destroy other relevant information. Instead, the investigators analysed the phone’s data by retrieving a copy of the phone’s synchronisation on to the employee’s computer, which could be examined remotely without alerting the individual. The incriminating SMS messages found as a result of this analysis then led to other sources of information, which were preserved before the employee knew he was under suspicion.

In what ways do businesses need to integrate forensics into their existing systems and how easy is this to do?

Derrick Donnelly, Chief Scientist at BlackBag Technologies:

Companies need clear policies in place to control things like BYOD and what systems can be used to access company data. Along with proper notification of the company’s rights to protect its intellectual property and sensitive data, this foundation gives businesses the ability to monitor and investigate suspected incidents. Digital forensics needs to then be integrated directly into any response plan or investigative process. Having the tools in place before they are needed, along with properly trained individuals, will give a company the ability to respond quickly and stop a breach or HR incident before it gets worse.

Although these incidents can be scary, forensic investigations don’t need to be. Tools like ours (BlackBag Technologies) are easy to use, intuitive and don’t require years of experience to get to critical data. With a small investment in software and training, a company can be prepared to handle most events. When there is a need to bring in outside help, it will be easy to bolster the team because almost all cybersecurity professionals use the same digital forensic tools that they use.

Sebastien Talha, Business Development Manager, EMEA Region at AccessData Group:

Integration of forensics into an organisation’s existing systems involves the components of people, processes and technology.

With respect to people, information security professionals need to change the way they conduct investigations by leveraging new tools that will give them greater visibility into data and increased efficiencies in the way they process that data.

With respect to processes, there are two ways that forensics needs to be integrated: (1) responding to incidents — understanding the source and nature of an incident faster so that immediate actions can be taken to minimise the damage; and (2) investigating incidents — collecting data related to the incident in a forensically sound manner so it can be properly addressed and repeat incidents can be prevented.

With respect to technology, next-generation software solutions such as AD Enterprise now provide CISOs and their team members with a robust platform for managing internal forensic investigations and post-breach analysis.

Geoff MacGillivray, Vice President of Product Management, Magnet Forensics:

Business need to integrate digital forensics into their existing cybersecurity teams as part of their response procedures. This is easier for some organisations than others. If a forensics team is already in place, it can be expanded to include incident response work. If a team is not in place, then creating a team is the first step. Many organisations will either have one forensics team or split into two teams — one to handle corporate (insider/employee) investigations with the other handling incident response.

Organisations must understand the types of threats that it will likely face when integrating digital forensics teams. This will help the organisation properly staff the team.

Harsh Behl, Technical Consultant, Credence Security:

Digital forensics can be made a part of ISO implementations, IT infrastructure developments, cybersecurity teams, audit teams etc. The good news for organisations looking to implement this technology is that digital forensic solutions are very easy to integrate as they have no major dependencies on other IT teams and can run as an individual unit in an organisation.

Best practices for digital forensics

Sebastien Talha, Business Development Manager, EMEA Region at AccessData Group:

Corporate information security professionals are discovering that emerging digital forensics software technology now feature enhanced post-breach analysis capabilities (including more thorough ‘memory analysis’ searches for malware), targeted data preview and collection of all complex data types directly at the user endpoint and other improvements that streamline investigations.

For example, in May 2018, AccessData introduced AD Enterprise 6.5, which provides even deeper visibility into data, so organisations can investigate the causes and potential implications of a data breach, then act swiftly to conduct their post-breach analysis and execute crucial response actions. This platform allows CISOs to perform comprehensive end-to-end post-breach forensic investigations within a single tool by collecting all sorts of complex data types directly at the endpoint.

Software tools that help manage large-scale forensic investigations can enable deeper visibility into data residing on enterprise networks and employee devices so that IT executives and information security professionals can work with digital forensics experts to investigate possible employee wrongdoing, fact-check a whistleblower’s claims, respond to government inquiries or conduct post-breach analysis.

Here are four specific best practices for leveraging technology tools in post-breach investigations:

1. Live memory analysis — Take advantage of enhanced searching capabilities to conduct more thorough ‘memory analysis’ in the aftermath of a breach, identify possible malware that has been left behind on the network, improve the speed of the response and reduces chain of custody risk during the investigation.
2. Targeted preview and collection — Use a remote agent deployed by the software to preview live data at the endpoint or anywhere across the enterprise, so investigators can then determine what data should be collected. This saves time as well as storage costs, since only data critical to the case needs to be pulled back and ingested into the tool for analysis.
3. Tasking collaboration among investigators — Leverage built-in collaboration features to communicate seamlessly with investigators and other colleagues across departments so you can share notes, tasks and escalate incidents, directly within the same software platform.
4. Parsing additions — Put new parsers to work in order to analyse even more data types. A few of the new parsers available include Windows registry activity, several SSH Parsers, Net Logon events and parsers for Android including Google Hangouts, Kik, contacts from address books, calendars, SMS and call logs.

CISOs occupy a crucial role in responding to incidents as well as overseeing post-incident investigations. This is a high-pressure job with serious responsibilities to fulfil, but making use of next-generation digital forensics software tools can lighten the burden by enhancing investigative capabilities and more efficiently managing the workflow.

Morey J Haber, Chief Technology Officer – BeyondTrust

The art of forensics is science wrapped in detective work, legal ease, and a passion for the truth. To be fair, I am not a forensics or digital forensics expert. I have broad internet security knowledge from years of experience and have authored two books.

One on how privileges can be used as attack vectors and another on how to successfully implement a vulnerability management program within an organisation. My expertise is around vulnerabilities, asset exploitation, identity governance, and privileged access management. All of which generate a plethora of data, logs, reports, and attestations for situational awareness.

These disciplines generate information that supports a digital forensics investigation and provide information to ascertain indicators of compromise. These specific data sources are a small puzzle piece in a digital forensics investigation and represent three critical pillars of an investigation:

• An identity– The digital determination of a user’s identity (threat actor), account, and credentials that are a part of a forensics investigation
• Privileges– The permissions, privileges, entitlements, and access control for an identity or account that may have been compromised or misused and are under suspicion during an investigation
• Assets – The assets, devices, data, or resources targeted, compromised, or breached by an identity

While a full digital forensics investigation goes beyond these silos to include firewall logs, access control events, log on log off events, etc. they also pattern match and correlate into these three pillars as well. This is where I will draw the line of being a digital forensics expert and a security expert.

There are no security experts for every information technology security discipline and this is also true of digital forensics. It is mentally impossible to be an expert in vulnerabilities, exploits, identity governance, privileged access management, malware, firewalls, intrusion detection, threat intelligence, etc. It is just like being a medical doctor.

You have a discipline and you are the expert in that field from radiology to paediatrician or oncologist. Security experts operate in silos too, but digital forensics experts operate at a higher level in all silos with enough knowledge about each one to be extremely good at bridging the gap between them.

They need to understand the relationship between identities, privileges, and assets and how various vendor specific tools generated log information to conduct a successfully digital forensics investigation and correlate information between the silos.

They need to understand that each vendor can generate data differently and that the linkage of information from one vendor to another may have faults purely based on the implementation of the technology. In addition, digital forensics is much like real world criminal forensics. Information can be spoofed, threat actors can create red herrings in the form of bad digital log data and the data itself can be altered, deleted, or tampered with much like using a photo editing software to implicate someone else or to hide a threat actors movement.

This is where the search for truth and mental wisdom comes from that makes it so intriguing. Security tools and detective style insights can help build advanced correlation but bad data intentionally entered into the investigation stream can skew the results. This is where a security expert comes into play to help the investigation. They can help the digital forensics expert decide if the datum is valid or if it has been spoofed or tampered with.

Much like a threat actor will spoof their email address in a phishing attack of obfuscate their real IP address in order to hide their country of origin, a digital forensics expert may not have the siloed expertise to know if the information can actually be trusted. For example, a penetration testing security expert will have an opinion if the log files from a specific solution can be altered or a specific vendor may indicate their encryption levels and the likeness that the application was compromised. A digital forensics expert can pull the pieces together but the security expert will validate the ballistics of each component when they are linked in the storyline.

These concepts are critical for an investigation. The digital forensics team used to investigate an active directory breach will be very different than the team used to investigation a breach based on IoT technology. Granted they will share some of the same traits and methodologies in log review but being a security expert in active directory technology and hardening is different that a firmware expert familiar with a wide variety of IoT devices.

In addition, a basic digital forensics investigation for an employee that is performing malicious activity on illegal (or questionable) websites to steal information is different than potentially that same employee infected with an advance form of malware.

Digital forensics teams will have specialised areas of expertise, know what security professionals to pull in and when, and for an organisation, they need to know the capabilities and limitations of the resources under their control. If you do not have the expertise for a specific threat or use case, there is no shame in admitting you are not an expert in that area.

It is perfectly normal to seek outside or additional help. After all, no one can be an expert in everything and even Einstein was rumoured to keep phone numbers written down, so he would not forget it. The art of digital forensics is a technology science wrapped in detective work and a passion for the truth for both digital forensics and security experts. Much like a doctor, there will be experts in various disciplines and for digital forensics investigation; there will be security experts that can assist them along the way.