Chapter 11 Analysis Methodology Spring Incident Response & Computer Forensics

Define Objectives  Well-defined objectives help achieve better results  It is important to determine who will define the objectives  Objectives are usually defined as a series of questions.  Some objectives are hard to achieve  Example: Proving that the system has not been compromised  Stay focused - do not run after tempting artifacts

Know Your Data  Data available in many formats and locations  Explore possible data sources and know how they can be used  It will help you decide what to collect

Where is Data Stored?  Desktops and laptops  Hard drives and external storage  OS, Applications, and associated data  If virtualized, data in central infrastructure  Servers  Hard drives - OS  External storage solutions – (likely) Application and other data  Mobile devices  Small amount of storage, normally nonvolatile (flash) memory  Cloud (??)

Where is Data Stored?  Storage solutions and media  USB flash drives, USB hard drives, CDs, DVDs, Network Attached Storage (NAS), Storage Area Networks (SAN)  Network Devices  Firewalls, switches, routers  Cloud services  Data belonging to organizations and individual users  Backups  On-site and off-site storage

What is Available  Operating System  File systems, State information (info on processes, ports, etc.), OS Logs, etc.  Application  Application specific artifacts (logs, s, browser cache, etc.)  Some artifacts are left behind even after the application is removed  User data  Documents, s, source-code, etc.  Network service and instrumentation  DHCP, DNS, proxy server information, firewall, etc.

Access Your Data  Issues: data formats vary, storage media are different, data may have been encrypted, compressed, etc.  Disk images  Which system? How was it obtained? etc.  What does it look like?  How was data encoded? Things looking different may have similar information  What to search and how to search? Example: a string may appear disconnected and search may not work

Analyze Your Data  Outline an approach  Where to start, what to look for  Network and hosts Abnormal user activities Abnormal connection durations Abnormally high CPU activity Recently installed or modified services Programs that automatically start Integrity of system binaries …

Select Methods  Use of external resources  Using methods and tools developed by others  Manual inspection of data  Particularly when amount of data collected is small  Use of specialized tools  Can help in data visualization, malware identification, browser artifact analysis, etc.  Data minimization through sorting and filtering  Helps in focusing on a subsection of data

Select Methods  Statistical analysis  Helps in discovering patterns or anomalies  Keyword searching  Be careful of cases such as encoding or formatting  Search unallocated spaces and slack spaces as well  File and record carving  Searching for file information based on content – not based on metadata  The method works even if a file is deleted or renamed

Evaluate Results  Evaluate results periodically  Can correct or change the method early enough, if results are not satisfactory  After finishing data analysis, evaluate how well the result answers the investigative questions  If result does not help, try a different method or sources of evidence