Forensics is a scientific approach to determining the who, what, when, where, how, and why of a crime. For our purposes, it specifically deals with investigating the causes and timeline of a network security incident. Applying forensic processes during containment may not be practical. As discussed earlier, there are often more important considerations. However, this is a good place in the process to begin thinking about how to balance damage control with collecting the information necessary to prevent or deter future network attacks.
It’s outside the scope of this article to go into detail on investigative techniques. There are several good books available that address forensics in general and computer forensics specifically. But reviewing the following considerations provides a rough foundation.
Retain your objectivity – Collect data and evidence, conduct interviews, and leave your conclusions until you have enough information to clearly see what actually happened. Jumping to conclusions early in the process usually results in the investigator ignoring anything that seems irrelevant, because it doesn’t fit with his mental picture of what happened.
Ensure the proper collection and handling of evidence – Much of the evidence you collect may be volatile and difficult to preserve. Be sure to have at least one person on each IRT trained in proper evidence collection, tagging, and storage. Some types of evidence to consider include:
When collecting evidence from personal areas, be sure to maintain compliance with corporate privacy policies.
From the time evidence is collected to the time it’s no longer needed to support criminal or civil action, it must be properly handled. Proper handling begins with collection. As a piece of evidence is initially collected, the following information should be recorded in a chain of custody form (sample):
- Description
- Manufacturer
- Model number
- IP address
- MAC address
- Serial number
- Any other distinguishing characteristics
- Name, phone number, title, and signature of the person collecting the information and of each subsequent individual who takes possession of the evidence. This entry should also include the time and date of taking possession as well as the location where the evidence was securely stored.
If a computer is seized as evidence, image the hard disk as soon as possible. Never run computer forensics software against the original storage media: any write to it alters the evidence and diminishes its value.
The image should be created as a “bit level” copy rather than a file copy. A bit-level copy reproduces every sector of the media, not just the files the file system exposes, so that every piece of information is extracted from storage, even data that was intentionally hidden.
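As an added example, not code from the original article, the Python below sketches both steps: a bit-level copy of the seized media verified by hashing source and image, and a chain-of-custody record that holds the fields listed above and gains an entry at each handover. Hash verification is standard practice the article does not mention; all names, paths and values are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timezone

# Fields from the chain-of-custody list above, for the item and for each person.
ITEM_FIELDS = ("description", "manufacturer", "model_number", "ip_address",
               "mac_address", "serial_number", "other_distinguishing_characteristics")
PERSON_FIELDS = ("name", "phone", "title", "signature")

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()
def image_media(source, dest, chunk=1 << 20):
    # Bit-level copy: source opened read-only, every byte written unchanged, both hashed.
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
    digest = sha256_file(dest)
    if digest != sha256_file(source):
        raise RuntimeError("image does not match source")
    return digest
def _require(record, fields, what):
    if missing := [k for k in fields if k not in record]:
        raise ValueError(f"{what} record missing {missing}")
    return {k: record[k] for k in fields}
def possession_entry(person, location):
    # Who took possession, when (UTC) and where the item is securely stored.
    return {**_require(person, PERSON_FIELDS, "person"),
            "time": datetime.now(timezone.utc).isoformat(), "location": location}
def open_custody_record(item, collector, location, image_hash):
    # The chain starts at collection; an incomplete item description is refused.
    return {"item": _require(item, ITEM_FIELDS, "item"), "image_sha256": image_hash,
            "custody": [possession_entry(collector, location)]}
def transfer_custody(record, person, location):  # one entry per handover
    record["custody"].append(possession_entry(person, location))
    return record
def demo():  # constructed sample: a small file stands in for the seized disk
    src, img = tempfile.mkstemp()[1], tempfile.mkstemp()[1]
    with open(src, "wb") as f:
        f.write(b"\x00" * 512 + b"deleted-but-still-on-disk " * 8)
    digest = image_media(src, img)
    item = dict(zip(ITEM_FIELDS, ("Workstation HDD", "ExampleCo", "X-100",
                "10.0.0.12", "00:11:22:33:44:55", "SN-0001", "blue asset tag")))
    analyst = dict(name="A. Analyst", phone="x100", title="IRT lead", signature="AA")
    counsel = dict(name="B. Counsel", phone="x200", title="Legal", signature="BC")
    rec = open_custody_record(item, analyst, "Evidence locker 1", digest)
    return transfer_custody(rec, counsel, "Legal safe 2")
```

Replace the temporary file with the read-only block device of the seized disk to image real media; the record returned by demo() is what would be printed or stored as the chain-of-custody form.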
Now that you have the threat under control, it’s time to eliminate it from your environment and recover lost data.