Learning Network Forensics

Book, 1st edition, published Feb 2016 by Packt (www.PacktPub.com), ISBN-13 9781782174905, 274 pages
Author: Samir Datt

Table of Contents (17 chapters)

Learning Network Forensics
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Becoming Network 007s
2. Laying Hands on the Evidence
3. Capturing & Analyzing Data Packets
4. Going Wireless
5. Tracking an Intruder on the Network
6. Connecting the Dots – Event Logs
7. Proxies, Firewalls, and Routers
8. Smuggling Forbidden Protocols – Network Tunneling
9. Investigating Malware – Cyber Weapons of the Internet
10. Closing the Deal – Solving the Case
Index

Chapter 10. Closing the Deal – Solving the Case

"The end game is what really counts!"

  --Samir Datt

Our journey so far has been an interesting one. As we traversed the ocean of network forensics, we stopped at numerous islands along the way to enhance our understanding of the environment. These stops have helped us understand the tools, technologies, and techniques required to conduct a network forensic investigation. We have seen how memory forensics lets us image the contents of RAM, how packet sniffers let us capture network data, and how intrusion detection and prevention systems play a role in defending the network. Analysis of the logs generated by proxies, firewalls, and intrusion detection and prevention systems has given us insight into networks, their behavior, and the forensic artifacts left behind for us to find as evidence of malicious activity. We have also studied malicious software...

Revisiting the TAARA investigation methodology


Let's do a quick review of the TAARA network forensics and incident response methodology.

As we learned in Chapter 1, Becoming Network 007s, TAARA stands for the following:

  • Trigger: The event that leads to an investigation.

  • Acquire: The process the trigger sets in motion. It is predefined as part of the incident response plan and covers identifying, acquiring, and collecting information and evidence relating to the incident: details of the trigger, the reasons for suspecting an incident, and the sources of evidence to be acquired for subsequent analysis.

  • Analysis: All the collected evidence is collated, correlated, and analyzed, and the sequence of events is established. The pertinent questions relating to whether the incident actually occurred; if it did, what exactly happened, how it happened, who was involved, what the extent of the compromise is, and so on are...

Triggering the case


A fairly large multi-location organization implemented a Call Data Analysis & Management System (CDAMS), a telephone log data analysis solution. As part of the setup process, the implementation consultants were asked to ingest and analyze the very large volume of calls received by the in-house IT help desk. A year's worth of call logs from the existing organization-wide electronic private automatic branch exchange (EPABX) system was ingested. Calls were filtered on call direction and destination (incoming calls to the IT help desk), geolocated, and classified by department. A preliminary look showed the following interesting trends:

  • Calls at odd hours from senior personnel, placed from cellular numbers similar to the series owned by the company in particular geographies

  • Calls from Computerized Numerical Control (CNC) manufacturing/machine departments requesting assistance...
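The filtering and classification the consultants applied to the EPABX records is easy to reproduce in code. The script below is an added example and not part of the book or of any CDAMS product; the CDR column layout, the help-desk extension, the company-owned mobile number prefix, the department-by-extension mapping and the definition of "odd hours" are all assumptions, and the call records are constructed for illustration.

```python
"""Triage of EPABX call-detail records: filter incoming help-desk calls,
classify callers by department, and flag odd-hour calls from
company-series mobile numbers. Added example; all constants are assumed."""
import csv
import io
from collections import Counter
from datetime import datetime

HELPDESK_EXT = "4000"                   # assumed IT help-desk extension
COMPANY_MOBILE_PREFIXES = ("98100",)    # assumed company-owned cellular series
OFF_HOURS = range(0, 7)                 # 00:00-06:59 treated as "odd hours" (assumption)

# Assumed mapping from the leading digit of an internal extension to a department.
DEPT_BY_EXT_BLOCK = {"2": "CNC Manufacturing", "3": "Finance", "4": "IT", "5": "Sales"}

# Constructed sample CDR export: timestamp, direction, caller, callee, duration in seconds.
SAMPLE_CDR = """\
timestamp,direction,caller,callee,duration
2015-03-02 02:14:00,IN,9810012345,4000,310
2015-03-02 10:05:00,IN,2031,4000,120
2015-03-03 02:40:00,IN,9810012345,4000,280
2015-03-03 11:20:00,IN,2040,4000,90
2015-03-03 14:00:00,OUT,4000,3010,60
2015-03-04 03:05:00,IN,9810099999,4000,200
2015-03-04 15:30:00,IN,5022,4000,45
2015-03-05 09:00:00,IN,2031,4000,150
"""


def load_cdr(text):
    """Parse a CSV CDR export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def department_of(number):
    """Four-digit internal extensions map to a department by leading digit;
    anything else (mobile, external) is labelled External."""
    if len(number) == 4 and number.isdigit():
        return DEPT_BY_EXT_BLOCK.get(number[0], "Unknown")
    return "External"


def helpdesk_incoming(records):
    """Filter on call direction and destination, as the text describes."""
    return [r for r in records if r["direction"] == "IN" and r["callee"] == HELPDESK_EXT]


def odd_hour_company_mobiles(records):
    """Count odd-hour calls per caller for numbers in the company mobile series."""
    hits = Counter()
    for r in records:
        hour = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S").hour
        if hour in OFF_HOURS and r["caller"].startswith(COMPANY_MOBILE_PREFIXES):
            hits[r["caller"]] += 1
    return hits


def calls_by_department(records):
    """Classify each call by the caller's department."""
    return Counter(department_of(r["caller"]) for r in records)


def triage_calls(text=SAMPLE_CDR):
    """Return the preliminary trends for the incoming help-desk calls."""
    incoming = helpdesk_incoming(load_cdr(text))
    return {
        "incoming_helpdesk_calls": len(incoming),
        "odd_hour_company_mobiles": dict(odd_hour_company_mobiles(incoming)),
        "calls_by_department": dict(calls_by_department(incoming)),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_calls())
```

On the constructed data the script surfaces exactly the two trends listed above: repeated odd-hour calls from two company-series mobiles, and a cluster of calls from the CNC manufacturing extension block.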

Acquiring the information and evidence


The stage is set and the objectives are clear; it is time to get started. As mentioned in the earlier chapters, we needed to have a plan in place; now the plan goes into action.

However, before we begin, we need to place strong emphasis on the way we go about acquiring the information and evidence. A tiny slip-up in how we handle this stage can have widespread ramifications, so we need to focus on how to handle it.

Important handling guidelines

As you have learned in the earlier chapters, digital evidence is extremely fragile. In fact, just like medicine, digital evidence comes with an expiration date. The impermanence of data in memory, log rotation, volatile storage, degradation of data on media, and the malware itself all contribute to significant loss of valuable evidence unless it is gathered, stored, and handled with due care.

All the investigators need to consider the following points:

  • All actions that...
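"Handled with due care" has a concrete minimum in practice: hash every artifact at the moment it is acquired, record who took it and when, protect that record against later edits, and re-verify the hashes before analysis so that any change after acquisition is detectable. The script below is an added example, not the book's own code or any particular tool; the artifact names, the custody fields and the tampering scenario are constructed for illustration.

```python
"""Acquisition manifest with integrity verification. Added example; the
manifest fields and the sample artifacts are assumptions, not a standard."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(paths, examiner, case_id):
    """Record hash, size, acquisition time (UTC) and examiner for each artifact,
    then seal the record with a hash of the manifest body itself."""
    entries = []
    for p in paths:
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "examiner": examiner,
        })
    manifest = {"case_id": case_id, "artifacts": entries}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify(manifest):
    """Return {path: True/False}; False means the artifact changed or is missing.
    Raises if the manifest record itself no longer matches its seal."""
    body_manifest = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    body = json.dumps(body_manifest, sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["manifest_sha256"]:
        raise ValueError("manifest record has been altered")
    results = {}
    for a in manifest["artifacts"]:
        try:
            unchanged = (sha256_file(a["path"]) == a["sha256"]
                         and os.path.getsize(a["path"]) == a["size"])
        except FileNotFoundError:
            unchanged = False
        results[a["path"]] = unchanged
    return results


def demo():
    """Constructed scenario: acquire two artifacts, verify, then modify one
    after acquisition and verify again."""
    d = tempfile.mkdtemp()
    pcap = os.path.join(d, "capture.pcap")
    log = os.path.join(d, "proxy.log")
    with open(pcap, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)   # pcap magic plus padding (constructed)
    with open(log, "w") as f:
        f.write("2015-03-05 09:00:01 10.0.0.5 GET http://example.test/ 200\n")
    manifest = acquire([pcap, log], examiner="analyst1", case_id="CASE-001")
    before = verify(manifest)
    with open(log, "a") as f:
        f.write("tampered line\n")   # simulate a post-acquisition modification
    after = verify(manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest seal only detects accidental or casual edits to the record; for a real chain of custody the manifest should additionally be signed or stored somewhere the examiner cannot silently rewrite it.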

Analyzing the collected data – digging deep


Analysis of the gathered data is a long and time-intensive process. As network forensic experts, we need to work towards the goals defined for us within the available time frame. In the specific case we have been discussing, the situation is extremely time critical. Given the huge volume of potential evidence available to us, we have to decide on a triage order and what to focus on first.

One very valuable input we deduced was that the data had been exfiltrated just over two days before the CEO received the mail. The exfiltration of data by any criminal involves a chain of events. The links in this chain, or steps, are shown in the following:

  • Reconnaissance

  • Compromise

  • Setup of command and control

  • Data identification, acquisition, and aggregation

  • Exfiltration

While each of these stages will leave some traces on the victim's systems, the major role of a forensics investigator comes into...
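The two inputs above, a time anchor ("just over two days before" the CEO's mail) and a known chain of stages, are what make triage tractable: restrict the logs to a window around the anchor, then look for the artifacts each stage leaves. The script below is an added example rather than the book's method; it assumes a proxy log with a squid-like layout, a CEO mail timestamp, a day of slack either side of the two-day mark, and byte and beacon thresholds, and the log lines are constructed. It maps regularly spaced small requests to one host onto the command-and-control stage and bulk outbound uploads onto the exfiltration stage.

```python
"""Window-bounded triage of outbound proxy events for the C2 and
exfiltration stages of the chain. Added example; format and thresholds
are assumptions and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: date time src_ip method url status bytes_out
SAMPLE_PROXY_LOG = """\
2015-03-03 09:00:00 10.1.2.15 POST https://files.badhost.example/upload 200 104857600
2015-03-03 09:00:00 10.1.2.15 GET https://beacon.badhost.example/ping 200 312
2015-03-03 09:05:00 10.1.2.15 GET https://beacon.badhost.example/ping 200 312
2015-03-03 09:10:00 10.1.2.15 GET https://beacon.badhost.example/ping 200 312
2015-03-03 09:15:00 10.1.2.15 GET https://beacon.badhost.example/ping 200 312
2015-03-03 10:20:00 10.1.2.40 GET https://www.example.com/news 200 1200
2015-03-03 23:10:00 10.1.2.15 POST https://files.badhost.example/upload 200 536870912
2015-03-01 08:00:00 10.1.2.15 POST https://files.badhost.example/upload 200 536870912
"""


def parse(text):
    """Turn log lines into event dicts with a datetime and the destination host."""
    events = []
    for line in text.splitlines():
        date, time, src, method, url, status, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": src,
            "method": method,
            "host": url.split("/")[2],
            "status": int(status),
            "bytes": int(nbytes),
        })
    return events


def in_window(events, mail_received, slack=timedelta(days=1)):
    """Keep events around 'just over two days before' the mail, with slack either side."""
    centre = mail_received - timedelta(days=2)
    return [e for e in events if centre - slack <= e["ts"] <= centre + slack]


def exfil_candidates(events, min_bytes=50 * 1024 * 1024):
    """Exfiltration stage: sum outbound upload bytes per (source, host) and keep large ones."""
    total = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT"):
            total[(e["src"], e["host"])] += e["bytes"]
    return {k: v for k, v in total.items() if v >= min_bytes}


def beacon_candidates(events, min_hits=4, jitter=0.2):
    """Command-and-control stage: (source, host) pairs contacted at a near-constant
    interval. Returns the median interval in seconds for each candidate."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    out = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median > 0 and all(abs(g - median) <= jitter * median for g in gaps):
            out[pair] = median
    return out


def triage_window(log=SAMPLE_PROXY_LOG, mail_received=datetime(2015, 3, 5, 12, 0)):
    """Restrict to the window, then look for the artifacts of each chain stage."""
    window = in_window(parse(log), mail_received)
    return {
        "events_in_window": len(window),
        "command_and_control": beacon_candidates(window),
        "exfiltration": exfil_candidates(window),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_window())
```

The 2015-03-01 upload falls outside the window and is deliberately ignored at this stage; it is exactly the kind of lead to revisit once the window itself is understood, since it would push the compromise date earlier than the two-day anchor suggests.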

Reporting the case


Once the iterative process of network forensic investigation is complete, the really tough part begins. This is when all the effort put into maintaining meticulous documentation pays off.

Reporting a case is a lot like narrating a story. The only difference is that stories can be fictional or modified to create a better tale; whereas, an investigation report allows no such artistic liberty. It has to be thoroughly grounded in fact. Every statement should be backed by solid evidence. Every conjecture should be backed by circumstantial evidence and should be clearly identified as such.

A case report should be the following:

  • Clear

  • Concise

  • Purposeful

Keep the audience the case report is aimed at in mind. Very long reports are seldom read, and their action points are hardly ever implemented; therefore, structure is very important.

Most reports should begin with a case summary.

Following this, the report should at a minimum have the following structure:

  • Introduction...

Action for the future


Once any incident is over and done with, the team needs to focus on the lessons learned. From an incident response perspective, the focus is on answering questions such as the following:

  • How did this happen?

  • What can we do to prevent it from reoccurring?

  • What preventive measures can be put into place?

  • How can monitoring and alerting be improved?

From a network forensics perspective, the additional questions to be answered include the following:

  • Which artifacts exist that can help us identify such an incident in the future?

  • What are the lessons learned?

  • How can we improve the investigation process?

  • Which indicators of compromise (IOCs) can be identified and shared with the incident response team to help prevent a recurrence of such an incident?

While the attackers constantly evolve and innovate in order to keep coming up with newer ways to compromise the networks without getting detected, network forensic investigators too have to keep pace. This means constantly updating oneself, learning from...

Future of network forensics


While it is difficult to predict the future, some trends are self-evident. Let's take a look at them.

Organizations are moving to higher speed and bandwidth networks. More and more data is traveling over the networks and to and from a variety of devices.

IPv6 is here to stay! Its vastly larger address space accommodates the proliferation of Internet-connected devices, right from your toaster, TV, refrigerator, photocopier, and coffee machine to your security and alarm system. This is known as the Internet of Things, or IoT for short.

It does not require much crystal-ball gazing to determine the trends to come in the network forensics domain. As more and more devices get networked, there are going to be larger roles for Network Forensic 007s. We will be looking at more and more connected devices, the evidence they store, the way they act, and the way they are affected by different compromises. We will be collecting, handling, preserving, and analyzing large volumes of data...

Summary


This final chapter sums up our journey in developing an understanding of network forensics. Along the way, we have seen myriad sources of evidence, artifacts created by attacker activities, and the techniques and processes required to acquire and analyze them. You have learned how to put together a report to present your findings and how to act upon the lessons learned from the investigation.

While this book acts as a starting point and helps in building a foundation in the network forensics area, remember that it is a big world out there and there is no end to the knowledge that one can and should gather as we boldly proceed forward in this field.

Thanks for being a part of this journey. I hope that it has been an interesting one and that I have been successful in kindling your interest in a very exciting new field.
