Your company is hit with a data breach. What is your plan of attack? Where is the data you can use to assess the damage and identify the vulnerability? I attended the Convergence Forensics session at Enfuse 2016, presented by Heather Mahalik and Rob Lee. They explained various scenarios that exemplify how multiple skillsets are needed to be successful in Digital Forensics Incident Response (or DFIR). They then answered and explained the most common questions examiners would seek after viewing evidence.
Incident response is not just about knowing your way around a digital device; it is as much a science as it is an art. Network forensics, memory forensics, and malware detection are all instances in which having tunnel vision can limit your success, so it’s best not to approach two situations in an identical manner. For example, memory forensics can provide access to previously exited processes, terminated network connections, and application data. Knowing where to find information in the memory is the hard part. Nothing can hide from you if you know where to look, so it is important to remain focused and methodical. Everything traverses memory – from encryption keys to passwords. Smartphone forensics is similar, but the key is knowing how artifacts are created on top of knowing where to find them. Every time a phone thinks, information is stored. Even if you deny your smartphone apps the ability to gain access to your location, your location at that time is still stored on your device.
The Biggest Problem is Encryption
The biggest problem with smartphone forensics is encryption. Each smartphone is a gold mine: you can gain access to a ton of information that will prove extremely useful in any form of investigation. However, most of that data is locked up tight behind encryption that gets more advanced with each new iteration of development. The trick is figuring out how to get behind it. As far as Windows forensics go, data synchronization is very important. When looking at the files of interest on a Windows system, you have to differentiate sync time and access time. A timestamp could appear to show that a file was modified during a certain time, but that timestamp could have been updated at the time that it was last synced onto another device. The key is to look at the encrypt time. If a file’s encryption time is zero the last operation was it being synced to another device, not accessed. Mac forensics is relatively new, as forensic investigators have mainly focused on Windows machines, however that does not make it any less important.
Macs Have Brains?
Macs can capture memory; you just have to know where to look. With Apple’s continuity, you can gain a lot of information about a device with their help. Network forensics was also discussed as device communication is involved in all manners of digital investigations. Network operations that end up on an investigator’s short-list include time-lining, profiling and legality. The first and most important step with network forensics is to know how to examine the evidence you are presented with. It is very easy to overlook crucial information so it is important to know exactly what you are looking for. Threat intelligence was the last topic discussed: in order to effectively consume or gather threat intelligence, a robust Incident Response program is needed. It is important not to mistake a “feed subscription” for a threat intel program, meaning you have to make sure that a program is truly on the device and poses a threat and is not just a notification (such as on a social media newsfeed, other websites, etc.) asking the user if they wanted to download an app.
The main thing I took away from this session was that changing your approach when examining digital media has a positive effect on your success rate. Don’t get used to doing the same thing every time when you examine digital evidence! Digital media is always changing and developing tunnel vision can seriously affect an investigation.
If you’re interested in more information regarding Enfuse sessions we attended or our ongoing research, head to the LCDI blog! We also constantly communicate updates through our website and Facebook page!