Analyze and Document Forensics Data

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to extract forensics data from evidence.
  • Identify steps to analyze digital evidence.
  • Explain how to reconstruct a cyber event.

Extract Forensics Data from Evidence

Cyber defense forensics analysis involves looking at digital evidence to determine how something (a policy violation, a data breach, and so on) happened. Just like a scientist extracts DNA from genetic material, cyber defense forensics analysts extract data for building a timeline of criminal activity. Maybe it’s a hack from an external actor, or maybe it’s an insider carrying out fraud. Regardless, someone has to go through the system logs, hard drives, and other data associated with the event in question to gather evidence.

Let’s follow along with Ana, a cyber defense forensics analyst investigating possible malware on a computer. Before conducting an in-depth and systematic analysis of the evidence, she revisits the objectives of the investigation. This allows her to focus her investigation on specific types of data during analysis. In this case, her objective is to determine if malware is present on the computer, and document any actions or changes the malware takes.  

Next, Ana turns to capturing a forensic image of the computer’s hard disk. She needs to extract data from the computer and transform it into a format that forensics tools can process. She creates this duplicate copy of the content of the hard disk before she conducts a static acquisition, to maintain the integrity of digital evidence. Static acquisition refers to acquiring nonvolatile data, which does not change its state after the system shuts down. It involves extracting and gathering unaltered data from storage media, such as hard drives. 

Ana captures the image of the hard disk by using imaging software and a write blocker, which is a tool that permits read-only access to data storage devices without compromising the integrity of the data. This is crucial since data duplication can sometimes overwrite the data fragments and damage their integrity, compromising Ana’s ability to analyze it. 

To verify whether the duplicate is an exact copy of the original, she calculates a cryptographic hash value (a numeric value of a fixed length that uniquely identifies data) for the original and duplicate using mathematical computations. If they match, the copy's contents are a mirror image (duplicate) of the original content. 
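
The verification step above, as an added example that is not part of the original unit: both files are hashed in fixed-size chunks and the digests compared. The choice of SHA-1 and SHA-256, the file names, and the random sample data are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in memory


def image_digests(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hex digest} for a file, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_copy(original, duplicate):
    """Return (match, original_digests, duplicate_digests) for source and image."""
    a, b = image_digests(original), image_digests(duplicate)
    return a == b, a, b


def demo():
    """Constructed stand-ins for a source disk, a good image and a damaged image."""
    workdir = tempfile.mkdtemp()
    data = os.urandom(3 * CHUNK + 517)       # deliberately not a multiple of CHUNK
    damaged = bytearray(data)
    damaged[2 * CHUNK + 5] ^= 0x01           # a single flipped bit
    paths = {}
    for name, content in (("source.dd", data), ("image.dd", data),
                          ("bad.dd", bytes(damaged))):
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    good = verify_copy(paths["source.dd"], paths["image.dd"])
    bad = verify_copy(paths["source.dd"], paths["bad.dd"])
    return good[0], bad[0], good[1]["sha256"]


if __name__ == "__main__":
    good, bad, sha256 = demo()
    print("exact copy verified:", good)
    print("damaged copy verified:", bad)
    print("sha256 to record in the case notes:", sha256)
```
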

Note

The acquisition process described above applies mainly to computers. When acquiring data from mobile phones and similar devices, where the memory storage cannot physically separate from the device to make an image, you follow a different procedure.

Analyze Digital Evidence

The analysis phase of the cyber defense forensics process involves analyzing the results of the examination to derive useful information that answers the questions that prompted the collection and examination. Analysis transforms data into information. The analysis should include identifying people, places, items, and events, and determining how these elements relate so that cyber defense forensics analysts can reach a conclusion. This is much the same as when a detective seeks to determine the perpetrator and location of a crime, the weapon used, and how the events unfolded.

Pay Attention to Time

When using analysis tools, cyber defense forensics analysts must be aware of the value of using system times and file times. Knowing when an incident occurred, when a file was created or modified, or when an email was sent can be critical to forensics analysis. This information can reconstruct a timeline of activities. 

To rule out any unintentional or intentional discrepancies in time settings among systems, Ana compares the operating system (OS) clock to the basic input output system (BIOS) clock, noting any discrepancies in the date, time, and time zones. BIOS is firmware used to perform hardware initialization during the booting process and to provide runtime services for OSs and programs. It’s the first software to run when powered on. 

Begin the Search

After confirming the timelines are in sync, Ana references the investigation’s objectives and begins searching areas where malware commonly resides, including critical system files, temporary files, user folders, registry keys, and more. First, she looks in the Downloads folder and internet browsing history but doesn’t find anything significant. She then searches critical system files such as dynamic-link libraries (DLLs) because she knows these files contain code that multiple files use in parallel, which potentially spreads the malware faster. 

Dig Deeper

Having thus far found little evidence of malware, Ana performs a deeper inspection of the image looking for deleted or concealed data. She searches the image’s registry settings for areas that malware often manipulates. The registry stores settings and options for the Windows OS. It contains information and settings for all the hardware, OS software, non-OS software, users, and more. 

Ana knows that some malware can modify the registry in an attempt to conceal itself or integrate into existing processes. In some cases, malware even modifies the registry so it can launch itself after a system reboot. Using her forensics scanning tools, Ana searches the registry’s transaction logs for evidence of the malware. Ana knows that Windows creates a transaction log every time information is written to the registry. Upon reviewing the output of her scan, she notices a newly created registry value that appears suspicious.  

Ana traces this value to a hidden folder buried with another file using reverse steganography, and uncovers the original malware file. She wants to understand more about how the malware operates, so she configures a sandbox and loads the malware files. She knows that within the sandbox, she can execute the malware in an isolated environment and see how it reacts. 

Document Everything

As she performs these tasks, Ana takes detailed notes of her actions, including the date, time, and time zone in which she performs each step. Once she uncovers evidence of malware, she generates a report detailing any suspicious indicators of compromise (IOCs). She records the running malware using her forensics tools, noting files that it creates or deletes, as well as configuration changes it makes to the system or network. Ana documents every action or change the malware performs along with any attempts to send data out over the internet. This helps her build a step-by-step account of the malware’s actions, which in turn helps her form a hypothesis about the malware event’s execution timeline.

Reconstruct Event Timeline

After extracting data from evidence, the cyber defense forensics analyst next reconstructs the cyber event. As a cyber defense forensics analyst, you use the findings from this phase to prepare reports for your organization or for presentation in court. The findings identified in this phase must be reproducible and verifiable, so it’s important that you use event reconstruction methods that are rigorous, strict, and repeatable. Let’s take a look at the methods for correlating a sequence of events. 

Time-Frame Analysis

Cyber defense forensics analysts use time-frame analysis to create a timeline or time sequence of actions using timestamps (date and time) that led to an event—or to determine the time and date a user performed some action. Forensics analysts review logs for indications of when a user last modified files, folders, directories, and more. Reviewing security logs for when a user logged in to the system is an example of this type of analysis.
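
Time-frame analysis and the earlier clock check combined, as an added example that is not part of the original unit: timestamps from several sources are converted to UTC, corrected for a measured clock error, sorted, and then read backwards from one event. All source names, offsets, and records are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed records. Each source lists the UTC offset its timestamps were
# written in and the clock error the analyst measured for that system.
SOURCES = {
    "filesystem": {"utc_offset_hours": -5, "clock_skew_seconds": 0},
    "security_log": {"utc_offset_hours": 0, "clock_skew_seconds": 0},
    "proxy_log": {"utc_offset_hours": 1, "clock_skew_seconds": 90},  # 90 s fast
}
EVENTS = [
    ("filesystem", "2024-03-04 09:17:42", "created", "payload.exe (constructed name)"),
    ("security_log", "2024-03-04 14:02:10", "logon", "interactive logon by user"),
    ("proxy_log", "2024-03-04 15:18:05", "download", "GET of installer archive"),
    ("filesystem", "2024-03-04 09:16:58", "created", "installer.zip in Downloads"),
    ("security_log", "2024-03-04 14:19:30", "registry", "new autorun value written"),
]


def to_utc(source, stamp):
    """Convert a source-local timestamp to UTC and remove the measured skew."""
    cfg = SOURCES[source]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    aware = local.replace(tzinfo=timezone(timedelta(hours=cfg["utc_offset_hours"])))
    return aware.astimezone(timezone.utc) - timedelta(seconds=cfg["clock_skew_seconds"])


def build_timeline(events):
    """Return (utc_time, source, kind, detail) rows sorted by corrected time."""
    rows = [(to_utc(src, ts), src, kind, detail) for src, ts, kind, detail in events]
    return sorted(rows, key=lambda row: row[0])


def events_before(timeline, pivot_text, window_minutes):
    """Work backwards: rows inside the window that precede the pivot event."""
    pivot = next(row for row in timeline if pivot_text in row[3])
    start = pivot[0] - timedelta(minutes=window_minutes)
    return [row for row in timeline if start <= row[0] < pivot[0]]


if __name__ == "__main__":
    for when, source, kind, detail in build_timeline(EVENTS):
        print(when.isoformat(), source, kind, detail)
```

Without the 90-second correction, the proxy download would sort after the creation of the payload file, which would reverse the apparent order of cause and effect.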

Data Hiding Analysis

As the name implies, cyber defense forensics analysts use data hiding analysis to search for hidden data on a system. To conceal their illicit activities and identifying information, criminals use several data-hiding techniques such as encrypting data, password-protecting devices and specific content (for example, files), and changing file extensions. During the analysis phase, the investigator needs to address the data-hiding techniques that perpetrators could have used to conceal their identities and activities. Hidden data can reveal knowledge of a crime, ownership of content, or intent to commit a crime.  
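
One way to check for the changed file extensions mentioned above, as an added example that is not part of the original unit: each file's leading signature bytes are compared with the extension it carries. The signature table is a small subset, and the sample files are constructed for the illustration.

```python
import os
import tempfile

# File signatures (leading "magic" bytes) and the extensions they normally carry.
SIGNATURES = [
    (b"MZ", "Windows executable", {".exe", ".dll", ".sys"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
]


def identify(path):
    """Return (description, expected_extensions) from the file header, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, description, extensions in SIGNATURES:
        if head.startswith(magic):
            return description, extensions
    return None


def find_mismatches(root):
    """Walk a read-only mounted copy of the image and list mislabelled files."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            known = identify(os.path.join(folder, name))
            ext = os.path.splitext(name)[1].lower()
            if known and ext not in known[1]:
                findings.append((name, ext, known[0]))
    return findings


def demo():
    """Constructed sample files: two honest, two with a changed extension."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.7\n",
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,   # executable named as a picture
        "notes.txt": b"PK\x03\x04" + b"\x00" * 26,     # archive named as text
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return find_mismatches(root)
```

A mismatch is a lead to examine, not proof of concealment: short signatures such as `MZ` can also appear at the start of ordinary text.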

Application and File Analysis

Cyber defense forensics analysts perform application and file analysis, which helps them determine the perpetrator's knowledge, intent, and capability to commit cybercrime. For example, the perpetrator may name a file after the cybercrime victim.

Ownership and Possession Analysis

Ownership and possession analysis establishes ownership of files created, modified, or accessed. You can then supplement this information to demonstrate that the subject of the investigation had access to the computer at a particular time via time-frame analysis. 

Let’s revisit Ana and her investigation of the malware infection. Now that Ana has extracted data from the malware, she must build a timeline of events leading to the malware infection. Because she has verified that the BIOS and OS dates are in sync, Ana rules out any timeline discrepancies.

Considering the timestamp on the malware files, Ana works backwards looking at the computer’s system, application, and security event logs. Since she knows how the malware works from observing its behavior and IOCs in the sandbox environment, Ana checks relevant logs on the image, looking for the IOCs found during the data extraction process. For each item discovered, Ana documents when it was created, accessed, modified, and so forth.

Ana continues working backwards until she determines how the malware propagated to the system, why security mechanisms failed to catch it, and if any person acted with malicious intent. She next turns to drafting the forensics investigation report. 
