Prepare for Cyber Defense Forensics Analysis

Learning Objectives

After completing this unit, you’ll be able to:

List the phases of cyber defense forensics.
Define cyber defense forensics techniques.
Identify the different types of cyber defense forensics.
Determine the objectives of a cyber defense forensics investigation.

Phases of Cyber Defense Forensics

The cyber defense forensics investigation process typically follows five phases.

Identification

During the identification phase, you as a cyber defense forensics analyst identify and respond to after-the-fact cybersecurity breaches and network attacks. You assist in tracing the source of the attacks, and detect what happened.

Preservation

Once you identify the evidence, the next step is to preserve the information. This phase is where you make forensic images of devices, such as making a digital copy of a device so you can work from it. The goal of the preservation phase is to protect a system or device from further tampering. You may recover hidden, deleted, or encrypted data for further analysis later. You make a forensic copy of the evidence via a hard drive image or files. You then perform active analysis and run tools on the copy to ensure the original evidence is not tampered with. This step allows for multiple teams to work off of official copies, and it’s a requirement in all cases where the prosecution and defense require access to perform analysis.

Analysis

In the analysis phase, you review digital evidence for signs of a crime. You use this information to determine how the cybercriminal breached the system, and what data they stole or modified. You might use reverse steganography or memory captures. We discuss these and other methods in further detail a little later. When analyzing the data, you can use a range of forensics tools and software (examples include Autopsy, The Sleuth Kit, and X-Ways Forensics). You also use tools to help in forensics imaging such as an imaging laptop, encrypted disks for image storage, and so forth.

Documentation

Like any detective, you document findings throughout the entire cyber defense forensics process while avoiding any assumptions and following the evidence. If you make a mistake during this process, the evidence may be unreliable, affecting the validity and accuracy of your conclusions. Here are some precautions you can take to avoid that outcome.

Seal physical evidence into evidence bags noting the current date and time.
Lock up all evidence with limited access; this helps prevent evidence tampering.
Maintain a chain of custody log for each piece of evidence.
If you must share the evidence with other investigative personnel, note the date and who possessed it.

Presentation

In the final phase, you present your findings without bias and in chronological order. You can plan on providing a technical summary of the investigation process and, if required, testifying in court as an expert witness.

Define Cyber Defense Forensics Techniques

Cybercrime continues to evolve in technique and sophistication. As more organizations experience cyber events, the need for cyber defense forensics becomes more important for protecting computer networks and systems.

When a cybercriminal commits a cybercrime, they store most of the evidence in digital format. Therefore, as a cyber defense forensics analyst, you must know a variety of techniques for how to collect, preserve, analyze, and report on evidence. Some of these techniques include reverse steganography, stochastic forensics, cross-drive analysis, live analysis, deleted file recovery, and more. Let’s learn more about these techniques.

Reverse Steganography

Cybercriminals use steganography to hide information within digital files, with the purpose of avoiding detection. They conceal data such as files, messages, images, or videos within another file, message, image, or video. Cybercriminals often use steganography in phishing emails because the hidden file looks exactly like the original, which makes detection difficult.

As a cyber defense forensics analyst, you use your skills and forensics tools to analyze these files and detect the hidden data. One such way to accomplish this is comparing the hash values of the original file to the suspicious file. A hash value is a numeric value of a fixed length that uniquely identifies data. If the file in question has a different hash than the original file, this may indicate an attempt to conceal data.

Stochastic Forensics

Woah this a big word! Let’s break it down. Stochastic (pronounced [STUH] + [KAST] + [IK]) forensics allows you as a cyber defense forensics analyst to reconstruct activities without digital artifacts. You use this technique during data breach investigations where the attacker is thought to be an insider.

Insider attacks are much harder to forensically investigate than external ones. When cyber attacks initiate from the outside, they leave the digital equivalent of broken windows in a house burglary. However, insider attacks often leave little to no trace as the insider is an authorized user. As a result, these types of attacks typically do not create any artifacts. Nevertheless, insider data theft can affect the statistical distribution of a file system’s metadata. By analyzing this distribution, you can use stochastic forensics to reconstruct timelines, which provides you with clues into the insider’s behavior. Let’s look at this technique in action.

Ryan is a cyber defense forensics analyst hired to investigate the theft of data from a company. His client asked him to find out if a former employee walked off with sensitive information about the company’s customers. Ryan received no other information about the suspected theft other than the name of the ex-employee and access to the computer suspected in the attack.

Upon coming onto the scene, Ryan makes a forensic image of the computer’s hard disk. Using his forensics laptop that holds his analysis tools, he begins looking at the timestamps (date and time) where the individual accessed directories and subdirectories. He uses stochastic forensics to analyze the distribution of the timestamps. He knows that typical file systems have a heavy-tailed distribution (in other words, the tail looks fatter) of file access. Copying in bulk disturbs this pattern. By investigating this anomaly, Ryan notices that a large file was recently copied off the computer onto a removable media device. He traces the activity back to the account and informs his client that the ex-employee did indeed steal data.

Cross-Drive Analysis

Cross-drive analysis (also known as anomaly detection) correlates and cross-references information found on multiple computer hard disks. This allows you as a cyber defense forensics analyst to search for, analyze, and preserve information relevant to an investigation.

It’s crucial that you look for and correlate evidence across multiple drives, in order to ferret out all possible locations where a malicious actor may have hidden or stored evidence. You compare events that raise suspicion with information stored on other drives for similarities, which provides context of what really happened. By correlating events and looking for evidence across multiple drives, you build a full picture, and minimize the chance you’ve missed evidence hidden in other drives.

Live Analysis

Using live analysis, you analyze a computer while it is running. You use the computer’s internal system or endpoint detection and response (EDR) tools to look at volatile data, which is often stored in cache or random access memory (RAM). Many tools used to extract volatile data require the computer to be in a forensics lab to maintain the legitimacy of a chain of evidence.

Deleted File Recovery

Deleted file recovery (sometimes known as file or data carving) involves searching a computer system and memory for fragments of files that were partially deleted. Any time a file is deleted, it leaves traces of the file on a machine, which you can uncover and preserve for evidence.

Identify the Different Types of Cyber Defense Forensics

There are various types of computer forensics examinations. Each deals with a specific aspect of information technology . Here are some of the main types.

Technique	Description
Database	You examine data and metadata information contained in databases.
Email	You recover and analyze emails and other information contained in email platforms, such as schedules and contacts.
Malware	You sift through code to identify possible malicious programs and analyze their payload. Such programs include Trojan horses, ransomware, or various viruses.
Memory	You collect information stored in a computer’s RAM and cache.
Mobile	You examine mobile devices to retrieve and analyze their information, including contacts, incoming and outgoing text messages, pictures, and video files.
Network	You search for evidence by monitoring network traffic, using tools such as a firewall or intrusion detection system.

A cyber defense forensics analyst examines different types of data, symbolized by a cylinder for database, a mobile phone, memory, and so on.

Determine the Objectives of the Investigation

Keep in mind that computer forensics investigations are not always tied to a crime. The forensics process has a variety of applications such as recovering data from a crashed server or a failed drive. As a cyber defense forensics analyst, you may also use digital forensics to reformat an operating system (OS) or to assist in other situations where a system has unexpectedly stopped working. For this reason, before you begin identifying and preserving evidence, it’s important that you determine the objectives of your investigation and gain approval either from legal counsel or your organization’s leadership.

Sum It Up

Now you understand more about cyber defense forensics preparation. In the next unit, you learn more about how to verify that a cyber event occurred and how to collect and recover evidence.