This document provides an introduction to cyber forensics. It defines key terms like forensics science, digital forensics, and cyber forensics. It also discusses cyber attack and malware trends, GDPR requirements, core principles of cyber forensics investigations, and presents an overview of the goals, actions, and scope of activities in a cyber forensics investigation. Finally, it provides a case study example of a client database leak investigation.
3. {elysiumsecurity}
cyber protection & response
3
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
DEFINITIONS
Public
FOREENSIC SCIENCE
THE APPLICATION OF SCIENCE TO CRIMINAL AND CIVIL LAWS, DURING CRIMINAL
INVESTIGATION, AS GOVERNED BY THE LEGAL STANDARDS OF ADMISSIBLE
EVIDENCE AND CRIMINAL PROCEDURE.
Definitions from Wikipedia
DIGITAL FORENSICS
A BRANCH OF FORENSIC SCIENCE ENCOMPASSING THE RECOVERY AND
INVESTIGATION OF MATERIAL FOUND IN DIGITAL DEVICES, OFTEN IN RELATION
TO COMPUTER CRIME
CYBER/COMPUTER FORENSICS
A BRANCH OF DIGITAL FORENSIC SCIENCE, THE APPLICATION OF INVESTIGATION
AND ANALYSIS TECHNIQUES TO GATHER AND PRESERVE EVIDENCE FROM A
PARTICULAR COMPUTING DEVICE IN A WAY THAT IS SUITABLE FOR PRESENTATION
IN A COURT OF LAW
5. {elysiumsecurity}
cyber protection & response
5
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
GDPR REQUIREMENTS
Public
ARTICLE 33
72H REPORTING
NATURE OF THE BREACH?
(WHO? WHERE? HOW?)
POTENTIAL IMPACT?
WHAT HAS BEEN DONE TO PREVENT THE BREACH?
(CONTROLS? PROCESSES?)
Icons from the Noun Project unless specified otherwise
6. {elysiumsecurity}
cyber protection & response
6
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
CORE PRINCIPLES
Public
PRESERVATION OF INTEGRITY
CHAIN OF CUSTODY
ONLINE/OFFLINE ?
NEVER FORGET THE « S »!!
ACTIVITY GOALS
7. {elysiumsecurity}
cyber protection & response
7
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
OVERVIEW
Public
CONTEXT LOGS FILESYSTEM CONFIG NETWORK MEMORY ADVANCED
ACTIVITY
SCOPE
ACQUISITION ANALYSIS REPORTINGACTIONS
GOALS
IDENTIFICATION
Impact/Target/Technique
ATTRIBUTION
Source of Attack
COLLECTION
Evidence of compromise
Copyright ELYSIUMSECURITY LTD, please refer to us if reusing this diagram: https://www.elysiumsecurity.com
8. {elysiumsecurity}
cyber protection & response
8
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
GOALS
Public
IDENTIFICATION
Impact/Target/Technique
ATTRIBUTION
Source of Attack
COLLECTION
Evidence of compromise
WHAT?
WAS COMPROMISED?
WAS STOLEN/MODIFIED?
WHERE?
THE CONTROLS FAILED?
THE DATA WENT?
HOW?
THEY HACKED?
WAS IT STOPPED?
WHY?
THEY TARGETED YOU?
WAS IT SUCCESSFUL?
WHO?
WAS TARGETED?
WAS RESPONSIBLE?
9. {elysiumsecurity}
cyber protection & response
9
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIONS
Public
ACQUISITION
REPORTING
ANALYSIS
IDENTIFICATION OF EVIDENCE
PRESERVATION OF EVIDENCE
COLLECTION OF EVIDENCE
ANALYSIS OF EVIDENCE
DOCUMENTATION OF EVIDENCE
PRESENTATION OF EVIDENCE
10. {elysiumsecurity}
cyber protection & response
10
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - CONTEXT
Public
CONTEXT
TIMELINE
LOCATION
MEDIUM
INDIVIDUALS
ACTIVITIES
READ-ONLY
COPY OF
EVIDENCE
!
INTERVIEWS
11. {elysiumsecurity}
cyber protection & response
11
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - LOG
Public
LOGS
ENDPOINTS
SERVERS
NETWORK DEVICES
CLOUD SERVICES
EVENT VIEWER, WEBTOOLS
START WITH
TIMELINE RANGE
READ-ONLY
COPY OF
EVIDENCE
!
12. {elysiumsecurity}
cyber protection & response
12
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - FILESYSTEM
Public
FILESYSTEM
SUPER TIMELINE
FILE/APP/KEYWORD SEARCH
PLACES OF INTEREST
VIRUS SCANS
LOG2TIMELINE, TSK
HUGE
AMOUNT
OF DATA
READ-ONLY
COPY OF
EVIDENCE
!
13. {elysiumsecurity}
cyber protection & response
13
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - CONFIG
Public
CONFIG
REGISTRY KEY HIVE
SYSTEM FILES
APPLICATION CONFIGURATION
RECENT CHANGES/INSTALLATIONS
REGEDIT/HIJACKTHIS/GREP
READ-ONLY
COPY OF
EVIDENCE
!
14. {elysiumsecurity}
cyber protection & response
14
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - NETWORK
Public
NETWORK
SOURCE / DESTINATION ACTIVITIES
PROTOCOL USED
TRAFFIC CONTENT ANALYSIS
IDS ANALYSIS
WIRESHARK / TCPDUMP
READ-ONLY
COPY OF
EVIDENCE
!
15. {elysiumsecurity}
cyber protection & response
15
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - MEMORY
Public
MEMORY
DUMP MEMORY / PAGE FILES
RUNNING PROCESSES
BINARY INSPECTION
HIDDEN DATA
VOLATILITY / REKAL
READ-ONLY
COPY OF
EVIDENCE
!
16. {elysiumsecurity}
cyber protection & response
16
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
ACTIVITY - ADVANCED
Public
ADVANCED
USER ACTIVITY SIMULATION
MALWARE REVERSE ENGINEERING
MALWARE SANDBOXING
HONEYPOTS
HACKER COMMUNICATION
DANGEROUS!READ-ONLY
COPY OF
EVIDENCE
!
17. {elysiumsecurity}
cyber protection & response
17
CASE STUDYFRAMEWORKPRINCIPLESCONTEXT
CLIENT DATABASE LEAK INVESTIGATION
Public
CONTEXT LOG FILESYSTEM CONFIG NETWORK MEMORY ADVANCED
- EXECUTIVE ATTENDED A
CONFERENCE;
- LOGGED TO WEBMAIL;
- WARNING IGNORED;
- CLIENT DB LEAKED;
- 29/05/18 @ 09:09
- TROJAN FILES FOUND;
- HIDDEN PARTITION
IDENTIFIED;
- BAD WEB PLUGIN
DELETED;
- USB CONNECTION.
- PROCESS SENDING DATA
TO IP EVERY 5 MINUTES;
- ENDPOINT ACTING AS A
PROXY FOR INTRANET;
- IDS FLAG ALERTS.
- MALWARE SOURCE
CODE IN FRENCH;
- IP TRAIL FROM KNOWN
GROUPS;
- HACKER FOR HIRE
FROM EX EMPLOYEE.
- EMAIL LOGING FROM
SUSPICIOUS COUNTRY;
- EMAIL DELETED TO DB
SUPPORT;
- VPN ACCESS FROM
CONFERENCE.
- WEB HISTORY TO FAKE
WEBMAIL;
- FIREWALL TURNED OFF;
- AV WHITELIST OF
SUSPICIOUS DIRECTORY;
- SUSPICIOUS SERVICE.
- HIDDEN PROCESSES;
- TROJAN DETECTED IN
MEMORY;
- REMOTE CONNECTION
LIVE;
