How Digital Forensics is used in Incident Response
Understanding the Scope of the Cyber Incident
After an incident has occurred within an organization’s network, such as a breach or a ransomware attack, it is important to determine what exactly happened. What was the source of the incident, how did the incident occur, and what activity was performed during the incident? An understanding of the scope of an incident may be required from a legal standpoint, as well as for infrastructure improvement, and digital forensics is the tool through which these questions can be answered.
The first step of any digital forensic analysis in response to an incident is to identify the source of the incident. Digital forensic organizations like Vestige frequently assist organizations in this identification phase. Was the organization's network infected by a ransomware attack, and if so, which variant of ransomware? Was an employee the victim of a phishing attack? Once the cause of the incident has been identified, the initial focus of the forensic analysis is shaped by that specific type of incident. For example, a business email compromise calls for preservation and analysis protocols that differ significantly from those of a ransomware attack.
A real-world scenario that required analysis geared to the specific incident was the recent HAFNIUM exploit. The HAFNIUM exploit, initially disclosed by Microsoft in early March 2021, targeted several vulnerabilities on Microsoft Exchange servers. It exhibited a known series of actions and behaviors on an Exchange server, and accurately identifying it required analysis tailored to those behaviors.
When the Cause Cannot Be Quickly Identified
Outside of specific scenarios, or when the cause of the incident cannot quickly be identified, a general incident response forensic analysis can be performed to cover the gaps. A generalized analysis focuses on two main categories: malicious activity and the presence of malicious software (“malware”). These two pieces of analysis help the organization understand the impact of the incident, what “next steps” need to be taken as a result of the incident, and how to improve defenses and properly educate employees.
Malicious post-incident activity can include a variety of actions performed by the attacker, such as expanding the incident to other devices on the organization’s network (also known as lateral movement), password harvesting, and data exfiltration, among others. Data exfiltration can be particularly damaging, as this type of activity can quickly lead to legal ramifications for the victim organization.
The presence of malware is another important piece requiring a proper investigation. Following an incident, malware often remains hidden within the organization’s network, potentially leading to continued or additional compromise. When most malware is run on a target system, it will attempt to establish persistence, allowing it to survive on the system unless it is completely removed.
The Benefits of a Digital Forensic Analysis after an Incident
A thorough forensic analysis will review all aspects related to an incident. Whether the incident is a known attack or zero-day malware, a forensic analysis will answer the many questions such an incident can pose. Vestige has the experience of working hundreds of incident response matters to provide clients with the intelligence required to navigate the ramifications of an incident and create a plan moving forward. Contact Vestige to learn more.
By Ian Finch, BS, GCFA,
Senior Forensic Analyst
Vestige Digital Investigations