This section discusses concepts related to supporting security investigations. You should be familiar with the processes in an investigation. You should know all the fundamentals of collecting and handling evidence, documenting your investigation, reporting the information, performing root cause analysis, and performing digital forensic tasks.
- Evidence collection and handling. Like a crime scene investigation, a digital investigation involving potential computer crimes has rules and processes to ensure that evidence is usable in court. At a high level, you need to ensure that your handling of the evidence doesn’t alter the integrity of the data or environment. To ensure consistency and integrity of data, your company should have an incident response policy that outlines the steps to take in the event of a security incident, with key details such as how employees report an incident. Additionally, the company should have an incident response team that is familiar with the incident response policy and that represents the key areas of the organization (management, HR, legal, IT, etc.). The team doesn’t have to be dedicated but instead could have members who have regular work and are called upon only when necessary. With evidence collection, documentation is key. The moment a report comes in, the documentation process begins. As part of the documentation process, you must document each time somebody handles evidence and how that evidence was gathered and moved around; this is known as the chain of custody. Interviewing is often part of evidence collection. If you need to interview an internal employee as a suspect, an HR representative should be present. Consider recording all interviews, if that’s legal.
- Reporting and documenting. There are two types of reporting: one for IT with technical details and one for management without technical details. Both are critical. The company must be fully aware of the incident and kept up to date as the investigation proceeds. Capture everything possible, including dates, times and pertinent details.
- Investigative techniques. When an incident occurs, you need to find out how it happened. A part of this process is the root cause analysis, in which you pinpoint the cause (for example, a user clicked on a malicious link in an email, or a web server was missing a security update and an attacker used an unpatched vulnerability to compromise the server). Often, teams are formed to help determine the root cause. Incident handling is the overall management of the investigation — think of it as project management but on a smaller level. NIST and others have published guidelines for incident handling. At a high level, it includes the following steps: detect, analyze, contain, eradicate and recover. Of course, there are other smaller parts to incident handling, such as preparation and postincident analysis, like a “lessons learned” review meeting.
- Digital forensics tools, tactics and procedures. Forensics should preserve the crime scene, though in digital forensics, this means the computers, storage and other devices, instead of a room and a weapon, for example. Other investigators should be able to perform their own analyses and come to the same conclusions because they have the same data. This requirement impacts many of the operational procedures. In particular, instead of performing scans, searches and other actions against the memory and storage of computers, you should take images of the memory and storage, so you can thoroughly examine the contents without modifying the originals. For network forensics, you should work from copies of network captures acquired during the incident. For embedded devices, you need to take images of memory and storage and note the configuration. In all cases, leave everything as is, although your organization might have a policy to have everything removed from the network or completely shut down. New technologies can introduce new challenges in this area because sometimes existing tools don’t work (or don’t work as efficiently) with new technologies. For example, when SSDs were introduced, they presented challenges for some of the old ways of working with disk drives.
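The two requirements above, a chain of custody that records every handoff and images whose integrity can be shown not to have changed, are combined in this added example (not from the original text): a small Python ledger that re-hashes the evidence image at each handoff and links every entry to the previous one, so both a modified image and an altered or removed log entry are detected on verification. `CustodyLog`, `build_sample_log`, the evidence id and the handler names are hypothetical; the image file it builds is constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    # Hash in chunks so a multi-gigabyte disk or memory image never has to fit in RAM.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    # Append-only chain-of-custody ledger for one evidence image (hypothetical helper).
    def __init__(self, evidence_id, image_path, handler):
        self.evidence_id, self.image_path, self.entries = evidence_id, image_path, []
        # The hash taken at acquisition is the reference every later check compares against.
        self.acquisition_hash = self.record("acquired", handler, "imaged source device")["image_sha256"]

    def record(self, action, handler, note):
        # Each handoff re-hashes the image and commits to the previous entry's hash.
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"evidence_id": self.evidence_id, "action": action, "handler": handler,
                 "note": note, "timestamp": datetime.now(timezone.utc).isoformat(),
                 "image_sha256": sha256_file(self.image_path), "prev_entry_hash": prev}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):  # -> (image_unmodified, log_intact)
        image_ok = sha256_file(self.image_path) == self.acquisition_hash
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev_entry_hash"] != prev or e["entry_hash"] != expected:
                return image_ok, False
            prev = e["entry_hash"]
        return image_ok, True

def build_sample_log():
    # Constructed stand-in for a real acquisition: a small fake image file in a temp dir.
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    with open(path, "wb") as f:
        f.write(b"constructed disk image bytes\n" * 4096)
    log = CustodyLog("EV-001", path, "examiner-1")
    log.record("transfer", "examiner-2", "handed to lab for analysis")
    return log
```

In practice the acquisition hash is also written into the examiner's notes and on the evidence tag, so the ledger and the physical record can be checked against each other.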