Something can be detected automatically, or it can be searched for. An investigation (incident response and digital forensics) can therefore start either from a security alert or from threat hunting. What are artefacts, and how do they differ from evidence? What types of artefacts are there, and how do you look for them? Let’s dive deeper into the techniques used to spot the attacker.
Knowing your artefacts and attacks is very useful, but how do you really USE that knowledge to its full potential? This section combines information from the attacks and artefacts sections to suggest possible approaches to the investigation.
Before copying evidence or making a disk image, one needs to sterilise the target media to ensure that data previously on that disk cannot contaminate the evidence data. Several passes of writing zeros are usually enough.
During both live and dead acquisition, it is important not to alter the evidence. Write blockers protect the evidence from accidental modification, helping to ensure it remains admissible in court.
There are two types of acquisition: live and dead. Choosing based on the initial state of the system in question is usually preferable. For example, if the system is turned on, perform live acquisition first, capturing all volatile data that would be lost after a reboot. Otherwise (if the system is shut down), go straight to dead acquisition.
Live acquisition can only happen on a running system. It is quicker and easier than imaging the drive, but you will miss some data. It is sometimes the only way to collect data from a mobile device.
To detect and respond to incidents quickly, there are playbooks, which are essentially step-by-step guidelines. Some IR frameworks include them to ease the process.
Attackers will attempt to conceal their presence or even plant bogus artefacts to complicate the investigation and potentially lead to incorrect conclusions.
As if investigations were not complicated enough, we must also contend with various timestamp formats. There is a wide range of time formats in use, and it is crucial to understand the differences between them to build an accurate timeline.
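As an added example (not code from the original page), the following Python normalises several common timestamp encodings into one UTC timeline so that events from different sources sort correctly. The formats and their epochs (Windows FILETIME, Unix epoch seconds, WebKit microseconds, and a naive local log time with a known host offset) and the sample event values are my assumptions, not taken from the page.

```python
from datetime import datetime, timedelta, timezone

# Epochs used by the formats handled below (well-known definitions, assumed here).
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME and WebKit
_EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix epoch


def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (NTFS $MFT, registry)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def unix_to_utc(ts: float) -> datetime:
    """Unix time: seconds since 1970-01-01 UTC (syslog, ext4, most application logs)."""
    return _EPOCH_1970 + timedelta(seconds=ts)


def webkit_to_utc(us: int) -> datetime:
    """WebKit/Chrome time: microseconds since 1601-01-01 UTC (Chrome History, Cookies)."""
    return _EPOCH_1601 + timedelta(microseconds=us)


def local_to_utc(text: str, offset_hours: int) -> datetime:
    """Naive 'YYYY-MM-DD HH:MM:SS' log time plus the host's known UTC offset."""
    naive = datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)


# Constructed sample events: (source, raw value, format). All but the last are
# 2020-01-01 UTC; the app log is 01:30 local on a UTC+2 host, i.e. 23:30 UTC the day before.
SAMPLE_EVENTS = [
    ("NTFS $MFT created", 132223104000000000, "filetime"),         # 00:00:00 UTC
    ("Chrome History visit", 13222311000000000, "webkit"),          # 00:10:00 UTC
    ("syslog entry", 1577840400, "unix"),                           # 01:00:00 UTC
    ("app.log (host UTC+2)", ("2020-01-01 01:30:00", 2), "local"),  # 23:30:00 UTC, Dec 31
]


def build_timeline(events):
    """Convert every event to UTC and return [(iso_utc, source), ...] in chronological order."""
    conv = {"filetime": filetime_to_utc, "unix": unix_to_utc, "webkit": webkit_to_utc}
    rows = []
    for source, raw, kind in events:
        t = local_to_utc(*raw) if kind == "local" else conv[kind](raw)
        rows.append((t, source))
    return [(t.isoformat(), source) for t, source in sorted(rows)]


if __name__ == "__main__":
    for iso, source in build_timeline(SAMPLE_EVENTS):
        print(iso, source)
```

Note that the naive application log, which looks like the latest event when read at face value, is actually the earliest once its host offset is applied; that is exactly the kind of ordering error an unnormalised timeline produces.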