
Blog Post
April 20, 2023 | Cyber security education
With contributions from Ted Raymond.
When it comes to cybersecurity, we tend to focus more on the things we should do to avoid a cybersecurity incident. While those things are certainly important, cyberattacks are happening more often and with more sophistication, and an incident happening at your organization is now a matter of "when," not "if."
Because of this, it's a good idea to also focus on the steps to take during and after an incident. How do you recover? How do you prove that a cybercriminal attacked your business and address the resulting impact?
The answer is simple: digital forensics and incident response (DFIR).
In this blog, you’ll learn:
DFIR is a specialized field focused on identifying, remediating, and investigating cybersecurity incidents. As the name suggests, DFIR consists of two components:
DFIR fuses traditional incident response (IR) activities—such as response planning and rehearsal, IT architecture documentation, and playbook development—with digital forensics techniques.
While traditional IR usually carries some investigative elements, DFIR takes it to another level by emphasizing digital forensics.
With DFIR, businesses can get back to normal operations after a cyberattack while also improving their resiliency against future attacks. What's more, DFIR produces the evidence you need to refer the case to law enforcement and pursue charges against the criminals who targeted your operations, or to support a cyber insurance claim.
And given just how expensive and damaging a single attack can be, it’s more important than ever to know how to respond to a cybersecurity incident and what your legal options are if you’re targeted.
Now, let's dive deeper into the two individual components.
Digital forensics is a branch of forensic science that covers digital technology. Analysts focus on the recovery, investigation, and examination of material found on digital devices.
The end goal of digital forensics is to gather and preserve evidence in a way that holds up under scrutiny, so that it can aid in prosecuting cybercrime should the culprits behind an attack face criminal charges.
There are generally four major reasons why an organization engages in digital forensics:
As in any forensic investigation, speed is critical, especially if an attack is ongoing. Acting fast can help stop active cyber incidents and reduce the overall damage to a victim organization.
Computers, networks, and devices are continuously producing data that may be crucial to an investigation, even while sitting idle. Over time, the risk that this data is deleted, overwritten, or otherwise altered increases.
Many forensic artifacts depend on the state of a computer in the immediate aftermath of an incident: which processes were running, which network connections were open, what was sitting in memory. Forensic investigators need to move quickly to capture this information before it's lost.
Incident response (IR) is a set of activities a business engages in during a cybersecurity incident. For the purposes of IR, a cyber incident can be defined as any event that compromises information confidentiality, integrity, and/or availability—core principles of information security that are often referred to as the “CIA triad.”
IR activities are typically informed by an IR plan designed to get IT infrastructure back up and running as quickly as possible while mitigating the overall damage of an incident.
First and foremost, IR plans and the frameworks they are built on are designed to support recovery efforts. In a broader sense, they also help organizations build cyber maturity and proficiency, which may strengthen defenses enough to stop attacks and incidents from affecting the business in the first place.
For businesses targeted by a cyberattack, recovery is the top-of-mind concern—but beyond getting back up and running, it’s also important to understand the how and why behind an incident.
DFIR delivers that deeper understanding through a comprehensive forensic process. DFIR specialists gather and inspect a wealth of information to determine who attacked the organization, how they got in, the exact steps they took to compromise its systems, and what the organization can do to close those security gaps.
The digital forensic process is the accepted method investigators follow to gather and preserve digital evidence, with the express intent of maintaining a chain of custody. It consists of three key steps:
In the first step, acquisition, investigators create an exact duplicate of the media in question, usually with a hardware imager or specialized software tools, and with a write blocker between the original and the imaging system so that nothing is written back to it. The original media is then sealed and secured to prevent any tampering.
In the analysis step, forensic specialists work on the duplicate, logging every piece of evidence they find that supports or contradicts a hypothesis.
Analysis is iterative: events and actions are reconstructed into a timeline of the incident, which lets investigators reach conclusions about what happened and how the attackers compromised the systems.
Once the investigation is complete, the findings and conclusions are delivered in a report written so that non-technical personnel can understand it.
The report goes to whoever commissioned the investigation and may also be provided to law enforcement, insurers, or legal counsel.
During the acquisition phase of the digital forensic process, analysts look for a variety of forensic data to help them in their investigation:
According to the National Institute of Standards and Technology (NIST), the chain of custody is a “process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for any transfers.”
Basically, the chain of custody is the documentation that lets a court, or anyone else relying on the evidence, trust that it is what it is claimed to be: that it was not planted, substituted, or altered at any point between collection and presentation.
Think of every police procedural story you’ve read or seen on TV. Detectives catch the bad guys by uncovering and documenting evidence that helps them recreate the exact circumstances surrounding a crime. Digital evidence is no different: it is information stored on or transmitted by a digital device that is relevant to a crime.
Broadly speaking, digital evidence should meet five key criteria:
DFIR investigators will gather this information and store it safely to prevent contamination in order to ensure it remains admissible in court.
But it’s not the only sort of evidence they collect; investigators may also assess and document:
In theory, gathering digital evidence should be as simple as pulling out a hard drive infected with ransomware. In practice, it’s not quite so simple.
Some digital evidence is volatile, or non-persistent: it exists only while the device is powered on. The contents of RAM, the list of running processes, logged-in sessions, open network connections, and caches such as the ARP table all disappear at power-off, and the keys for a mounted encrypted volume may go with them. Non-volatile, or persistent, evidence survives a reboot because it is written to storage: a hard drive or SSD, flash memory such as USB sticks and phone storage, firmware in read-only memory, or even a CD-ROM or other disc.
Because pulling the plug destroys the volatile evidence, investigators often cannot and will not power down affected systems right away. Instead they capture the most short-lived data first (a memory image, process and connection listings) and only then move on to persistent storage, an ordering known as the order of volatility.
Because of these challenges, DFIR investigators will typically start by duplicating a hard drive via drive imaging, a process that creates a bit-for-bit copy of a drive affected by an attack, with the original connected through a write blocker so nothing can be written back to it. As a rule, investigators operate exclusively on this duplicate when conducting an investigation. This allows them to explore and test hypotheses without impacting the actual evidence.
The imaging process also records cryptographic hash values (typically SHA-256, often with MD5 alongside it for compatibility with older tooling) of both the source and the image. Matching hashes show the copy is exact, and re-hashing the image later shows it has not changed since acquisition. Wherever possible, evidence is stored in a secure location where it can be preserved and accessed for reference later, with added physical security to ensure no item can be compromised.
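The acquisition, hash verification, and chain-of-custody ideas described above (the NIST definition of the chain of custody, and the image-then-hash workflow), as an added example that is not Field Effect's code or any tool the post names. Function and file names are hypothetical; `source` can be a regular file or a block device opened read-only, ideally behind a hardware write blocker. The sample "disk" in `demo()` is constructed data.

```python
"""Image-and-verify with a chain-of-custody log (added example, hypothetical names)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory use flat on large media


def hash_file(path):
    """SHA-256 and MD5 of a file, streamed so multi-terabyte images fit in memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            sha.update(block)
            md5.update(block)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def record_custody(custody_log, item, handler, action, purpose, hashes):
    """Append one chain-of-custody entry: who handled what, when, why, and its hashes."""
    entry = {
        "item": item, "handler": handler, "action": action, "purpose": purpose,
        "timestamp": datetime.now(timezone.utc).isoformat(), "hashes": hashes,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def acquire_image(source, image_path, handler, purpose, custody_log):
    """Bit-for-bit copy of `source` into `image_path`, hashing the source as it is read.

    The source is opened read-only and the image with mode 'xb', so an existing
    image is never overwritten. The image is hashed again from disk after the
    copy; a mismatch means the acquisition itself failed.
    """
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(source, "rb") as src, open(image_path, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            sha.update(block)
            md5.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    source_hashes = {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}
    if hash_file(image_path) != source_hashes:
        raise RuntimeError("image hash does not match source; acquisition failed")
    record_custody(custody_log, image_path, handler, "acquired", purpose, source_hashes)
    return source_hashes


def verify_image(image_path, expected_hashes, handler, custody_log):
    """Re-hash an image (for example before analysis) and log whether it still matches."""
    current = hash_file(image_path)
    ok = current == expected_hashes
    record_custody(custody_log, image_path, handler,
                   "verified" if ok else "VERIFY-FAILED", "pre-analysis check", current)
    return ok


def demo():
    """Constructed end-to-end run: acquire, verify, tamper with the image, verify again."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "suspect-disk.bin")
    with open(evidence, "wb") as f:  # constructed 3 MiB stand-in for a seized disk
        f.write(bytes(range(256)) * (3 * 4096))
    image = os.path.join(work, "suspect-disk.raw")
    log = os.path.join(work, "custody.jsonl")
    hashes = acquire_image(evidence, image, "analyst A", "initial acquisition", log)
    first_check = verify_image(image, hashes, "analyst B", log)
    with open(image, "r+b") as f:  # simulate tampering: flip one byte of the image
        f.seek(1234)
        original = f.read(1)
        f.seek(1234)
        f.write(bytes([original[0] ^ 0xFF]))
    second_check = verify_image(image, hashes, "analyst B", log)
    with open(log) as f:
        entries = [json.loads(line) for line in f]
    return {"evidence": evidence, "hashes": hashes, "first_check": first_check,
            "second_check": second_check, "entries": entries}


if __name__ == "__main__":
    result = demo()
    print("acquired sha256:", result["hashes"]["sha256"])
    print("verify before tamper:", result["first_check"], "after:", result["second_check"])
```

Two design points worth noting: the hashes are computed from the same bytes that are written, so the source is read exactly once (important for failing drives), and every handling event, including a failed verification, lands in the append-only log rather than being silently discarded, which is what a custody record is for.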
Because DFIR is a multidisciplinary field that combines soft skills with specialized technical ones, team members will generally have a unique mix of skills, traits, and experience they bring to bear in their role.
By no means a complete list, those skills and experience may include:
This is a long list of skills and areas of expertise, and organizations are often hard-pressed to find qualified individuals with relevant experience who will also be a good fit for their business.
Many organizations are turning to external consultants or third-party providers to handle their digital forensics and incident response needs.
Our team of experienced cybersecurity experts can work with you to help you build your capabilities and ensure your organization can recover in the event of an attack—while making sure you’re able to track down who targeted you.
Interested in taking the first step? Check out our Incident Response Planning page to learn more about how Field Effect can help you prepare for and conduct DFIR investigations.