Computer forensics follows the bread crumbs left by perpetrators

Ryan Francis | May 9, 2017
As investigators, these security pros let the clues lead them. See in a few examples how commercial software helps these techies solve the crime.

He said the companies will employ a service that records all actions and functions and simply request a review of the logs. All information will be stored forensically to ensure reliability.


An example of forensics

Tanium provided an example where a network monitoring device issues an alert indicating that a corporate workstation, "Alice," has communicated with the IP address of an internet host associated with an attacker, "Eve."

An investigator first needs to figure out why Alice communicated with Eve's IP address. Is the host infected with malware? If so, how did it get on the system, and what artifacts can be used to find similarly impacted systems? Was Alice used to access other systems or resources, or was the incident contained to a single host? What was Eve's ultimate objective?

If Alice already has an EDR product that provides continuous recorder capabilities, an investigator might first review its telemetry feed and search for Eve's IP address. This can identify the context (time, associated process / malware, associated user account) for each connection event.

Analyst performs a deep dive on AlphaPC via Tanium Trace to investigate the IP address belonging to Eve. Credit: Tanium

Next, the analyst can pivot on these findings and conduct timeline analysis to identify the events that preceded the malware's introduction to the host, and malicious activity associated with it (which may be "manually" driven by Eve or fully automated). For example, the investigation might indicate that the malware was introduced to the system through a malicious email that uses a document containing malware. Following the infection, telemetry may have recorded that Eve used the malware to steal the user's credentials and attempt lateral access to other systems within Alice's corporate environment.

The malicious Excel document drops the malware Z4U8K1S8.exe. The attacker then interacts with the system through a command and control session. Tanium Trace records the processes and activity performed by the attacker. Credit: Tanium

If Alice's system doesn't have an EDR "flight recorder" running, an investigator can still piece together the same sort of timeline summarized above using the system's native sources of evidence. However, this incurs a greater level of effort and higher likelihood of gaps in the timeline.

The analyst will then create IOCs (Indicators of Compromise) from information identified during the investigation. Credit: Tanium

After the incident has been triaged on Alice's system, an investigator likely has numerous artifacts or Indicators of Compromise that describe Eve's tradecraft -- i.e., her tools, tactics, and procedures. These can be used to search forensic evidence and telemetry across the entire enterprise in the hopes of identifying additional systems that the attacker has impacted. This leads to further deep-dive forensic analysis on newly discovered hosts. The process repeats until an investigator feels they have comfortably scoped the incident, understands its root cause and impact, and is prepared to remediate.
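The workflow described above (search telemetry for Eve's IP, build a timeline around the responsible process, derive IOCs, sweep other hosts), as an added Python example that is not from the article or from Tanium. The event schema, the IP 203.0.113.7, the hosts bob and carol, and all timestamps, users and PIDs are constructed; only the file name Z4U8K1S8.exe comes from the figure caption.

```python
from collections import namedtuple

Ev = namedtuple("Ev", "ts host user kind pid ppid detail")
EVE_IP = "203.0.113.7"  # constructed placeholder (RFC 5737 documentation range)

# Constructed telemetry (assumed schema): process rows carry an image name in
# `detail`, network rows carry the destination IP. PID reuse is ignored here.
EVENTS = [
    Ev("2017-05-02T09:14:03", "alice", "CORP\\alice", "process", 410, 1, "OUTLOOK.EXE"),
    Ev("2017-05-02T09:14:40", "alice", "CORP\\alice", "process", 522, 410, "EXCEL.EXE"),
    Ev("2017-05-02T09:14:52", "alice", "CORP\\alice", "process", 733, 522, "Z4U8K1S8.exe"),
    Ev("2017-05-02T09:14:55", "alice", "CORP\\alice", "network", 733, None, EVE_IP),
    Ev("2017-05-02T09:20:11", "alice", "CORP\\alice", "process", 801, 733, "cmd.exe"),
    Ev("2017-05-02T10:02:30", "bob", "CORP\\alice", "process", 95, 4, "Z4U8K1S8.exe"),
    Ev("2017-05-02T10:05:00", "carol", "CORP\\carol", "network", 120, None, "198.51.100.9"),
]

def connections_to(events, ip):
    """Step 1: each connection to the suspect IP, with its time, host, user and PID."""
    return [e for e in events if e.kind == "network" and e.detail == ip]

def timeline(events, hit):
    """Step 2: ancestors and descendants of the connecting process, in time order."""
    procs = {e.pid: e for e in events if e.kind == "process" and e.host == hit.host}
    up, pid = [], hit.pid
    while pid in procs and procs[pid] not in up:      # walk up the parent chain
        up.append(procs[pid])
        pid = procs[pid].ppid
    down, frontier = [], {hit.pid}
    while frontier:                                   # walk down level by level
        kids = [e for e in procs.values() if e.ppid in frontier and e not in up + down]
        down += kids
        frontier = {e.pid for e in kids}
    return sorted(up + down, key=lambda e: e.ts)

def iocs_from(events, hit):
    """Step 3: the IP plus the image that owned the connection (lower-cased)."""
    owner = next(e for e in events
                 if e.kind == "process" and e.host == hit.host and e.pid == hit.pid)
    return {hit.detail.lower(), owner.detail.lower()}

def sweep(events, iocs, triaged):
    """Step 4: hosts not yet triaged whose telemetry matches any IOC."""
    return sorted({e.host for e in events if e.detail.lower() in iocs and e.host not in triaged})

if __name__ == "__main__":
    hit = connections_to(EVENTS, EVE_IP)[0]
    for e in timeline(EVENTS, hit):
        print(e.ts, e.host, e.user, e.detail)
    print("next hosts to triage:", sweep(EVENTS, iocs_from(EVENTS, hit), {"alice"}))
```

The legitimate ancestors (OUTLOOK.EXE, EXCEL.EXE) appear in the timeline as context but are deliberately kept out of the IOC set, since sweeping for them would match most of the enterprise.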

