A leaf out of Digital Forensics adventures- Part 1

-

What is digital forensics?

A specialized branch of forensic science that works to recover and investigate digital devices in the world of cybercrime. The aim of this work is to identify, preserve, analyze, and document digital evidence in order to present it to the relevant law authorities as and when required.

Who is a Digital forensics investigator? 

A person who has a mindset to discover evidence and trace back the storyline to solve the case. It can range from discovering: 

How attackers gained access to the network- or the point of breach

Lateral movement on the network- or affected systems discovery

Information stolen or backdoors planted- Corporate Espionage 

Recover data that were attempted for deletion, damage as well as manipulation.


Let’s now analyze the different phases across a digital forensics investigation:

Phases:

1. First-line incident response

The focal point right after a suspected breach /security incident is known as the first response. These initial steps lay the foundation of SLAs and a plan of action.

2. Collect and secure the evidence

Here the forensic investigator searches for the infected devices and takes custody of the systems to proceed with forensic methods for evidence gathering and ensure it is accurate, authentic, and accessible.

3. Perform data analysis

Under this phase, the acquired data is used to unearth the evidence and structured into a storyline having the observations as an output from thorough assessments

4. Reporting and lessons learned.

The post-investigation phase covering documenting the finding with adequate and acceptable evidence and the lessons learned.

To deep dive further into evidence analysis phases: 

1. Identification and Acquisition  – This phase is focused on capturing the current state of a system for detailed analysis and investigation. A major focus is to isolate, secure, and preserve the system for data extraction. This includes preventing people from possibly tampering with the evidence.

2. Analysis – Post having a copy of the system image (acquisition of the system state) the evidence needs to be investigated for the breach and the Indicators of compromise 

Three kinds of evidence emerge as a possibility:

Inculpatory Evidence –  These are the evidence that supports a possible theory.

Exculpatory Evidence – This is any evidence that negates a possible theory.

Evidence of Tampering – These are the traces on the system which point towards attempted tampered to evade identification. Forensic investigators draw conclusions based on evidence found.

3. Presentation – This phase presents the conclusions and their corresponding evidence that the digital investigator has deduced. The concept of “chain of custody” comes into play here. The chain of custody refers to the complete ownership and handling of evidence to ensure those are protected and preserved and any modification to the evidence is prevented or recorded.

What kind of career can you expect as a digital forensic investigator?

Cyber Forensic Investigator

Cybersecurity Forensics Consultant

Security Forensics Analyst (SOC)


Required skillsets as a digital forensic investigator

Knowledge of Incident response lifecycle phases (such as SANS, NIST, etc.)

Knowledge of anti-forensic techniques

In-depth knowledge of hard disks and file systems

Investigating email crimes (such as business email compromise)

Ransomware incident handling/ Malware analysis

•       Mobile device forensics and data acquisition

Part- 2 will focus on the tools and techniques of the trade.


Check out my other articles on incident response:

https://securitywarrior9.blogspot.com/2021/05/incident-response-handling-for.html

https://securitywarrior9.blogspot.com/2021/04/researching-difference-between-siem-and.html

https://securitywarrior9.blogspot.com/2021/01/network-forensics-overview.html



Comments

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this. Title of the Vulnerability:   Arbitrary File Upload Vulnerability Class: Security Misconfiguration Technical Details & Description: The application source code is coded in a way which allows arbitrary file extensions to be uploaded. This leads to uploading of remote shells/ malicious Trojans which can lead to complete system compromise and server takeover. CVE ID allocated :  CVE-2017-14521 Product & Service Introduction: Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Ma
Read more

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

-
Image
By- Navina Asrani Hi Readers, Recently while tinkering with my wifi router, I was curious to find if it has possible loopholes and vulnerabilities. Curious to explore its functionalities, I started probing with the options. Title of the Vulnerability:   Cross Site Request Forgery Vulnerability Class: Code Execution/ Privilege Escalation Technical Details & Description: The firmware allows malicious request to be executed without verifying source of request. This leads to arbitrary execution with malicious request which will lead to the creation of a privileged user. CVE ID allocated: -  CVE-2018-12529 Product & Service Introduction: Intex Router Steps to Re-Produce – 1.        Visit the application 2.         Go to any router setting modification page and change the values, create a request and observe the lack of CSRF tokens. 3.        Craft an html page with all the details for the built-in admin user creation and host it on a server
Read more

Stored XSS in Wonder CMS- CVE-2017-14522

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of security mechanism to filter any user input and accepted and stored in blindly without any sort of input validation Title of the Vulnerability:   Stored XSS Common Vulnerability Scoring System:  7.0 Vulnerability Class:  Injection Technical Details & Description:  The application source code is coded in a way which allows user input values to be stored and processed by the application. CVE ID allocated :  CVE-2017-14522 Product & Service Introduction:  Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive). WonderCMS doesn't require any configuration and can be simply unzipped a
Read more