We’ve simplified the process in this article, but make no mistake – there is no cookie-cutter approach to cybercrime investigations. As cybercrime investigators, we must plan out each investigation based on the events of the intrusion.
As we move into the future, new technologies will emerge, new devices will be deployed, and new methodologies will be put into place. This is an ever-changing field, where you must constantly stay current. Ultimately, it is you, the client, who has the biggest impact on the outcome of the investigation.
This should give companies considering a cybercrime investigation some idea of the steps taken when conducting an investigation, such as that provided by our sister company, eForensix in New Jersey.
As a victim company hiring cybercrime investigators, it is important to understand what you need to expect from the individuals conducting the investigation for you.
Step 1: You will be advised on the need for a timely engagement.
Because of the volatile nature of potential evidence stored on some devices, evidence must be preserved or collected immediately. It’s also possible that the hacker is still accessing the network, ransomware is still encrypting data on computers, or the infection could spread to other third-parties, making you potentially liable. Therefore you should expect that your forensics team would like the project to start immediately due to the threat of these issues.
Step 2: You will be asked to identify all resources assigned to the response.
Prior to going onsite, the digital forensics company will want to know who else you have retained, and who will be working with their company. This allows them to identify the chain of command, as there can only be one leader. For example, if you have retained a cyber attorney, then the attorney should take the lead. They may look to the digital forensics firm for technical guidance, but the cyber attorney will make all the strategic and legal decisions.
Step 3: Digital forensics team will request all network documentation from you.
This includes, but is not limited to: network diagrams, inventory sheets identifying the number of workstations, the number of servers both physical and virtual, identification of all resources in-house or at a colocation facility, intrusion detection system (IDS) or intrusion prevention system (IPS) software, and virus mitigation.
Step 4: First day onsite.
The first day onsite is paramount to the investigation. Aside from digital forensics experts, those who need to be present include the cyber attorney if retained, IT personnel, and top company executives. If you have contracted with third-party support, make sure you have the IT support technicians onsite and not over the phone. The digital forensics team will then document all responses and identify the name of the person responding. A good intrusion consultant verifies everything they are told and we will certainly do that, taking nothing for granted..
Step 5: Identification of all network devices.
Networks can grow rapidly, and technicians are not always good at keeping their documentation up to date. Digital Forensics will not accept network diagrams and other documentation at face value. They must physically review the network and its resources, noting any corrections on the documentation.
Step 6: Digital forensics team will initiate the collection of evidence.
The collection of volatile evidence should be done immediately, preferably by the IT staff before someone from digital forensics arrives on site. Once the collection of evidence is initiated, they will start first with the most volatile devices, such as the firewalls and routers, then move to other devices, such as workstations and servers. Then, they will thoroughly assess the security level of each device, and export a full report and all of the public and private IP addresses to a CSV file for further review.
Step 7: Evidence review.
The company you hire will then review all the logs taken from the various sources and attempt to identify external and internal IP addresses that fit into the timeframe of the intrusion/infection. Next, they will place a timeline together that documents the initial point of entry and subsequent access/infection of other computers. After careful consideration, you may want them to forensically image the drives, and analyze the evidence for malware or hackerware.
Step 8: The Digital forensics team will conduct interviews of your employees and IT staff.
Employee interviews are one of the last stages of the investigation, just before digital forensics issues a report of their findings. It’s essential they have all the facts surrounding the intrusion/infection before interviewing your staff, so they know what questions must be asked. Talking with your employees and any outsourced IT company will not only yield new information, but will also provide new perspectives on the investigation.
Step 9: The final report.
The final stage of the investigation is for the digital forensics team to issue a report based on the services rendered to you. The report should be broken down into three broad sections. First, the reason you engaged that company’s services. Second, what services and activities they performed. And third, what the findings were.
If you need to consult with a digital forensics expert regarding a cybercrime investigation that is impacting the state of your business, contact eForensix today. If you are not the target for a cyber intrusion and would like to keep it that way with a secure IT support, please give Network Security Group, Inc. a call or visit our website for more information: https://www.nsgi.com/
*This article includes excerpts from “Pocket Guide for Investigating Ransomware and Network Intrusions” written by John Lucich, the Founder and CEO of Network Security Group, Inc and eForensix.
