Tuesday, July 23, 2013

Enterprise IT Forensic Process - Analysis

In the last two months, I have talked about the first two processes - Approval and Acquisition. Now, let's us move to the next process - Analysis. 

You may have heard of PPT - People, Process and Technology.  While the Approval and Acquisition are more about Process and Technology, Analysis is really about People. No matters how good your processes or technologies are, without the "People" factor, those processes or technologies would not yield much tangible outcome. One needs to have a very good analytical skills and adequate experience to be a good forensic examiner. One gains experience by doing more forensics in different scenarios and solving more technical issues etc. Bottom line, it's all about experience. 

Nevertheless, there is one vehemently crucial element for the Analysis process. Even the most experience forensic examiner will need to have this prior to any investigation:

Knowing what to look for - You can't find anything if you don't know what to look for.  For example, one cannot just tell the police to look for a "murderer" in a big shopping complex. The police would need more detail descriptions of the murderer - male or female? Hair colour? What type of clothes etc.  It is the same in IT forensic, one cannot just throw a laptop to a forensic examiner and tell him/her to look for something criminal on this laptop. It needs to be more specific than that. For example - "look for any trace of child pornography in this laptop" is specific. 

This info about "What to look for" shall be obtained prior to Approval process, ideally it should be part of the Request for Investigation

Once you know what to look for, the next steps will be:

How to look for - There is no fix procedure or formula for this. It's really depends on situation and it is case by case. This is when one's experience really make a hell lots of difference. However, as a start, in most cases a forensic investigator or an examiner can use a certain forensic tool such as Encase or FTK to do a search based on relevant keywords. The search results would give more hints or clues on what or where to look deeper. In a nutshell, here are the basic steps:

1. Develop basic keywords
2. Perform search based on those keywords
3. Review search results
4. Refine keywords or develop new keywords
5. Repeat 2 - 4 until tangible results are obtained. 
6. Mark, note or extract those relevant evidence for reporting later. 

Of course, the above approach may not be always valid or applicable. For example, if you are investigating a DoS attack, you'll need to use a completely different approach. Using Encase or FTK to review firewall, routers, webservers logs are not effective and I will say it doesn't even make sense to do so. For this one, manual reviews of the logs with some customised filtering scripts is the best way forward. Needless to say, every investigator has his/her own favourite tools and methods.