Wednesday, September 30, 2009

How Is Computer Forensics Different from Incident Response?

In response to my last post, All Computer Forensics Professionals Are Not Created Equal:

Christa M. Miller said...
Larry, if you keep computer forensics distinct from IR, doesn't that in some ways throw the baby out with the bathwater? There is really not all that much that forensic practitioners could learn from IR practitioners, compared to other "pure" forensic sources?
I was going to respond to that in a comment, but decided it would be too long to do it justice.

There is a significant difference between incident response and computer (digital) forensics.  However, it only becomes apparent when you analyze the different uses for the two disciplines and how they are applied.

Incident response encompasses a wide range of specialties, as does digital forensics.  Do they overlap?  Yes.  But the more specialized one becomes in one field, the more the two diverge.

Incident response is actually a discipline within traditional information support services.  If you look at the different jobs in information security, you begin to see how the specialization occurs and is needed:

Information Support
     Network Administration
         Server administration
             Domain, DHCP, DNS, Mail, File, Application, Database, Collaboration and Terminal servers.
         Network infrastructure
             Switches, Routers, Endpoint Security, Cabling, WAN, Internet, VPN, Wireless etc.
         Disaster recovery
             Backup and Recovery
         Telephone, VOIP
         Network Security
             Malware detection and prevention
             Perimeter protection (firewalls, etc.)
             Data leakage protection
             Intrusion detection and prevention
Everything up to this point is what you need to administer a network and to prevent the need for incident response.  When all of that is defeated and you have a breach, you call in the incident response person or team.

An incident response professional should have a strong foundation in all of the above, since their job is to find where the breach occurred, plug the hole, get the affected server or servers back into service, and then, if possible, gather evidence on the intruder for further action.  Where the incident response professional differs is that they need to truly understand the low-level workings of a network, how breaches occur, how to locate the method of the breach, and how to mitigate the breach, i.e. kill it and close the hole.

This requires a deep understanding of hacking techniques, log analysis, malware, root kits, social engineering, hooking, terminate and stay resident (TSR) programs, port scanning, service profiling, packet forensics, routers and firewalls, daemons, hidden services, etc.

The objectives of most intrusions or malware attacks on a network are to:

  1. Steal data (intellectual property, operating or financial information)
  2. Steal systems (Subvert control by gaining root or administrator access)
  3. Steal storage and bandwidth (rogue FTP servers, spammers)
  4. Steal identity information (credit card numbers, client information...)
  5. Disrupt operations (DoS attacks, sabotage, destroy data, logic bombs, prevent access to the system by users)
  6. Just be a nuisance by vandalizing systems.
In any event, attacks on networks are serious and have to be dealt with immediately to protect the enterprise and its clients.  The larger and more complex the network, the more difficult this is to do. This is the role of the incident response professional.

Digital forensics as a discipline is more concerned with finding and documenting the actions of a person or persons in relation to other people, places or activities.

A digital forensic professional must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.

Acquiring Data:  Where data is stored and how to get it.

There are basically two types of data that a digital forensics examiner must collect:  Data from a physical device and data from other sources.

Physical Devices (Short list)

  1. Computer Hard Drives
  2. Solid State Devices (USB Sticks, Memory Cards, Digital Cameras, DV Cameras, etc.)
  3. Cell Phones
  4. Back up devices (Tapes, etc.)
  5. GPS Devices
Other sources of data (not exhaustive)

  1. ISP records
  2. Cell phone records
  3. Network activity records
  4. Off-site storage
  5. Email databases
  6. Email providers
  7. Social networking sites.
The other sources of data are places where data may be stored but the examiner does not have direct access to the devices for collection, and must rely on others to provide that data.

How data is created

  1. User created data (documents, spreadsheets, pictures, text messages, chats, web pages, social network pages, financial information...)
  2. Program created data (software logs, registry entries, activity databases of programs such as Kazaa, Limewire, Internet browsers, VOIP programs, application software...)
  3. User received data (email, internet downloads including pictures, programs, etc.)
  4. Activity records (call logs, IP accesses, social networking activity, hosted email account creations, cell carrier records, GPS...)

User created data (documents, pictures, spreadsheets, etc.) is by far the easiest to recover and analyze, since it is normally the least obscured.

Program created data becomes more difficult to recover and analyze because most programs store information in several places, use non-human naming for data storage, and use many different formats for the data that is stored.

However, those very characteristics make it very difficult for a person to completely eliminate all the artifacts that a program leaves on a system's hard drive.

What triggers a need for a digital forensic examination is typically something someone has been accused of doing to someone else.  It is very much a people-to-people examination.  While incident response is mostly concerned with stopping and clearing an action, digital forensics is primarily concerned with finding out if a person committed an action.  In the world of digital forensics, user attribution is the end goal.  Did the person do this, and can I prove that it was this person who did it?  While incident response can be successful without ever identifying a person, without user attribution digital evidence has little to no value.

To simplify it, the digital evidence trail looks like this:

This artifact (email, chat, picture) was created by this person and is connected to that person.  Remember, we are looking for evidence that connects people to other people or actions.

To successfully do this kind of work, a digital forensic examiner must understand not only the technical side of the process, they must also be able to work within the legal system to ensure that the data they recover was legally obtained and can stand up to the scrutiny of a court of law, whether it is civil or criminal.

The more people and devices and evidence, the more complex the process becomes.

Hopefully this post illustrates why, as you get deeper into each of these disciplines, the knowledge needed diverges significantly.
