Wednesday, September 30, 2009

How Is Computer Forensics Different from Incident Response?

In response to my last post, All Computer Forensics Professionals Are Not Created Equal:

Christa M. Miller said...
Larry, if you keep computer forensics distinct from IR, doesn't that in some ways throw the baby out with the bathwater? There is really not all that much that forensic practitioners could learn from IR practitioners, compared to other "pure" forensic sources?
I was going to respond to that in a comment, but decided it would be too long to do it justice.

There is a significant difference between incident response and computer (digital) forensics.  However, it only becomes apparent when you analyze the different uses for the two disciplines and how they are applied.

Incident response encompasses a wide range of specialties, as does digital forensics.  Do they overlap?  Yes.  But the more specialized one becomes in one field, the more the two diverge.

Incident response is actually a discipline within traditional information support services.  If you look at the different jobs in information security, you begin to see how the specialization occurs and why it is needed:

Information Support
     Network Administration
         Server administration
             Domain, DHCP, DNS, Mail, File, Application, Database, Collaboration and Terminal servers.
         Network infrastructure
             Switches, Routers, Endpoint Security, Cabling, WAN, Internet, VPN, Wireless etc.
         Disaster recovery
             Backup and Recovery
         Telephone, VOIP
         Network Security
             Malware detection and prevention
             Perimeter protection (firewalls, etc.)
             Data leakage protection
             Intrusion detection and prevention
Everything up to this point is what you need to administer a network and to prevent a need for incident response.  When all of that is defeated and you have a breach, you call for the incident response person or team.

An incident response professional should have a strong foundation in all of the above, since their job is to find where the breach occurred, plug the hole, get the affected server or servers back into service and then, if possible, gather evidence on the intruder for further action.  Where the incident response professional differs from the administrator is that they need to truly understand the low-level workings of a network, how breaches occur, how to locate the method of the breach and how to mitigate it, i.e. kill it and close the hole.

This requires a deep understanding of hacking techniques, log analysis, malware, rootkits, social engineering, hooking, terminate-and-stay-resident (TSR) programs, port scanning, service profiling, packet forensics, routers and firewalls, daemons, hidden services, etc.

The objectives of most intrusions or malware attacks on a network are to:

  1. Steal data (intellectual property, operating or financial information)
  2. Steal systems (Subvert control by gaining root or administrator access)
  3. Steal storage and bandwidth (rogue FTP servers, spammers)
  4. Steal identity information (credit card numbers, client information...)
  5. Disrupt operations (DoS attacks, sabotage, destroy data, logic bombs, prevent access to the system by users)
  6. Just be a nuisance by vandalizing systems.
In any event, attacks on networks are serious and have to be dealt with immediately to protect the enterprise and its clients.  The larger and more complex the network, the more difficult this is to do. This is the role of the incident response professional.

Digital forensics as a discipline is more concerned with finding and documenting the actions of a person or persons in relation to other people, places or activities.

A digital forensic professional must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.

Acquiring Data:  Where data is stored and how to get it.

There are basically two types of data that a digital forensics examiner must collect: data from a physical device in the examiner's hands and data from other sources.

Physical Devices (Short list)

  1. Computer Hard Drives
  2. Solid State Devices (USB Sticks, Memory Cards, Digital Cameras, DV Cameras, etc.)
  3. Cell Phones
  4. Back up devices (Tapes, etc.)
  5. GPS Devices
Other sources of data (not an exhaustive list)

  1. ISP records
  2. Cell phone records
  3. Network activity records
  4. Off-site storage
  5. Email databases
  6. Email providers
  7. Social networking sites.
The other sources of data are places where data may be stored on devices the examiner cannot collect from directly; the examiner must rely on whoever holds those devices to provide that data.
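The phrase "recover that data in a forensically sound manner" above hides a concrete procedure, so here is an added example of it (this is not the post's own code and not any particular tool's): acquire a source into an image while hashing the bytes as they are read, re-hash the written image independently, and produce a record that lets anyone re-verify the image later. The examiner, case and device names are placeholders, and the "USB stick" is a constructed temporary file standing in for a real block device such as /dev/sdb.

```python
"""Forensically sound acquisition of a device or file into an image, with
hash verification and a chain-of-custody record (added example).

The hashing is what lets you later prove the image is unchanged; it does
not replace a hardware write blocker on the source.  Examiner, case and
device names are placeholders.
"""
import hashlib
import json
import os
import socket
import tempfile
import time

CHUNK = 1024 * 1024  # read/write 1 MiB at a time so huge sources stream


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image_path, examiner, case_id, note=""):
    """Copy `source` (a block device such as /dev/sdb, or a file) to
    `image_path`, hashing the bytes as they are read.  The written image is
    then re-read and hashed independently; a mismatch aborts.  Returns a
    record suitable for the chain-of-custody log."""
    src_hash = hashlib.sha256()
    size = 0
    started = time.time()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are really on disk
    finished = time.time()
    image_hash = sha256_of_file(image_path)  # verify by re-reading the output
    if image_hash != src_hash.hexdigest():
        raise RuntimeError("image hash does not match source hash; acquisition failed")
    return {
        "case_id": case_id,
        "examiner": examiner,
        "workstation": socket.gethostname(),
        "source": source,
        "image": os.path.abspath(image_path),
        "bytes": size,
        "sha256": src_hash.hexdigest(),
        "started": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "finished": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(finished)),
        "note": note,
    }


def verify_image(image_path, record):
    """Later check (before analysis, before court): is the image still the
    exact bytes that were acquired?"""
    return (os.path.getsize(image_path) == record["bytes"]
            and sha256_of_file(image_path) == record["sha256"])


def run_demo():
    """Run the whole procedure on a constructed 3 MiB 'USB stick' and show
    that verification catches a single flipped byte.
    Returns (record, verified_before, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_usb.bin")   # stands in for /dev/sdb
        image = os.path.join(tmp, "suspect_usb.dd")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 17))   # constructed, odd length
        record = acquire(source, image, examiner="examiner name",
                         case_id="case id", note="constructed demo data")
        with open(image + ".json", "w") as f:
            json.dump(record, f, indent=2)               # the custody record
        verified_before = verify_image(image, record)
        with open(image, "r+b") as f:                    # flip one byte
            f.seek(4096)
            b = f.read(1)[0]
            f.seek(4096)
            f.write(bytes([b ^ 0x01]))
        verified_after = verify_image(image, record)
        return record, verified_before, verified_after


if __name__ == "__main__":
    record, before, after = run_demo()
    print(json.dumps(record, indent=2))
    print("verified before tamper:", before, "after tamper:", after)
```

The record is what goes in the case file next to the image; the examiner's signature, the write blocker used and the physical custody of the original device are the remaining pieces that the legal side will ask about and that no script can supply.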

How data is created

  1. User created data (documents, spreadsheets, pictures, text messages, chats, web pages, social network pages, financial information...)
  2. Program created data (software logs, registry entries, activity databases, e.g. those kept by Kazaa, Limewire, Internet browsers, VOIP programs and other application software...)
  3. User received data (email, internet downloads including pictures, programs, etc.)
  4. Activity records (call logs, IP accesses, social networking activity, hosted email account creations, cell carrier records, GPS...)

User created data is by far the easiest to recover and analyze, since it is normally the least obscured: documents, pictures, spreadsheets, etc.

Program created data becomes more difficult to recover and analyze because most programs store information in several places, use non-human naming for data storage, and use many different formats for the data that is stored.

However, those very characteristics make it very difficult for a person to completely eliminate all the artifacts that a program leaves on a system's hard drive.
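One practical consequence of the "non-human naming" described above is that an examiner cannot find program-created artifacts by filename alone. As an added example (not from the original post), the script below walks a directory tree and identifies SQLite databases, the format many chat clients and browsers use for their activity databases, by their 16-byte file header rather than by name, then lists each one's tables and row counts. The profile tree it builds is constructed for the example and does not reproduce any real program's layout or schema.

```python
"""Locate program-created artifacts by content signature instead of filename
(added example).  Many programs keep their activity databases in SQLite files
with opaque names and no extension; the 16-byte header identifies them
regardless of what they are called.  The directory tree built here is
constructed for the example and does not reproduce any real program's layout
or schema.
"""
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite(path):
    """True if the file starts with the SQLite 3 header."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def inspect_sqlite(path):
    """Open the database read-only and return {table_name: row_count}.
    If SQLite rejects the file (truncated, corrupt), return {"_error": msg}."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    try:
        con = sqlite3.connect(uri, uri=True)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            counts = {}
            for t in tables:
                quoted = '"' + t.replace('"', '""') + '"'   # safe identifier quoting
                counts[t] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
            return counts
        finally:
            con.close()
    except sqlite3.DatabaseError as e:
        return {"_error": str(e)}


def find_artifacts(root):
    """Walk `root` and return {relative_path: inspect_sqlite(...)} for every
    file whose content, not its name, says it is SQLite."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_sqlite(path):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = inspect_sqlite(path)
    return found


def build_sample_tree(root):
    """Constructed user profile: a chat history DB under an opaque name with no
    extension, a browser-style visit log, a text file misleadingly named .db,
    and a truncated file that carries the header but nothing else."""
    chat_dir = os.path.join(root, "AppData", "x7f3")
    os.makedirs(chat_dir)
    con = sqlite3.connect(os.path.join(chat_dir, "0a9c2e"))
    con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, peer TEXT, body TEXT, ts INTEGER)")
    con.executemany("INSERT INTO messages(peer, body, ts) VALUES (?, ?, ?)",
                    [("alice", "meet at 9", 1254268800), ("bob", "got the file", 1254272400)])
    con.commit()
    con.close()

    web_dir = os.path.join(root, "AppData", "browser")
    os.makedirs(web_dir)
    con = sqlite3.connect(os.path.join(web_dir, "visits_00001"))
    con.execute("CREATE TABLE visits(url TEXT, ts INTEGER)")
    con.executemany("INSERT INTO visits VALUES (?, ?)",
                    [("http://example.com/", 1254268900)] * 3)
    con.commit()
    con.close()

    with open(os.path.join(root, "notes.db"), "w") as f:
        f.write("just a text file with a misleading extension\n")
    with open(os.path.join(root, "AppData", "truncated.bin"), "wb") as f:
        f.write(SQLITE_MAGIC + b"\x00" * 20)


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_artifacts(tmp)


if __name__ == "__main__":
    for path, info in sorted(run_demo().items()):
        print(path, info)
```

Run this against a mounted image (read-only) rather than a live system, and note that the same idea extends to any format with a fixed header: the examiner keeps a table of signatures and lets the content, not the name, decide what a file is.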

What triggers a digital forensic examination is typically something someone has been accused of doing to someone else.  It is very much a people-to-people examination.  While incident response is mostly concerned with stopping an action and cleaning up after it, digital forensics is primarily concerned with finding out whether a person committed an action.  In the world of digital forensics, user attribution is the end goal: did the person do this, and can I prove that it was this person who did it?  While incident response can be successful without ever identifying a person, digital evidence without user attribution has little to no value.

To simplify it, the digital evidence trail looks like this:

This artifact (email, chat, picture) was created by this person and is connected to that person.  Remember, we are looking for evidence that connects people to other people or actions.

To do this kind of work successfully, a digital forensic examiner must understand not only the technical side of the process but also how to work within the legal system, so that the data they recover was legally obtained and can stand up to the scrutiny of a court of law, whether civil or criminal.

The more people and devices and evidence, the more complex the process becomes.

Hopefully this post illustrates why, as you get deeper into each of these disciplines, the knowledge needed diverges significantly.



  1. Larry, I think your focus is too narrow. You are discussing skillsets, but not big picture. Let's start with the three industries that need qualified digital forensic expertise.

    Three broad industries need qualified digital forensic expertise on a daily basis.

    1. Information Security Industry
    2. Litigation Support Industry
    3. Law Enforcement/Defense Industrial Base

    Respectively the industries goals are unique:
    1. Stop hackers, computer based attacks, and recover from data breach incidents.
    2. Win civil and criminal cases involving electronically stored evidence.
    3. Arrest and prosecute criminals/Deter enemies

    As a result, there are three distinct careers.

    InfoSec Crime Investigator: the hardest, of course, is the InfoSec crime investigator/Forensic Expert that requires knowledge in exploit techniques, incident response, computer forensics, and reverse engineering malware.

    #1 InfoSec Crime Investigator/Forensic Expert – This expert analyzes how intruders breached the infrastructure in order to identify additional systems/networks that have been compromised. Investigating traces left by complex attacks requires a forensic expert who is not only proficient in the latest forensic, response, and reverse engineering skills, but is astute in the latest exploit methodologies.
    Industries include:
    • Law Enforcement
    • Intelligence Community
    • Information Security

    #3 Forensic Analyst – The Forensic Analyst focuses on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation. eDiscovery civil litigation, intellectual property theft, disgruntled employee causing damage, and inappropriate use of the internet are the types of cases a Forensic Analyst might encounter.
    Industries include:
    • Law Enforcement
    • Litigation Support
    • Information Security

    #4 Incident Responder – When the security of a system or a network has been compromised, the incident responder is the first-line defense during the breach. The responder not only has to be technically astute, he/she must be able to handle stress under fire while navigating people, processes, and technology to help respond and mitigate a security incident.
    Industries include:
    • Law Enforcement
    • Information Security

    Incident response focuses on event mitigation, but you overlooked the InfoSec investigator where they need to find/recover evidence of a data breach on not just a single system, but on 100s of systems simultaneously. It requires the in-depth knowledge of a forensic analyst coupled with the knowledge of hackers, network forensics, and reverse engineering malware. I'd like to see an average forensic analyst accomplish that. A forensic analyst is a step to becoming an InfoSec investigator.

    Thanks for the thought provoking article.

    --Rob Lee

  2. Hey Rob,

    While I agree with you in principle, I would probably have issues with some of the specifics.

    I think we just have naming problem. I see digital forensics as different from network forensics, or what you guys call the Infosec Crime Investigator.

    I guess my issue is that each of the three fields, to be truly an expert, requires a tremendous depth of knowledge and expertise in that particular field.

    Kind of like doctors, while they all have medical degrees, there is a significant difference in training and expertise in different specialties.

    You wouldn't find a brain surgeon operating an optometry practice, or vice-versa.

    I appreciate your well thought out comment. Keep 'em coming!

  3. Thanks Larry and Rob both, this post and comments were extremely helpful to my understanding of the field. Larry, I really appreciate the follow-up!


I have moderated my comments due to spam.