What is Computer Forensics?

Computer forensics is the examination of evidence found on computers and digital storage media to identify whether an incident has taken place, or to identify exactly what has happened. I am talking in this article mainly about Cyber Incidents involving business rather than a criminal based investigation, but the concept is still the same.

Computer Forensics in Incident Response

Following an incident an examination is conducted in a forensically sound manner to preserve evidence and identify the key facts. This includes:

Scope of the incident - What devices and user accounts have been affected by the incident. This is essential to identify how many and which devices have been affected, and what level of privileges the attacker has. If the attacker has been able to achieve Admin level credentials the potential for serious damage is greatly increased.

Length of time incident has been ongoing - Some incidents can last weeks, months or even years. Computer forensics can be used to find out how long the incident has been ongoing and whether it is still ongoing.

Root cause - Computer forensics are used to identify the attack vector, or how the attacker managed to initially breach cyber defences. This is essential in any investigation to make sure that the door is firmly shut.

Systems affected - This identifies what type of information could be accessed and allows us to understand the attacker’s methodology.

Breakdown of TA activity - Following the trail of breadcrumbs and placing the pieces of the jigsaw together allows an investigator to identify what data may have been accessed, whether personally identifiable information has been viewed or exfiltrated, and exactly what the attacker’s actions were whilst in the network or system.

Data affected - As mentioned above it is important to identify whether personal data has been viewed or accessed during an incident. Computer forensics can identify whether data has been viewed, exfiltrated or both, or whether the attacker has failed to access and personal data.

Ultimately forensics also allows us to answer the most important question, has the attacker been eradicated from the system.

What evidence is available on a computer?

Each computer is different depending upon its setup but most devices contain a wealth of information if you know where to look. This is an enormous topic with constantly evolving content but a handful of examples are:

Evidence of program execution

Evidence of incoming and outgoing connections

Account logins/logouts

Internet browsing activity

Emails

This is literally the tip of the iceberg but thorough analysis allows a forensic investigator to follow the trail of breadcrumbs and provide a very good idea of the attacker’s activity whilst inside the network or device, and more importantly how to shut the door and make sure it stays shut.

What makes the job of computer forensics more difficult is that sophisticated attacks can often incorporates Anti-Forensic techniques.

What are Anti-Forensics techniques?

Anti-forensics is, in layman’s terms, the minimising or complete removal of evidence from a digital crime scene which is done to make the analysis and examination of evidence difficult or impossible to conduct. The subject can be broken down into sub-categories for easier understanding:

1. Data hiding
2. Artifact wiping
3. Trail obfuscation

Data hiding

Encryption - Attackers often encrypt contents of files that they are stealing

Steganography - This is the practise of hiding information inside innocuous files such as images, video and audio. Steganography is used by attackers to hide payloads and malicious files inside files which appear to be harmless, hence the terms Trojan.

Fileless malware - Attackers often use techniques that do not run executables and therefore leave only leave a trace in the memory of the computer which is lost when the device is powered off.

Hiding data in the registry - Fileless malware scripts can be stored in the registry, for example PowerShell scripts, which are then encrypted or obfuscated to prevent detection. These changes are often only identified through complex memory forensics methods or registry key forensics which require specialist skills to conduct.

Transmography - This is the practise of hiding of files by the changing of format and is often seen in investigations. This can be easily detected by carrying out signature analysis but again requires specialist knowledge to investigate, e.g. docx altered to appear as a .jpg file.

Artifact Wiping

Disk cleaning - Ccleaner and other tools are often used by attackers to not only delete files or evidence from victims computers, but also completely remove any residual data by overwriting it with a byte level default value such as ‘00’ or ‘FF’. If tools like these are used to cover the attackers tracks there is no way of getting that data back and investigators rely on other aspects of investigation.

Trail obfuscation

Log cleaning - There are potentially hundreds of logs available to forensic investigators on the average computer, however, attackers can target these logs and remove them or alter their settings.

Timestomping - Attackers with the prerequisite skills can use tools to modify metadata resulting in the alteration of time stamps. This can make investigation extremely challenging, but with the relevant skills and knowledge there are usually additional locations where timestamps are stored for several artifacts. This just means specialist knowledge is required to carry out an investigation where ‘timestomping’ is suspected.

Why do Threat Actors use Anti-Forensic techniques?

Attackers use these techniques for their own reasons but in personal experience from law enforcement and dealing with many of these high-profile attackers they have said:

• To make themselves hard to find
• Because if we know how attackers get in the attack vector is publicised, patched or remedied, and the method will cease working.
• If victim doesn’t know or appreciate the effects of what has occurred, they may be naïve about the subsequent response.
• If it is difficult to identify what has occurred a level of persistence may remain, i.e. a backdoor might remain in place and allow them to access again, or to sell the access on to another attacker.

Not forgetting the insider threat who may use anti-forensics techniques to remain inside an organisation whilst they continue to act against the organisation or individuals.

The majority of incidents use some form of Anti-Forensics techniques to conceal details of the attacks and without specialist Forensic analysis there is a strong chance that key evidence may be deleted or concealed.