How to preserve forensic evidence in the golden hour after a breach - By Martin Roots
Most IT managers focus on providing their users with a good level of service and support, for example keeping the network up and running and making sure the systems are free from malware.
But what should their response be when the boss comes into the office and tells them that one of their PCs or similar devices may have been involved in some inappropriate activity and needs to be examined for an investigation? How many IT managers would know what to do to preserve as much digital evidence as possible?
The golden hour
The earliest stage of any investigation is the most important one to get right. Very much along the lines of medical trauma care, there is a "golden hour" at the very outset, where a clear head and well thought out planning can make or break any subsequent forensic investigation.
Given the near-certainty that something bad will happen in your organisation, it makes sense to consider these possible scenarios now and figure out how to deal with them before they actually happen. Developing standard operating procedures (SOPs), having the right – and up to date – forensic assistance to hand, as well as keeping your knowledge up to date are essential.
The circumstances of the incident might be such that you can rush down to the third-floor office where an incident has been reported and get there before anyone else has interfered with the machine or the disk deletion tool has finished its work.
Sadly, this situation is unlikely to be the one you’re faced with. It’s more likely that the machine is at some distance from your office and that you will initially be talking to a non-technical person, seeking your advice.
So, what are you going to do?
This is where your pre-planning comes into its own. By having a set of simple questions and corresponding actions already set up, in a logical step-by-step process, you can question and possibly instruct the non-technical person in order that your golden hour of the investigation gets off to the best possible start.
Furthermore, this stage will enable you to confirm whether the legal aspects of the situation are such that you can continue with the work. For example, who owns the equipment, and by whose authority are you carrying out your investigation? You should also establish whether the work is to be carried out openly or covertly.
My colleagues recount incidents where, even when dealing with a local technician, lack of forensic knowledge on the caller’s behalf has damaged the outcome of the subsequent investigation.
Hence it is ideal to assume the caller has no knowledge of computing or forensics and to stick to your SOP.
It is also a sensible idea to involve and inform as few people as possible. The suspect may have accomplices or loyal friends who may be able to misdirect or even prevent your investigation.
The Scene of the Crime
Your next concern is for the crime scene itself. Ideally, you’ll want to collect any and all items that may be related to the incident.
We all know users who leave their password stuck inside their top drawer or bring in their own USB drives. If possible, you should attempt to take control of at least the immediate area. If it will be some time until you can get to the scene it is also wise to ask that nothing is removed – even if it means the cleaners are excluded from the area (who knows what evidence might be in the waste bin?).
The most important item relating to any investigation is the record that you keep of what is done by whom, when and to what equipment. If you don’t already keep a formal logbook, a notepad will do for now as long as your records are accurately dated and timed.
To help the forensic analyst understand what needs to be searched for on the device, keep notes relating to the people involved, the alleged offence, dates and times, and so on.
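The record the article asks for (what was done, by whom, when, and to which equipment) is only useful as evidence if it can be shown not to have been altered afterwards. As an added example (not the article's own code), this keeps such a log with UTC timestamps and hash-chains the entries so that any later change to an earlier entry is detectable; the field names and sample values are assumptions made for the illustration.

```python
"""Added example (not the article's own code): a tamper-evident version of the
contemporaneous log described above (who did what, when, to which equipment).
Entries are UTC-timestamped and hash-chained, so later alteration of an earlier
entry is detectable. Field names are assumptions made for this illustration."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class LogEntry:
    when: str        # ISO-8601 UTC timestamp, taken when the entry is made
    who: str         # person who carried out the action
    equipment: str   # asset/serial number of the equipment touched
    action: str      # what was done, e.g. "network cable removed"
    prev_hash: str   # hash of the preceding entry ("" for the first entry)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # The hash covers the previous entry's hash too; that is the chain link.
        payload = json.dumps([self.when, self.who, self.equipment,
                              self.action, self.prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()


class EvidenceLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def record(self, who: str, equipment: str, action: str,
               when: Optional[str] = None) -> LogEntry:
        # Defaults to the current UTC time; pass `when` to transcribe the
        # dated-and-timed entries from a paper notepad.
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = LogEntry(when, who, equipment, action, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact and chains to its predecessor."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True
```

Editing an entry breaks its own hash; recomputing that hash to hide the edit breaks the `prev_hash` of the entry after it, so `verify()` fails either way.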
You will also need to know that the work you are about to do is legitimate, for example who is the legal owner of the equipment in question? If in doubt, always take legal advice.
Regardless of whether the equipment is on or off, the most important thing to do is to isolate it from any network it may be connected to. Remove any network cables and turn off any Wi-Fi or Bluetooth connections.
As a suggestion, use your own laptop or mobile phone to see if there are any wireless connections running in the area. There is a free Android app that can be downloaded and used on an Android smartphone to scan for wireless routers in a local area, which we find useful.
Determine the state of equipment
The next thing is to determine the current state of the equipment. If you think it's off (or are told it's off by the caller), check by looking for any disk or other activity, for example a disk activity light or mouse light. If it's off, leave it off and never switch it on. Just to be safe, pull the power cable from the back of the unit or remove its battery.
If the device is on and you can see the desktop, record and make notes of the screen and Task Bar display (for Windows PCs). Consider taking a picture using a digital camera (or mobile phone in an emergency) but remember that the picture may need to be produced as evidence, so use a new storage card if possible. If the equipment is on but in stand-by or screensaver mode, jiggle the mouse to display the screen and record it.
If you've got the right software (we use Nigilant32 or Mandiant's Memoryze) you can safely and forensically recover RAM, but only if you know how to do it correctly. RAM analysis is useful because malware is often RAM-resident, leaving few or no traces on the hard disk, and because some web browsers can be set to private browsing, in which case most of the usual traces of web activity are never committed to the machine's records and are potentially lost. Evidence of this sort of activity can be difficult to discover later.
Depending on what appears to be running on the device, the next step might vary. If it's evident that a file scrubber (that is, a tool that will delete data on a hard disk) is running, or that data is being manipulated by a running program, it is normally advisable to shut the machine down. Do this by pulling the power lead from the case or removing the battery, so that any uninterruptible power supply (UPS) is disconnected as well. With this approach, it's common for the operating system (OS) to save some of the current state of the machine, which the forensic analyst may then be able to examine back in the lab using a virtual machine or other facility.
Seek advice from forensics expert
Otherwise, leave the machine on; now is the time to seek advice from a forensics expert to provide input on any further steps to be taken.
As well as notes of actions you take with a device, it is also advisable to photograph, record and label any and all connections that might be in place. Record all connected devices and make note of equipment/asset numbers (if used in your organisation), model and serial numbers and seize all additional items that you are legally allowed to, for example any storage devices, laptops, cameras, phones, CDs, and paperwork.
The advice of the client’s HR department or lawyers can be valuable in this regard.
You will need to know if the investigation is covert or overt. If it’s covert, things may start to get interesting as you will need some ready answers to questions such as “Why are you doing this?”
Even if it’s overt, you should still operate on a need-to-know basis and responses to questions should be pre-agreed with the client. We always work on the basis that the fewer people that know about the situation the better.
You should also, if at all possible in the context of the investigation, take control of the crime scene. Further sources of background information might be in the most innocuous of places, such as waste bins and post-it notes.
Now this is all done, it’s time to call in the digital forensic folk for the next part of the process.
Hopefully you have seen that your incident management and golden hour preparatory work has been worth it, so well done you!
The next step is to go back to your office and reflect on why this whole sorry mess happened and how it can be best avoided in future.
Martin Roots is a security consultant and forensic lead at security consultancy Incoming Thought