I realized very early on in my Digital Forensics and Incident Response (DFIR) career that most folks in the industry seemed to have fallen into it inadvertently. My trajectory into the world of cyber investigations is not all that different. As a child, I was perpetually glued to the television screen and quickly developed an inclination towards true crime shows (and horror flicks). And so, the pathway into the field of forensic science was an organic decision. Before I knew it, I found myself in a lab coat, squinting down the eyepiece of a microscope, getting well-acquainted with eighty-plus cadavers over the next five years.
It wasn’t until I started my graduate education years later that I found my true calling in digital forensics. I’ll never forget that fateful day — it was like discovering the doorway to Narnia.
I was sitting in the front row of orientation, ready to pursue a master’s program in forensic biology at The George Washington University. I listened nonchalantly to each of the introductory presentations by the program coordinators of the various forensic tracks, including forensic biology, forensic chemistry, forensic toxicology, and crime scene investigations. Then, it was time for the final presentation, which was the grand introduction to the track of digital forensics. At first, it seemed so far removed from my career path that I didn’t pay too much attention. But once the presenter started diving into the details, it was game over for the forensic biologist.
I’m a sucker for a good story (hence my propensity towards unhealthy TV habits), so what followed left me on the edge of my seat. The presenter proceeded to tell us about how she had leveraged Photoshop to crack open a child trafficking ring. The more she spoke, the more intrigued I became. How was it possible that a field existed where forensic science and technology merged in this way? How had I gone this long without ever having heard of it? Immediately after the presentation, I demanded a change in major even though I had no technical background. Lucky for me, the most important characteristic for an aspiring digital forensic investigator is curiosity, and I had no shortage of that.
As I progressed in my master’s education and got my first taste of working as a digital forensic investigator in the real world, I came to appreciate my background in traditional forensic sciences even more. Many of the skills are transferable from physical to cyber investigations. I’m talking about the scientific process, analytical methods, report writing, and an affinity for sleuthing and solving puzzles. The parallels between traditional forensics and computer forensics are abundant — let’s explore.
As a newly minted student in forensics, you’ll learn Locard’s Exchange Principle: “With contact between two items, there will be an exchange.” This principle is the foundation on which the entire field of forensics rests. According to Locard’s Principle, whenever a perpetrator enters or leaves a physical crime scene, they will inevitably leave something behind and take something with them: DNA, latent prints, fibers, and hair, for example.
The same principle persists in digital forensics. System artifacts, registry keys, metadata, and logs serve as the digital counterparts to fingerprints and cigarette butts.
As with physical evidence, our capacity to obtain evidentiary value from these artifacts is significantly dependent on the technology available at the time of the incident. Examining a device or network and reconstructing the incident from the vantage point of Locard’s Exchange Principle is as fundamental to drawing investigative conclusions from digital evidence as it is from physical evidence.
True to any investigation is the importance of understanding the scope. In a burglary investigation, it’s critical to have a detailed ‘checklist of thoroughness’ every step of the way. Who called the police, what time did they call, whom did they call, was anyone else notified? Every question may subsequently cascade into a series of sub-questions. Additionally, investigators strive to map out the physical scene: location, number of rooms, entryways, etc. Furthermore, we’d want to learn as much as possible about witness accounts of the incident. How was it discovered, who stumbled across the crime scene, was anyone working in the office at the time, any disgruntled ex-employees?
The same objectives are present in digital investigations and incident response. In a post-breach situation where data was stolen, an investigator may ask the victim to address similar questions. What did you observe, what prompted you to check your systems, have you contacted the threat actor, and is there a presence of malware?
Similarly, a major step in the scoping phase is to gather as much detail as possible about the IT landscape. For example, the number of servers and workstations, the number of users, the network perimeter architecture, the email platform being used, and the security solutions and protocols in place.
Ultimately, the goal of the scoping phase is to triage the scene and learn as much as possible about the incident at the time that it was discovered.
One of the most fundamental steps in the investigative process is forensic preservation. In our burglary scenario, responders would aim to identify the scene dimensions and quickly establish a perimeter, ensuring that the crime scene is “frozen.” This is because any type of interaction with the crime scene can taint and corrupt the state of the evidence. Any access to the scene thereafter is stringently controlled, even for the bosses. Everyone who comes into and leaves the scene must be authorized, permitted, and logged.
As you may have guessed, preservation is equally important for a digital crime scene. When responding to a breach incident, we encourage users to have as little interaction with the impacted systems as possible until forensic preservation is complete. This is because any type of user activity can affect the quantity and quality of the digital evidence. This includes the possible overwriting of evidentiary data, the rolling over of logs, the smearing of metadata, and the permanent loss of deleted files.
Remember Locard’s Exchange Principle? We want to preserve the physical and digital crime scenes as much as possible.
The next step in our investigative protocol is to conduct a primary survey, then document and process the scene. Unlike what’s depicted on CSI (the TV show), we do not do this in high heels. We’re more likely decked out head to toe in coveralls. Investigators aim to identify and collect all potential evidence while keeping detailed documentation. The burgled scene is likely thoroughly videotaped or photographed, from entry to exit, from every angle, including an extensive analysis of the perimeter.
Don’t forget to dust the window for fingerprints. Was anything dropped in the dumpsters? Does the office have an alarm system? We also look out for biological evidence such as hair and fluids, footwear and tire tracks, trace evidence, tool marks, etc. The goal is to gather enough information to reconstruct the incident and determine the entry point, the perpetrator’s activities while they were in the environment, and whether anything was stolen.
When responding to a data theft incident, from a cyber investigator’s perspective, we have the same goal of collecting as much evidence as possible.
Starting from the perimeter of the network, we look for firewall logs, IDS/IPS logs, VPN logs (yes, logs are the trend here). Depending on how thorough the investigation will be, we’ll often collect forensic images of the impacted systems, which are bit-by-bit copies of the original digital media or system snapshots. Other items on our radar include malware samples, phishing emails, audit logs, amongst others. If we’re lucky, we may have access to a network capture, like a surveillance camera at the office’s entryway.
Although it’s probably the least sensational part of our investigative process, one of the most important skills to be equipped with as a forensics expert is reporting. The journalistic approach of answering who, what, when, where, why, and how is a central part of forensic execution in both physical and digital scenarios. Investigators create thorough descriptions of pretty much everything taken at the scene and leverage inventory logs to account for all evidence. It is also critical to follow a clear chain-of-custody throughout the investigation. And of course, as we progress with the actual analysis, detailed investigator notes that are legible and clear are key.
There aren’t many differences between the reporting techniques when investigating physical and digital crime scenes. Except, in our physical burglary scenario, we probably become very intimate with our notepad. Whereas in our digital breach scenario, we become very intimate with Notepad++.
Now that you have a foundational understanding of how physical forensic investigations compare with digital ones at a high-level, let’s dive into the actual analysis.
Everyone wants to know the root cause. How did the bad actor get into the office or the network in the first place? Depending on the complexity of the intrusion and the stealth-level of the perpetrator, addressing this objective may be glaringly obvious or quite a challenge.
In our burglary scenario, investigators evaluate the perimeter for signs of intrusion. Most burglars break in through an unlocked door or window. Some burglars simply kick the door open.
While an unlocked window may be the issue in many physical scenarios, unlocked Windows is the issue in most digital scenarios. See what I did there? Unsurprisingly, the most frequent vector of intrusion is the publicly exposed RDP port that essentially allows an unauthorized actor to waltz right into the network. Not unlike kicking the door down, cyber actors commonly launch brute-force attacks to crack their way into a target network.
In the same way that you wouldn’t leave your doors and windows unlocked, don’t leave your digital assets vulnerable and exposed to bad actors. If you simply close your RDP port — just that one step — you may block the attackers from going after low-hanging fruit.
If you close your RDP port, there is a good chance the garden-variety opportunistic burglar will move onto your neighbor who has their doors and ports wide open.
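The brute-force pattern described above is one of the first things an investigator looks for in the Windows Security log of an exposed host. This is an added example, not code from the original post: it flags sources that hammer RDP with failed logons and then succeed. The events are constructed; Event IDs 4625/4624 and logon type 10 are the real Windows values for failed logon, successful logon, and RemoteInteractive (RDP) logon.

```python
"""Added example, not from the original post: flag RDP brute-force patterns in
Windows Security log events. The events below are constructed; Event ID 4625
(failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive,
i.e. RDP) are the real Windows values an investigator would filter on."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event_id, logon_type, source_ip, username).
# 203.0.113.7 sprays three accounts over RDP and then logs in as "admin";
# 192.0.2.10 is a legitimate user who mistyped a password once.
SAMPLE_EVENTS = [
    ("2021-03-01T02:00:05", 4625, 10, "203.0.113.7", "administrator"),
    ("2021-03-01T02:00:41", 4625, 10, "203.0.113.7", "administrator"),
    ("2021-03-01T02:01:12", 4625, 10, "203.0.113.7", "admin"),
    ("2021-03-01T02:01:50", 4625, 10, "203.0.113.7", "backup"),
    ("2021-03-01T02:02:33", 4625, 10, "203.0.113.7", "admin"),
    ("2021-03-01T02:03:09", 4625, 10, "203.0.113.7", "admin"),
    ("2021-03-01T02:04:00", 4624, 10, "203.0.113.7", "admin"),
    ("2021-03-01T09:15:00", 4625, 10, "192.0.2.10", "jsmith"),
    ("2021-03-01T09:15:20", 4624, 10, "192.0.2.10", "jsmith"),
    ("2021-03-01T09:16:00", 4625, 2, "127.0.0.1", "svc_local"),  # console, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP with >= `threshold` RDP logon failures
    inside any `window`, plus the account of the first RDP success after them."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src_ip].append((t, user))
        elif event_id == 4624:
            successes[src_ip].append((t, user))
    findings = []
    for ip, fails in failures.items():
        start = 0                     # sliding window over sorted failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                later = [u for t, u in successes[ip] if t > fails[-1][0]]
                findings.append({"src_ip": ip, "failures": len(fails),
                                 "usernames": sorted({u for _, u in fails}),
                                 "success_after": later[0] if later else None})
                break
    return findings
```

A finding with `success_after` set is the digital equivalent of a kicked-in door followed by footprints inside; the source address and account named in it are where the timeline reconstruction starts.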
Analyzing evidence from objects that were handled or touched by the burglar can be very difficult. Any burglar worth their salt wears gloves and is careful not to leave behind trace evidence. Investigators look out for evidence of ransacking and rely on custodians to recognize disturbances to their property.
Believe it or not, determining unauthorized data and file access may be easier and more apparent in digital investigations than physical. Thankfully for us, digital footprints can be abundant. The operating system houses many artifacts that indicate data access by a user. For example, registry evidence stores information about the most recently opened files and folders.
The operating system may also hold evidence of keyword searches performed across the filesystem, indicating whether the threat actor was seeking specific types of content. Furthermore, registry and filesystem artifacts could signify whether programs or applications were executed and for how long they were running. There are also system artifacts that present the first and last time a file or folder was opened, as well as the number of times an application or item was accessed. A lot easier than dusting for fingerprints, eh?
The most sought-after objective in a forensic investigation is to determine what was stolen. Unfortunately, this is also the most challenging objective to fulfill.
When items are physically stolen, there is a heavy reliance on witnesses to ascertain what was taken. In the physical world, tracking down stolen items often goes beyond the crime scene. Burglars are likely to take stolen items to local pawn shops, thrift stores, post them on sites like Craigslist and eBay, and share on social media.
Similarly, cybercriminals tend to sell off stolen data on dark web markets, or publicly release the stolen data as a shaming tactic to elicit a ransom payout from victims. The hard part is that evidence of what was exfiltrated from a computer system is not clear-cut most of the time in post-breach investigations because the original files are still on the system. Theft of digital data involves the duplication of the target files and their subsequent egress from the system. So if the original files are still in the same location, how on earth do we determine what portion of data was exfiltrated?
We may be able to confirm that a burglar shuffled through a filing cabinet in the office, flipping through confidential folders, reading the file contents. If they took several of the folders, or perhaps even the entire filing cabinet, it would be obvious. Now, what if instead of taking the actual files and folders, they whip out their camera phone and start taking photos of all the file contents, leaving the original files in their place? A careful eye may be able to tell that the filing cabinet was opened, but what method is there to determine whether the contents were copied?
In the absence of surveillance or network monitoring, the only way to determine the contents of exfiltration forensically is by considering the circumstantial evidence and studying the behavioral patterns of the threat actor. In many cases, if a threat actor possessed the intent to steal data, there would be circumstantial evidence to support this.
We may observe the threat actor running keyword searches across the filesystem looking for specific types of files with valuable content. We may also observe the threat actor opening up a bunch of files and folders in rapid succession, scoping out the contents. Perhaps one of the biggest indicators of data exfiltration is the creation of ZIP or RAR archives where files are pre-positioned or packaged for easy egress. And, of course, we may identify software being leveraged for data transfer, such as FTP clients.
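Bringing together the access artifacts discussed earlier (recently opened files, keyword searches, program execution) and the staging indicators just listed, the pattern an investigator wants to surface from a host timeline is: searches, then a burst of file opens, then an archive, then a transfer tool. This is an added example, not code from the original post; the timeline events, file paths and tool names are constructed, and in a real case the same shape would be fed from normalized registry, filesystem and execution artifacts.

```python
"""Added example, not from the original post: look for the data-staging chain
(keyword searches, a burst of file opens, archive creation, transfer tool) in a
normalized host timeline. All events, paths and tool names are constructed."""
from datetime import datetime, timedelta

ARCHIVE_EXTS = (".zip", ".rar")
TRANSFER_TOOLS = {"ftp.exe", "winscp.exe"}  # illustrative, not exhaustive

# Constructed timeline: (timestamp, kind, detail)
SAMPLE_TIMELINE = [
    ("2021-03-01T02:05:10", "search", "passwords"),
    ("2021-03-01T02:06:01", "file_open", r"D:\Finance\Q4_forecast.xlsx"),
    ("2021-03-01T02:06:04", "file_open", r"D:\Finance\payroll.xlsx"),
    ("2021-03-01T02:06:07", "file_open", r"D:\Legal\contracts.docx"),
    ("2021-03-01T02:06:11", "file_open", r"D:\Legal\NDA_list.docx"),
    ("2021-03-01T02:06:15", "file_open", r"D:\HR\employees.csv"),
    ("2021-03-01T02:06:19", "file_open", r"D:\HR\salaries.csv"),
    ("2021-03-01T02:09:40", "file_create", r"C:\Users\Public\docs.rar"),
    ("2021-03-01T02:11:02", "proc_start", "winscp.exe"),
    ("2021-03-01T14:00:00", "file_open", r"D:\Finance\Q4_forecast.xlsx"),  # normal use
]

def find_staging_chain(timeline, burst_n=5, burst_window=timedelta(minutes=2),
                       follow_window=timedelta(hours=1)):
    """Return the first burst of >= burst_n file opens inside burst_window, with
    the searches before it and the archives/transfer tools that follow within
    follow_window; None if no such burst exists."""
    events = [(datetime.fromisoformat(ts), k, d) for ts, k, d in sorted(timeline)]
    opens = [(t, d) for t, k, d in events if k == "file_open"]
    start = 0
    for end in range(len(opens)):
        while opens[end][0] - opens[start][0] > burst_window:
            start += 1
        if end - start + 1 >= burst_n:
            burst_start = opens[start][0]
            while end + 1 < len(opens) and opens[end + 1][0] - burst_start <= burst_window:
                end += 1              # absorb the rest of the burst
            burst_end = opens[end][0]
            horizon = burst_end + follow_window
            return {
                "burst": (burst_start.isoformat(), end - start + 1),
                "searches_before": [d for t, k, d in events if k == "search" and t < burst_start],
                "archives": [d for t, k, d in events if k == "file_create"
                             and burst_end < t <= horizon and d.lower().endswith(ARCHIVE_EXTS)],
                "transfer_tools": [d for t, k, d in events if k == "proc_start"
                                   and burst_end < t <= horizon and d.lower() in TRANSFER_TOOLS],
            }
    return None
```

The returned chain is circumstantial, exactly as the text says: it shows that staging happened and which files were opened in the burst, not which bytes left the network.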
While we may be able to pinpoint the occurrence of data exfiltration, establishing the entirety of the stolen digital contents is near impossible unless we get very lucky and very creative.
If you’ve ever watched the TV show Dexter (yes, the one about the super meticulous serial killer), then you know how stealthy a cognizant perpetrator can be at hiding their tracks. In the real world, burglars wear gloves and masks to maintain anonymity, cover their heads to make sure hair isn’t left behind, and wipe away fingerprints, stains, and shoe prints.
Dexter took this to the extreme by encapsulating entire crime scenes in plastic wrapping and then discarding the whole package after the deed was done. While this sounds farfetched in the physical sense, it may not be difficult to pull off in the digital realm.
Cybercriminals are becoming more and more masterful at being stealthy. They use VPNs and proxies to obfuscate their identities, perform log clearances to delete their tracks, and securely wipe evidence beyond recovery using tools like CCleaner. Threat actors also leverage solutions like webshells and exploit frameworks such as Cobalt Strike, which is file-less, resides entirely in memory, and writes very little forensic data to disk. Additionally, it is typical for digital perpetrators to use fake and stolen identities when setting up bank accounts for fraudulent wire transfers.
I know we focused primarily on the similarities between physical and digital investigations for most of this blog, but I’d like to end by discussing the notable differences. One huge difference between physical and digital investigations is the duration of the timeline. As you can imagine, investigative tasks in the physical world are significantly lengthier than in the digital world. Running scientific experiments in the lab is much more time-consuming than processing digital evidence. Digital investigations need to move fast.
Unfortunately, in cyber investigations, catching the external culprit is very rare. This is because attribution in digital investigations is incredibly challenging, especially if the perpetrator resides halfway across the globe. Talk about being outside the jurisdiction!
Digital investigations also often lack eyewitnesses who can account for the incident, and these cases lack identifiable information due to technological obfuscation by the threat actor. Digital perpetrators often hijack and use legitimate user accounts, which can make it challenging to delineate the activities of the custodian from those of the attacker. Similarly, digital investigations often lack concrete evidentiary trails beyond that of the immediate crime scene.
But don’t get me wrong — while we may not have the satisfaction of seeing the culprit in handcuffs, it is still an incredibly rewarding field of work — especially if you’re someone who understands it’s less about the final destination and more about the (digital) journey.