Imagine a murder scene: a broken window, muddy footprints, a knife and a body.
Now imagine a computer incident: Hundreds of encrypted files. A ransom text file. A remote connection from an external Internet Protocol (IP) address.
How does someone investigating such a security breach wind back the clock and peer into the past? What stories can voiceless clues tell? How can we separate evidence from background noise? What should an IT team do, or not do, to assist an investigation?
Locard’s Exchange Principle, summed up as “every contact leaves a trace,” is as intuitive as it is mind-opening. At the time of early crime labs, it applied to physical evidence: broken glass, fingerprints, footprints, hairs, fibers, tool marks and the like. Two bodies coming into contact will exchange material and affect one another. By discovering and interpreting such evidence, an investigator can peer into the past. While eyewitnesses might misremember what they saw, physical evidence simply is what it is.
This principle also applies in the world of digital technology. We are surrounded by complex, interconnected computer systems such as the phones in our pockets, the computers on our desks, the circuit boards in our cars. But instead of the physical traces left by physical objects, the digital world is one of digital traces.
A typical laptop runs on a complex suite of software. Computers are constantly at work writing debug data, recording user logons, updating system files and adjusting configurations in response to user activity. Whether for diagnostics, improving the user experience, incidental side-effects or a myriad of other reasons, to the forensic analyst it boils down to one principle: every contact leaves a trace.
The simple operation of opening a desktop folder leaves behind a timestamped record. Whenever a user opens a folder, Windows records and updates display preferences (such as icon size) for when that user next views that specific folder. To Windows, it’s a display preference. To the forensic analyst, it’s evidence of folder interaction.
Whether it’s a visit to an e-commerce site, opening personal webmail, copying a file to a thumb drive or installing malware, traces of activity will be left behind. Web browsers keep a treasure trove of data, from a detailed history of website visits to auto-completion text to stored passwords to cached content snippets. Connecting to a network file share or remoting into another desktop will leave distinct tracks. Plugging in a thumb drive leaves traces behind indicating when it was first connected as well as its serial number. Even connecting to a wireless network leaves evidence of the connection behind.
This data, scattered throughout the hard drive, is a boon for the forensic investigator. Be it a cybersecurity incident or an internal fraud investigation, the hard drive is littered with hidden evidence, waiting to be extracted like artifacts buried in the sand. Each artifact on its own might not tell the full story, but a trained investigator can piece together the sequence of events just as well as from a discarded hammer, broken glass and footprints in the mud.
The same properties that make digital environments so abundant with evidence can also work against an investigation. Imagine someone stumbles upon a murder scene after coming in from the rain. They leave muddy footprints throughout the room, then pick up the knife and move the body. Only then do they leave to report what they found, knocking over a vase in the process. When the forensics team arrives, they find it wasn’t just the perpetrator who left a trace!
Too common is the story of the helpful manager or IT personnel who boots up a laptop to “look around” before the investigators are called. By simply turning it on, they have already altered it. Windows has already written dozens of log entries and registry settings. Merely opening a folder overwrote metadata that might never be recovered. Opening a document triggered an auto-save, changed internal metadata and created multiple references in the operating system. Deleting an odd-looking file removed the last trace of malware. Even leaving the computer on for two weeks can lead to full log files being idly overwritten by the operating system.
The investigator must contend with these digital muddy footprints. At best, it adds noise that must be filtered and ignored during analysis. At worst, it can overwrite critical evidence and render the original unrecoverable. For this reason, it’s important to involve the investigator from the start.
Prepare for the digital investigation
A top priority in any investigation is to properly gather evidence. Preserving data early mitigates the risk of critical data points being intentionally or accidentally overwritten, manipulated or otherwise lost. This can be as simple as extracting system logs and as comprehensive as performing a bit-for-bit forensic image capture of entire hard drives. Once evidence is safely preserved, the investigation team can examine the data without worrying that the well could turn up dry tomorrow. This often involves processing the collected data with powerful analysis software in the lab. Besides the evident value in logs, full computer hard drives are a treasure trove that reveal user and system activity. Investigators weave each individual data point into a cohesive tapestry, tracing each event back through the past.
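Preserving evidence is only useful if you can later show it has not changed since collection. The following is an added example, not code from the original article: it records a SHA-256 hash and collection details for an acquired image in a manifest at acquisition time, then verifies the data against that manifest later. The evidence identifier, source description and the tiny sample image are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def hash_bytes(data: bytes) -> str:
    """SHA-256 of the acquired evidence, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence_id: str, source: str, data: bytes, collected_by: str) -> dict:
    """Record size, hash and collection details at the moment of acquisition.

    The manifest is what the investigator later compares the preserved copy against.
    """
    return {
        "evidence_id": evidence_id,
        "source": source,
        "size_bytes": len(data),
        "sha256": hash_bytes(data),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_manifest(manifest: dict, data: bytes) -> bool:
    """True only if the data still matches the size and hash recorded at acquisition."""
    if len(data) != manifest["size_bytes"]:
        return False
    return hash_bytes(data) == manifest["sha256"]


# Constructed stand-in for a bit-for-bit image of a small volume (not real disk data).
SAMPLE_IMAGE = b"\x00" * 512 + b"MSDOS5.0" + b"\x00" * 1024
# Hypothetical evidence id and source description.
MANIFEST = build_manifest("EV-0001", "laptop HDD image (constructed)", SAMPLE_IMAGE, "analyst")

if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2))
    print("intact:", verify_manifest(MANIFEST, SAMPLE_IMAGE))
    # A single altered byte, e.g. from an idle auto-save, breaks verification.
    tampered = SAMPLE_IMAGE[:512] + b"X" + SAMPLE_IMAGE[513:]
    print("tampered:", verify_manifest(MANIFEST, tampered))
```

In practice the manifest is written to a separate, write-protected location alongside the image so the hash cannot be quietly updated with the data.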
While digitally-stored logs and other artifacts are fragile, there are many things an organization can do to proactively position itself for a successful forensic investigation.
- Establish and maintain policies for how evidence should be handled during internal investigations and incident responses.
- Train staff involved in investigations (such as human resources, information technology and cybersecurity) to understand the importance of preserving evidence and to follow policies.
- Engage IT in initiatives to ensure sufficient logs are centralized, stored and retained for when needed.
- Assemble a team, made up of internal staff, external consultants or both, to respond in the event of an investigation.
When a cyber incident occurs or staff act inappropriately, it becomes more challenging to react with the speed and care an investigation demands. Preparing in advance helps ensure data is not lost forever. Planning, training and logging can increase the likelihood the evidence is still there, instead of being covered in your own well-intended muddy footprints.