Friday, June 22, 2007

Forensic Incident Response - the groundwork

No, this isn't just the name of this blog. It's a concept and a term I proposed about 18 months ago, and it would appear that others are now using it as well.

So just what is Forensic Incident Response? I'd like to think of it as the application of Digital Forensics [Science] methods and techniques to the art of Incident Response, a blend of the two. For as long as I can remember, Incident Response has been regarded as a black art: the responder arrived on scene, made some people nervous, and worked some magic to help determine the cause of the problem, propose resolutions, and keep the enterprise humming along. The role of the incident responder has changed drastically in recent months and will continue to do so as legal precedent is set that demands we collect volatile data, and not just collect it, but collect it with a forensic awareness. First the Heckenkamp decision, now the MPAA case regarding RAM. On top of this we are seeing the DOJ state that volatile data must be collected. We must apply forensics to incident response because what occurs during the response may end up in court, and we need to move away from being just black artists. The times, they are a-changing.


If Incident Response is like being an EMT (and I happen to think it is), then it's time we put on two hats during our response effort and move past being just the EMT. We can no longer be satisfied with the PDACERF and PICERF methodologies; both are missing what should be a requirement: Investigation. In a Forensic Incident Response we need to respond with the efficiency of an EMT and the precision of a forensic investigator. Whereas an Incident Responder functions largely on intuition and experience, a forensic investigator must apply scientific objectivity and reserve conclusions until all the facts are known. As such, I propose adding a formal Investigation phase to the incident response methodologies common today, to make the responder more aware of the need for a forensic incident response.

Let's look at the current methods quickly.

PDACERF:
Preparation
Detection & Analysis
Containment
Eradication
Recovery
Follow-up

PICERF:
Preparation
Identification
Containment
Eradication
Recovery
Follow-up

My proposal is:
Preparation
Detection & Analysis
Containment
Investigation
Eradication
Recovery
Follow-up

One thing to note: I think Investigation needs to run in parallel with the ERF phases of the response in order to be as effective as possible. Basically we need to branch the response into continued response (ERF) and Investigation.

If you were to use the EMT analogy here, Detection would be arriving on scene and finding the person in need, and Analysis would be the situational assessment, where you determine the breadth and depth of the incident, or whether what you're dealing with is actually an incident at all. Containment[1] is the act of stabilizing the "victim" and the scene. Investigation is immediately moving to the identification and collection of artifacts.

So, let's talk a little about just what is included in the investigation phase of a Forensic Incident Response.
So there is no semantic confusion here:
Data - digital information
Artifact - traces of activity
Evidence - artifacts used to support a claim

1) Identification of data of interest.
Ask yourself where you want to collect data from. Will it be relevant? Can you collect it efficiently? Is it worth it?

2) Collection[2] of data of interest.
Do you have the tools to collect it? Can you collect it in a manner that is documented, explainable and minimally invasive?

3) Preservation of data of interest.
After collection, the data must be preserved. Preservation means establishing the chain of custody, validating the collected data through hashing, and properly storing the data of interest.

4) Analysis of data of interest.
Once the data has been collected, the responder should begin to analyze the collected data for artifacts.

5) Reconstruction
If artifacts of value are found, then a reconstruction effort should take place. Reconstruction is the act of determining what created the artifact and crafting an explanation. Knowledge of how artifacts are created is a moving target. If you don't know the answer, don't make one up to support your argument. Apply a scientific methodology, and remember evidence dynamics: the response actions and the collection itself change the state of the system, so account for your own footprint before attributing an artifact to the intruder.

6) Reporting
A final report is a given. Report your findings accurately and truthfully. Do not speculate, and do not present assumptions as fact.

[1] On containment... Containment during a forensic incident response is a tricky subject. The act of containing a system can lead to the loss of useful network-based artifacts. As such, before containment I would suggest a few things, if possible. Ensure your routers are collecting NetFlow data. Implement an emergency network-based collection system. Ideally this system is connected to the local switch where the victim system sits, either on a SPAN port or through a network tap; a SPAN port is quicker to set up but can silently drop packets when the switch is oversubscribed, whereas a tap does not. This system should be capable of keeping up with LAN line speed and should collect all traffic in pcap format using something like tcpdump. Just as an image of physical memory is a requirement, so should a network state snapshot be. Network-based collection should take place during the entire response effort.

[2] On collection... It's a fact that the act of collection will modify the original. It's inevitable and unavoidable, and your collection will not be pristine. The goal is to be minimally invasive, or least intrusive, and as efficient as possible. Your tool should accurately collect as much relevant data as possible while leaving the smallest footprint possible. Collection will leave traces on the system, so you must know your tools ahead of time: run them in a lab first, document what they change (processes, files, network connections), and record which tool and version produced each collected item, so that later you can tell your own footprint apart from the intruder's.
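As an added example (not part of the original post, and not a tool the author describes), here is a small POSIX shell helper that puts steps 2 and 3 above and the network collection of footnote [1] into practice: every collected file (a memory image, a volatile-data dump, a rotated pcap) is hashed the moment it lands, the hash is appended to a chain-of-custody manifest together with the collector, host, time and the tool that produced the file (footnote [2]), and the manifest can be re-verified later to prove nothing changed. The tab-separated manifest layout, the `/evidence` paths and the tool labels are my assumptions; the tcpdump command in the comment uses only documented options (`-G` rotation with a strftime file name, `-z` post-rotate hook), with the interface as a placeholder.

```shell
#!/bin/sh
# Added example, not the author's code. Seal collected artifacts into a
# chain-of-custody manifest and re-verify them later.
# Assumed manifest layout (tab-separated, one line per sealed file):
#   timestamp  host  collector  tool  sha256  path

tab=$(printf '\t')

# Hash a file with whichever SHA-256 tool the collection box has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# seal_artifact FILE MANIFEST [TOOL]
# Appends one custody record and prints the hash so the caller can log it.
# TOOL is free text: the name and version of the collection tool that
# produced FILE (footnote [2]: know your tools, and record which one you used).
seal_artifact() {
    file="$1"; manifest="$2"; tool="${3:-unknown}"
    [ -f "$file" ] || { echo "seal_artifact: no such file: $file" >&2; return 1; }
    sum=$(hash_file "$file")
    # ISO-8601 UTC timestamp, collection host, collector, tool, hash, path
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$(id -un)" \
        "$tool" "$sum" "$file" >> "$manifest"
    echo "$sum"
}

# verify_manifest MANIFEST
# Re-hashes every sealed file. Returns 0 only if every file is present and
# still matches the hash recorded at collection time.
verify_manifest() {
    manifest="$1"; status=0
    while IFS="$tab" read -r ts host who tool sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2; status=1; continue
        fi
        now=$(hash_file "$path")
        if [ "$now" = "$sum" ]; then
            echo "OK       $path (sealed $ts by $who@$host with $tool)"
        else
            echo "MISMATCH $path (sealed $sum, now $now)" >&2; status=1
        fi
    done < "$manifest"
    return $status
}

# Network collection (footnote [1]): tcpdump can call this script after
# every rotation so each pcap is sealed as soon as it is closed. Interface
# and paths are placeholders:
#   tcpdump -i eth1 -s 0 -n -G 300 \
#       -w /evidence/net/cap-%Y%m%d-%H%M%S.pcap \
#       -z /evidence/bin/seal.sh
# tcpdump runs the hook with the closed savefile as its single argument.
if [ $# -eq 1 ]; then
    seal_artifact "$1" "$(dirname "$1")/manifest.tsv" "tcpdump post-rotate hook" >/dev/null
fi
```

Usage on a live response: right after each collection run `seal_artifact /evidence/host1/memory.raw /evidence/host1/manifest.tsv "memory imager 1.0"` (tool label is whatever you actually used), and before analysis or hand-off run `verify_manifest /evidence/host1/manifest.tsv`. The hash proves the file has not changed since sealing; it does not prove who sealed it, so the manifest still belongs alongside the signed physical custody form rather than in place of it.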
