Acquiring the information and evidence

The stage is set, the objectives are clear, and it is time for us to get started. As mentioned in the earlier chapters, we needed to have a plan in place; now is the time the plan goes into action.

However, before we begin, we need to lay a strong emphasis on the way we go about acquiring the information and evidence. A tiny slip up in the way we handle this can have widespread ramifications. Therefore, we need to focus on how to handle this stage.

Important handling guidelines

As you have learned in the earlier chapters, digital evidence is extremely fragile. In fact, just like medicines, digital evidence comes with an expiration date. The impermanence of data in memory, the periodicity of log rotation, volatile storage, the degradation of data on media, and the malware itself all contribute to the significant loss of valuable evidence unless it is gathered, stored, and handled with due care.

All the investigators need to consider the following points:

  • All actions that are performed should be in the purview of the law
  • All actions that are performed should be in the purview of company policy
  • An attempt should be made to gather all the information related to an incident before starting the evidence-gathering process; this enables a better understanding of the case and helps the investigator document the possible sources of evidence
  • The process of evidence gathering should not, in itself, alter the evidence in any way
  • All the evidence that is gathered should be an authenticated copy of the original
  • Separate secure storage for the gathered evidence should be made available to ensure integrity and chain of custody
  • An emphasis should be made in properly documenting the whole process in a manner that can stand up in a court of law if required

For the purpose of the rest of the chapter, we will assume that our investigating teams took all the necessary precautions while pursuing the case. We also emphasize that all the policies and procedures are adhered to while accessing evidential data.

Gathering information and acquiring the evidence

The first part of the acquisition stage involves gathering all the information related to the case.

The beginning of the investigation involves a study of the trigger to determine the next course of action.

In our case, the e-mail to the CEO was the trigger. Therefore, the e-mail was the first bit of information that was examined to kick off the investigation.

A preliminary discussion with the CXO team as well as a detailed look at the e-mail headers brought the following interesting facts to light:

  • The CEO's direct e-mail ID was not known outside the organization. In fact, all the mails sent to the CEO would actually land at his assistant's desk and she would filter and then forward very few critical mails. Therefore, a direct e-mail from a miscreant demanding ransom came as a shock. This seemed to indicate a very high level of intrusion into the corporate systems and/or insider involvement.
  • The e-mail under examination was sent with an attachment that contained the sensitive data sample. This was in the form of a ZIP file of about 19 MB. The e-mail system was configured to reject all files over 20 MB. This could be a coincidence or a consequence of an in-depth understanding of the corporate e-mail system. It was the investigator's job to prove or disprove the coincidence.
  • The ZIP file contained three confidential files, each of which the CXO team explained was sourced from different systems in the organization. It was also emphasized that the knowledge of the existence of these files was very restricted and known only to a few employees that had actually worked on the project. None of the separate teams were aware of the existence of the other two files, except the members of the leadership team present in the room.
  • A preliminary examination of the e-mail headers showed that the mail had originated from Tor mail. A visit to the Web showed that this service runs over the encrypted, anonymous Tor network and requires the Tor browser to access it. It is used by people who wish to communicate over e-mail anonymously.
  • Other details, such as email content, date and time, time zones, header IDs, and so on were noted in the e-mail.
  • The e-mail content mentioned that the hacker had over 10 GB of data and would expose it unless the ransom was paid.
  • The latest versions of the documents were compared with the contents of the ZIP file, and it was determined that the files in the ZIP were not more than a couple of days old. This was cross-verified against the date and time of the files in the ZIP.

The following image depicts the header of a ZIP file. As seen, the date and time of the ZIP file modification are stored in the header. This usually depicts when the ZIP file was modified in order to add or remove a file to the archive:

[Figure: the header of a ZIP file, showing the modification date and time fields]
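As an added example (not from the book), the following Python script builds a small constructed archive in memory and then reads the modification date and time straight out of the raw local file header, which is how an examiner would verify the timestamps described above against a hashed copy rather than trusting an archive tool's display. The file name and timestamp are constructed sample values.

```python
import io
import struct
import zipfile
from datetime import datetime

LOCAL_FILE_HEADER_SIG = 0x04034B50  # bytes "PK\x03\x04" read little-endian


def decode_dos_datetime(dos_date: int, dos_time: int) -> datetime:
    """Decode the MS-DOS packed date/time used in ZIP headers.

    Resolution is 2 seconds and the year is stored as an offset from 1980,
    so timestamps recovered this way are approximate by up to one second.
    """
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def list_local_headers(data: bytes) -> list:
    """Walk the local file headers of a ZIP image; return (name, mtime) pairs.

    The same date/time fields also appear in each central directory entry;
    comparing the two is a cheap consistency check on a suspect archive.
    """
    entries = []
    pos = 0
    while pos + 30 <= len(data):
        (sig, _ver, _flags, _method, mtime, mdate, _crc, comp_size,
         _size, name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        if sig != LOCAL_FILE_HEADER_SIG:
            break  # no more local headers; central directory starts here
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8")
        entries.append((name, decode_dos_datetime(mdate, mtime)))
        pos += 30 + name_len + extra_len + comp_size  # skip to next header
    return entries


def build_sample_zip() -> bytes:
    """Construct a one-file archive with a fixed, made-up timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("project_plan.docx", date_time=(2015, 3, 10, 22, 47, 31))
        zf.writestr(info, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, mtime in list_local_headers(build_sample_zip()):
        print(name, mtime.isoformat())  # note the odd second rounds down to 30
```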

All the processes, actions taken, and files examined were duly documented and hashed. The copies were stored in a secure environment.

Based on the information gathered so far, the investigation team could infer a few pieces of information, as shown in the following:

  • The attacker(s) had a strong insight into the organization hierarchy as well as the network architecture
  • Sensitive data had been successfully collected from specific systems by person or persons unknown
  • The data had been exfiltrated from the organizational network as recently as two days prior to the receipt of the e-mail
  • The attacker(s) was/were technically savvy and quite aware of the security perimeter around the organization's network

Due to the time-sensitive nature of the exercise, it was decided to adopt a layered approach to the investigation process. Rather than trawling through tons of logs over many months, it was decided that a quick selective first phase would be initiated, followed by a full-fledged collection and analysis of the logs in order to identify the modus operandi of the attackers, understand the breach methodology, and suggest remedial measures.

As part of the initial evidence acquisition process, the following actions were taken:

  • The logs for the past one month were collected, as follows:
    • Firewall
    • IPS/IDS
    • Proxy servers
    • DNS requests
    • Domain authentications
    • Anti-virus alerts
    • File access
    • E-mail server logs
  • System memory image acquisition for four different systems was authorized. This included the CEO's system as well as the other three systems that were identified as the potential source of sensitive files sent to the CEO in the e-mail attachment.
  • Media acquisition to create disk images of the three systems with sensitive files was authorized. This was to be done during the out-of-work hours to prevent anyone from being alerted about the investigation.

All the preceding information and evidence was forensically acquired for further analysis. It was explicitly understood that the analysis of this data may reveal more clues, leading us back to the acquisition stage to acquire additional data and information that may have a bearing on our case.

For example, it was understood that a study of the acquired logs may help identify the system from where the exfiltration took place and an acquisition of the memory and media would be required to further the investigative process. Therefore, we need to keep in mind that this is an iterative process and we may be required to go back to gather further data based on the facts uncovered during the analysis phase.
