Though cyber forensics and incident response have become a vital need given the
growing cyber threats against enterprises, they are generally overlooked until
a major security breach occurs. The result is unnecessary loss of time and money,
not to mention the stress of crisis management.
As enterprise networking environments continue to expand in diversity, scope
and geography, and the volume of digital information grows from a few hundred
megabytes per workstation to terabytes of local storage, the number of cyber
attacks and crimes targeted at enterprises grows manifold.
For an enterprise, the initial response time following an attack or incident
is the most crucial. A calculated and planned response is therefore an
organization's best line of defense against the compromise of critical
business systems. An enterprise that lacks an internal team of cyber forensics
investigators may not be able to quickly stabilize its network and data or
preserve forensic evidence.
Tools of the Trade
A few of the tools used: The Coroner's Toolkit.
Best Approach
At a broader level, cyber forensics can be classified into four steps:
- Acquisition: the digital evidence collection process, establishing specific
steps to guarantee the integrity of digital evidence and to collect memory
contents.
- Examination and Querying: in this phase computers should not simply be turned
on, as every time a computer is powered on the access times of certain files
are altered, and these may be crucial to the investigation. Ensure the seized
media is write-protected; there are several methods of doing this, and the
preferred practice will depend on experience, available tools and company
policy. The next step is creating a bit-for-bit copy of the seized data,
followed by identifying and separating potentially useful data from the imaged
dataset.
- Normalization and Analysis: the purpose of this phase is to present only the
necessary and relevant facts, and only to the proper people, so that they
understand what occurred and what might need to be done. The extracted relevant
data is normalized to a format or nomenclature that is easily and commonly
understood by investigators.
- Reporting: the final stage, where the analyzed data is presented in a
persuasive and evident form that can be understood by human investigators and
produced in a court of law.
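The acquisition and examination steps above, as an added Python example that is not part of the original article: it images a constructed sample file standing in for seized media, hashes the source before and after imaging so that any modification a missing write-blocker would allow is caught, verifies the image hash, and then pulls candidate artifacts with their byte offsets from the image rather than from the original. The file names, the sample contents and the e-mail pattern are assumptions for illustration.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read: streams large media without loading it into RAM
# Constructed sample "device" standing in for a seized disk (not real evidence).
SAMPLE_DEVICE = b"\x00" * 512 + b"contact: analyst@example.com\n" + b"\xff" * 256

def sha256_of(path):
    """Stream-hash a file (device or image) so large media never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Bit-for-bit copy of `source` into `image`, verified by hashing. The source
    is hashed before and after imaging: a mismatch means it changed while being
    read (no write-blocker or a live mounted device). Returns a custody record."""
    before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    if sha256_of(source) != before:
        raise RuntimeError("source changed during acquisition: was it write-protected?")
    image_hash = sha256_of(image)
    if image_hash != before:
        raise RuntimeError("image hash differs from source hash: acquisition failed")
    return {"source": os.path.abspath(source), "image": os.path.abspath(image),
            "size_bytes": os.path.getsize(image), "sha256": image_hash,
            "acquired_utc": datetime.now(timezone.utc).isoformat()}

def find_artifacts(image, pattern=rb"[\w.+-]+@[\w-]+\.[a-z]{2,}"):
    """Examination on the image, never the original media: (byte offset, match)
    pairs for e-mail-like strings. Reads the whole file; scan a real image in chunks."""
    with open(image, "rb") as f:
        data = f.read()
    return [(m.start(), m.group().decode("ascii", "replace"))
            for m in re.finditer(pattern, data)]

def demo(workdir=None):
    """Write the sample device into `workdir`, image it, then examine the image."""
    workdir = workdir or tempfile.mkdtemp()
    dev, img = os.path.join(workdir, "sdb.raw"), os.path.join(workdir, "sdb.dd")
    with open(dev, "wb") as f:
        f.write(SAMPLE_DEVICE)
    return acquire(dev, img), find_artifacts(img)
```

The custody record returned by acquire is what the reporting step later cites; hashing a multi-terabyte device twice is slow, which is exactly why a hardware write-blocker is the preferred practice where one is available.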
In a big enterprise, the ability to rapidly detect and classify malicious
activity within network traffic is a challenging problem, exacerbated by large
datasets and functionally limited manual analysis tools.
Cyber crime has forced computer and law enforcement professionals to develop
new areas of expertise and new avenues for collecting and analyzing evidence.
As network intrusions, malicious insiders and criminal or terrorist organizations
take aim at corporate networks, the ability to investigate these incidents is
becoming imperative. Enterprises should seriously consider building an internal
incident response team that can effectively address any kind of cyber attack.
Debasis Mohanty
mail@dqindia.com
The author works for an MNC as a senior security researcher