Tuesday, November 24, 2020

Why Digital Forensics In Incident Response Matter More Now

Michael Whyte
Crime Scene Officer and Fingerprint Expert with over 7 years experience in Crime Scene Investigation and Latent Print Analysis. The opinions or assertions contained on this site are the private views of the author and are not to be construed as those of any professional organisation or policing body.

By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.

In the 1991 movie Backdraft, Robert De Niro plays the part of Donald ‘Shadow’ Rimgale, a fire department detective investigating a series of arsons in Chicago. As a former firefighter himself, De Niro’s character works closely with firefighters to piece together events based on the available evidence, both physical and circumstantial, and relies on his years of experience as both a firefighter and arson investigator.
Today’s practice of incident response (IR) is very similar to De Niro’s Backdraft character: equal parts firefighter (containing and remediating a breach as quickly as possible while minimising damage) and investigator (figuring out what exactly happened, how, from where, and why). Security analysts must first and foremost get things under control, stopping harmful or unauthorised activity as soon as it is discovered. But while a fact-based understanding of exactly what happened is important, without a root cause analysis, similar breaches can and often do simply reoccur. And though threat vectors and tools (think keyboards, computer monitors, and sophisticated software instead of flames, hoses, and fire-retardant jackets) are very different — the use cases for incident response and firefighting are actually quite similar.

Physical vs. digital forensics
Modern forensics is generally practiced in two places: law enforcement and corporate security/IT departments. While physical forensics (fingerprints, bullet trajectories, DNA testing, etc.) is often relevant to law enforcement, it is typically not a major factor in corporate security departments. However, its virtual sibling, digital forensics, is incredibly important to both constituencies.

With law enforcement, digital forensics has become more commonplace as more crime moves online, and increasingly relevant even with “offline crime” to help corroborate physical evidence and support key elements of a prosecution, like a criminal’s intent, location, or state of mind. Being able to definitively prove that someone did (or failed to do) something is the key goal, with process integrity (e.g. chain of custody) paramount.

In corporate security departments, digital forensics seeks to answer somewhat different questions than where the malware came from and how it got here. What’s more relevant is determining where the bad guys went, what they did, and what they took after they hacked into the network in the first place. The goal is to understand the details of what happened — when, how, and why — to prevent a similar intrusion in the future. (The “who” question is typically less important beyond identifying what type of actor/activity was likely involved, e.g. an eastern European crime syndicate vs. state-sponsored espionage.)

Endpoint challenges
But whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult — especially at the endpoint. Challenges in either case include accessibility of systems and data on them (e.g. cellphones), latency when pulling data from a system remotely, erroneously tipping off a user that their system is being accessed, myriad formats and devices, languages, and synthesizing data from multiple sources — to name just a few. This is where corporate security departments enjoy the benefits of decades of laborious work by law enforcement and vendors that supply them with tools: no matter how challenging a scenario may be, law enforcement has seen and handled it before, often with a higher degree of difficulty.

Rock-solid forensic tool sets become even more critical when looking at the velocity, volume, and variety of data corporate security departments must sift through on a daily basis. Most large security teams see thousands or tens of thousands of alerts every day. Whether proactively hunting for threats on endpoints, validating alerts from a next-gen firewall, integrating threat intelligence, or correlating log data, network traffic, and endpoint artifacts in a SIEM, forensics is everywhere in today’s IR.
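The correlation step the paragraph above mentions, reconstructing "where they went, what they did, and when" from log data, network traffic and endpoint artifacts, comes down to normalising timestamps and identities from several sources into one timeline. The following is an added example written for this page, not code from Information Week or from this site: it merges three constructed log fragments (a firewall syslog line, a key=value endpoint log, and a proxy CSV) into a single UTC-ordered timeline and pivots on one host. The sample lines, the IP-to-hostname asset map, and the assumption that the firewall writes local time at UTC-5 without a year are all constructed for illustration.

```python
"""Merge constructed firewall, endpoint and proxy logs into one UTC timeline."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
import csv
import io
import re


@dataclass(order=True)
class Event:
    ts: datetime      # always timezone-aware UTC after normalisation
    source: str       # which log the event came from
    host: str         # hostname after resolving IPs through the asset map
    summary: str      # short human-readable description


# --- Constructed sample data (not from any real incident) -------------------
FIREWALL_SYSLOG = """\
Nov 24 09:15:02 fw01 kernel: ACCEPT SRC=10.0.5.23 DST=203.0.113.7 DPT=443
Nov 24 09:17:45 fw01 kernel: ACCEPT SRC=10.0.5.23 DST=203.0.113.7 DPT=443
"""
ENDPOINT_LOG = """\
2020-11-24T14:14:30Z host=WS-0523 user=jdoe event=ProcessCreate image=C:\\Users\\jdoe\\Downloads\\invoice.exe
2020-11-24T14:16:10Z host=WS-0523 user=jdoe event=FileWrite path=C:\\Users\\jdoe\\AppData\\Roaming\\x.dll
"""
PROXY_CSV = """\
timestamp,client_ip,url,status
1606227300,10.0.5.23,http://203.0.113.7/update.bin,200
"""
ASSET_MAP = {"10.0.5.23": "WS-0523"}          # assumption: IP -> hostname
SYSLOG_YEAR = 2020                             # assumption: syslog has no year
SYSLOG_TZ = timezone(timedelta(hours=-5))      # assumption: firewall logs local time


def parse_firewall(text: str) -> list:
    """Classic syslog: no year, local time. Re-add the year and convert to UTC."""
    pat = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (\w+) "
                     r"SRC=(\S+) DST=(\S+) DPT=(\d+)")
    events = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        stamp, action, src, dst, dpt = m.groups()
        local = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        ts = local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
        events.append(Event(ts, "firewall", ASSET_MAP.get(src, src),
                            f"{action} {src}->{dst}:{dpt}"))
    return events


def parse_endpoint(text: str) -> list:
    """ISO-8601 'Z' timestamps followed by key=value pairs."""
    events = []
    for line in text.splitlines():
        stamp, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        detail = kv.get("image") or kv.get("path") or ""
        events.append(Event(ts, "endpoint", kv["host"],
                            f"{kv['event']} {detail} by {kv['user']}"))
    return events


def parse_proxy(text: str) -> list:
    """CSV with epoch-second timestamps; client IP resolved via the asset map."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromtimestamp(int(row["timestamp"]), tz=timezone.utc)
        host = ASSET_MAP.get(row["client_ip"], row["client_ip"])
        events.append(Event(ts, "proxy", host, f"GET {row['url']} -> {row['status']}"))
    return events


def build_timeline() -> list:
    """All sources merged and sorted by normalised UTC timestamp."""
    events = parse_firewall(FIREWALL_SYSLOG) + parse_endpoint(ENDPOINT_LOG) \
        + parse_proxy(PROXY_CSV)
    return sorted(events)


def events_for_host(host: str) -> list:
    """Pivot: everything the timeline knows about one endpoint."""
    return [e for e in build_timeline() if e.host == host]


def dwell_seconds(host: str) -> float:
    """Seconds between the first and last observed event on a host."""
    evs = events_for_host(host)
    return (evs[-1].ts - evs[0].ts).total_seconds() if evs else 0.0


if __name__ == "__main__":
    for e in build_timeline():
        print(f"{e.ts.isoformat()}  {e.source:9} {e.host:8} {e.summary}")
    print("dwell on WS-0523:", dwell_seconds("WS-0523"), "s")
```

Run stand-alone it prints the merged timeline, which shows the endpoint process creation preceding the proxy fetch and firewall ACCEPTs by seconds: that ordering is only visible once the three clocks and the IP-to-host mapping have been reconciled, which is the practical reason timestamp and identity normalisation sit at the heart of SIEM correlation.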

You don’t have to be a fan of Robert De Niro movies to understand how important forensics is to arson investigations… and IR. Just like De Niro’s character in Backdraft, today’s IR practitioner must rely on proven forensics tools in order to nab the bad guy.

Source: Information Week
