search

Data Collection & Analysis From The New Leads & Impacted Systems

hashtag
1. Data Collection Approaches

Purpose: To collect and preserve evidence from systems identified as impacted or containing IOCs.

  • Why: Proper data collection ensures that valuable artifacts are preserved for analysis while maintaining the integrity of the evidence.

hashtag
2. Live Response vs. System Shutdown

Purpose: To decide between live response and system shutdown based on the investigation goals and potential loss of volatile data.

  • Why: Live response preserves volatile data (e.g., RAM), but risks altering the system state. Shutting down a system preserves disk-based artifacts but loses volatile data.

  • Technical Example:

    • Live Response:

      • Collect predefined artifacts from a running system:

        # Collect running processes
ps aux > processes.txt

# Capture open network connections
netstat -anp > network_connections.txt

# Export Windows Event Logs
wevtutil epl Security security.evtx

      • Use tools like FTK Imager or CyLR for automated live response:

        CyLR.exe --output C:\Evidence\LiveResponse.zip

    • System Shutdown:

      • Power off the system only if RAM-based artifacts are not critical:

        sudo shutdown -h now

      • Create a forensic disk image using tools like dd or FTK Imager:

        dd if=/dev/sda of=/mnt/external/evidence.img bs=4M

hashtag
3. Minimizing Evidence Alteration

Purpose: To ensure that the collection process does not alter or destroy evidence.

  • Why: Any interaction with the system can modify timestamps, logs, or other artifacts, potentially compromising the investigation.

  • Technical Example:

    • Use Write-Blocked Devices:

      • Connect external drives with write-blocking hardware to prevent modifications during imaging:

    • Minimize Commands Executed:

      • Limit commands to essential ones and document all actions taken:

hashtag
4. Analyzing Collected Data

Purpose: To examine collected data for new leads and answers to investigative questions.

  • Why: Analysis uncovers attacker activity, persistence mechanisms, and lateral movement, helping to reconstruct the attack timeline.

  • Technical Example:

    • Malware Analysis:

      • Analyze suspicious files using static and dynamic analysis tools:

    • Disk Forensics:

      • Examine disk images for deleted files, registry changes, or hidden artifacts:

    • Memory Forensics:

      • Extract and analyze volatile data from memory dumps:

hashtag
5. Updating the Incident Timeline

Purpose: To incorporate new findings into the incident timeline for a comprehensive understanding of the attack.

  • Why: The timeline provides a chronological view of events, helping to identify gaps and correlate evidence.

  • Technical Example:

    • Add New Events to the Timeline:

hashtag
6. Maintaining Chain of Custody

Purpose: To ensure the integrity and admissibility of evidence in legal proceedings.

  • Why: A documented chain of custody proves that evidence has not been tampered with.

  • Technical Example:

    • Document Evidence Handling:

    • Verify Integrity with Hashes:

      • Generate and verify hashes for collected data:

hashtag
Conclusion

Data collection and analysis are critical steps in uncovering new leads and answering investigative questions. Whether performing live response or shutting down a system, it is essential to preserve evidence while minimizing alterations. Tools like Volatility, FTK Imager, and dd enable efficient collection and analysis of artifacts.

Updating the incident timeline with validated findings ensures a comprehensive understanding of the attack. Maintaining a proper chain of custody guarantees that evidence remains court-admissible if legal action is pursued. By leveraging advanced techniques like memory forensics and malware analysis, investigators can uncover sophisticated attack patterns and strengthen the organization's defenses against future threats.

Last updated