
Chapter 20 - 06 - Digital Evidence Sources to Support Forensic Investigation - 02



Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Digital Evidence Sources: Security Solutions

- SIEM Dashboards: SIEM dashboards visualize actionable data from various log events and assist investigators in analyzing current log data and identifying abnormal behavior patterns.
- Sensors: Sensors aggregate logs from various neighboring sources and correlate them with device data, which investigators then use to identify patterns that deviate from the normal activities of a user or the usual traffic flow in a network.
- Sensitivity: Security specialists apply correlation rules to assign sensitivity levels to aggregated data; this can also be achieved by implementing AI and ML capabilities in security solutions. Segregating data by sensitivity level facilitates log analysis during investigations.
- Automated Alerts: Alerts are generated by the sensors implemented in security solutions and network hardware appliances when they encounter attack signatures. They are classified by threat severity level (low, medium, and high); alert categories and views include warning alerts, critical-level alerts, compliance alerts, action object alerts, the alert overview, and alert rules.
- Correlation: Security solutions apply correlation rules to integrate multiple log sources and transform the data into useful information. Correlated logs help investigators track the timeline of the events that led to a security incident.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

SIEM Dashboards

SIEM dashboards visualize actionable data from various log events and represent the information in a chart or graphical format. These dashboards contain auto-update or auto-alert features that assist security specialists or investigators in analyzing current log data and identifying abnormal behavior patterns.
Module 20 Page 2232 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Sensors

Sensors are important components of security solutions such as Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), which can actively identify unusual behavior patterns. These sensors aggregate logs from various neighboring sources and correlate them with device data; investigators can use this information to identify patterns that deviate from the normal activities of a user and the usual traffic flow in a network. The effectiveness of sensors depends on the internal architecture of the network and where the sensors are deployed.

Sensitivity

One of the major challenges in security solutions is assigning sensitivity levels so that benign activity is not reported as a risky event (a false positive). When the SOC of an organization deploys a security solution such as an on-premises SIEM without tuning its sensitivity, everything is reported as an event, which makes it difficult to pick out high-risk incidents. Security specialists apply correlation rules to assign sensitivity to aggregated data; this can also be achieved by implementing AI and ML capabilities in security solutions. Segregating data by sensitivity level facilitates log analysis when investigating an incident.

Automated Alerts

Alerting is a process that automates the evaluation of correlated events and triggers security alerts to notify security specialists via a dashboard or email. Alerts are generated by the sensors implemented in security solutions and network hardware appliances when they encounter an attack signature. They are classified by threat severity level (low, medium, and high); alert categories and views in a typical solution include warning alerts, critical-level alerts, compliance alerts, action object alerts, the alert overview, and alert rules.
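The sensor, sensitivity, alerting and correlation steps described above, as an added example that is not part of the course material: a minimal correlation engine run over a handful of constructed log events. The key=value log format, the source addresses (documentation ranges) and the brute-force rule are assumptions made for the example; real SIEM rule syntax differs by product.

```python
"""Added example (not EC-Council course material): a minimal SIEM-style
correlation engine run over constructed log events.

Pipeline modelled on the text: sensor events are normalized, a correlation
rule groups events by a shared attribute (source IP), a sensitivity threshold
suppresses low-volume noise, and an automated alert with a severity level and
an event timeline is raised for an investigator.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value syslog style. Two sensors
# (an authentication server and a firewall) feed the same correlation engine.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z sensor=auth src=203.0.113.7 user=alice outcome=failure",
    "2024-05-01T10:00:05Z sensor=auth src=203.0.113.7 user=alice outcome=failure",
    "2024-05-01T10:00:09Z sensor=auth src=203.0.113.7 user=alice outcome=failure",
    "2024-05-01T10:00:12Z sensor=auth src=203.0.113.7 user=alice outcome=failure",
    "2024-05-01T10:00:14Z sensor=auth src=203.0.113.7 user=alice outcome=failure",
    "2024-05-01T10:00:20Z sensor=auth src=203.0.113.7 user=alice outcome=success",
    "2024-05-01T10:00:25Z sensor=firewall src=203.0.113.7 dst=10.0.0.5 dport=445 action=allow",
    "2024-05-01T10:01:00Z sensor=auth src=198.51.100.2 user=bob outcome=failure",
    "2024-05-01T10:01:30Z sensor=auth src=198.51.100.2 user=bob outcome=success",
]


def parse_event(line):
    """Normalize one raw log line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def failure_burst(failures, threshold, window):
    """Sensitivity check: True if `threshold` failures fall inside `window`."""
    for i in range(len(failures) - threshold + 1):
        if failures[i + threshold - 1]["ts"] - failures[i]["ts"] <= window:
            return True
    return False


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: a burst of failed logins from one source, optionally
    followed by a successful login and further network activity.

    `threshold` and `window` are the tunable sensitivity; raising them reports
    fewer, higher-confidence alerts.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)          # common attribute used for correlation
    for event in events:
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs
                    if e.get("sensor") == "auth" and e.get("outcome") == "failure"]
        if not failure_burst(failures, threshold, window):
            continue                    # below sensitivity: no alert raised
        last_failure = failures[-1]["ts"]
        successes = [e for e in evs
                     if e.get("outcome") == "success" and e["ts"] > last_failure]
        # Severity: a brute force that ended in a successful login is high.
        severity = "high" if successes else "medium"
        lateral = []
        if successes:
            lateral = [e["dst"] for e in evs
                       if e.get("sensor") == "firewall" and e["ts"] > successes[0]["ts"]]
        alerts.append({
            "src": src,
            "severity": severity,
            "failures": len(failures),
            "lateral": lateral,
            # Timeline of every correlated event, for the investigator.
            "timeline": [(e["ts"].isoformat(), e["sensor"],
                          e.get("outcome") or e.get("action")) for e in evs],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["src"], alert["failures"], "failures")
        for step in alert["timeline"]:
            print("   ", *step)
```

Running it raises one high-severity alert for 203.0.113.7 (five failures, a success, then an SMB connection to 10.0.0.5) and nothing for 198.51.100.2, whose single failure is below the threshold. Raising `threshold` to 10 suppresses the alert entirely, which is the sensitivity trade-off the text describes.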
Depending on the severity level of an alert, security professionals or investigators analyze the events and take the necessary actions to defend against and remediate the cyberattack.

Correlation

Correlation is a method that identifies attributes common to several events and merges those events into a meaningful package. Security solutions apply correlation rules to integrate multiple log sources and transform data into useful information. These correlation rules allow security specialists to take appropriate actions (such as shutting down a system or limiting its availability) to mitigate cyberattacks when an adversarial event is triggered. Correlated logs help investigators track the timeline of events that led to a security incident.

Digital Evidence Sources: Bandwidth Monitors and Metadata

- Bandwidth Monitors: Network traffic analysis using bandwidth monitors provides insights into incidents and evidence, discovers the footprints of attackers, and identifies the degree of damage. Using tools such as SolarWinds Network Bandwidth Analyzer Pack, investigators can perceive the events in a network by comparing the network behavior with the standard baseline.
- Metadata: see below.

Digital Evidence Sources: Bandwidth Monitors

Bandwidth monitors are tools used to evaluate the bandwidth actually in use against the bandwidth allocated to a local system. Bandwidth monitoring is a familiar method of obtaining a better perspective of the actual volume of network traffic. Using these tools, investigators can perceive the events of a network by comparing the network behavior with the standard baseline.
Network traffic analysis using bandwidth monitors provides clear insights into an incident; moreover, it provides evidence, discovers the footprints of attackers, and identifies the degree of damage. Unexpected bandwidth utilization can be an indicator of data exfiltration. Flow collectors generally produce the bandwidth utilization report used for this analysis. Network traffic analysis using bandwidth monitors assists an organization in recreating an outline of an attack and understanding how the attacker progressed across the network. This type of analysis discloses timestamps, port numbers, and malicious packets. Using this information, security professionals can understand the scope of the breach, the mechanics of the initial exploitation, and the possible damage caused by the breach. Investigators can use tools such as SolarWinds Network Bandwidth Analyzer Pack, NetFlow Traffic Analyzer, and PRTG Network Monitor to analyze bandwidth usage.

Digital Evidence Sources: Metadata

Most computing systems, applications, and storage media create some type of long-lasting metadata that can be examined during incident analysis. The metadata present in file system snapshots helps in understanding incidents during the investigation process, including unapproved deletion and modification of files. Combined with digital forensic software and scanning tools, file systems provide information about potential malware, auditing data, and access management systems. They also assist in retracing previous activities from a subset of information. Investigators can use tools such as Metadata Assistant, Paraben P2 Commander, and Metashield to analyze metadata.
Metadata can be acquired from various data sources such as:

Email: Email is one of the most familiar communication formats and is becoming an increasingly significant source of investigative data for intelligence analysts. The analysis of emails is often considered a task that requires forensic expertise owing to the challenges encountered in converting and modeling this type of data. An email that is sent or received contains an internet header that provides detailed information regarding the message, the recipient and sender addresses, and the hosts it has been transmitted through. Because an email is routed through multiple Message Transfer Agents (MTAs), every MTA adds its own Received header carrying information such as the relaying host, the timestamp, and spam-filter results, all of which can be analyzed during the investigation.

Mobile: Mobile devices contain information including incoming and outgoing call history, contacts, SMS, pictures, videos, app data, system files, usage logs, and other metadata. Incident responders perform mobile forensics to discover digital evidence from mobile devices. The device location history (a form of metadata) can be derived from the cell towers used, which can help in analyzing malicious insider attacks. Mobile call details can be accessed by specific law enforcement agencies based on a set of policies and with the consent of the device owner. Following the right procedures and guidelines is an important prerequisite for the inspection of mobile devices.

Web: The internet presents a significant challenge to the collection and preservation of metadata. A webpage is a file that comprises content and links, which are structured with HTML. The accessible webpages are hosted on a web server and can be reached through a website address. For an investigator, webpage artifacts that are stored on a device may act as evidence in an investigation. These artifacts include internet browser history, downloaded files, and cookie files.
Based on the investigation, an investigator might inspect servers for evidence. Server-side information might consist of files such as log files, source code, and databases. This information might connect to webpages or files on a device. An investigator can inspect server-side headers, their properties, and other files by examining the relationship between the webpage and the browser on the user device. The header contents can also be investigated with the standard developer tools built into the browser. The investigator might also examine server logs for information such as IP addresses and user account activities.

File System: File system tracing has the widest capability of providing investigators with information related to the events in a system. File systems leave a forensic footprint that might contain data such as modifications to a file, creation or deletion of a file, increases or decreases in space utilization, and logs of process events. The collection of file system data depends on the OS used and the state of the system. In all cases, a file system must be preserved as close as possible to the condition it was in when it was first impacted. Changes are unavoidable: simply booting a system can significantly alter file system access times, file sizes, and other information essential to reconstruction. Deleting a file does not remove its contents from the medium immediately; the data remains forensically recoverable for a period, until it is overwritten.
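The Received-header analysis described under Email above, as an added example that is not part of the course material: reconstruct the MTA path of a message, recover the submitting client's IP address, and run the consistency checks an investigator applies before trusting that path. The raw message, host names and addresses (documentation ranges) are constructed for the example.

```python
"""Added example (not EC-Council course material): reconstructing the MTA
path of an email from its Received headers, as described under "Email".

Each MTA that handles a message prepends its own Received header, so the
header block reads newest-first; reversing it gives the chronological path.
The raw message below is constructed for the example; the addresses are
documentation ranges, not real hosts.
"""
import email
import re
from email.utils import parsedate_to_datetime

SAMPLE_RAW_EMAIL = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id 7a1b; Wed, 1 May 2024 10:05:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.9])
\tby mx2.example.net with ESMTP id 9f2c; Wed, 1 May 2024 10:05:01 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example.com with SMTP id 12ab; Wed, 1 May 2024 10:04:58 +0000
X-Spam-Score: 6.1
From: "Payroll" <payroll@example.com>
To: alice@example.org
Subject: Updated bank details
Date: Wed, 1 May 2024 10:04:50 +0000
Message-ID: <20240501.1@example.com>

Please update the account on file.
"""

# "from <host> (<reverse-DNS / IP info>) by <host> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """Return the hops oldest-first, each as a dict with from/info/by/date."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(str(value).split())   # undo header folding
        m = HOP_RE.search(unfolded)
        if not m:
            continue                               # unparseable hop: skip it
        hop = m.groupdict()
        hop["date"] = parsedate_to_datetime(hop["date"])
        hops.append(hop)
    return hops


def origin_ip(raw):
    """IP recorded by the first MTA, i.e. the submitting client."""
    chain = received_chain(raw)
    if not chain:
        return None
    first = chain[0]
    m = IPV4_RE.search((first.get("info") or "") + " " + first["from"])
    return m.group(1) if m else None


def chain_anomalies(chain):
    """Checks before trusting the path: each hop's 'by' host should be the
    next hop's 'from' host, and timestamps should not go backwards.
    Mismatches suggest forged or stripped headers (or bad MTA clocks)."""
    problems = []
    for prev, nxt in zip(chain, chain[1:]):
        if prev["by"] != nxt["from"]:
            problems.append(f"hop mismatch: {prev['by']} -> {nxt['from']}")
        if nxt["date"] < prev["date"]:
            problems.append(f"time goes backwards at {nxt['by']}")
    return problems


def mta_metadata(raw):
    """Other MTA-added metadata worth recording, e.g. spam-filter results."""
    msg = email.message_from_string(raw)
    return {k: v for k, v in msg.items() if k.lower().startswith("x-spam")}


if __name__ == "__main__":
    chain = received_chain(SAMPLE_RAW_EMAIL)
    for hop in chain:
        print(hop["date"].isoformat(), hop["from"], "->", hop["by"])
    print("origin:", origin_ip(SAMPLE_RAW_EMAIL))
    print("anomalies:", chain_anomalies(chain))
    print("mta metadata:", mta_metadata(SAMPLE_RAW_EMAIL))
```

The only header an attacker cannot rewrite is the one added by the first MTA the investigator controls, so the chain is read from that hop backwards; anything earlier in the path is as trustworthy as the host that wrote it. A hop whose `by` host is not the next hop's `from` host, or whose timestamp precedes the previous hop's, is a signal to treat the earlier hops as unreliable.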
Digital Evidence Sources: NetFlow

- NetFlow is a network protocol used to gather, monitor, and analyze network traffic flow as it passes through load balancers, switches, and other routing devices.
- It inspects the traffic flow and generates flow statistics that help investigators in bandwidth monitoring, threat detection, aggregation, and forensic analysis.

[Slide figure: a NetFlow-enabled device creating a flow record in the NetFlow cache from the incoming traffic flow; see Figure 20.4.]

NetFlow is a network protocol used to gather, monitor, and analyze the network traffic flow as it passes through load balancers, switches, and other routing devices. Instead of analyzing each packet, NetFlow helps security investigators analyze the entire traffic flow. A flow is a unidirectional sequence of packets or datagrams that share common traits such as source/destination address, port number, or other header fields. Consequently, instead of maintaining a record of every single packet, a single record is kept for the entire flow or conversation. NetFlow-enabled network devices (such as routers) process all IP datagrams entering and exiting their interfaces. NetFlow then inspects the traffic flow and generates flow statistics that help investigators in bandwidth monitoring, threat detection, aggregation, and forensic analysis. NetFlow uses matching criteria to detect new flows in the network.
For each flow, it collects and records packets into flows depending on the following criteria:

- Source/destination IP address
- IP protocol version
- Source/destination port number (TCP/UDP)
- Source interface
- Packets or bytes (accumulated as counters for the flow)

Each data packet that is ready to be processed is analyzed against the aforementioned criteria. The initial packet creates a flow record in the NetFlow cache. The packet is then forwarded by the NetFlow-enabled device. The remaining packets matching the same criteria are accumulated into this flow record, and the byte/packet counters are incremented for each additional packet until the communication between the hosts involved in the flow is terminated.

[Figure: NetFlow-enabled device; traffic flow enters, the first packet creates a flow record in the NetFlow cache keyed by source/destination IP addresses, IP version, source/destination port numbers and source interface, and subsequent packets increment the packet/byte counters.]

Figure 20.4: Working of NetFlow
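The flow-record creation described above, together with the baseline comparison from the Bandwidth Monitors section, as an added example that is not part of the course material: an emulation of the NetFlow cache built from constructed packet headers, followed by the per-host byte totals a bandwidth monitor would compare against a baseline to flag possible exfiltration. The packets, addresses (documentation ranges), baseline figures and the 5x threshold are all assumptions made for the example.

```python
"""Added example (not EC-Council course material): how a NetFlow-enabled
device turns packets into flow records, and how a bandwidth monitor uses the
resulting per-host byte counts against a baseline to flag possible data
exfiltration.  Packets and the baseline are constructed for the example.
"""
from collections import OrderedDict, defaultdict

# Constructed packet headers seen by the device:
# (src_ip, dst_ip, protocol, src_port, dst_port, ingress_interface, bytes)
PACKETS = (
    # 10.0.0.5 pushes 20 x 1400-byte segments to an external HTTPS host.
    [("10.0.0.5", "198.51.100.9", "tcp", 51000, 443, 1, 1400)] * 20
    # The external host answers with small ACKs on the other interface.
    + [("198.51.100.9", "10.0.0.5", "tcp", 443, 51000, 2, 60)] * 5
    # 10.0.0.7 does a little SMB traffic to an internal file server.
    + [("10.0.0.7", "10.0.0.8", "tcp", 49200, 445, 1, 200)] * 3
)

# Constructed baseline: typical bytes sent per monitoring interval by each
# internal host, learned from earlier, known-good traffic.
BASELINE = {"10.0.0.5": 3000, "10.0.0.7": 2000}


def flow_key(pkt):
    """The matching criteria from the text: addresses, protocol, ports and
    source interface.  Packet/byte counts are accumulated, not keyed."""
    src, dst, proto, sport, dport, ifindex, _ = pkt
    return (src, dst, proto, sport, dport, ifindex)


def build_flow_cache(packets):
    """Emulate the NetFlow cache: the first packet of a flow creates a record,
    later packets matching the same key only bump its counters."""
    cache = OrderedDict()
    for pkt in packets:
        key = flow_key(pkt)
        size = pkt[-1]
        rec = cache.get(key)
        if rec is None:
            cache[key] = {"packets": 1, "bytes": size}
        else:
            rec["packets"] += 1
            rec["bytes"] += size
    return cache


def bytes_per_source(cache):
    """Bandwidth-monitor view: total bytes sent by each source address."""
    totals = defaultdict(int)
    for key, rec in cache.items():
        totals[key[0]] += rec["bytes"]
    return dict(totals)


def exfiltration_suspects(cache, baseline, factor=5.0):
    """Hosts whose sent bytes exceed `factor` times their baseline.
    Returns (source, observed_bytes, baseline_bytes) tuples."""
    suspects = []
    for src, observed in bytes_per_source(cache).items():
        if src not in baseline:
            continue                     # only internal hosts have a baseline
        if observed > factor * baseline[src]:
            suspects.append((src, observed, baseline[src]))
    return suspects


if __name__ == "__main__":
    cache = build_flow_cache(PACKETS)
    for key, rec in cache.items():
        print(key, rec)                  # one record per flow, not per packet
    print("suspects:", exfiltration_suspects(cache, BASELINE))
```

Twenty-eight packets collapse into three flow records, which is the storage saving NetFlow exists for; the per-source totals then show 10.0.0.5 sending roughly nine times its baseline to an external host on port 443, the kind of deviation the text describes as an exfiltration indicator. Because flow records keep the ports and interface but not the payload, an analyst confirms the finding from the flow timestamps and a packet capture of that conversation, not from NetFlow alone.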
