Case Study: Incident Response and Forensics Analysis

We are experts in Incident Response and Forensics Analysis. When electronic invasion occurs we:

  1. Evaluate the type of attack to accurately identify its origin,
  2. Contain the attack so that it cannot affect other systems, and
  3. Provide step-by-step analysis and incident documentation.

In addition, we have the following capabilities to perform forensics analysis services more efficiently for our clients:

  1. For data residing at the Security Operation Center (SOC), we provide forensics analysis services remotely such as forensics analysis via remote access sessions,
  2. We respond to security event and perform forensics analysis at the client site, and
  3. Service Level Agreement (SLA) for incident response time is within 2 hours for phone support and within 8 hours for onsite analysis.

We develop client-specific prevention programs to deter future attacks and ensure the integrity of our client’s sensitive information. We perform incident response and forensics analysis on both network and web applications. Our growing client list includes law firms, financial institutions, and healthcare companies.

Incident Response and Forensics Analysis Methodology

Our staff holds professional certifications in CISSP, CSSLP, CISA, CRISC, CIPP, and CIPP/G, and are well versed with the regulatory compliance requirements of HIPAA, GLBA, FFIEC, SOX, PCI, FISMA, DIACAP, and other Federal and State privacy regulation requirements. Our methodology for computer incident handling / forensics analysis is listed below, and all steps are documented in detail by the forensics expert assigned to the case.

1. Identification Phase:

  1. Verify the authority of the investigating officer.
  2. Consult with the investigating officer on the scene to understand the situation and determine the necessary equipment to bring to the scene.
  3. Identify the incident’s sequence of events and respective dates/times.
  4. Identify actions that were performed to resolve the incident
  5. Identify who has been contacted (i.e. law enforcement, third-parties, internal corporate officers)
  6. Identify evidence that has been preserved
  7. Identify available logs(web server, database server, firewall, intrusion detection/prevention system (IDS/IPS),and router logs)
  8. Identify and understand the details of any third party complaints.

2. Seizing Evidence:

a. Consult with the Investigating Officer on the scene for

  1. any special instructions
  2. situational awareness (what happened, who is involved, other additional information and circumstances)
  3. contact information
  4. the goal of the investigation / examination
  5. estimate duration of the forensics analysis
  6. establish deadline for the analysis report

b. Assist client with contacting and relaying incident details to client’s legal counsel when appropriate.
c. Review legal authorization to seize evidence, and obtain additional authorization when necessary for the execution of seizure when evidence is outside the scope of the search.
d. When it is impractical to remove the evidence from the scene, the evidence items are copied or imaged according to the procedures within the client organization.

Capture forensic image(s) using forensics hardware/software capable of capturing a “bit stream” image of the original media.

  • Utilize methods of acquiring evidence that are forensically sound and verifiable.
  • Ensure the integrity of the digital evidence to be submitted for examination is properly preserved.
  • Archive forensic image(s) to media and maintain it consistently with departmental policy and applicable laws

e. Gather the network and data flow diagrams where available
f. Gather all available logs (web server, database server, firewall, intrusion detection system (IDS), and router logs).
g. Remove all suspects, witnesses, and by-standers from the proximity of digital evidence to preclude their access to potential evidence.
h. Solicit information from potential suspects, witnesses, LAN administrators, etc. to ascertain knowledge of the system to be seized (e.g., password(s), operating system(s), screen name, email address).
i. Search the scene systematically and thoroughly for evidence.

3. Forensics Analysis/Examination:

a. Review documentation provided by the client to determine the processes and legal authorization required to complete the examination.
b. Understand the client’s need:

  • Urgency and priority of the client’s need for information
  • Additional types of forensic examination that may be required to be carried out on the evidentiary item.
  • Identify the items that offer the best choice of target data in terms of evidentiary value

c. Agree upon examination strategy.
d. Conduct examinations on forensic copies or via forensic image files and not on the original evidence media whenever possible.
e. Conduct examinations of the media logically and systematically – and consistently with the client organization’s Standard Operating Procedures (SOPs).
f. Reconstruct the “crime scene” for investigation when possible.
g. Correlate and analyze logs when available
h. Identify exact exploitation and vulnerabilities related to the incident.
i. If the incident is related to internet hacking, research related exploitation and incidents to identify if this is a targeted attack or an attack due to a virus in the wild.

4. Evidence Handling Documentation:

a. Obtain copy of legal authorization
b. Establish chain of custody – document the following detail on evidence

  • What is the evidence?
  • How did you get it?
  • When was it collected?
  • Who has handled it?
  • Why did that person handle it?
  • Where has it traveled, and where was it ultimately stored?

c. Determine the initial count of evidence to be examined
d. Assess the packaging and condition of the evidence upon receipt by the examiner
e. Write a description of the evidence
f. Document communications regarding the case

5. Analyze and Report:

a. Analyze all data gathered
b. Complete and submit investigation report

Case Study 1: Users can not logon to domain, corporate network is inoperable…

  1. Client: Major International Law Firm
  2. Incident: At 2:00 am the corporate network went down.
    • Users could not log onto the network or Windows domain
    • The entire corporate network was inoperable
    • All email services went down
  3. Additional information shared:
    • The client is a large law firm with a prominent public profile.
    • The breach was initially suspected to be a targeted attack.
    • Multiple media sources had written accounts of a specific group’s sophisticated hacking capabilities.
  4. Actions taken during the Forensics Analysis:
    • An Incident Response and Forensics Analysis Team was deployed to the client site within 4 hours.
    • All available evidence was imaged and backed up.
    • Logs were gathered from the internal/external web servers, firewall, routers, IDS/IPS, Windows event logs.
    • Evidence files obtained from server hard drives were analyzed.
    • All collected logs were correlated and analyzed.
    • Services and processes on the effected computers were analyzed.
    • Windows Server, Router and firewall configurations were analyzed.
    • Every step of the investigation was documented in detail.
  5. Results:
    • The KLC team discovered a sophisticated botnet with command and control software installed.
    • The botnet changed the security policies on the servers preventing authorized users from logging in.
    • The botnet was a brand new form of malware, and no public information was available until 5 days later.
    • The root cause of the vulnerability was determined by the KLC team to be due to a mis-configuration of the firewall.
    • The KLC Team provided an analysis report and recommendation on root cause remediation.
    • The KLC Team assisted the client with the root cause remediation process and restored the network and email operation.
    • Based on the evaluation, The KLC team concluded this instance was not the result of a targeted attack.

Case Study 2: Evidence of hacking was discovered on a web server with HIPAA data…

  1. Client: Major Healthcare Company
  2. Incident: After the original web application development firm departed for a new project, the newly hired web development firm discovered traces of evidence from hacking groups.
    • The web server had been compromised.
    • The database and the web server were on the same physical server, and HIPAA regulated data was involved.
    • The incident happened 4 months prior and over the course of a 5 day period, based on the initial findings of the new development firm.
    • No logs were available other than the web server logs for those 5 days.
    • The client needed to know the extent of the damage, and whether they were required to take legal measures such as provide breach notification(s) and report the breach(s) to the attorney general.
  3. Actions taken during the Forensics Analysis:
    • Web server technology, development platform and programming language were gathered.
    • Database server information and a backup copy of the database were provided.
    • Limited web server logs were gathered.
    • KLC researched the attacks perpetrated against the web application.
    • KLC built a forensics analysis environment to analyze the web application and database.
    • KLC analyzed the database to determine the origination and scope of the attack.
    • KLC correlated the web server logs against the database activities.
    • Every step of the investigation was documented in detail.
  4. Results:
    • Based on the research of the web server technology and development platform, a malware was targeting these types of servers during the period of the incident.
    • Several files were intentionally left behind by the hackers.
    • The server was hacked more than once because multiple hackers (or hacking groups) left their files.
    • The hackers appear to be of overseas origination as identified through the language of the files.
    • Database activities were inconclusive due to the limited logs available; but since health information and social security numbers could easily have been retrieved, breach notification steps were recommended.
    • KLC consultants worked with the client’s legal counsel to share information discovered.
    • KLC team delivered a report with detailed database activity and web server log analysis.
    • Recommendations were provided to remediate web server situations and data protection on the database.

Check out these FREE resources and tools from CISA (Cybersecurity Infrastructure and Services Agency) to assist with your Incident Response and Forensics Analysis needs

Scroll to Top