Most job descriptions list demonstrated written communication skills under the requirements section.
Students in cyber degree programs with little or no relevant work experience often only need examples to help guide their research for assignments.
Paying it forward by publishing this research paper meets both of the objectives above.
Do you publish? Because our voices are needed in this space.
Breach Scenario Case Study:
A Fortune 500 health care company received complaints from users about their systems acting cray cray after opening an email attachment from HR.
Cray cray was not a typo 🙂
An initial incident analysis uncovered some inconsistencies in the Snort IDS logs, so a digital forensics firm was hired to analyze the network, DB server, and impacted workstations for evidence.
The database server is a Microsoft Windows 2003 Server running Microsoft SQL Server 2008. They also use Linux and Windows XP in their environment.
Here is the link to Part 1, which covered evidence identification, acquisition, preservation, and workstation forensic analysis.
This is Part 2 of this 2 part series describing how I would approach the a breach investigation per the given scenario. This post will cover database forensics, DB server evidence, witness preparation, and ethical considerations.
Processing the DB Server:
The team will take a similar approach to the one that was used to image the database administrator’s drive to securely image the server’s drive.
A Forensic Analysis Log will be used to document each step to ensure the process complies with the requirements set forth for admissibility in the Federal Rules of Evidence.
Per Part 1 of this series, I used tables instead of a numbered list or bullet points because professors like to see tables and it makes it easier to think through all the necessary steps with a visual.
Bosses also like tables too, so this is a good habit to develop.
Some of the columns in the tables are not visible on mobile devices, so I recommend viewing on a regular screen.
Database Server Forensic Analysis Log
|Obtain drive image of suspect’s computer tower hard drive||Document whether powered on or off state|
|2||TBD||Initiate Open VPN session||Use secure authentication to virtual machine that contains Autopsy digital forensics platform|
|3||TBD||Authenticate to https://aerocenter.aeronomy.com/cloud/org/umuc||Secure center hosting virtual machine|
|4||TBD||Authenticate to external IP address provided using secure session within VNC viewer||Facilitates access to local drive, file retrieval, and Autopsy digital forensics application on Helix|
|5||TBD||Open Applications/Forensics & IR/Root terminal||Password TBD|
|6||TBD||Run command mount –t ntfs3g –o rw \c:\windows\system32 hit enter,
Repeated command, hit enter
|This will mount drive icons on the desktop|
|7||TBD||Run command ls –lah \c:\windows\system32||This will create evidence file|
|8||TBD||Run command cd c:\windows\system32 hit enter;
then run command mkdir –p \c:\windows\system32\evidence\autopsy, hit enter
|This will populate drive info|
|9||TBD||Run command autopsy, hit enter||This will reveal http://localhost: 9999/autopsy|
|10||TBD||Open Firefox web browser application and browse to http://localhost:9999/autopsy||This will open Autopsy Forensic Browser 2.20|
|11||TBD||Click Open Case||This will open a new case|
|12||TBD||Enter case details:
Case name: HCC_DB_Server
Description: Keirsten Brager
Investigator Names: Keirsten Brager
|New case identification details|
|Click Add Host, then enter hostname and description details.
Then click add host
|This will add the new host to the case|
|14||TBD||Click Add Image File, then enter Location, Type, and Import Method. Click next:||This will add the new image to the host|
|15||TBD||On Image File Details page, calculate hash value for image, designate Mount Point, and choose File System Type. Click add, then ok after hash calculation process finishes.||Record MD5 Hash value here.|
|16||TBD||Select drive, Analyze, File Analysis Tab, and Add Notes||It is important to keep notes through the process to capture noteworthy details throughout the process.|
|17||TBD||Clicked Generate MD5 List of Files||Recorded all MD5 hashes for report|
|Review results in FileType, Image Details, MetaData, and Data Units tabs|
|19||TBD||Analyze contents of pagefile|
|21||TBD||Analyze user files|
|23||TBD||Document remaining items of interest in Notes|
|24||TBD||Power device off||End of investigation.|
Potential Database Server Evidence
The team will attempt to capture a raw image, which is a sector-by-sector copy of a disk image (Garfinkel, et al., n.d.). Raw images allow the disk to maintain the exact structure and content, so it helps to preserve the integrity of the evidence.
Next, investigators will evaluate active system memory (RAM), pagefiles, and BIOS, listed in order of volatility (volatile à non-volatile) (Case, et al., 2014). In addition, the contents of c:\windows\system32 folders will be analyzed based on what is detected within memory and the registry.
[RELATED: Forensics Sources in System Memory]
Further, the team will enumerate any suspicious listening ports or evidence of data exfiltration. Antivirus protection status and associated logs will be evaluated as well.
Another item of interest is the $LogFile because system logs provide digital footprints and timestamps of exactly what occurred on a device at any given time, actions taken, and can usually tie actions back to specific users. It also contains file system and metadata information that is pertinent to investigations
Other Potential DB Server Evidence
The team will evaluate host and network firewall logs if available for suspicious network traffic from the suspected host. As mentioned in the workstation evidence section, there will also be an analysis of IDS/IPS for suspicious events from the suspected host.
While evaluating the /var/log/snort and /var/log/messages logfiles to look for evidence of tampering or changes to the configuration of the IDS/IPS to the user’s workstation, the analysis will include the server too.
[RELATED: Digital Forensics: Can You Find Hidden Data?]
Other forensics sources would include Windows system, application, and security logs for anomalies. The team would evaluate database logs/activity for evidence of data exfiltration. There would also be an analysis of database security for existence of unknown or new accounts created.
Afterwards, the team would assess the database for evidence of unauthorized dropped tables, altered tables, or added tables. Finally, the team will review browser history and deleted files to rule out malicious user behavior.
Expert Witness Preparation
We learned early in our graduate program that evidence must be admissible, authentic, reliable, and complete in order to be considered legally valid under the Federal Rules of Evidence.
Additionally, proper evidence handling is critical to maintaining the integrity of the forensics, and preparation plays an integral role in ensuring it meets the Federal Rules of Evidence (U.S. Department of Justice, 2009). Maintaining a repeatable documentation process ensures that these standards are met.
In order to ensure admissibility, the team will perform the following:
- Review the workplan.
- Study detailed notes of the acquisition and storage process used, noting any deviations from the work plan.
- Review chain of custody documentation and accurately document the date, time, and source of the sample.
- Have another team member quiz through work plan to determine any inconsistencies with delivery or enumeration.
Court Testimony Preparation:
Depending on the severity of the breach, this could end up in federal court. As a cautionary measure, the team will ensure that expert witnesses can satisfy the requirements of the Daubert challenge.
That is, candidates will be vetted for the pertinent education and expertise standards as mandated by evidentiary rules for certain cases (Zatyko and Bay, 2011). Background checks will be conducted out of precaution so that opposing counsel cannot challenge witness credibility.
The team would begin court testimony preparation by reviewing videos and other multi-media sources of past digital forensics court testimonies that were successful. This will ensure that members are aware of how court proceedings are usually carried out.
Next, the team would participate in mock cross-examinations using attorneys from outside firms. This will ensure that there is no bias in the process and that witnesses are not familiar with the parties performing cross examination. This activity will also serve to facilitate a more accurate real world scenario for all involved.
Next, the team will collaborate on investigating and identifying any potential gaps in workplan or evidence gathering and determine defense for discrepancies.
This will include a review of:
- Federal Review of Evidence
- Procedures for evidence handling
- Forensic Analysis Logs
- Exhibits that will be entered into the court record
There will also be discussions about persuasive delivery of factual information and making emotional connections with the jury. Special emphasis will be placed on communicating with non-technical audiences.
The best way to present technical terms to nontechnical people is by relating it to terms that they are familiar with in their daily lives. People are more likely to understand technical terms with explanations related to activities or items they interact with on a regular basis, so this approach should be used whenever feasible.
Finally, the team will validate that any breaks in chain of custody can be adequately explained such that evidence is not deemed inadmissible.
[RELATED: Samsung’s $1 Billion Forensics Mistake]
As with other professions that require high degrees of public trust, investigators will be required to adhere to internal code of ethics as well as the code as published by (ISC)2 for security professionals (n.d.).
Those ethics include:
- Protecting society
- Acting honorably
- Providing competent services
- Advancing the profession
Team members will also be advised of their responsibilities to the client. Those obligations include keeping all aspects of the work confidential and not performing any actions that could negatively impact the outcome of the forensics investigation.
The scope of responsibility to the client is not just evidence. Care must be taken to avoid any impropriety, including disclosing intellectual property or using it to profit or harm the business.
This covers interactions with law enforcement, members of the media, family members, and even social media communications (Harrington, 2014). More importantly, forensics professionals must demonstrate good moral character.
The team is also required to follow all ethical practices involving acquisition, storage, and presentation of forensic data to avoid any aspect of evidence being considered inadmissible in a court of law. Finally, ethics must include staying within the scope of the investigation.
This concludes Part 2 of this series.
Jobs will not come to entry level people, even with a degree and/or certs. You have to put yourself out there.
Case, A., Levy, J., Ligh, M. H., & Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. New York: Wiley.
Electronic crime scene investigation [electronic resource] : an on-the-scene reference for first responders. (2009). Washington, DC : U.S. Dept. of Justice, Office of Justice Programs, National Institute of Justice, 
Garfinkel, S., Malan, D., Dubec, K., Stevens, C., Pham, C. (n.d.) Advanced Forensic Format: An Open, Extensible Format for Disk Imaging. Harvard University. Retrieved from: https://cs.harvard.edu/malan/publications/aff.pdf
Harrington, S. (2014, March 4) Professional Ethics in the Digital forensics Discipline: Part 1. ForensicMag. Retrieved from: http://www.forensicmag.com/article/2014/03/professional-ethics-digital-forensics-discipline-part-1
(ISC)2 Code of Ethics (n.d.) International Information System Security Certification Corsortium Inc. Retrieved from: https://www.isc2.org/ethics/default.aspx
John, J. (2012) Digital Forensics and Preservation. DPC Technology Watch Report. Digital Preservation Coalition. Retrieved from: http://www.dpconline.org/docman/technology-watch-reports/810-dpctw12-03-pdf/file
Zatyko, K. and Bay, J. (2011, December 14) The digital forensics cyber exchange principle. Forensic Magazine. Retrieved from: http://www.forensicmag.com/article/2011/12/digital-forensics-cyber-exchange-principle
Zhong, J., & Lai, X. (2012). Improved preimage attack on one-block MD4. Journal Of Systems & Software, 85(4), 981-994. doi:10.1016/j.jss.2011.11.1020