Forensic Investigation Methodology

The Computer Forensics and Investigation Methodology consists of 8 steps. The first 3 steps acquire evidence about the system and the crime scene. The next 4 steps are the repeatable analysis steps, carried out as often as the evidence requires; the final step is writing the report. The figure below shows the Forensics Investigation Methodology, and the attached PowerPoint file explains each step:

[Figure: the eight-step Forensics Investigation Methodology]

The attached PowerPoint file explains the Forensic Methodology step-by-step:


Digital Forensics’ Principles

There are some principles that will lead you to achieve your investigation's goals. The investigator should be aware of the following four principles:

  1. Record everything.
  2. Minimise data loss.
  3. Analyse all data collected.
  4. Report your findings.


Now the question is “Where is the data that needs to be analysed?”.

Basically, everything should be analysed and investigated when approaching a crime scene; in addition, no one else is allowed to access the crime scene area. The following figure shows some of the digital hardware that can be analysed, with the potential of finding information inside it.

[Figure: digital hardware that may hold evidence]

Everything in the crime scene is valuable and should be carefully investigated and analysed, along with the computer itself. Remember: do not dismiss anything, even the small things. The two scenarios below describe a digital crime scene as a live system and as a dead system:

Live system: acquisition copies the data using the suspect's (operating) system. Investigators usually try to avoid this kind of acquisition, because an attacker who has modified the suspect's system or its software can make it return tampered data; however, it is the only way to capture the volatile evidence listed below. In a live system the power is still on, processes are still running, disks are being accessed, and removable media keeps changing.

Dead system: acquisition copies the data without the assistance of the suspect's (operating) system, for example by imaging the drive from trusted boot media through a write blocker. In a dead system the power is off, the power cable is unplugged, and there are no changes to the removable media.

Remember: evidence is volatile. The most volatile evidence is in memory and the least volatile is on removable media. Below is the order from most volatile to least volatile (top to bottom):

  1. Memory.
  2. Network status and connections.
  3. Running processes.
  4. Hard drive media.
  5. Removable media such as floppy disks, zip disks, USB sticks and more.

Note: the evidence in memory, network status and connections, and running processes will be destroyed if the power is cut off, so it must be collected first, while the system is still live.
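The collection order above, as an added example that is not part of the original page: a bash live-response script that walks the list most volatile first, stores each step's output, and records a UTC timestamp and SHA-256 hash per step in a manifest (the "record everything" principle) so the collected files can be re-verified later. It assumes a Linux host with coreutils and /proc; the step names, the manifest layout and the use of /proc/meminfo as a stand-in for a full memory dump (which needs a dedicated tool) are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example: live-response collection in order of volatility.
# Assumes Linux with coreutils and /proc; not from the original page.
set -u

# Hash a file with whichever SHA-256 tool is present (assumption: one is).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# record_step OUTDIR NAME COMMAND...: run one collection step, store its output
# and append "UTC-time name sha256" to the manifest. A step that fails must not
# stop the later (less volatile) steps, so its error is swallowed.
record_step() {
    local out="$1"; local name="$2"; shift 2
    local file="$out/$name.txt"
    "$@" > "$file" 2>/dev/null || true
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" \
        "$(sha256_of "$file")" >> "$out/manifest.txt"
}

# collect_volatile OUTDIR: the page's order, most volatile first.
collect_volatile() {
    local out="$1"
    mkdir -p "$out"
    : > "$out/manifest.txt"
    # 1. Memory: a full dump needs a kernel module or dedicated tool (not
    #    assumed here), so only the memory summary is captured in this example.
    record_step "$out" 1_memory_summary cat /proc/meminfo
    # 2. Network status and connections (ss if present, else raw /proc tables).
    if command -v ss >/dev/null 2>&1; then record_step "$out" 2_network ss -tunap
    else record_step "$out" 2_network cat /proc/net/tcp /proc/net/udp; fi
    # 3. Running processes.
    record_step "$out" 3_processes ps -eo pid,ppid,user,args
    # 4. Hard drive media: enumerate only; imaging is done through a write blocker.
    record_step "$out" 4_disks df -P
    # 5. Removable media: current mounts.
    record_step "$out" 5_removable cat /proc/mounts
    # Seal the manifest itself so later edits to it are detectable too.
    sha256_of "$out/manifest.txt" > "$out/manifest.sha256"
}

# verify_manifest OUTDIR: return 0 only if every stored file still matches
# the hash recorded for it at collection time.
verify_manifest() {
    local out="$1" ts name hash
    while read -r ts name hash; do
        [ "$(sha256_of "$out/$name.txt")" = "$hash" ] || return 1
    done < "$out/manifest.txt"
}
```

Run it as `collect_volatile /mnt/evidence/case001` onto media you control, not the suspect's disk, and keep the manifest.sha256 value in your notes; `verify_manifest` then shows whether any collected file changed after acquisition.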

Introduction to Digital Forensics – Part 2/2

There are several types of incident that might be discovered by applying forensic techniques. Below are some examples of these incidents.

  • Malicious Code Attacks – for example, viruses, Trojan horse programs, worms and hacker scripts.
  • Unauthorised Access – for example, improper logins to users' accounts and unauthorised access to files.
  • Unauthorised Utilisation of Services – for example, an intruder may obtain access to information or plant Trojans and sniffers by misusing available services.
  • Disruption of Service – for example, disruption of network services, killing critical processes, spamming and Denial of Service (DoS).
  • Computer Misuse – for example, using computer services for other than official purposes.
  • Espionage – for example, stealing information to subvert the interests of a company or government.
  • Hoaxes – for example, spreading false information about an incident or threat, such as the 1995 Good Times virus hoax (a non-existent virus).

There are many questions we should ask ourselves, such as: why do people commit these incidents? what was stolen? and how did they do it? For intellectual property theft, the statistics give the following answers:

  • Why do people commit these incidents?
    • Moved to a competitor (70%).
    • Set up their own competing business (23%).
    • Other (7%).
  • What was stolen?
    • Customer/client information (75%).
    • Financial information (14%).
    • Business presentations (5%).
    • Other (6%).
  • How did they do it?
    • E-mail (46%).
    • Hard copy (22%).
    • Electronic storage device (9%).
    • Other (23%).

In response, the UK has set up the National Crime Agency (NCA), a new crime-fighting agency with national and international reach and the mandate and powers to work in partnership with other law enforcement organisations. This brings the full weight of the law to bear in cutting serious and organised crime.

STRIDE – Part 3/3

Let's take an example where the STRIDE technique can be used to mitigate threats. Note: threats should be listed with the highest priority first. The figure below shows a server connected to many clients over an insecure network.

[Figure: server connected to clients over an insecure network]

Implementing the STRIDE technique helps to find and fix the vulnerabilities of the system before an attacker can exploit them. Below are some of the vulnerabilities an attacker might exploit and the threats they pose to the system, rated with the scale explained in Part 2 (chance: 1 = very high, 10 = low; damage: 1 = little, 10 = massive; risk = damage / chance, so a higher value is a higher priority).

Attack the server STRIDE 1

  • The attacker intercepts the data, which allows Tampering with data and Information disclosure, or Spoofing identity.
    • Chance of occurring: 1 (very high).
    • Damage it causes: 10 (massive).
    • Risk: 10/1 = 10.

Attack the server STRIDE 2

  • The attacker floods the server with bad data (Denial of service).
    • Chance of occurring: 1 (very high).
    • Damage it causes: 7 (high).
    • Risk: 7/1 = 7.

Attack the server STRIDE 3

  • The attacker accesses the configuration data, which allows Tampering with data, Information disclosure and Denial of service.
    • Chance of occurring: 5 (medium).
    • Damage it causes: 10 (massive).
    • Risk: 10/5 = 2.

Attack the server STRIDE 4

  • The attacker accesses persistent data or the audit log, which allows Tampering with data, Information disclosure and Denial of service.
    • Chance of occurring: 4 (medium).
    • Damage it causes: 8 (high).
    • Risk: 8/4 = 2.

There are several techniques that can be applied to each STRIDE category to mitigate the threats above, such as:

  1. S – Strong authentication; and never store secrets.
  2. T – Hashes, digital signatures; and tamper-resistant protocols.
  3. R – Digital signatures, time stamps; and secure logging.
  4. I – Strong access control mechanisms (ACLs), encryption; and never store secrets.
  5. D – Filtering, throttling; and QoS.
  6. E – Run with least privilege.

[Figure: STRIDE mitigation techniques]

STRIDE – Part 2/3

Keep in mind that threats to the system may affect different areas of your system. The table below shows which areas might be affected when an attack occurs.

[Figure: table of attacks and the system areas they affect]

Prioritisation is the process of rating the threats so that the most important ones are dealt with first. STRIDE threats can be prioritised as follows:

  • Chance of an attack occurring:
    • 1 – high.
    • 10 – low.
  • What is the cost or damage if the attack occurs:
    • 1 – little.
    • 10 – massive.
  • Risk:
    • the damage the attack would cause / the chance of the attack occurring (because the chance scale is inverted, a higher risk value means a higher priority).
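Putting this rating scheme together with the four server threats from Part 3 above, as an added example that is not part of the original page: a small Python threat register that validates the 1..10 ratings, computes risk = damage / chance, ranks the threats highest risk first, and maps each threat's STRIDE letters to the page's mitigation list. The four threats and the per-letter mitigations are the page's; the data-class layout, the tie-break rule (larger damage first) and the function names are this example's own.

```python
"""Added example (not from the original page): rank threats with the page's
STRIDE rating convention. Chance is scored 1 (very high) to 10 (low), damage
1 (little) to 10 (massive), and risk = damage / chance, so a higher number is
worse. The four threats and the per-letter mitigations are the page's server
example; the data-class layout and function names are this example's own."""
from dataclasses import dataclass

# Mitigation techniques per STRIDE letter, as listed on the page.
MITIGATIONS = {
    "S": "strong authentication; never store secrets",
    "T": "hashes, digital signatures, tamper-resistant protocols",
    "R": "digital signatures, timestamps, secure logging",
    "I": "strong access control (ACLs), encryption; never store secrets",
    "D": "filtering, throttling, QoS",
    "E": "run with least privilege",
}


@dataclass(frozen=True)
class Threat:
    name: str
    categories: str   # STRIDE letters that apply, e.g. "STI"
    chance: int       # 1 = very high ... 10 = low (note the inverted scale)
    damage: int       # 1 = little ... 10 = massive

    def __post_init__(self) -> None:
        # Reject ratings outside the 1..10 scales and unknown letters early;
        # a chance of 0 would also divide by zero in risk().
        if not (1 <= self.chance <= 10 and 1 <= self.damage <= 10):
            raise ValueError(f"{self.name}: ratings must be within 1..10")
        bad = set(self.categories) - set(MITIGATIONS)
        if bad or not self.categories:
            raise ValueError(f"{self.name}: bad STRIDE letters {sorted(bad)}")

    @property
    def risk(self) -> float:
        # The page's formula: damage divided by chance (1 = most likely).
        return self.damage / self.chance


def rank(threats):
    """Highest risk first; ties are broken by the larger damage rating."""
    return sorted(threats, key=lambda t: (t.risk, t.damage), reverse=True)


def mitigations_for(threat):
    """Mitigations to apply, one entry per STRIDE letter the threat maps to."""
    return [(c, MITIGATIONS[c]) for c in threat.categories]


def report(threats):
    """One line per threat in priority order: risk, STRIDE letters, name."""
    return [f"{t.risk:>5.1f}  {t.categories:<6} {t.name}" for t in rank(threats)]


# The page's worked example: a server reached by clients over an insecure network.
SERVER_THREATS = [
    Threat("Intercept data on the wire", "STI", chance=1, damage=10),
    Threat("Flood server with bad data", "D", chance=1, damage=7),
    Threat("Access configuration data", "TID", chance=5, damage=10),
    Threat("Access persistent data or audit log", "TID", chance=4, damage=8),
]

if __name__ == "__main__":
    for line in report(SERVER_THREATS):
        print(line)
    for letter, fix in mitigations_for(SERVER_THREATS[0]):
        print(f"  {letter}: {fix}")
```

The ranking reproduces the page's numbers (10, 7, 2, 2); the two threats that tie at 2 are ordered by damage, which puts the configuration-data attack ahead of the audit-log attack, matching the order the page lists them in.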

STRIDE – Part 1/3

There are several techniques that can be used to find the vulnerabilities and threats of a system. These techniques are known as threat modelling, which helps you mitigate the vulnerabilities in your system. One way to determine the threats to your system is the STRIDE technique. STRIDE is shorthand for:

  1. S – Spoofing identity.
  2. T – Tampering with data.
  3. R – Repudiation.
  4. I – Information disclosure.
  5. D – Denial of service.
  6. E – Elevation of privilege.


Spoofing identity: allows the attacker to pose as another user, or allows a rogue server to pose as a valid server.

Tampering with data: involves malicious modification of data.

Repudiation: users deny performing an action, without other parties having any way to prove otherwise.

Information disclosure: exposing information to people who are not supposed to have access to it.

Denial of service: denial of service (DoS) attacks, which deny the service to valid users.

Elevation of privilege: an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

In conclusion, the STRIDE technique assesses the threat categories against the assets of the system:

STRIDE threat categories: spoofing identity, tampering with data, repudiation, information disclosure, denial of service, elevation of privilege.

Assets: configuration data, authentication data, persistent data, data "on the wire", state data, temporary data.

Risk Management

Risk is a situation that involves exposure to danger, where harm may result. Risk management is the process of responding quickly to risks and controlling them in order to minimise the threats they pose. In other words, risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives. Meanwhile, risk assessment is the methodical process of evaluating the prospective risks involved in the project's activities.

Risks occur frequently in the world of computer security. Thus, it is important to keep your system up to date and to know everything that happens in and around your system. In computer security, risk assessment is the process of identifying risks so that techniques can be applied to mitigate them. A simple example is how to apply security measures to your house to mitigate future risks, or to make sure a thief cannot get inside and rob you. Let's take a real-life example and try to find some of the vulnerabilities that might lead to threats.

[Figure: vulnerable house]

The figure above shows an ordinary house that might be vulnerable to many threats from thieves. Owing to the absence of security, a thief can break into the house and steal valuable things such as jewellery, money, TVs, PCs, accessories and more. Therefore, it is important to carry out risk assessment and risk management to mitigate these threats as much as possible.

Risk assessment is the process of finding the vulnerabilities within the system that might lead to threats or allow an attacker to gain access to the system. Below are some of the vulnerabilities in the figure above that might be exploited:

  1. The windows could be used to break into the house.
  2. The door could be forced or broken to get into the house.
  3. There is no security camera to record any suspicious activity.
  4. And many more.

Risk management is the set of steps taken to manage and control the system by applying different techniques so that the threats do not materialise. Below are some techniques that can be applied to the house to mitigate the threats or stop an attacker from exploiting these vulnerabilities:

  1. Fit protective bars (or bulletproof glass) to the windows.
  2. Add a fence around the house.
  3. Keep a dog outside the house for extra security.
  4. Install recording cameras to monitor and control the area around the house.
  5. Patrol the area around the house.

The figure below gives more details about the security measures applied:

[Figure: secure house]

Remember: you cannot build secure systems unless you know the threats to which you are susceptible.