Forensics is a generic term for fields of work in which criminal acts are systematically investigated after the event; it is known primarily from areas such as forensic medicine or forensic psychiatry. Data analysis is playing an increasingly important role in cybercrime cases as well: with its help, attacks on IT systems can be analyzed and evidence that will hold up in court can be secured. Cyber forensics is still a young discipline, but the technical possibilities have grown steadily in recent years. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) defines IT forensics as “... the rigorously methodical analysis of data on data carriers and in computer networks to clarify incidents, including the possibilities of strategic preparation, especially from the perspective of the operator of an IT system” [1].
IT forensic measures are rarely carried out without cause: they are generally preceded by an attack or by anomalies observed in the company's systems. With the increasing interconnectedness of systems, cyber forensics has also become more common in recent years, and data analysis now has to cover the entire spectrum from networks, email and cloud services to IoT/IIoT devices.
The objective of a forensic investigation is to answer four classic questions: what happened, where, when and how? When prosecution or the prevention of future attacks is at stake, two more questions follow seamlessly: who is the attacker, and what can the company do to be more securely positioned in the future?
The detailed recommendations for action in the BSI's IT Forensics Guide (Leitfaden IT-Forensik) were drawn up back in 2011, but have lost none of their relevance. They serve not only to clarify a specific attack, but also take possible formal or legal requirements into account.
No matter how different attacks from cyberspace may be, the procedure of a forensic investigation always remains the same and is divided into preparation, investigation, data analysis and documentation. The BSI names the following areas of investigation: file system, intrusion detection, IT application, scaling of evidence, and data processing and evaluation.
But which tools and which methods should a company actually use after an attack?
Here it helps to distinguish whether the starting point is data-oriented or incident-oriented. In the former case, the focus is on obtaining and examining the data held on a system; in the latter, on documenting what happened on the basis of the incident's history [2].
Regardless of whether the analysis is carried out as online (live) forensics on the running system or as offline (post-mortem) forensics on acquired images after the fact, the fundamental requirements are the same: an unbroken chain of evidence (“chain of custody”), the integrity of the object under investigation, and a systematic approach using recognized methods and tools [3].
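A minimal illustration of the integrity and chain-of-custody requirements, added here as an example and not taken from the BSI guide or the other cited sources: the acquired image is hashed once at acquisition, re-hashed at every hand-over, and the custody record is written beside (not inside) the image, so the record itself shows whether the evidence changed while in someone's hands. The case identifier, handler names, image name and image contents are constructed placeholders.

```python
"""Evidence integrity and chain-of-custody record (added example, not from the article)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry(action, who, digest):
    """One custody entry: what was done, by whom, when (UTC), and the hash seen at that moment."""
    return {"action": action, "by": who,
            "at": datetime.now(timezone.utc).isoformat(), "sha256": digest}


def new_custody_record(image_path, case_id, acquired_by, source):
    """Create the record at acquisition time; the acquisition hash is the reference for all later checks."""
    digest = sha256_of_file(image_path)
    return {
        "case_id": case_id,
        "evidence": os.path.basename(image_path),
        "source": source,
        "size_bytes": os.path.getsize(image_path),
        "sha256": digest,
        "custody": [_entry("acquired", acquired_by, digest)],
    }


def log_handover(record, image_path, who, action="handed over"):
    """Re-hash at every hand-over and append the result; returns False if the image no longer matches."""
    digest = sha256_of_file(image_path)
    record["custody"].append(_entry(action, who, digest))
    return digest == record["sha256"]


def verify(record, image_path):
    """True if the image on disk still matches the acquisition hash."""
    return sha256_of_file(image_path) == record["sha256"]


def hash_consistent(record):
    """True if every custody entry saw the same hash as the acquisition, i.e. no break in the chain."""
    return all(e["sha256"] == record["sha256"] for e in record["custody"])


def demo():
    """Constructed walk-through: acquire, hand over intact, then simulate an unintended write."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "server01.dd")          # placeholder image name
        with open(image, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 64)     # constructed stand-in for disk contents
        rec = new_custody_record(image, "CASE-0001", "analyst A",
                                 "server01 /dev/sda, acquired via write-blocker")  # placeholders
        intact = log_handover(rec, image, "analyst B")  # expected: True
        with open(image, "r+b") as f:                   # simulate e.g. mounting the image read-write
            f.seek(0)
            f.write(b"XXX")
        after_write = verify(rec, image)                # expected: False
        log_handover(rec, image, "analyst C", "returned to evidence locker")
        consistent = hash_consistent(rec)               # expected: False, the chain now shows the break
        with open(os.path.join(d, "server01.dd.custody.json"), "w") as f:
            json.dump(rec, f, indent=2)                 # record lives beside the image, not inside it
        return intact, after_write, consistent


if __name__ == "__main__":
    print(demo())
```

The hash alone only proves that the bytes did not change; it says nothing about who computed it or when. Store the record separately from the image and, where possible, on write-once or signed storage, and acquire through a hardware write-blocker so that the first hash is taken from an unmodified source.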
Even if most companies and organizations are still a long way from meeting these requirements, the subject is worth a close look. In the best case, cyber forensics not only answers questions about the type and duration of an attack; it also identifies the likely point of entry into the company's systems by tracking down and reconstructing digital evidence, or by keeping a constant eye on network traffic, for example with an intrusion detection and prevention system (IDS/IPS), so that anomalies are detected in good time.
It is not only the attacked company that benefits from “closing the gateway”. Unsurprisingly, cyber insurers in particular have a strong interest in identifying the trigger of a loss they have to cover: only when the cause is transparent can targeted containment with appropriate countermeasures succeed in the long term and protect companies and insurers from future costs.
Rapid reporting of a cyber incident by the affected company and rapid case handling by the cyber hotline are key success factors in limiting the damage. Roughly 70 to 80 percent of incidents can be resolved by the hotline's second-level support; the remaining cases usually require more in-depth measures.
The digital traces attackers leave behind can be very diverse. In the personal environment, they may be chat logs or digital photos, but also connection logs from game consoles and smartphones. In small and medium-sized companies, the mail, collaboration and web servers are often the gateways through which malware (e.g., ransomware) is deployed. Forensic analysis and correlation of the log information from these various systems can usually pinpoint the route and type of attack.
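The cross-system log correlation described above, as an added example that is not from the article: two constructed log excerpts, an Apache-style access log from a web server that logs in local time (+0200) and a Postfix-style mail gateway log in UTC, are parsed, normalized to UTC, merged into one timeline and queried for an IP address of interest. The IP addresses, hostnames, queue IDs and requests are constructed sample data. The point is that the timeline is sorted on the normalized timestamps rather than on the raw log strings; only then does the earliest contact (here via the mail gateway, before the web logins) appear in the right place.

```python
"""Merge web and mail server logs into one UTC timeline (added example, not from the article)."""
import re
from datetime import datetime, timezone

# Constructed sample lines (not real logs). The web server writes local time with a +0200 offset,
# the mail gateway writes ISO 8601 in UTC, so the raw strings are not directly comparable.
WEB_LOG = """\
198.51.100.23 - - [12/Jul/2022:09:10:00 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.7 - - [12/Jul/2022:09:14:03 +0200] "GET /wp-login.php HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2022:09:14:09 +0200] "POST /wp-login.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2022:09:15:41 +0200] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 3094 "-" "Mozilla/5.0"
"""

MAIL_LOG = """\
2022-07-12T06:58:12Z mailgw postfix/smtpd[2211]: connect from unknown[203.0.113.7]
2022-07-12T06:58:14Z mailgw postfix/smtpd[2211]: 9A1C2: client=unknown[203.0.113.7], from=<billing@example.net>
"""

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
MAIL_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<msg>.*)$')
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


def parse_apache(line):
    """Apache combined-format line -> event dict with the timestamp converted to UTC."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "web", "ip": m["ip"], "event": f'{m["req"]} -> {m["status"]}'}


def parse_mail(line):
    """ISO-8601/UTC mail gateway line -> event dict; the client IP is taken from the message text."""
    m = MAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ip = IP_RE.search(m["msg"])
    return {"ts": ts, "source": "mail", "ip": ip.group(1) if ip else None, "event": m["msg"]}


def build_timeline(web_text, mail_text):
    """Parse both logs and return all events ordered by normalized UTC time."""
    events = []
    for line in web_text.splitlines():
        e = parse_apache(line)
        if e:
            events.append(e)
    for line in mail_text.splitlines():
        e = parse_mail(line)
        if e:
            events.append(e)
    events.sort(key=lambda e: e["ts"])   # sort on aware datetimes, never on the raw strings
    return events


def events_for_ip(timeline, ip):
    """All events attributed to one IP, already in chronological order."""
    return [e for e in timeline if e["ip"] == ip]


def first_seen(timeline, ip):
    """(source, UTC timestamp) of the earliest contact from this IP, or None if unseen."""
    hits = events_for_ip(timeline, ip)
    if not hits:
        return None
    return hits[0]["source"], hits[0]["ts"].isoformat()


def render(timeline):
    """Human-readable timeline, one line per event."""
    return "\n".join(f'{e["ts"].isoformat()}  {e["source"]:4}  {e["ip"] or "-":15}  {e["event"]}'
                     for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(WEB_LOG, MAIL_LOG)
    print(render(tl))
    print("first seen:", first_seen(tl, "203.0.113.7"))
```

Before trusting such a timeline, confirm that the source systems' clocks were synchronized (NTP) and record any known offset in the investigation notes. Real syslog-style mail logs often omit the year and the time zone entirely, which then has to be supplied from the system configuration rather than guessed.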
The toolbox of cyber forensics is as large as the spectrum of attack targets. Increasingly, cyberattacks are no longer aimed only at obtaining information; often, damaging the corporate brand is the main goal, for instance by using manipulated digital photos or press releases to lay a false trail and spread “fake news” that causes incalculable damage to the company and its customers. Many such attacks originate from within the company's own workforce, which makes it all the more important that the company's own IT specialists in particular are equipped to act.
To be able to use digital evidence for possible prosecution or for building more effective defenses in the future, the same applies as so often in life: good preparation is everything. Companies should therefore make strategic preparations in advance, for example by using cloud computing services, so that they do not lose time and energy to bureaucratic processes in the event of an attack. Continuous backup of data in a readable form is essential here, since it is what makes later investigation, processing and analysis possible in the first place; the backups, and the log data they should include, must be kept where an attacker who has already gained access cannot alter or delete them. After all, a cyberattack is not always as obvious as one might think: it is often small, everyday IT incidents or data inconsistencies that subsequently turn out to be part of an attack on the entire system. If the company has backed up its data, it has usable evidence at hand if the worst comes to the worst.
Sources:
[1] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Leitfaden_IT-Forensik.pdf?__blob=publicationFile&v=1 (accessed on July 4, 2022)
[2] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Leitfaden_IT-Forensik.pdf?__blob=publicationFile&v=1 (accessed on July 11, 2022)
[3] https://www.kriminalpolizei.de/ausgaben/2020/september/detailansicht-september/artikel/cybercrime-cybersecurity-und-digitale-forensik.html (accessed on July 4, 2022)
Author
Bernhard Weber
Principal IT Consultant
msg security advisors