Digital forensics

Computer forensics investigation – A case study

Chintan Gurjar
April 6, 2018 by
Chintan Gurjar

Disclaimer: We have not performed any live investigation. This was a part of our university assignment, wherein we assumed the roles of forensics investigator, determining what methods were applicable. You are welcome to come up with your own findings and resolve the case. We attempted to follow the global methodology, illustrating what a basic forensics investigation report should look like.

Credits

Edmand Dester Thipursian – Edmand.dester@gmail.com

Sai Thogarcheti – Harikamurthy9@gmail.com

Abdullah Al Fahad – candyman961@hotmail.com

Chintan Gurjar - chintangurjar@outlook.com

Adam Mentsiev - adam.mentsiev@study.beds.ac.uk

Alams Titus Mammuan - alamsx11@gmail.com

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Computer technology is the major integral part of everyday human life, and it is growing rapidly, as are computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual theft. To counteract those computer-related crimes, Computer Forensics plays a very important role. "Computer Forensics involves obtaining and analysing digital information for use as evidence in civil, criminal or administrative cases (Nelson, B., et al., 2008)".

A Computer Forensic Investigation generally investigates the data which could be taken from computer hard disks or any other storage devices with adherence to standard policies and procedures to determine if those devices have been compromised by unauthorised access or not. Computer Forensics Investigators work as a team to investigate the incident and conduct the forensic analysis by using various methodologies (e.g. Static and Dynamic) and tools (e.g. ProDiscover or Encase) to ensure the computer network system is secure in an organization. A successful Computer Forensic Investigator must be familiar with various laws and regulations related to computer crimes in their country (e.g. Computer Misuse Act 1990, the UK) and various computer operating systems (e.g. Windows, Linux) and network operating systems (e.g. Win NT). According to Nelson, B., et al., (2008), Public Investigations and Private or Corporate Investigations are the two distinctive categories that fall under Computer Forensics Investigations. Public investigations will be conducted by government agencies, and private investigations will be conducted by private computer forensic team. This report will be focused on private investigations, since an incident occurred at a new start-up SME based in Luton.

This report also includes a computer investigation model, data collections and its types, evidence acquisitions, forensics tools, malicious investigation, legal aspects of computer forensics, and finally this report also provides necessary recommendations, countermeasures and policies to ensure this SME will be placed in a secure network environment.

Case study

A new start-up SME (small-medium enterprise) based in Luton with an E-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are a number of suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. They have also recently received a number of customer complaints saying that there is often a strange message displayed during order processing, and they are often re-directed to a payment page that does not look legitimate.

The company makes use of a general purpose eBusiness package (OSCommerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full scale malware/forensic investigation.

As there is increased competition in the hi-tech domain, the company is anxious to ensure that their systems are not being compromised, and they have employed a digital forensic investigator to determine whether any malicious activity has taken place, and to ensure that there is no malware within their systems.

Your task is to investigate the team's suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware, and to ensure that no other machines in their premises or across the network have been infected. The team also wants you to carry out a digital forensics investigation to see whether you can trace the cause of the problems, and if necessary, to prepare a case against the perpetrators.

The company uses Windows Server NT for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched.

Deliverables

Your deliverable in this assignment is a 5,000 word report discussing how you would approach the following:

• Malware investigation

• Digital Forensic Investigation

You should discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant.

You should also discuss the process that you will use to collect evidence and discuss the relevant guidelines that need to be followed when collecting digital evidence.

As a discussion contained within your report, you should also provide a critical evaluation of the existing tools and techniques that are used for digital forensics or malware investigations and evaluate their effectiveness, discussing such issues as consistency of the approaches adopted, the skills needed by the forensic investigators, and the problems related with existing methodologies (especially with respect to the absence of any single common global approach to performing such investigations and the problems that can result when there is a need to perform an investigation that crosses international boundaries).

Association of Chief Police Officers (ACPO)

This forensic investigation will be conducted as per Association of Chief Police Officers (ACPO) guidelines and its four principles as well. There are four ACPO principles involved in computer-based electronic evidence. These principles must be followed when a person conducts the Computer Forensic Investigation. The summary of those principles are as follows (ACPO, 2013);

Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may be later presented in the court.

Principle 2: A person must be competent enough in handling the original data held on a computer or storage media if it is necessary, and he/she also shall be able to give the evidence explaining the relevance and course of their actions.

Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: A person who is responsible for the investigation must have overall responsibility for accounting that the law and the ACPO principles are adhered to.

Computer investigation model

According to Kruse II, W.G., and Heiser, J.G. (2010), a computer investigation is to identify the evidences, preserve those evidences, extract them, document each and every process, and validate those evidences and to analyse them to find the root cause and by which to provide the recommendations or solutions.

"Computer Forensics is a new field and there is less standardization and consistency across the courts and industry" (US-CERT, 2012). Each computer forensic model is focused on a particular area such as law enforcement or electronic evidence discovery. There is no single digital forensic investigation model that has been universally accepted. However, it was generally accepted that the digital forensic model framework must be flexible, so that it can support any type of incidents and new technologies (Adam, R., 2012).

Kent, K., et.al, (2006) developed a basic digital forensic investigation model called the Four Step Forensics Process (FSFP) with the idea of Venter (2006) that digital forensics investigation can be conducted by even non-technical persons. This model gives more flexibility than any other model so that an organization can adopt the most suitable model based on the situations that occurred. These are the reasons we chose this model for this investigation. FSFP contains the following four basic processes, as shown in the figure:

Figure 1: FSFP Forensic Investigation Model

Source: Kent, K., et.al, (2006)

The "Preserve and Document Evidence" arrow mark indicates that we must preserve and document the all evidences during the course of investigation, as this can be submitted to the court as evidences in some cases. We will discuss each and every process or stage of the FSFP investigation model in following sections.

Scope of investigation

The scopes of the forensic investigations for this case are as follows:

  • To identify the malicious activities with respect to 5Ws (Why, When, Where, What, Who)
  • To identify the security lapse in their network
  • To find out the impact if the network system was compromised
  • To identify the legal procedures, if needed
  • To provide the remedial action in order to harden the system

Legal challenges of investigation

According to Nelson, B., et al., (2008), legal challenges before we start our forensic investigation are as follows:

  • Determining whether law enforcement assistance is needed, and if so then they may be available for assistance during the investigation, or else we have to submit the investigation report to them at the end of the investigation
  • Obtaining written permission to conduct the forensic investigation, unless another incident response authorization procedure is present
  • Discussing with the legal advisors to identify the potential issues which can be raised during the improper handling of the investigations
  • Ensuring the clients' confidential and privacy issues are accounted

Initial preparation

It is obvious that before starting the investigation, we need to have a preparation in order to conduct the investigation efficiently. This is considered a proactive measure of investigation (Murray, 2012). The following steps need to be taken in the preparation stage:

  • Gathering all available information from the assessing the incident, such as severity of the incident.
  • Identifying the impact of the investigation on the SME business, such as network down time, duration of recovery from the incident, loss of revenue, and loss of confidential information.
  • Obtaining information of the networks, network devices such as router, switches, hub, etc., network topology documentation, computers, servers, firewall and network diagram.
  • Identifying the external storage devices such as pen drive, flash drive, external hard disk, CD, DVD, memory cards and remote computer.
  • Identifying the forensic tools which can be used in this investigation.
  • Capturing live network traffic in case the suspicious activities are still running with 'netmon' tools.
  • Documenting all the activities during the investigation which may be used in court to verify the course of action that was followed in the investigation.
  • Imaging the target devices' hard drive and hashing them with MD5 for data integrity.

Collection

"The collection phase is the first phase of this process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data" (CJCSM 6510.01B, 2012). There are two different types of data that can be collected in a computer forensics investigation. They are volatile data and non-volatile data (persistent data). Volatile data is data that exists when the system is on and erased when powered off, e.g. Random Access Memory (RAM), registry and caches. Non-volatile data is data that exists on a system when the power is on or off, e.g. documents in HD. Since volatile data is short-lived, a computer forensic investigator must know the best way to capture it. Evidence can be collected locally or remotely.

Volatile data

The following figure shows how to capture the volatile data. The forensic workstation must be located in same LAN where the target machine, in this case the Windows NT Server, is located. 'Cryptcat' tools can be used in the forensic workstation to listen to the port of the Windows NT server. Create the trusted toolset optical drive in the Windows NT server and open the trusted console cmd.exe and use the following command:

cryptcat <ip address> 6543 -k key

To capture the data at the forensic workstation, we use the following command:

cryptcat -l -p 6543 -k key >> <file name>

Figure 2: Volatile data collection setup

Source: Reino, A., (2012)

The following table shows the Graphic User Interface tools, and their usage and outcome can be used in the computer forensic investigation.

Table 1: Volatile Data Forensic Tools and their usage and outcome

Source: Reino, A., (2012)

We also use various Windows-based tools to capture the volatile data as follows:

HBGray's FastDump - Local Physical memory acquisition.

HBGray's F-Response - Remote physical memory acquisition

ipconfig - Collecting subject system details.

netusers and qusers - Identifying logged-in users

doskey/history - Collecting command history

netfile - Identifying the services and drivers

Finally, collecting the clipboard content is also very important in a computer forensic investigation. More evidence can be found from a machine which is still running, so if the anomalies are still there in the SME, then we can retrieve a lot of important evidence from the running processes, network connection and the data that is stored in the memory. There is a lot of evidence when the machine is in the volatile state, and so it must be ensured that the affected computers are not shut down in order to collect such evidences.

Non-volatile data

Once the volatile data have been captured, then we will look into the non-volatile data. The first step in non-volatile data collection is to copy the content of entire target system. This is also called "forensic imaging". Imaging helps to preserve the original data as evidence without any malfunction or changes in data which occurs during the forensic investigation. Forensic imaging will be created by forensic tools such as EnCase, ProDiscover and FTK. A forensic investigator uses a write blocker to connect to the target system and copy the entire contents of the target drive to another storage device by using any of those forensic tools. Hard drive cloning is nothing but to make a duplicate of the entire system. The difference between forensic imaging and hard drive cloning is that forensic imaging can't be accessed without forensic tools, but hard drive cloning can easily be accessed with a mount drive. Hard drive cloning contains only a raw image, and every bit will be copied, and no other extra content will be added. Forensic imaging contains metadata ie., hashes and timestamps and it compresses all the empty blocks. Forensic imaging will hash with MD5 or SHA-2 to ensure the integrity of digital evidence (Nelson, B., et al., 2008).

Data collection can be done in offline investigation and online investigation. Forensic imaging can be done with offline investigation. Live network traffic can be done with online investigation by using ethereal or Wireshark tools. Firewall logs, antivirus logs, and domain controller logs will be collected for the investigation under the non-volatile data collection. We will also collect the Web server logs, Windows event logs, database logs, IDS logs and application logs. Once we collect all the digital evidences, they must be documented in the chain of the custody log documentation. Chain of the custody log documentation is to maintain the integrity of the evidence from start to end of the investigation until this investigation report will be presented (Nelson, B., et al., 2008).

Before carrying out any further processes, we need to image the disk bit by bit, which will access the entire volume and copy the original media, including the deleted files. After the disk is imaged, we should hash everything which will make sure that the data is authentic and the integrity of the data will be maintained throughout the investigation. The hash values must be recorded in multiple locations and we must ensure that we do not make any changes to the data from the time of collection of the data till the end of the investigation. Most tools help in achieving this by accessing the media in a read-only state (SANS, 2010). Target System Hard drives, External Storage devices, and the Windows NT Server Hard drive must be acquired for the digital forensic investigation in this case.

Examination

Once we have gathered all the available evidences, we need to conduct the examination by the help of various computer forensic investigation tools. We also examine the file system, Windows registry, Network and Database forensic examination, as follows:

Files system examination

NTFS is the New Technology File System and NTFS Disk is a file. MFT is the Master File Table which contains information about all files and disks, and it is also the first file in NTFS. The records in the MFT are also called metadata. Metadata is data about data (Nelson, B., et. al., 2008). Files can be stored in MFT in two ways: resident and non-resident. A file which is less than 512 bytes can be accommodated in MFT as resident files and a file which is more than 512 bytes can be stored outside the MFT as non-resident files. When a file is deleted in Windows NT, the file will be renamed by OS and moved it to Recycle bin with a unique identity. OS stores information about the original path and original file name in info2 file. But if a file is deleted from the Recycle bin, then associated clusters are marked as available for new data. NTFS is more efficient than FAT, as it is faster in reclaiming its deleted space. NTFS disks are a data stream, which means they can be appended into another existing file. A data stream file can be stored as follows:

C:echo text_mess > file1.txt:file2.txt

This file can be retrieved by the following command:

C:more < file1.txt:file2.txt

W2K.Stream and Win2K.Team are viruses which were developed by using a data stream, and they were developed with the intention of altering the original data stream. As an investigator, we must be aware of the Windows file systems FAT and NTFS in depth (Nelson, B., et. al., 2008).

Windows registry examination

According to (Carvey, H., 2005) a registry can be treated as a log file because it contains data that can be retrieved by a forensic investigator the associate key values are called the "Lastwrite" time, which is stored as a FILETIME and considered to be the last modification time of a file. With files it is often difficult to get a precise date and time of file modification, but the Lastwrite shows when the registry was last modified. Fantastic will review some certain steps (Carvey, H., 2005) which are listed below to analyze the windows registry of the organization to ensure the problem within and outside the organization are known and being solved to protect and maintain the company reputation.

Windows registry is an order of databases in a computer used by Microsoft in Windows 98, Windows CE, Windows NT and Windows 2000 to store a user or user application and hardware devices configuration, which is used as a reference point during execution of a program or processes (Windows, 2013). The common structure of the windows registry is divided into "Hives" which are:

  • HKEY_CLASSES_ROOT: ensures that required programs are being executed.
  • HKEY_CURRENT_USER: contains general information of a user that is currently logged into the system.
  • HKEY_LOCAL_MACHINE: contains information about hardware, drives etc. of a system.
  • HKEY_USERS: contains all information of users on a particular system.
  • HKEY_CURRENT_CONFIG: stores information about the present configuration of the system.

The Windows registry consists of volatile and non-volatile information. This means an investigator must at least be familiar with each meaning and functionality of the hives, keys, data and values of a Window registry before undergoing any forensic investigation of a computer to obtain a successful forensic investigation report.

Autostart Location: is a location in the registry where the applications are set to be launched without a user initiation. With this functionality a malware that affects Luton SME can persistently run when the machine is turned on without a direct user interaction because it was already programed to autostart itself or when a user runs some specific commands or processes.

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionImage File Execution Option is a Windows registry in which an attacker can use the key for redirection of an application original copy to its trojaned copy (Carvey, H., 2005). Luton SME might be under this attack: a redirect of the customer payment page to an illegitimate one.

A forensics investigator can examine the autostart location to determine if the Luton SME problem results from an action performed by a user, a malware or by an attacker on the organization. According to (Carvey, H., 2005) the reliable way to access the autolocation is using AutoRuns tools from SysInternals.com which can provide listing of autostart locations.

User Activity: action and activities of a user can be investigated in the HKEY_CUREENT_USER hive which is created from HKEY_USERSID hive. User information is mapped to the HKEY_CURRENT_USER. The NTUSER.DAT holds information about registry specification settings of a user. Examination of this hive will give a forensic investigator a good clue of activities and actions taken by a user.

Most Recent Used (MRU) List: MRU holds recent specific action taken by a user and keeps track of activities for future reference. For example, HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU maintains an executed list of commands run by a user. Each executed command in the run box will add a key value entry to the hive, as shown below:

Figure3: Contents of the ExplorerRunMRU key.

Source: Carvey, H., (2005)

A forensic investigator can study this hive to source the lastwrite time of each command from the MRU list as shown above. With this, the SME Luton investigator will be able to analyze from the registry if it was user activity, a malware action or an attack that is affecting the organization.

UserAssist: according to (Carvey, H., 2005) UserAssist which is found under the hives HKEY_CURRENT_USERSoftwareMcirosoftWindowsCurrentVersionExplorerUserAssist consists of two keys that commonly look like globally unique identifiers that keep encrypted records of each object, application, etc. a user has accessed on the system. If an investigator has accessed the encrypted record, which is no longer definitive, it might indicate some action the user did to trigger the Malware through an application or any activity he might have done.

USB removable Storage: according to Farmer, College and Vermont (2008) all devices connected to the system are being maintained in a computer registry under the following key HKEY_LOCAL_MACHINESystemControlSet00xEnumUSBSTOR. The figure below shows an example of drive IDs of a USB thumb drive:

Figure4: Example contents of USBSTOR key, showing device instance IDs.

Source: Carvey, H., (2005)

Using the hives of the mounted drive, an investigator will have a clue when he/she analyzes the device ID content maintained in the registry to know which device was being mounted on the Luton SME organization. With persistent examination of each value key, an investigator can identify removable USB storage devices and map them to the parentidprefix.

Wireless SSIDs: According to (Carvey, H., 2005) SSIDs of wireless networks used on a computer can be found under HKEY_LOCAL_MACHINESoftwaremicrosoftWZCSVCParametersInterface. When navigating to key values, they contain subkeys which look like globally unique identifiers, which when opened, an investigator can navigate to the ActiveSettings which reveals each wireless SSID in the form of a binary data type. When right-clicked to modify, it reveals the SSIDs in plain written format. Though IP address and other network information can be found under HKEY_LOCAL_MACHINESystemCurrentControlSetServicesTCPIPInterfacesGUID, an investigator can use this information to tie a user in the Luton SME organization to a particular timeframe if the person's IP address appears to be discovered under the above Window registry.

Windows registry can also be a vital source of proof in a forensic investigation if the investigator knows where to get available data that can be well presentable to the Luton SME organization. Fantastic has tried to analyze some of the basic Windows registry that might have caused the redirection of its Web page, tracked user activity and all necessary programs a user had executed, devices used on the server or any of the organization's computers, and also revealed the IP address of users.

Network forensics examination

The acquiring, collecting and analyzing of the events that take place in the network is referred to as network forensics. Sometimes it's also known as packet forensics or packet mining. The basic objective of network forensics is the same, which is to collect information about the packets in the network traffic such as the mails, the queries, the browsing of the web content, etc., and keep this information at one source and carry out further inspection (WildPackets, 2010).

Network forensics can be applied in two main ways. The first one is security-related, where a network is monitored for suspicious traffic and any kind of intrusions. It is possible for the attacker to delete all the log files from an infected host, so in this situation the network-based evidence comes to play in the forensics analysis. The second application of network forensics is related to the law enforcement, where the network traffic that has been captured could be worked on to collecting the files that have been transferred through the network, keyword search and analysis of human communication which was done through e-mails or other similar sessions. (Hunt, 2012)

Tools and techniques of network forensics

We can perform any operation with a forensically sound bootable DVD/CD-ROM, USB Flash drive or even a floppy disk. First, we need to dump the memory, and this is preferred to be done with a USB Flash drive with enough size. We must also undertake a risk assessment when we are about to collect volatile data to evaluate if it's safe and relevant to collect such live data, which can be very useful in an investigation. We should use forensics toolkits throughout the process, as this will help meet the requirements of a forensics investigation. These tools should be trusted, and it can be acquired from among the freely distributed ones to the commercial ones. (7safe, 2013)

Some very important and discreet information should be collected from a running machine, with the help of trusted tools such as:

  • Process listings
  • Service listings
  • System information
  • Logged on and registered users
  • Network connections
  • Registry information
  • Binary dump of memory
(7safe, 2013)

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

There are many different kinds of network forensics tools, each with different functions. Some are just packet sniffers and others deal with identification, fingerprinting, location, mapping, email communications, web services, etc. The table below lists some of the open-source tools that can be used for network forensics and their functionalities. (Hunt, 2012)

Tool Platform Web Site Attributes

TCPDumpWindump Unix & Windows www.tcpdump.org F

NetStumbler Windows www.netstumbler.com F

Wireshark Unix & Windows www.wireshark.org F

Sleuth Kit Unix www.sleuthkit.org F R C

Argus Unix www.qosient.com/argus F L

SNORT Windows /Unix www.snort.org F

F: Filter & collect; L: Log analysis; R: Reassembly of data stream; C: Correlation of data; A: Application Layer view

Table 2: Network Forensic Tools

Source: (Hunt, 2012)

Database forensics examination

A database is a collection of data or information which is represented in the form of files or a collection of files. Retrieving the data from the database can be done with a set of queries. Database forensics can be defined as the application of computer investigation and the analysis techniques to gather the evidences from the database to present them in a court of law. A forensic investigation needs to be done on the databases, because a database has sensitive data where there is a high chance of a security breach by the intruders to get this personal information.

In the case study it is mentioned that a large amount of data is being sent out of the database, so now the task of the Fantastic team is to perform a forensic investigation on the database with the help of forensic tools. Database forensics focuses on the identification, preservation and analysis of data. According to Khanuja, H.K., and Adane, D.S., (2011), to access the database the users need to get permissions like authorization and authentication from the database servers. Once the authorization is done, only the user can access the data and if intended he/she can alter the data. Now if we check the audit logs of the database, we can get a list of the users who got permissions to access the data. The team needs to look up in the database for the IP addresses which are remotely connected, because there are chances of altering the data by the authorized user or unauthorized user.

According to Dave, P., (2013), with the help of the investigation we can retrace the operations of the DDL (Data Definition Language), which are used to define the database structure, and DML (Data Manipulation Language), which are used for managing the data within the database and can identify if there are any pre and post transactions happened in the database. This investigation can also help us to know if there are any data rows that are deleted by the user intentionally, and is able to recover them, and it also helps us to prove or disprove that a data security breach has occurred within the database, and it helps us in determining the scope of the intrusion of database. Windows forensic tool v1.0.03 is used with a customized configuration file which will execute DMV (Distributed Management Views) and DBCC (Database Consistency Checker) commands to gather the data which is sufficient to prove or disapprove the intrusion as stated earlier (Fowler, K., 2007).

Analysis

Initially we need to analyze the evidences which we gathered and examined. We will look into the data to see whether any hidden files or unusual files are presented or not. Then if there is any unusual process running and if there are any sockets opened unusually. We will also look if any application requests occurred unusually. Then we will check the account, whether any unusual account is presented or not. We will also find the patching level system, whether it is been updated or not. By the outcome of those analyses, we will come to know whether any malicious activities are presented or not. Then we will develop a further strategy for the forensic investigation, such as complete analysis of memory, complete analysis of file systems, event correlation, and timeline analysis (Nelson, B., et. al., 2008). According to this case study, there are malicious activities present in their network system and it is also been confirmed by our initial analysis. In order to find the malicious code capabilities and its aim, we have to do the malware executable analysis. The malware executable analysis can be divided into Static Analysis and Behavioural Analysis.

Malware analysis

According to the report of the Verizon "2012 Data Breach Investigations Report", 99% of the vulnerabilities have led to the data being compromised for a few days or less, while 85% took several weeks to investigate. This is a serious challenge for the security departments, as attackers get a lot of time to work in a compromised environment. More "free time" leads to more stolen data and more serious damage. This is mainly due to the fact that current security measures are not intended to deal with more complex threats (2012 Data Breach Investigations Report, Verizon, 2012).

The point when performing a malware crime scene investigation: certain parts of a Windows PC are well on the way to hold data identifying with the malware installation and utilization. Legal examinations of the traded off frameworks incorporated an audit of record hash values, signature confuses, packed files, collision logs, System Restore points, and the pagefile. A worldly investigation of the File Systems and Event Logs may be directed to distinguish exercises around the time the malware was animated on the system. Advanced specialists additionally may as well review the Registry for unordinary entrances such as in Autostart areas, and adjustments around the time of the malware installation. Keyword hunts may be performed to discover references to malware and associations with other bargained hosts. Normal attack vectors are recognized, incorporating email attachments, Web browsing history, and unauthorized logons.

According to Syngress "Malware Forensics – Investigating and Analyzing Malicious Code, 2003" there should be done an investigation based on the following:

  • Search for Known Malware
  • Review Installed Programs
  • Examine Prefetch
  • Inspect Executables
  • Review Auto-start
  • Review Scheduled Jobs
  • Examine Logs
  • Review User Accounts
  • Examine File System
  • Examine Registry
  • Restore Points
  • Keyword Searching

Before starting the malware analysis, we need to create the malware analysis environment such as VMware and Norton Ghost. VMware is virtual based malware analysis environment and Norton Ghost is dedicated malware analysis environment.

Static analysis

Static analysis is the type of malware analysis which is used to conduct the analysis without running the malware programming. Static analysis is better than Dynamic analysis in terms of safe analysis. Since the malware program is not running, there is no fear of deleting or changing the files. It is always best to do the static malware analysis in a different operating system, where the malware is not designed to run or impact. Because an investigator can accidently double click the malware program to run, and it will affect the system. There are so many ways to do the static analysis such as File Fingerprinting, Virus Scanning, Packer Detection, Strings, Inside the FE File Format and Disassembly (Kendall, K., 2007).

Dynamic analysis

Dynamic Analysis is the type of malware analysis where malware code runs and observes its behaviour. It is also called Behaviour Malware Analysis. Dynamic Analysis is not safe to conduct unless we are ready to sacrifice the malware analysis environment. We can analyze the malware by simply monitoring the behaviour of the malware functions. There are many tools to conduct the dynamic malware analysis, but Process Monitor from SysInternals and Wireshark are the most used and freeware tools (Kendall, K., 2007).

According to Kendall, K., (2007), in almost all malware cases, a simple static and dynamic malware analysis will find all the answers which will be required by the malware investigators for the particular malware code.

Findings

After our investigation, we summarize our findings as follows:

  • Identified the attacker's persistent remote access to the company's computers.
  • The forensic analysis identified that the systems had been compromised.
  • OS patches were not installed in some systems.
  • Suspected malware was found in compromised system.
  • Identification of that malware and its functionality & aim of malware led us conclude that it is 'spamming' malware.
  • Determined the attackers had access to the client's systems using the malware by supplying in appropriate website link for payment gateway

Remedial actions

There were considered above the most common ways of malicious software into the network. From the foregoing, it is possible to make two important conclusions:

  • Most of the described methods are somehow related to the human factor, therefore, training of employees and periodic training on security will enhance the network security;
  • Frequent cases of hacking legitimate sites lead to the fact that even a competent user can infect his computer. Therefore, we come to the fore classical measures of protection: antivirus software, the timely installation of last updates, and monitoring the Internet traffic.

According to Shiner, D.L.D., and Cross, M., (2002), there are major countermeasures to protect against malware:

  • Authentication and password protection
  • Antivirus software
  • Firewalls (hardware or software)
  • DMZ (demilitarized zone)
  • IDS (Intrusion Detection System)
  • Packet filters
  • Routers and switches
  • Proxy servers
  • VPN (Virtual Private Networks)
  • Logging and audit
  • Access control time
  • Proprietary software/hardware is not available in the public domain

In our case, the most useful are the following:

  • Firewall
  • Logging and Audit

Firewall checks all Web pages entering to the user's computer. Each Web page is intercepted and analyzed by the firewall for malicious code. If a Web page accessed by the user contains malicious code, access to it is blocked. At the same time, it displays a notification that the requested page is infected. If the Web page does not contain malicious code, it immediately becomes available to the user.

By logging, we meant collecting and storing information about events that occur in the information system. For example, who and when tried to log on to the system and how this attempt ended, who and what information resources were used, what and who modified information resources, and many others.

Audit is an analysis of the accumulated data, conducted promptly, almost in real time (Shiner, D.L.D., and Cross, M., 2002). Implementation of logging and audit has the following main objectives:

  • Accountability of users and administrators;
  • Providing opportunities for reconstruction of events;
  • Detection attempts violations of information security;
  • Providing information to identify and analyze problems.

Security policies

The fullest criteria for evaluating organizational level security mechanisms are presented in the international standard ISO 17799: Code of Practice for Information Security Management, adopted in 2000. ISO 17799 is the international version of the British Standard BS 7799. ISO 17799 contains practical rules for information security management and can be used as criteria for assessing the organizational level security mechanisms, including administrative, procedural and physical security measures (ISO/IEC 17799:2005).

Practical rules are divided into the following sections:

  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance

These sections describe the organizational level security mechanisms currently implemented in government and commercial organizations worldwide (ISO1799, 2005).

Several questions arise after considering the above need for some combination of business requirements for the Internet. What software and hardware and organizational measures must be implemented to meet the needs of the organization? What is the risk? What should be the ethical standards for the organization to carry out their tasks with the help of the Internet? Who should be responsible for that? The basis of the answers to these questions is a conceptual security policy for the organization (Swanson, M., 2001).

The next section contains fragments of hypothetical security policies of safe work in the Internet. These fragments were designed based on the analysis of the major types of safety equipment.

Security policies can be divided into two categories: technical policy implemented using hardware and software, and administrative policy, performed by the people using the system and the people running it (Swanson, M., 2001).

Common Security Policy for an Organisation:

  • Any information system must have a security policy
  • The security policy must be approved by the management of the organization
  • The security policy should reach out to all employees in a simple and understandable form
  • The security policy should include:
    • Definition of information security, its main objectives and its scope as well as its importance as a mechanism, which allows collectively use the information
    • The position of leadership on the purposes and principles of information security
    • Identify general and specific responsibilities for providing information security
    • Links to documents related to security policies, such as detailed safety guidelines or rules for users
  • The security policy must satisfy certain requirements:
    • Correspond to national and international legislation
    • Contain provisions for training personnel on security issues
    • Include instructions of detection and prevention of malicious software
    • Define the consequences of violations of the security policy
    • Consider business continuity requirements
  • There must be defined a person who is responsible for the procedure of reviewing and updating the provisions of the security policy
  • Revision of the security policy must be carried out as a result of the following cases:
    • Changes in the organizational infrastructure of the organization
    • Changes in the technical infrastructure of the organization
  • Subject to regular review of security policy are the following characteristics:
    • The cost and impact of countermeasures on the organization's performance(ISO/IEC 17799:2005)

Reporting

A forensic report highlights the evidences in the court and it also helps for gathering more evidences and can be used in court hearings. The report must contain the investigation's scope. A computer forensic investigator must be aware of the type of computer forensic reporting such as formal report, written report, verbal report and examination plan. A formal report contains the facts from the investigation findings. A written report is like a declaration or an affidavit which can be sworn to under oath so that it must be clear, precise and detailed. A verbal report is less structured and is a preliminary report that addresses the areas of investigation not covered yet. An examination plan is a structured document that helps the investigator to understand the questions to be expected when he/she is justifying the evidences. An examination plan also helps the attorney to understand the terms and functions which were used in computer forensic investigation (Nelson, B., et al., 2008). Generally a computer forensic report contains the following functions:

  • Purpose of the Report
  • Author of the Report
  • Incident Summary
  • Evidence
  • Analysis
  • Conclusions
  • Supporting Documents

There are many forensic tools to generate the forensic investigation report such as ProDiscover, FTK and EnCase (Nelson, B., et al., 2008).

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Conclusions

This report contains how to conduct the Computer Forensic Investigation and Malware Investigation in various methods and using various tools. This report also contains the ACPO's four principal and IS017799 security policy procedures which must be implemented in every organization to improve the security network architecture. It also analysed the First Four Step Forensic Investigation model and why we chose this model to conduct the forensic investigation for this case. It also has important preparation steps before starting the investigation. Then this report has an analysis part where we analysed the data which we gathered by various methods to yield the findings. This report also has the recommendations to avoid the security breach in future.

Digital forensic investigation is a challenging process, because every incident differs from other incidents. A computer forensic investigator must be competent enough in Technical and Legal to conduct the investigation. Since the evidence which is provided by a computer forensic investigator can be an important part the case, the investigation report must be precise and in detail.

Sources

Chintan Gurjar
Chintan Gurjar

Chintan Gurjar is a System Security Analyst and researcher from London working in Lucideus Tech Pvt Ltd. He has written articles for Europe based magazine namely “Hakin9”, "PentestMag" and India based magazine “Hacker5”. He has done a valuable research in cryptography overhead mechanism. Chintan Gurjar has completed B.Tech in computer science from India and currently pursuing his post graduate degree in computer security & forensics from London (UK). During his academics, he has submitted a small scale research paper on Cryptography Overhead Mechanism in IPsec Protocol. He has also submitted Network Security Auditing and Network services administration and management report. He is very keen to spread cyber awareness world wide. In future he would like to work for his Country’s government in a forensics investigation field.