When a client’s information technology (IT) team identifies a potential security incident, their remediation activities can have unintentional destructive effects on evidence necessary to complete a forensic investigation. The most common actions include restoring from backups and wiping infected systems without saving a snapshot or image, and failing to preserve logging data that may only be retained for a limited time period. IT teams, whether they are internal employees or an outsourced managed service provider (MSP), have a primary goal of maintaining the client’s technology and keeping the business running. Without proper direction, evidence collection may not be a priority, and it can impede or delay the recovery process.
As data privacy attorneys, you are consulted at the early stages of an event, often before a forensics or incident response team is involved. This puts you in a position to convey to the client and their IT team the importance of data preservation for a potential forensic investigation. In cases involving zero-day threats and/or highly complex attacks by nation-state threat actors, such as the SolarWinds supply chain attack or the Hafnium attacks on Exchange servers, the full extent of an event may not be known for months after the initial discovery. It is better to preserve the evidence and not need it than to launch a forensic investigation with no evidence to review. Most of the time, these evidence preservation activities can be accomplished without slowing down the recovery process.
Forensic investigators are frequently brought into a chaotic situation where a client’s network was just compromised or is actively under attack. Initial efforts focus on securing the network from further damage or ongoing unauthorized access. This involves the isolation of infected systems from the network, securing the firewall and resetting passwords. While these actions take immediate priority, evidence preservation must also be at the forefront of everyone’s minds.
Log review is often the starting point for forensic investigators, as it helps identify the method of access to the network, which user accounts were potentially compromised, evidence of command and control activity and any evidence of data exfiltration, such as large data transfers to suspicious external IP addresses. Logs are always at risk of being overwritten and must be immediately preserved. Vital log data includes firewall logs, VPN logs, email logs, intrusion detection logs and endpoint detection logs. Forensic investigators can never have too many logs.
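One way an IT team can preserve logs immediately without holding up recovery is to copy them into an evidence folder and record a hash manifest, so that any later truncation or overwrite of the copies is detectable. The following is an added example, not code from the original article; the helper names (`preserve_logs`, `verify_manifest`, `demo`) and the sample log lines are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Illustrative helpers (assumed names, not a vendor tool): copy logs into an evidence
# folder and record a SHA-256 manifest so truncation or tampering is detectable later.

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_logs(sources, evidence_dir: Path) -> dict:
    """Copy each source log into evidence_dir as a read-only file and return the manifest."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original modification timestamp
        dst.chmod(0o444)        # read-only copy to discourage accidental edits
        manifest[dst.name] = {"sha256": sha256_file(dst), "bytes": dst.stat().st_size}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(evidence_dir: Path) -> list:
    """Return names of preserved files whose current hash no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [name for name, rec in manifest.items()
            if sha256_file(evidence_dir / name) != rec["sha256"]]

def demo() -> tuple:
    """Constructed sample: preserve two small logs, verify, then show a truncated copy is caught."""
    work = Path(tempfile.mkdtemp())
    fw, vpn = work / "firewall.log", work / "vpn.log"
    fw.write_text("2024-01-01T10:00:00Z DENY 10.0.0.5 -> 203.0.113.9:443\n")   # constructed
    vpn.write_text("2024-01-01T09:58:00Z LOGIN user=jdoe src=198.51.100.7\n")  # constructed
    manifest = preserve_logs([fw, vpn], work / "evidence")
    clean = verify_manifest(work / "evidence")          # expected: []
    copy = work / "evidence" / "vpn.log"
    copy.chmod(0o644)
    copy.write_text("")                                 # simulate truncation of the copy
    return manifest, clean, verify_manifest(work / "evidence")
```

The manifest should itself be stored separately from the evidence folder (or signed) so that the hashes are not overwritten alongside the copies.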
In the event of a potential network intrusion or malware infection, a forensic investigator will need to collect forensic artifacts (or obtain images) from infected or accessed systems. This often includes key servers such as domain controllers (DCs), terminal servers, file servers, web application servers and other systems that potentially contain sensitive information. Any systems that are identified as showing access from a live attacker should be preserved. If any endpoints or servers are believed to be the point of entry to the network (“patient zero”), then special care should be taken to preserve these systems. Most businesses today are running at least some of their servers as virtual machines, either in the cloud or on a physical host server. Taking snapshots of the virtual hard drives in an infected or compromised state preserves an instant forensic image for review. Generally, the operating system drives (C: drives) of these systems are going to contain the forensic evidence necessary for the investigation.
The operating systems of accessed servers and endpoints contain a variety of key artifacts that provide details about file system activity, file and folder access, program executions, remote connections and web browsing activity. Malicious files identified during the investigation can be analyzed to identify their capabilities and ensure containment. Common data exfiltration tools found on systems include FTP tools such as FileZilla or WinSCP, web-based file sharing tools such as Mega.nz or Dropbox, or remote access tools such as TeamViewer or AnyDesk. Intruders can also exfiltrate data directly to their command and control servers using tools such as Cobalt Strike (a commercial penetration testing tool).
When threat actors prepare to exfiltrate a large volume of data from a network, they will usually look to compress the data into archive files (such as .zip files). Part of the forensic analysis involves searching for data staging activity, including the creation of these archive files and access to programs capable of exfiltrating data. A complete set of artifacts allows investigators to create a timeline of access, including the intruder navigating to specific files and folders, data staging activity and the transfer from the network. Firewall logs can provide an additional confirmation of the volume of data removed. Darknet searches and communications with the threat actors can also help confirm what data may have been stolen.
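The staging timeline described above can be reconstructed mechanically once folder-access, file-creation and program-execution artifacts have been normalised into one event list. The following is an added example, not code from the original article; the event records, the `find_staging` helper and the size and time thresholds are constructed assumptions, and the transfer tools matched are the ones named on this page.

```python
from datetime import datetime, timedelta

# Constructed endpoint activity for illustration (not case data); assumed to have been
# normalised from OS artifacts such as folder-access, file-creation and program-execution records.
EVENTS = [
    {"ts": "2024-03-04T01:12:00", "type": "folder_access", "proc": "explorer.exe", "path": r"C:\Shares\Finance\2023"},
    {"ts": "2024-03-04T01:20:00", "type": "file_create", "proc": "7z.exe", "path": r"C:\Temp\f.zip", "bytes": 2_400_000_000},
    {"ts": "2024-03-04T01:25:00", "type": "exec", "proc": "WinSCP.exe", "path": r"C:\Program Files\WinSCP\WinSCP.exe"},
    {"ts": "2024-03-04T09:00:00", "type": "file_create", "proc": "outlook.exe", "path": r"C:\Users\svc\report.zip", "bytes": 800_000},
]

# Transfer tools named in the article; matched case-insensitively on process name.
TRANSFER_TOOLS = {"winscp.exe", "filezilla.exe", "teamviewer.exe", "anydesk.exe"}
ARCHIVE_EXT = (".zip", ".7z", ".rar")


def find_staging(events, min_bytes=500_000_000, window=timedelta(hours=2)):
    """Return one record per large archive created on the host, with the folders accessed in the
    `window` before it and any transfer tool executed in the `window` after it."""
    timeline = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events), key=lambda x: x[0])
    findings = []
    for ts, ev in timeline:
        if ev["type"] != "file_create" or ev.get("bytes", 0) < min_bytes:
            continue
        if not ev["path"].lower().endswith(ARCHIVE_EXT):
            continue
        before = [e["path"] for t, e in timeline
                  if e["type"] == "folder_access" and ts - window <= t < ts]
        after = [e["proc"] for t, e in timeline
                 if e["type"] == "exec" and e["proc"].lower() in TRANSFER_TOOLS and ts <= t <= ts + window]
        findings.append({"archive": ev["path"], "created_by": ev["proc"], "staged_at": ev["ts"],
                         "folders_accessed_before": before, "transfer_tools_after": after})
    return findings


if __name__ == "__main__":
    for finding in find_staging(EVENTS):
        print(finding)
```

In the constructed sample the small `report.zip` created by Outlook is ignored at the default threshold, while the large `f.zip` is tied to the Finance share accessed before it and the WinSCP execution after it; firewall logs would then be used to confirm the outbound volume.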
Only a limited percentage of information security incidents involve the exfiltration of data. Threat actors are usually focused on the deployment of their tools or malware, such as ransomware, to encrypt a network or using cryptocurrency miners to exploit system resources. They may also gain access to systems or email accounts in an attempt to redirect payments or wire transfers. Analysis of the accessed systems can often allow forensic investigators to determine the limits of the threat actors’ scope in accessing data, or even eliminate the possibility that sensitive data was accessed at all.
Prioritizing evidence preservation from the outset of the engagement and creating a game plan for the collection process helps to ensure that the necessary evidence will be available for review when needed. The client and IT team should be provided with the necessary tools and direction to preserve the data without delaying the recovery and remediation process. A full forensic investigation will provide a complete picture of how an event occurred and what data, if any, was potentially at risk. Visibility into the timeline of events can mean the difference between a finding of no access to information and a full data breach.