Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Craig Carpenter
Craig Carpenter
Connect Directly
E-Mail vvv

Why Digital Forensics In Incident Response Matters More Now

By understanding what happened, when, how, and why, security teams can prevent similar breaches from occurring in the future.

In the 1991 movie Backdraft, Robert De Niro plays the part of Donald ‘Shadow’ Rimgale, a fire department detective investigating a series of arsons in Chicago. As a former firefighter himself, De Niro’s character works closely with firefighters to piece together events based on the available evidence, both physical and circumstantial, and relies on his years of experience as both a firefighter and arson investigator.

Today’s practice of incident response (IR) is very similar to De Niro’s Backdraft character: equal parts firefighter (containing and remediating a breach as quickly as possible while minimizing damage) and investigator (figuring out what exactly happened, how, from where, and why). Security analysts must first and foremost get things under control, stopping harmful or unauthorized activity as soon as it is discovered. But while a fact-based understanding of exactly what happened is important, without a root cause analysis, similar breaches can and often do simply reoccur. And though threat vectors and tools (think keyboards, computer monitors, and sophisticated software instead of flames, hoses, and fire-retardant jackets) are very different -- the use cases for incident response and firefighting are actually quite similar.

Physical vs. digital forensics
Modern forensics is generally practiced in two places: law enforcement and corporate security/IT departments. While physical forensics (fingerprints, bullet trajectories, DNA testing, etc.) is often relevant with law enforcement, it is typically not a major factor in corporate security departments. However, its virtual sibling digital forensics is incredibly important to both constituencies.

With law enforcement, digital forensics has become more commonplace as more crime moves online, and increasingly relevant even with “offline crime” to help corroborate physical evidence and support key elements of a prosecution, like a criminal’s intent, location, or state of mind. Being able to definitively prove that someone did (or failed to do) something is the key goal, with process integrity (e.g. chain of custody) paramount.

In corporate security departments, digital forensics seeks to answer somewhat different questions than where did the malware come and how did it get here. What’s more relevant is determining where the bad guys went, what they did, and what they took after they hacked into the network in the first place. The goal is to understand details of what happened -- when, how, and why -- to prevent a similar intrusion in the future. (The “who” question is typically less important beyond identifying what type of actor/activity was likely involved, e.g. eastern European crime syndicate vs. state-sponsored espionage.)

Endpoint challenges
But whether talking about digital forensics conducted by law enforcement or a corporate security department, the simple fact is that forensics is difficult -- especially at the endpoint. Challenges in either case include accessibility of systems and data on them (e.g. cellphones), latency when pulling data from a system remotely, erroneously tipping off a user that their system is being accessed, myriad formats and devices, languages, and synthesizing data from multiple sources -- to name just a few. This is where corporate security departments enjoy the benefits of decades of laborious work by law enforcement and vendors that supply them with tools: no matter how challenging a scenario may be, law enforcement has seen and handled it before, often with a higher degree of difficulty.

The criticality of rock-solid forensic tool sets becomes even more important when looking at the velocity, volume, and variety of data corporate security departments must sift through on a daily basis. Most large security teams see thousands or tens of thousands of alerts every day. Whether proactively hunting for threats on endpoints, validating alerts from a next-gen firewall, integrating threat intelligence, or correlating log data, network traffic, and endpoint artifacts in a SIEM, forensics is everywhere in today’s IR.

You don’t have to be a fan of Robert De Niro movies to understand how important forensics is to arson investigations... and IR. Just like De Niro’s character in Backdraft, today’s IR practitioner must rely on proven forensics tools in order to nab the bad guy.

Craig joined AccessData as Chief Marketing Officer in 2013. With the company split in November 2014, he was promoted to President and COO of the newly formed cybersecurity company, Resolution1 Security. Prior to joining AccessData, Craig was VP of Marketing and Business ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
12/29/2014 | 9:02:03 AM
Re: Why Digital Forensics In Incident Response Matter More Now
While I agree that proven forensic tools are essential, we cannot rely on technology to catch the bad guy.  Let's not forget that in order to make these forensic tools work, knowledgeable people and established processes are equally important.
User Rank: Apprentice
12/28/2014 | 11:54:46 PM
Re: Knowledge base for attacks
DrT, that is a great point about building a "knowledge base" of past attacks. It's a lesson perhaps transferable from other catastrophe types, like say hurricanes. Experts there study past hurricanes, not that one is replicable --- but more to learn how wind speeds and wave heights affect businesses, communities, etc. in the hopes of applying relatable lessons when the next hurricane comes. Agree it's similar?
User Rank: Ninja
12/26/2014 | 9:35:32 AM
Re: Being Pro-active with Forensics
I agree on the IP address also. IP address can easily be spoofed, neither source nor destination IPs are reliable. Not even MAC address can really be used to identify the source of a message.
User Rank: Ninja
12/26/2014 | 9:33:53 AM
Re: Being Pro-active with Forensics
Agree, being proactive and doing the require work and analyzing the treats. It needs to be taken to next level and removing vulnerabilities in the environment
User Rank: Ninja
12/26/2014 | 9:21:52 AM
Knowledge base for attacks

I agree there has to be a knowledge base built for the attacks in the enterprise. This would not only help to understand and prevent from similar types of attacks but also it would give us an idea of the trend around where are being exploited and what our vulnerabilities are. The enterprise can not really continue to fight with attacks that would be very expensive in the long run, we need to understand our vulnerabilities and close them before they are being exploited.
User Rank: Author
12/24/2014 | 1:11:55 PM
Being Pro-active with Forensics
The more I learn about the forensics work we do at RiskIQ, the more I see the value. In our case, our forensics team uses data collected from our detection technology, which scans large sections of the publich web. Our forensics teams analyze threats as they appear online. The benefit being that a potentially innocous looking infection may be tied to a more expansive and sophisticated attack infrastructure.

The reality is that many prominent threat actors share resources and just because one attack may appear to have originated from IPs tied to prior attacks, does not mean that infrastructure is owned by the same group. It could be infrastructure rented out for multiple uses. It helps us understand what our customers might be up against. 
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...
PUBLISHED: 2019-05-22
A CWE-200: Information Exposure vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause the disclosure of SNMP information when reading memory blocks from the controller over Modbus.
PUBLISHED: 2019-05-22
A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause denial of service when reading invalid physical memory blocks in the controller over Modbus
PUBLISHED: 2019-05-22
A CWE-248 Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a denial of Service when sending invalid debug parameters to the controller over Modbus.