Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/12/2008
03:12 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Correlating Many Data Sources Is Often The Key

Being able to successfully perform incident response and digital forensics requires having the right tools and, more importantly, the right sources of information. I was assisting a client with a case recently that made this simple fact more apparent the more I dug into the monstrous amount of information they provided me.

Being able to successfully perform incident response and digital forensics requires having the right tools and, more importantly, the right sources of information. I was assisting a client with a case recently that made this simple fact more apparent the more I dug into the monstrous amount of information they provided me.This particular case required the review of logs from numerous systems, as well as the standard "dead" forensics in which the hard drive from the suspect's computer or compromised system is forensically copied while the system is off and which serves as the primary source of information.

During analysis of a dead hard drive, other information sources are typically used to lend credence to what is seen on the hard drive. Unfortunately, the copy of the hard drive is sometimes incomplete due to damage caused by the suspect or intruder, or by physical damage caused by hardware failure or mishandling by the first responders. This is where the additional sources of data can prove to be invaluable to help fill in the picture so investigators can truly understand what took place.

So what sources of data can be important to cracking a case? The obvious answer is that it depends on the case, but several sources can apply to just about any case. Interviewing key personnel, both users and sysadmins, is very important. Users can tell you what weird things they saw when their systems were acting up, and sysadmins can tell you whether they patched diligently and what security protections were in place. They can also point you to important system and network documentation (if they exists).

Logs, logs, and logs. I can't beat this drum enough. Logs are critical to investigations, but the sad truth is that many organizations simply don't pay any attention to them. Logs from network devices (firewall, IDS, switches, routers, etc.), operating systems, applications, and even printers can be very important to providing clues to what happened. Can you imagine the credibility your findings will have if you can correlate traffic from the firewall showing that a particular service was accessed at the same time logging for that service failed and antivirus began detecting malware on the local file system?

I could go on and on about different data sources (like the cell phone in this case), but what I try to get across to people when we discuss this is that being overwhelmed with too much information during an investigation is most often a good thing. It can seem daunting at first when trying to get to some initial answers to appease management because they always want to know immediately what happened, but in the long run your investigation will be much more solid and defensible when you can take those different sources and correlate them to get the full picture of who, what, when, and why.

John H. Sawyer is a Senior Security Engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.