Forensics expert looking for files on a computer.

Digital Forensics – A Guide

Ever wondered how a digital forensics team operates? How do the experts find those incriminating files or suspicious activity only using a person’s data? Here’s a breakdown of how the digital forensics process works, giving you an idea of how your own case could play out:

Continue reading

Forensics expert looking for files on a computer

3 Common Digital Forensic Myths

To many, digital forensics seems like magic as they are unable to understand how experts can pull vital data from devices like a rabbit out of a hat. With dramatized depictions of digital forensics, there have been various misconceptions regarding the industry. Several creative liberties are taken, which differ wildly from the reality of it all.

These are some of the most common myths related to digital forensics, which might be crucial to know about whether you’re considering a career in the field or want to hire digital forensic experts for your case:

Continue reading

The Lifecycle of Incident Forensics

Did anything highlight the need for companies to engage in crisis preparation as acutely as the ongoing coronavirus pandemic? We doubt. With many companies switching to a remote working model —something that’s here to stay– their incident forensics must be on point if they’re looking to adapt to this new normal. What does this mean? Addressing the new risks that come with it.

Your enterprise may truly be in crisis if it suffers from a major cybersecurity incident. Therefore, forward-thinking enterprises must be prepared in advance, and understanding the lifecycle of incident forensics is the best place to start.

1. Evidence of initial compromise

Maybe, an RDP brute force attacks a server, so you may explore the event logs to find some useful information, or the host may have been compromised during lateral movement using harvested credentials or PsExec. Maybe new APT crafts a spear-phishing email (perhaps, high-class) so you can browse recent documents that the users opened. Or maybe, it’s a drive-by download, which means the web-browsing activity of a user may offer you a fair bit of information.

2. Evidence of execution

Nowadays, it isn’t difficult to find one. For example, we have some new artifacts like Windows Timeline and BAM/DAM and some old ones like UserAssist and Prefetch files. Maybe, finding evidence of execution for malware isn’t the only thing you’re looking for—you want to get your hands on software that an adversary used, for instance, for data exfiltration, lateral movement, or reconnaissance.

3. Evidence of achieving persistence

Did you ever see MITRE Framework? If yes, you’ll know that there are innumerable persistence mechanisms that threat actors use. It may include anything from startup folders and run keys to WMI.

4. Evidence of lateral movement

In the majority of cases, adversaries complete the initial compromise and then move laterally through the network. Why? Because compromising the final target is almost impossible. For example, if a money-hungry APT wants to steal quite a few dollars from a bank, they’ll gain access to the computer of a regular user through spear-phishing, subsequently elevating privileges and laterally moving through the network to find the main target. If you want to look for evidence of WMI, PsExec, network shares, RDP, etc., go through the file system, registry, and event logs.

5. Evidence of actions on objectives

During this phase, you’ll come across a lot of stuff. For instance, 9 out of 10 times Cobalt Gang will create a Support452 account. So, you can undertake an analysis of NTUSER.DAT and find out that it was used for reconnaissance and lateral movement. Maybe, you’ll discover evidence of the execution of a network scanner on a host where it doesn’t usually execute. Or maybe, the whole case may begin from finding ZIP-archives with the contents of the My Documents folder in unfamiliar places.

Eclipse Forensics’ cyber forensic expert helps you neutralize threats with cutting-edge, intelligent solutions

Fast investigation and early detection are crucial when it comes to dealing with threats and keeping the attackers at bay. However, a lack of visibility, inadequate information, and an overwhelming number of alerts may limit you from achieving these tasks. This is where Eclipse Forensics’ digital forensic consultant can help!

Contact our digital forensic engineer now!