CYFOR Blog

Digital forensics plays a crucial role in cybersecurity incident response by helping organisations identify, analyse, and mitigate the impact of cyberattacks and data security breaches.

It involves collecting, preserving, and analysing digital evidence to determine the scope of an incident, the techniques used by attackers, and the extent of the damage caused.

Evidence Collection and Incident Analysis

When a security incident is suspected, the first step is to preserve the digital evidence. Digital forensics experts use specialised tools and techniques to ensure that data is collected in a forensically sound manner, preserving its integrity and authenticity. This evidence can include log files, memory dumps, network traffic captures, and system snapshots.

Once evidence is collected, digital forensics experts analyse it to reconstruct the timeline of events leading up to and during the incident. They identify the attack vectors, techniques, and tools used by the attackers. This analysis provides insight into the attacker’s methods and helps in understanding the scope of the breach.

Once the extent of the compromise is understood, digital forensics aids in devising strategies to contain the incident and prevent further damage. This might involve isolating compromised systems, removing malware, and closing exploited vulnerabilities.

Attribution and Identification

Digital forensics can determine patterns of behaviour. This is achieved by analysing various aspects of the attack, such as the tactics, techniques, and procedures (TTPs) used, as well as any artefacts left behind. Therefore, time is of the essence and an investigator needs sight of the data involved, which is a core element of any investigation. Most of the time an investigator will work on triaged data sets rather than full disk images, which is more digital forensics focused. If there’s a cyber incident taking place at that time, you need to be able to deal with it there and then.

Rather than dealing with, say, five terabytes worth of data, you might be whittling that down to 10% or so, if not less, just so you can have a good understanding as to what’s happened as quickly as possible to then provide the containment and remediation strategies as soon as you possibly can.

There’ll be ongoing communications in relation to the investigation with the client, and that’s the consultative approach, which is where there is quite a difference. Unless you’re working in the corporate arena for digital forensics, your traditional legal side, the criminal side of digital forensics doesn’t necessarily fall hand in hand with that aspect. That can be one of the more difficult things for people to pick up.

Combining Investigation Techniques

The digital forensics side of an investigation has numerous elements and many applications when it comes to the cybersecurity incident response world.

Digital Forensic Incident Response (DFIR) experts look at a situation with an investigative mindset, which massively assists in the cyber incident response side. Traditionally, the digital forensics elements are continuity-based with data remaining intact, as the verification data hasn’t changed, which in Incident Response is hugely beneficial. However, this is not always the case, as the necessity is to retrieve the data for investigation.

This is where the skill set of an experienced cybersecurity professional comes into play. The digital forensics angle, as it sits currently is the primary focus of data collection. Maintaining evidence continuity is key with correct data acquisition methods being vital.

Then there is the investigation approach, which also differs slightly as it looks at different datasets. There are traditional endpoints for an investigation, but you’ll also have a lot more evidence to consider, which could be live data, that is being pulled there and then or maybe it’s still ongoing, so you’re monitoring the environments.

However, it also may be data, which is pre-event, so you can see what happened in the lead-up to the incident. This is where the mindset of an investigator comes into play because you’re building a timeline of events, you’re investigating what’s happened over a series of minutes, hours, days, weeks, whatever the case may be, which should then lead you down a path to have an overview of the root cause of the matter.

Application of business resumption and remediation

The application of business resumption and remediation can come in whilst an investigation is ongoing and can be done concurrently as you remediate and rebuild a network. A real-world scenario would involve an investigator going onsite after a client has suffered a cyber-attack or data breach, and forensically collecting the data ready for analysis. Once they are confident that the process has been completed, remediation can begin. Ideally, and depending on the size of the incident, there needs to be at least two individuals working on the investigation from two different angles of the incident response lifecycle. With the data collection element completed, the investigation is split, allowing for remediation and business resumption actions to commence.

For example, if a file server has been compromised by a cyber-attack, then the file server data can be forensically collected, and any other data that needs to be collected can be analysed. Whilst that’s being investigated, a new server and any other associated devices and systems can be rebuilt.

When dealing with remediation efforts to rebuild a client’s systems and backups after an incident, there needs to be an understanding of how the incident happened in the first place, and how to correctly build the network backup in a secure fashion. There is a comprehensive analysis of firewalls, servers, switches, and the whole infrastructure. Being able to understand the DFIR elements as well as being able to understand how to actually rebuild in a secure manner using cyber security methodology is critical.

DFIR protocols during an incident

During an incident, there are protocols that an organisation needs to follow prior to instructing a DFIR specialist. It is always advised that lawyers who are experienced in cyber incidents are approached for legal advice due to their experience in such matters. They know who to report to, when to report and how to report to them in the processes that are involved.

Post-Incident Reporting and Communication

Digital forensics findings are often compiled into detailed reports that provide a comprehensive overview of the incident, its impact, and the steps taken for mitigation. These reports are valuable for internal analysis, management decision-making, and communication with stakeholders, including law enforcement agencies if necessary.

Legal and Regulatory Compliance

Digital forensics processes are conducted with legal and regulatory considerations in mind. Properly conducted forensics procedures ensure that evidence is collected in a way that preserves its admissibility in legal proceedings, should they arise. Compliance with data protection laws and regulations is also an essential aspect of the process.

The Information Commissioner’s Office (ICO) are one of the biggest regulation authorities that would need to be informed of a breach. Law firms that have suffered a breach would also need to inform the Solicitors Regulation Authority (SRA). Depending on the business type, the company will report, or the lawyers will report on their behalf. This can be supplemented with expert findings from a DFIR specialist report.

Application of Vulnerability Assessments

Vulnerability assessment tools such as CYFOR Secure’s Pulse Scanning device are utilised during every incident response engagement. It helps by scanning the network, making sure that the network is secure while simultaneously providing a blueprint of the client’s current IT security posture, and identifying areas of security to be built-in during the refresh part of the ongoing process. It also provides the tools to secure forensic imaging and forensic data collection if required. The vulnerability assessment is a default process during the engagement but can be integrated to form ongoing cyber security services to ensure maximum protection. Other services that can be implemented off the back of an engagement to bolster cyber security are user awareness campaigns, antivirus packages, SOC and SIEM.

Lessons Learned and Improvements

After an incident is resolved, digital forensics analysis can provide valuable insights into an organisation’s security weaknesses and vulnerabilities. This information can be used to refine security policies, enhance defence mechanisms, and improve incident response plans to better prevent and respond to future incidents.

In summary, the use of digital forensics in cybersecurity is a critical component, as it helps organisations understand the nature of security breaches, identify responsible parties, assess the damage, and take appropriate measures to recover and strengthen their security posture.

Who are CYFOR Secure? 

CYFOR Secure are the dedicated cyber security division of the CYFOR Group, specialising in a breadth of proactive and reactive cyber security services, with expertise in Digital Forensics and Incident Response (DFIR). They are a trusted provider to SMEs and large enterprises globally, spanning numerous sectors that include legal, education, manufacturing, healthcare, and finance. CYFOR Secure’s cyber security experts ensure that the technical aspects and specific sensitivities of each cyber security engagement are fully understood, mitigating any cyber risks, and enforcing security protocols. This makes them ideally suited to intelligently advise and implement the appropriate cybersecurity strategies for businesses.