What is digital forensics and incident response?
Digital Forensics and Incident Response (DFIR) are critical for safeguarding organizations against cyberattacks. These disciplines not only facilitate the swift recovery of affected systems but also provide the evidence needed to bring the culprits to justice. In this post, we delve into what DFIR involves and how it can help your company stay secure in the digital landscape.
Digital Forensics and Incident Response (DFIR) covers the identification, remediation and investigation of cybersecurity incidents. A cyber incident is an event that compromises the confidentiality, integrity, authenticity or availability of information or of the systems that process it. When an incident occurs, digital forensic specialists collect and examine evidence from the affected devices and systems.
Incident response aims to restore the affected infrastructure as quickly as possible, minimizing the damage caused.
For any entity subject to a cyberattack, recovering quickly is a priority. However, along with recovery, it is necessary to understand how and why the incident occurred. DFIR provides this knowledge, which helps improve and strengthen an organization’s defensive system.
By correlating information from multiple sources (disk and memory images, logs, network captures), specialists in this area can establish who carried out an attack, how it was executed, and which corrective measures should be applied to close the weaknesses it exposed.
Digital Forensics
Digital forensic analysis aims to gather and preserve evidence so that those responsible for a cybercrime can be brought to trial. Computers, networks and related devices continuously generate data that may matter to an investigation. Acting quickly upon detection of an incident is crucial: evidence can be deleted or altered by the attacker, but it is just as often lost through routine overwriting, log rotation or a reboot. To this end, scrupulous care must be taken to maintain the chain of custody through the following steps:
Acquisition
All evidence must be identified, collected and preserved, with a clear understanding of how and where it is stored. In this first phase, exact duplicates (forensic images) of the affected media are created, typically through a write blocker, so that the original asset is never modified and the evidence is not contaminated; all subsequent analysis is performed on the copies.
Certain types of evidence are volatile: the contents of RAM, running processes, open network connections and logged-in sessions exist only while the device is powered on and vanish when it is shut down. Such data must therefore be captured from the live system, before any non-volatile media are imaged or the machine is powered off. Every image obtained, volatile or not, is then fingerprinted with a cryptographic hash (for example SHA-256) recorded at acquisition time; recomputing the hash at any later point proves that the copy is bit-for-bit identical to what was collected, and any mismatch reveals that the image has been altered. Finally, the physical media are protected as well (sealed evidence bags, restricted storage, a signed log of every hand-over) so that the chain of custody can be demonstrated in full.
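The hashing and custody record described above, written out as an added example (not JakinCode's tooling and not code from the original post). It hashes an image in fixed-size chunks so that multi-gigabyte files do not have to fit in memory, records the digests together with the acquisition details, appends every hand-over to a custody log, and re-verifies the image later. The image file, examiner name and device description are constructed for the demonstration.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so large images never sit fully in RAM


def hash_stream(stream, algorithms=("sha256", "sha1")):
    """Compute several digests of a file-like object in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("sha256", "sha1")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("sha256", "sha1")):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def record_acquisition(image_path, examiner, source_description):
    """Create the chain-of-custody entry for a freshly acquired image."""
    return {
        "image": os.path.basename(image_path),
        "source": source_description,
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "custody": [],  # one entry per hand-over, appended below
    }


def transfer_custody(entry, from_person, to_person, note=""):
    """Log a hand-over; the receiving party should re-verify on receipt."""
    entry["custody"].append({
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    })
    return entry


def verify_image(image_path, entry):
    """Re-hash the image and compare with the recorded digests.

    Returns (ok, mismatches) where mismatches maps algorithm -> (expected, actual).
    """
    current = hash_file(image_path, tuple(entry["hashes"]))
    mismatches = {
        alg: (entry["hashes"][alg], current[alg])
        for alg in entry["hashes"]
        if entry["hashes"][alg] != current[alg]
    }
    return (not mismatches), mismatches


def demo():
    """Acquire a constructed image, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop-sda.raw")  # constructed sample, not a real disk
        with open(image, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 16)

        entry = record_acquisition(image, "A. Examiner", "Laptop HDD, seized 2024 (hypothetical)")
        ok_before, _ = verify_image(image, entry)

        transfer_custody(entry, "A. Examiner", "Evidence locker", "sealed bag #1 (hypothetical)")
        with open(os.path.join(workdir, "manifest.json"), "w") as f:
            json.dump(entry, f, indent=2)

        # Simulate tampering: a single byte changed somewhere in the image.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")
        ok_after, mismatches = verify_image(image, entry)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())  # (True, False, ['sha1', 'sha256'])
```

Recording two independent digests costs nothing extra (both are computed in the same pass) and means a weakness in one algorithm does not, by itself, cast doubt on the record; SHA-1 is kept here only because older acquisition tools still report it alongside SHA-256.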
Analysis
During this stage of the investigation, the acquired data (disk images, memory images, activity logs, etc.) is examined to establish the facts. Artifacts are correlated into a timeline so that the sequence of events can be reconstructed and conclusions drawn about what occurred, how, and over what period.
Reporting
The findings of the investigation are presented in a report whose content and supporting evidence must be admissible in a court of law: every conclusion traceable to a specific artifact, and every artifact traceable through the chain of custody.
Incident Response
As we have seen, digital forensics investigates and gathers evidence to help clarify a cyberattack. Incident response aims to remediate and recover from the incident as quickly as possible. Although different reference guides have been published by recognized organizations, such as SANS and NIST (SP 800-61), the steps they describe are very similar and can be summarized as follows:
Preparation
Before an incident occurs, the organization must be adequately prepared: a response plan, defined roles and contacts, tooling and logging in place, and staff who know how to react when it happens.
Identification
When an incident occurs, it must be detected and recognized as such: the alerts, indicators and affected assets are identified so that the scope of the incident can be established.
Containment
Action must be taken as soon as possible to limit the adverse effects that a cyberattack can have on the affected system.
Eradication
Once the relevant evidence has been preserved, the threat is removed from the environment (malware, persistence mechanisms, attacker accounts) and the weakness that allowed the intrusion is corrected so that it cannot be exploited again.
Recovery
Once the threat has been completely neutralized, the compromised services are restored to normal operation and monitored closely to confirm that the attacker does not return.
Lessons learned
Documenting the actions taken, and what worked and what did not, is essential to build knowledge that improves future responses and, in turn, allows the systems to be hardened further.
DFIR and its current challenges
The evolution in the complexity of systems presents DFIR specialists with a number of challenges:
- Evidence collection extends to physical and virtual resources, requiring greater expertise, specialized tools and time.
- Devices, software or operating systems are constantly and rapidly changing. This requires knowledge of a wide range of technological ecosystems, applying the safest and most effective techniques in each case to gather evidence.
- The high skill requirements, combined with growing demand for these services, create a talent shortage that must be addressed so that qualified responders are available when organizations need them.
- The rise in cyberattacks, and their growing diversity and sophistication, makes them harder to trace and to respond to promptly. Keeping professionally up to date means absorbing a vast amount of information that changes at an ever faster pace.
In short, digital forensics and incident response (DFIR) are essential to trace a cyberattack and recover the affected systems in the best possible conditions. The data is carefully preserved, since it must serve as evidence for the legal professionals responsible for prosecuting the culprits.
Thanks to this work, it is possible to uncover evidence detailing an attacker's activity, eradicate their presence, identify the vulnerabilities exploited, and apply what has been learned to strengthen IT security.
At JakinCode, we offer DFIR solutions with the professional level and experience required to meet the demands of judicial procedures and internal investigations. Contact us!