Analyzing IT incidents forensically for their causes and processes helps IT managers to continuously increase the IT security level in their companies. In addition, digital evidence protection helps to limit damage during an incident and quickly determine whether authorities or customers need to be informed afterwards.

This is becoming increasingly important as incidents pile up and attackers blur their tracks faster and better. It is therefore important to integrate forensics into the incident response process. Since both disciplines are closely related, they are often summarized under the term “Digital Forensics and Incident Response” (DFIR).
What exactly is DFIR and what do companies have to consider?
IT forensics is about examining computer systems for suspicious incidents. Digital traces of an attack or perpetrator are recorded, analyzed and evaluated. Documenting the evidence is important, and in case of doubt it must stand up in court.
The Federal Office for Information Security (BSI) assigns forensic investigations to emergency management and divides its process into three phases:
- Immediate action (Incident Response), which is intended to limit the immediate damage.
- Restart (Recovery), in which an emergency operation is initiated and consequential damage is to be limited. In addition, the time pressure for complete restoration should be reduced.
- Restoration, which is intended to restore the situation prior to the incident, remove all effects of the incident and ensure normal operation.
Digital forensics plays a role in each of these steps during and after an incident. Live forensics (online forensics) starts during the incident itself and tries to capture volatile data. This includes, for example, the main memory content, information about existing network connections and started processes.
In so-called post-mortem forensics (offline forensics) after an incident, it is important to preserve and examine relevant deleted, renamed, hidden and encrypted files on mass storage devices.
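The live-forensics step above captures volatile data that disappears at shutdown. As an added illustration (not a tool from the article or from any vendor it names), the following Python script takes a minimal volatile snapshot on a Linux host by reading the running processes and TCP connections from `/proc`, writes them to a JSON file and records its SHA-256 so the snapshot can later be shown to be unchanged. The `/proc` layout and the TCP state codes are Linux kernel facts; the sample `/proc/net/tcp` row is constructed for the self-check, and the output path defaults to a temporary directory.

```python
"""Minimal volatile-data snapshot for live forensics (Linux, /proc based).
Added illustration, not code from the article."""
import hashlib
import json
import os
import socket
import struct
import tempfile
import time
from typing import List, Optional

# State codes used in /proc/net/tcp (Linux kernel tcp_states.h numbering).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample row: 127.0.0.1:22 listening, socket inode 12345.
SAMPLE_PROC_NET_TCP_ROW = (
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12345 1 0000000000000000 100 0 0 10 0"
)


def decode_proc_addr(hex_addr: str):
    """Turn '0100007F:0016' (little-endian hex IPv4, hex port) into ('127.0.0.1', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp_line(line: str) -> Optional[dict]:
    """Parse one data row of /proc/net/tcp; the header row yields None."""
    fields = line.split()
    if len(fields) < 10 or not fields[0].endswith(":"):
        return None
    local_ip, local_port = decode_proc_addr(fields[1])
    remote_ip, remote_port = decode_proc_addr(fields[2])
    return {
        "local": f"{local_ip}:{local_port}",
        "remote": f"{remote_ip}:{remote_port}",
        "state": TCP_STATES.get(fields[3], fields[3]),
        "inode": int(fields[9]),  # links the socket to a process via /proc/<pid>/fd
    }


def list_tcp_connections(proc_net_tcp: str = "/proc/net/tcp") -> List[dict]:
    if not os.path.exists(proc_net_tcp):
        return []  # not a Linux host: nothing to read
    with open(proc_net_tcp) as fh:
        rows = (parse_proc_net_tcp_line(line) for line in fh)
        return [r for r in rows if r]


def list_processes(proc_root: str = "/proc") -> List[dict]:
    """Running processes with pid, command name and full command line."""
    procs = []
    if not os.path.isdir(proc_root):
        return procs
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{proc_root}/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listing and reading it
        procs.append({"pid": int(entry), "comm": comm, "cmdline": cmdline})
    return procs


def take_snapshot(out_path: Optional[str] = None) -> dict:
    """Write processes and connections as JSON; return path, size and SHA-256."""
    snapshot = {
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "hostname": socket.gethostname(),
        "processes": list_processes(),
        "tcp_connections": list_tcp_connections(),
    }
    if out_path is None:
        out_path = os.path.join(tempfile.mkdtemp(), "volatile_snapshot.json")
    data = json.dumps(snapshot, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as fh:
        fh.write(data)
    return {"path": out_path, "bytes": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def verify_snapshot(path: str, expected_sha256: str) -> bool:
    """Re-hash the stored snapshot to show it has not changed since collection."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_sha256


if __name__ == "__main__":
    meta = take_snapshot()
    print(json.dumps(meta, indent=2))
```

Run it early in the incident, before anything is rebooted, and store the printed SHA-256 separately from the file: that single value is what later lets the snapshot be presented as unaltered.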
Davin Teo, IT security expert from the consulting firm Alvarez & Marsal, gave an insight into the work of a digital forensic investigator at TEDx 2015 in Hong Kong.
Often it is not just a matter of determining the cause of an incident. Lawsuits by investors or government agencies can also loom. Against the background of the GDPR, this aspect takes on a new dimension.
For example, the 72-hour reporting period to the authorities after a data leak can be problematic. If a company only worries about IT forensics in the course of an incident to clarify whether personal data is affected, it may take too much time.
In addition, companies are subject to a documentation requirement under the regulation. They must record all violations, including their circumstances, effects, and countermeasures taken. DFIR systems cover a large part of these requirements.
Companies can either build the necessary skills internally (more on that later) or work with a partner for consulting or managed security services.
According to Forrester’s “Planning for Failure, How to Survive a Breach” report, 58 percent of the companies surveyed already work with providers of incident response services. Another 17 percent plan to conclude a contract in the coming year. The report lists criteria for the selection of a suitable partner: the partner should develop implementation roadmaps, understand business requirements, and choose the right protection and response products.
Some service providers also offer dedicated forensic services. NTT Security, for example, has a range of Incident Response & Forensics modules in its portfolio. They can be used proactively as needed. The provider supports the planning and evaluation of existing plans for emergencies. PwC offers similar forensic services, tools and information. Deloitte bundles its offering in its portfolio for the financial sector.
Digital forensics requires not only IT but also legal expertise. Qualified employees are correspondingly rare. At best, the investigators have a background in law enforcement. Understanding what is required to collect and obtain evidence that could become part of a lawsuit is a basic requirement.
In order to build up the specialist knowledge of existing employees, training providers, research institutes or training centers offer fee-based courses for certification in special sub-areas of IT forensics. These include, for example, the SANS Institute, the Modal Expert School or the Fraunhofer Academy. At universities such as the Albstadt-Sigmaringen University of Applied Sciences, online part-time courses in digital forensics can also be found.
When selecting the courses, it is important to pay close attention to what knowledge is required in the company. Since forensics combines numerous aspects of different disciplines, the training offer is wide. It can happen that a course does not add value to the company because it deals with an aspect that is not relevant.
Consulting firms offer further (fee-based) information. Both Forrester’s Wave report for digital forensics and Gartner’s “Market Guide for Digital Forensics and Incident Response Services” compare solutions for companies.
Ideally, IT, legal and HR departments work together to create an IT forensic plan. All three play important roles in responding to an incident. HR helps to inform the employees and to procure the devices to be examined. IT ensures that certain processes are adhered to (for example, leaving devices on to secure volatile evidence).
The legal department drives the investigation forward. It understands the requirements for chronological documentation and the chain of custody, that is, the order of safekeeping, control, transfer, analysis and disposal of evidence in accordance with the applicable law.
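The chain of custody mentioned above is only as good as the record that backs it. As an added example (not code from the article or any of the firms it names), the Python class below keeps an append-only custody log in which every entry carries the SHA-256 of the evidence file and the hash of the previous entry, so that a later edit to any entry, or to the evidence itself, is detectable. Event names, actor strings and the sample disk image in `demo()` are constructed for illustration.

```python
"""Hash-chained chain-of-custody log. Added illustration, not from the article."""
import hashlib
import json
import os
import tempfile
import time
from typing import List, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody events; each entry commits to the one before it."""

    EVENTS = ("acquired", "transferred", "analyzed", "disposed")  # constructed vocabulary

    def __init__(self):
        self.entries: List[dict] = []

    @staticmethod
    def _hash_entry(body: dict) -> str:
        payload = {k: v for k, v in body.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def record(self, event: str, actor: str, evidence_path: str, note: str = "") -> dict:
        if event not in self.EVENTS:
            raise ValueError(f"unknown custody event: {event}")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "event": event,
            "actor": actor,
            "evidence": os.path.basename(evidence_path),
            "evidence_sha256": sha256_file(evidence_path),
            "note": note,
            "prev_hash": prev,
        }
        body["entry_hash"] = self._hash_entry(body)
        self.entries.append(body)
        return body

    def verify(self) -> Tuple[bool, int]:
        """(True, -1) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._hash_entry(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, -1

    def evidence_unchanged(self, evidence_path: str) -> bool:
        """Compare the file's current hash with the hash recorded at acquisition."""
        name = os.path.basename(evidence_path)
        first = next((e for e in self.entries
                      if e["evidence"] == name and e["event"] == "acquired"), None)
        return first is not None and sha256_file(evidence_path) == first["evidence_sha256"]


def demo() -> dict:
    """Constructed walk-through: acquire, hand over, then tamper with an old entry."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")  # constructed sample evidence, not a real image
    with open(image, "wb") as fh:
        fh.write(b"sample disk image bytes")
    log = CustodyLog()
    log.record("acquired", "analyst A", image, "write blocker used")
    log.record("transferred", "analyst B", image, "handed over in sealed bag")
    intact_before = log.verify()
    evidence_ok = log.evidence_unchanged(image)
    log.entries[0]["note"] = "edited after the fact"  # simulate a later alteration
    intact_after = log.verify()
    return {"intact_before": intact_before, "evidence_ok": evidence_ok, "intact_after": intact_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log only proves that entries were not altered after the fact, not that the first entry was truthful; that is why the acquisition step still needs a second person and the physical seal the note refers to.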
The developed playbooks and work processes have to be checked and tested regularly. If companies neglect such test runs, it can happen in an emergency that actually effective measures become ineffective because the task and role distribution in the team is unclear.
Red team tools such as the ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge), which has been continuously developed by the US research organization MITRE since 2014, can provide support here. They enable IT departments to proactively identify possible weak points and optimize their security measures.
In regular simulation games, it is important to try out the individual steps and responsibilities that are adequate for various incidents. They also help to find and eliminate unnecessarily complicated processes and inconsistencies in the plan.
The test runs do not always have to be long and complex. It can already help a lot to use key scenarios to determine where which data is located and who is taking care of what during a critical incident with the most important stakeholders.
Digital forensics and incident response combine many ways of working. This includes, for example, the reverse engineering of malware, finding malicious files, and searching computer memory and digital documents for infections and threats.
Security solutions that help with these tasks include security information and event management (SIEM), firewalls, threat intelligence databases, and solutions for intrusion detection and endpoint detection and response (EDR). Tools for penetration and application tests as well as analysis of log files round off the defense measures.
There is a wide range of forensic tools available. There are some portals that make it easier for IT employees to find the right tool.
The portal of the DFIR community DFIR.training, which has been in operation since 2016, offers a vendor-independent and detailed search mask. Users can rate the entries, which makes it easier to assess the quality of the products. In addition, the site offers resources for testing tools as well as brief instructions and infographics. A comparison function for various tools will soon be available.
With its SANS Investigative Forensic Toolkit (SIFT) workstation, the SANS Institute recommends a free suite of open source tools for DFIR. The tools included are updated regularly. Furthermore, the training specialist has published a paper that describes step by step how Windows 10 can be turned into a forensic examination platform.
Jessica Hyde, Director of Magnet Forensics, has compiled a list of other sources of current information. It contains community pages, newsletters, audio and video podcasts and Twitter feeds related to digital forensics and incident response.