Computers will occasionally be infected with a virus for any number of reasons. Most of these viruses can be dealt with using anti-virus scans and clean-up, but with some compromises anti-virus is not an appropriate countermeasure – either as a means of finding the malware or as a means of dealing with it. But whatever the means by which these compromises are detected, decision makers should always consider digital forensic examination as an opportunity to learn more about an attack or APT.
Each incident takes place in a unique set of circumstances – the system infected, the network it was on, the user, the data stored on or accessible from that machine, the network defences in place and many other factors – but investigations will always fall into two main areas:
- Off-line Host Analysis – entailing the removal of a system drive or storage media from a powered down system for analysis;
- Live Host Analysis – conducted while a system is still in operation.
Context Response consultants will help an organisation decide which course of action to take, outlining the risks and benefits of each. Context forensic investigators hold UK government security clearances and have experience and knowledge of managing the aftermath of security incidents and forensic investigations using best practice procedures and techniques, in accordance with the Association of Chief Police Officers (ACPO) guidelines where appropriate. We can also support clients in liaising with law enforcement and government agencies or legal representation.
Off-line Host Analysis
This is usually the most appropriate method following a breach of an organisational policy, such as theft of intellectual property, use of an organisation’s assets or resources for illicit or illegal purposes, or system compromise due to malware or a targeted attack. Investigation techniques used include analysis of deleted emails (including those sent using web-based email systems like Hotmail or Gmail) and email attachments; registry analysis covering the use of USB devices; file system analysis incorporating recovery of deleted files; file signature searches and manual file system reviews; timeline analysis; keyword analysis; and a detailed analysis of Internet usage.
Live Host Analysis
This is usually most relevant in situations where it seems likely that evidence is contained inside the system memory, which would become inaccessible if the system is powered down; or if the system in question is so important to an organisation that powering it down would create an unacceptable level of disruption.
To seek out malware which is operating at low levels of the operating system and can modify native functions without the knowledge of that operating system, we use the following techniques:
- Memory analysis
- Network connections and traffic analysis
- Registry analysis (including use of USB devices)
- Running process analysis
- Rootkit detection
In addition to the off-line analysis of media, Context investigators are able to carry out ‘behavioural’ analysis. This involves connecting the media to a virtual machine in an isolated virtual environment that has no connection to the Internet. This technique is particularly useful in malware investigations, where malware will try to call out to command and control infrastructure and those attempts can be observed safely.
At the end of any digital forensics investigation Context will provide the client with a thorough report of the incident, signatures of any malware extracted, an assessment of the potential damage sustained in an incident, and recommendations to avoid a potential repetition of the incident.