Phases of forensic analysis

Forensic analysis is carried out after the cybercrime has been examined: its purpose is to establish how the attack was possible and which weakness in the system allowed it to be executed.
Its main objective is to reconstruct the facts and so determine the issues most relevant to the investigation. For this it is essential to know where the relevant information resides; today the best-known sources are e-mail, internet connections, files and the systems themselves.
Before any analysis it is necessary to prepare the field of study and preserve every element. The most important thing is to protect the original evidence: identify it, classify it, and only then choose the methods with which it will be analysed.

1. Preparation of the workspace.
The workspace must be prepared before anything is touched. Work on forensic images (copies) of the evidence rather than on the original media, so that the affected system is never altered by the analysis itself.
The storage media must be ready to receive the information, and at least two media are recommended: one holding the analysis system and its tools, the other holding the evidence images. When the investigation depends on a particular operating system or software, prepare a second environment with an operating system identical to that of the affected device. Tests are first run on that environment and only then applied to the evidence, which avoids incidents and unexpected results.
For this purpose, software is needed that allows the investigation to proceed on safe ground. This is what is commonly known as direct or live analysis: the stored material is examined through a preview, without modifying or altering it, and the analysis continues from there while the system is still running ("hot"). Live analysis is most straightforward on UNIX and Linux systems, where the tools are readily available and their footprint is easy to control; on Windows it requires dedicated live-response tooling and the same care, since every tool run on the live system changes its state.
Once this first step has been completed, the analysis that follows is better oriented: it works towards identifying the weakness and the vulnerability through which the perpetrators entered and through which they could attack again.
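As an added example (not code from the article or from Sec2crime), the following Python script shows the preservation step described above: the original image is hashed before anything else, a working copy is taken and verified against it, the original is marked read-only, and each step is appended to a chain-of-custody log. The image, file names and log format are constructed here in a temporary directory; in a real case the original would be the acquired disk image on the evidence medium, the copy on the analysis medium, and the read-only protection would come from a hardware write blocker rather than file permissions.

```python
"""Added example (not the article's code): preserving evidence before analysis.

Hypothetical helpers that (1) hash the original image, (2) make a working copy,
(3) verify the copy against the original, and (4) append custody records.
The 'image' is constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_working_copy(original, copy_path, log_path):
    """Copy the original image, verify both hashes match, append a custody record.

    Only copy_path is ever touched by the analysis; the original is set read-only
    on disk as a second line of defence against accidental modification.
    """
    original_hash = sha256_file(original)
    shutil.copyfile(original, copy_path)
    copy_hash = sha256_file(copy_path)
    os.chmod(original, 0o444)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": "acquire_working_copy",
        "original": original,
        "original_sha256": original_hash,
        "copy": copy_path,
        "copy_sha256": copy_hash,
        "verified": original_hash == copy_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("working copy does not match the original image")
    return record


def verify_unchanged(path, expected_sha256):
    """Re-hash evidence at the end of the analysis to show it was not altered."""
    return sha256_file(path) == expected_sha256


def demo():
    """Run the procedure on a constructed image; returns (copy verified,
    original unchanged after analysis, working copy unchanged after analysis)."""
    work = tempfile.mkdtemp(prefix="forensic_demo_")
    original = os.path.join(work, "disk.img")
    with open(original, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
    record = acquire_working_copy(
        original, os.path.join(work, "disk_work.img"), os.path.join(work, "custody.jsonl")
    )
    # Simulate an analysis tool writing a marker into the working copy.
    with open(record["copy"], "r+b") as f:
        f.seek(0)
        f.write(b"X")
    copy_still_pristine = verify_unchanged(record["copy"], record["copy_sha256"])
    original_still_pristine = verify_unchanged(original, record["original_sha256"])
    os.chmod(original, 0o644)  # restore permissions so the temp dir can be removed
    shutil.rmtree(work)
    return record["verified"], original_still_pristine, copy_still_pristine


if __name__ == "__main__":
    print(demo())
```

The point of the final re-hash is that the original's hash still matches at the end of the work while the copy's does not: the copy absorbed every change the tools made, and the custody log records which hash belongs to which file.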

2. Verification of the incident.
The second phase is to verify the incident: to check the status and characteristics of each of the systems and to identify in which area the incident occurred.
For example, it will identify intrusion through e-mail, access by unknown parties, the presence of viruses or malicious code, interruption of the operation of systems and services, or theft of information.
To start the analysis, the following information is recorded: the day of the attack, the date and time of notification, the person who reported it, the type of incident, and whether the affected parts are hardware or software.
It is also necessary to establish the route the incident followed and the characteristics of the files that served as the means of execution (size in bytes and file type), and to verify which user accounts were logged in.
Likewise, the files must be organised by their dates and set against the installation date of the system, with the objective of finding files of doubtful origin: files in the recycle bin, hidden files or recently modified files. Attackers generally use tools or programs to carry out the attack and then delete them.
First, identify the file, its location and the attack route. The search is complex because there are many files spread throughout the system. Then each identified file is analysed in detail and the relationships between them are established.
The main objective is to reach the origin of the attack and identify every element used to carry it out. Every file carries metadata such as its dates, location and times, which reveal when it was created; files that were deleted can often still be found among the recovered files.
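The procedure in this phase (order every file by its dates, compare them with the system's installation date, flag hidden, recycle-bin, deleted and recently modified files, and relate them to each other) is what a file-system timeline does. The following Python script is an added example, not code from the article: it reads records in The Sleuth Kit body format (the output of `fls -m` that `mactime` consumes), keeps the entries inside a window before the notification time with mactime-style "macb" flags, and marks files of doubtful origin. The body lines, installation date and notification time are constructed sample data; the flag names and the two-day window are assumptions for the illustration.

```python
"""Added example (not the article's code): file-system timeline for phase 2.

Reads records in The Sleuth Kit 'body' format, i.e. what `fls -m` produces and
`mactime` consumes: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime with
epoch-second timestamps. Returns the rows inside a window before the notification
time, with mactime-style 'macb' flags, and marks files of doubtful origin.
The body lines, installation date and notification time are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed body file (not from a real system). Deleted entries carry the
# " (deleted)" suffix that fls appends.
BODY_LINES = """\
0|/Windows/explorer.exe|77|r/rrwxrwxrwx|0|0|4800000|1700000100|1690000000|1690000000|1690000000
0|/Users/alice/Documents/report.docx|1201|r/rrwxrwxrwx|0|0|45056|1700000000|1699990000|1699990000|1695000000
0|/Users/alice/Pictures/holiday.jpg|1300|r/rrwxrwxrwx|0|0|3000000|1650000000|1640000000|1640000000|1640000000
0|/Users/alice/AppData/Local/Temp/svchost.exe|1890|r/rrwxrwxrwx|0|0|221184|1700003600|1700003600|1700003600|1700003600
0|/Windows/System32/drivers/etc/hosts|301|r/rrwxrwxrwx|0|0|824|1700004000|1700004000|1700004000|1500000000
0|/Users/alice/.ssh/authorized_keys|1950|r/rrwxrwxrwx|0|0|600|1700005000|1700005000|1700005000|1700005000
0|/$Recycle.Bin/S-1-5-21-1004336348-1177238915-682003330-1001/$RX1Q2W.ps1|1911|r/rrwxrwxrwx|0|0|2048|1700007200|1700007200|1700007200|1700007200
0|/Users/alice/AppData/Local/Temp/dump.zip (deleted)|1960|r/rrwxrwxrwx|0|0|8192000|1700008000|1700008000|1700008000|1700007900
"""

SYSTEM_INSTALLED = 1690000000   # constructed: OS installation date (2023-07-22 UTC)
INCIDENT_NOTIFIED = 1700010000  # constructed: date and time of the report

DELETED_SUFFIX = " (deleted)"
EXECUTABLE_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".scr")


def parse_body(text):
    """Turn body-format lines into records; skip blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if not line.strip() or line.startswith("#") or len(fields) != 11:
            continue
        name = fields[1]
        records.append({
            "name": name, "inode": fields[2], "mode": fields[3], "size": int(fields[6]),
            "a": int(fields[7]), "m": int(fields[8]), "c": int(fields[9]), "b": int(fields[10]),
            "deleted": name.endswith(DELETED_SUFFIX),
        })
    return records


def doubtful_flags(rec, system_installed):
    """Heuristics from the text: hidden, recycle bin, deleted, tool in Temp, odd dates."""
    path = rec["name"][:-len(DELETED_SUFFIX)] if rec["deleted"] else rec["name"]
    parts = path.split("/")
    flags = []
    if any(p.startswith(".") for p in parts):
        flags.append("hidden")
    if "$Recycle.Bin" in parts:
        flags.append("recycle_bin")
    if rec["deleted"]:
        flags.append("deleted")
    if "/Temp/" in path and path.lower().endswith(EXECUTABLE_EXT):
        flags.append("executable_in_temp")
    # A creation time before the OS was installed is a prompt to look closer
    # (copied-in files or timestomping), not proof of tampering by itself.
    if 0 < rec["b"] < system_installed:
        flags.append("predates_install")
    return flags


def build_timeline(records, start, end, system_installed):
    """One row per (timestamp, file) inside [start, end], flags in mactime 'macb' order."""
    rows = []
    for rec in records:
        by_time = {}
        for key in "macb":              # m=modified, a=accessed, c=changed, b=born
            by_time.setdefault(rec[key], []).append(key)
        for ts, keys in by_time.items():
            if not start <= ts <= end:
                continue
            rows.append({
                "ts": ts,
                "time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
                "macb": "".join(k if k in keys else "." for k in "macb"),
                "size": rec["size"],
                "name": rec["name"],
                "flags": doubtful_flags(rec, system_installed),
            })
    rows.sort(key=lambda r: (r["ts"], r["name"]))
    return rows


def suspicious_entries(rows):
    """Only the rows that carry at least one flag."""
    return [r for r in rows if r["flags"]]


def incident_timeline(body_text=BODY_LINES, notified=INCIDENT_NOTIFIED,
                      installed=SYSTEM_INSTALLED, days_back=2):
    """Timeline of the days leading up to the notification (the window is an assumption)."""
    return build_timeline(parse_body(body_text), notified - days_back * 86400, notified, installed)


if __name__ == "__main__":
    for row in incident_timeline():
        mark = "  <-- " + ",".join(row["flags"]) if row["flags"] else ""
        print(f'{row["time"]}  {row["macb"]}  {row["size"]:>9}  {row["name"]}{mark}')
```

Read in order, the flagged rows tell the story the text describes: a tool dropped in Temp, the hosts file changed, a hidden key file added, a script parked in the recycle bin and an archive created and then deleted, all within a few hours, while the ordinary user files in the same window carry no flags.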

3. Execution of the facts.
Knowing the route by which the crime or incident was carried out makes it possible to identify its objective and functions. Through this analysis the point of entry and exit will be known, as well as the weakness in the system through which the attackers penetrated its structures, or any other possible vulnerability.
All the processes of the analysis converge on the same point: each proposed objective is pursued individually, taking into account files, passwords, keys and any further information.
Incidents may be detected through alarms and warnings from systems or antivirus software, or by manually verifying an incident. Often incidents are not detected promptly, and valuable information that could identify the possible perpetrators is lost.
An immediate initial response must then be developed: analyse the incident and begin recovery, drawing on statements by the team responsible, reviews of the systems and interviews.
In this process each of the structures of the volatile evidence is verified, analysing the connections that remained open while the system was running; this evidence disappears when the system is shut down, so it is collected first.
Similarly, all suspicious activities related to the offence are analysed; for this the browsers are investigated, and the central point of the violation is located through searches.
When the weakness and how the vulnerability was exploited are known, the analysis continues over the areas closest to the incident in order to reconstruct what actually happened, so browsing history and executions from the preceding days are searched.
The whole forensic investigation is oriented towards forming a hypothesis and then confirming it with several analyses, which makes it possible to know the motivation and modus operandi of the author. For this it is essential to have the alternative device mentioned earlier, on which the tests are run before they are applied to the evidence.

Once several pieces of the puzzle that the perpetrator assembled to carry out the crime have been discovered, it becomes possible to identify him and any other participants. As expressed previously, the temporary or volatile evidence, the initial connections, files, images and data stored in deleted files can all provide indications that lead to the perpetrator.
Once sufficient information is available, the location of the possible perpetrator is investigated. Here the internet connection, that is the IP address, points to the place of execution, together with the connections and all the evidence present in temporary and permanent memory: the storage disks and the internal memory of the device.
So when a suspicious IP connection is obtained, the internet address registries (whois) are consulted to establish to whom that address is assigned. The analysis and investigation continue even once the name of the suspect is known, because several perpetrators use other addresses to cover their tracks and avoid being found.
Among the various useful tools for this analysis, NMAP serves to trace connections and the possible weaknesses through which the attack was initiated: it identifies the host name, the type and version of the applications running, their status, their updates and the device's connections.
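The two sources named above, the connections that were still open on the running system (the volatile evidence of phase 3) and the addresses recorded for previous days, come together in the following Python script, which is an added example and not code from the article. It parses a constructed `ss -tnp` capture and a few constructed sshd auth-log lines, groups the events by remote address, and for each address states where its owner can be established: a globally routable address is looked up at the regional internet registries (whois), whereas private, loopback, link-local and carrier-NAT addresses can only be resolved from the organisation's own network records. The sample data uses the RFC 5737 documentation ranges, which the classifier reports as such; the capture formats are those of Linux `ss` and OpenSSH, and the category wording is an assumption.

```python
"""Added example (not the article's code): from captured connections to an attribution worklist.

Input 1: a `ss -tnp` capture taken on the running system (volatile evidence).
Input 2: sshd lines from auth.log (connections from the preceding days).
Output: every remote address, what it did, and where its owner can be established.
Both captures are constructed sample data using RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed `ss -tnp` capture (not from a real host).
SS_CAPTURE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:22          203.0.113.45:51234  users:(("sshd",pid=1337,fd=5))
ESTAB  0      0      10.0.0.5:4444        203.0.113.45:40022  users:(("python3",pid=2044,fd=3))
ESTAB  0      0      10.0.0.5:445         10.0.0.23:49160     users:(("smbd",pid=812,fd=9))
ESTAB  0      0      127.0.0.1:5432       127.0.0.1:36790     users:(("postgres",pid=611,fd=7))
TIME-WAIT 0   0      10.0.0.5:443         100.64.7.19:55010
"""

# Constructed auth.log lines (not from a real host).
AUTH_LOG = """\
Nov 13 02:14:07 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 50111 ssh2
Nov 13 02:14:09 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 50111 ssh2
Nov 13 02:16:40 web01 sshd[2133]: Accepted password for alice from 203.0.113.45 port 50120 ssh2
Nov 14 22:03:12 web01 sshd[2980]: Accepted publickey for deploy from 10.0.0.23 port 41200 ssh2
"""

SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+)\s+(?P<peer>\S+):(?P<pport>\d+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)
SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

DOCUMENTATION = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(ip_text):
    """Say where the owner of an address can be established (wording is an assumption)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback: local process, no external party"
    if ip.is_link_local:
        return "link-local: same segment, resolve from switch/ARP records"
    if any(ip in net for net in DOCUMENTATION):
        return "documentation range (sample data): no real owner"
    if ip in CGNAT:
        return "carrier-grade NAT: whois gives the ISP, the subscriber only from the ISP's logs"
    if ip.is_private:
        return "private: internal host, resolve from DHCP/NAT/asset records"
    if ip.is_global:
        # whois returns the block's assignee (often a hosting provider or VPN exit),
        # not the person, which is why the investigation continues after a name.
        return "global: look up the assignee at the RIR (whois) and check for proxy/VPN use"
    return "special-purpose/reserved: treat as non-attributable"


def extract_peers(ss_text, auth_text):
    """Collect every remote address together with the events that involved it."""
    peers = defaultdict(list)
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header or unparsable line
        proc = m.group("proc") or "-"
        peers[m.group("peer")].append(
            f'live {m.group("state")} {m.group("local")}:{m.group("lport")} <- :{m.group("pport")} ({proc})'
        )
    for line in auth_text.splitlines():
        m = SSHD_LINE.search(line)
        if m:
            peers[m.group("ip")].append(f'{line[:15]} sshd {m.group("result")} {m.group("user")}')
    return dict(peers)


def attribution_worklist(ss_text=SS_CAPTURE, auth_text=AUTH_LOG):
    """Peers ordered by how much they touched the system, each with its next step."""
    peers = extract_peers(ss_text, auth_text)
    return [
        {"ip": ip, "events": events, "next_step": classify(ip)}
        for ip, events in sorted(peers.items(), key=lambda kv: -len(kv[1]))
    ]


if __name__ == "__main__":
    for item in attribution_worklist():
        print(item["ip"], "->", item["next_step"])
        for event in item["events"]:
            print("   ", event)
```

On the sample data the same remote address appears in the failed and then accepted SSH logins two days earlier and in two live sessions at the time of capture, one of them held by a python3 process on an unusual port; that address is the first entry of the worklist, and the classification says whether whois can answer the ownership question or whether the answer lies in the organisation's own records.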

There are several types of perpetrators in this type of crime, the most prominent of which are:
- Skilled people: people with professional knowledge of computers and of everything related to networks, connections and programming, who know how to use the tools and equipment needed to carry out this type of crime. They are generally students who practise continuously and run tests in an attempt to leave no traces.
- Hackers: also people with great knowledge in this area, who increasingly act in support of an ideology or belief and carry out various actions aimed at promoting and spreading their arguments in society.
- Script kiddies or computer criminals: young people with some knowledge in this field who use it to commit crimes on the Internet. They lack the knowledge of the other profiles, but that is no impediment, since mentors or the websites themselves teach them how to carry out any criminal act.

Forensic analysis makes it possible to identify the perpetrator's plan of action through the alterations and the impact on the system, which depend on the type of attack. There are two types of attack.
Active attacks seriously affect the service and the system; in passive attacks the functionality of the system and the information are not altered, because the attacker only observes or copies.
However, in order to verify the damage caused, other technical or structural factors that have affected the system internally must also be taken into account.
Karol Hernández, Sec2crime