Is it time to change the old DFIR practices?


A few days ago, I had an interesting discussion with Archan Choudhury about digital forensics practices. Archan is the Lead Cloud Security Incident Response & Digital Forensics for Informatica and also runs the popular Black Perl YouTube channel.

We compiled the discussion under some critical questions that we touched upon. We would like to share them with you since we believe they are beneficial for the DFIR community and the future growth of the digital forensics industry.

So, here we go: 

What are the biggest challenges digital forensics investigators face today?

Archan: While there are many, I managed to group them into these buckets to show the challenges investigators face every day:

  • Technical Challenges: dealing with anti-forensics tech, which can be further broken into the two parts below:
      • Encrypted Data: it is legitimately used for ensuring the privacy of information by keeping it hidden from an unauthorized user/person. Unfortunately, it is also used by attackers to hide their crimes/traces as well.
      • UnderCover Channel (Covert Channel): a kind of covert channel by which an attacker fools the IDS systems and hides their data over the network. IDS can’t see through encrypted covert channel communication between host and C2. It also becomes a challenge since it is difficult to see through the channel and identify the IOCs/IOAs. This lets them hide in plain sight.
  • Cloud Operations (many resources are short-lived: K8s, containers, etc., so there is a lack of process, tooling to operate, and data collection)
  • Collecting data at scale for organizations
  • Skills Gaps
  • Time to archive data to maintain Chain of Custody
  • Analyzing a live machine remotely to understand the volatile data, hence remote data collection
  • Legal Challenges: absence of guidelines and standards, privacy issues, preservation of electronic evidence
  • Resourcing Challenges: change in technology, skill gaps

Emre: However, most of these challenges clearly show why full disk imaging has lost its efficiency in the digital forensics industry and why most industry professionals are moving towards live forensics. Anti-forensics tech, skill gaps, analyzing on a live machine on-premise, and many other challenges started to disappear with Enterprise Forensics solutions. 

With Enterprise Forensics, we can overcome these challenges easily. Instead of dealing with issues resulting from tools and practices, we can focus more on closing the security gap and getting faster and more robust digital forensics intelligence. 

Relying on manual digital forensic methods is no longer an option except in very rare cases. When a breach hits, time is your biggest asset, and with a manual approach, you waste time repeating the same set of tasks every time an incident occurs. The right automated incident response solution can fix your repetitive security processes across your organization and help minimize the potential damage an incident can cause.

Regarding legal challenges, I couldn’t agree more that standards and guidelines are absent for live evidence, and I am a big supporter of creating some legal structures around them.

Time to archive data to maintain “Chain of Custody” was a challenge 40 years ago when digital forensics practices just started, but now I highly agree with the statement of Harlan Carvey, a pioneer in DFIR: “DFIR is not a legal counsel’s field.” That is not what we are trying to solve. We are trying to close the security gap, fix manual approaches, and implement automation to acquire and analyze digital evidence in minutes, not months.

The priority of an enterprise is finding the security hole, closing it, and increasing the organization’s security posture. This is the actual problem we are trying to solve, so “Chain of Custody” is a historic challenge that in the new era of enterprise forensics started to lose its importance and place at the table.

What can digital forensics specialists and organizations do to reduce the impact of these challenges?

Here is Archan’s and my consolidated list of suggestions:

  • It is vital to have a proper and robust set of tooling capabilities that can help in acquisition without leaving an excessive footprint on the victim machine, which tends to overwrite forensic artifacts.
  • Having a robust process of remote data acquisition is a challenge. We can probably collect a portion of data, but this capability should also have the privilege to capture full disk images, which becomes challenging for remote acquisition. It’s easy, though, in the Cloud, since we can just take a snapshot of an EBS volume and mount it to a forensic workstation, but on-premises it is a challenge.
  • We must have specific national laws or international regulations applicable to every person involved in a digital forensic investigation, dealing with it, or providing any service, tool, or software used for investigation purposes.
  • Investigative organizations need to conduct training and awareness programs for their digital forensics officers so that they are familiar with new technologies. Also, the companies that make tools for digital forensic investigation must provide proper instruction manuals with a valid explanation of the tools and their pros and cons.
  • Simplify the overall process of collecting digital evidence.
  • Choose digital forensics solutions that are already pre-configured and automated, so additional expertise is not required.

The digital forensics industry is known for having huge backlogs and slow-motion movements. What is the proposed solution for this challenge?

Emre: I was so happy to list Archan’s suggestions below:

  • Automation and a Shift Left strategy need to be adopted.
  • Repetitive jobs must be scheduled and automated, and a forensic tool should have all these capabilities.
  • Not only from a collection perspective, but also for triaging the collected data.
  • The scripts should be ready and deployed on the tool, and once the collection is done, they should fire up and send the report.

Why was I happy? Because we are covering them all with enterprise forensic solutions like AIR, and much more besides, but that is not the topic of this post. I agree with Archan that digital forensics methods and practices need to be more modernized and customer-oriented, especially now that the pandemic has created a higher focus on remote digital forensics solutions.
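As an added illustration of the deploy-and-fire automation Archan describes (collect, then triage, then report, with no analyst in the loop), here is a small Python pipeline written for this post. It is not AIR’s code and not Archan’s scripts. It takes a constructed sample of volatile data that a remote collector might return, writes it into an evidence folder, hashes every artifact on arrival, re-verifies the hashes before analysis, runs two placeholder triage rules and returns a report. The pipe-separated artifact format, the file names, the rule names and all sample values are assumptions made for the example.

```python
"""Collect -> hash -> verify -> triage -> report, as one automated run.

Illustrative code written for this post; not the code of any product.
All sample data below is constructed, and the two triage rules are
placeholders standing in for whatever rule set a tool would ship with.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample of what a remote collector might hand back.
# Assumed format: first line is a '|'-separated header, then one row per line.
SAMPLE_COLLECTION = {
    "processes.txt": "\n".join([
        "pid|ppid|user|path",
        "412|1|root|/usr/sbin/sshd",
        "2231|412|alice|/bin/bash",
        "2290|2231|alice|/tmp/.x/updater",      # constructed suspicious row
    ]),
    "netconns.txt": "\n".join([
        "pid|proto|laddr|raddr|state",
        "412|tcp|0.0.0.0:22|-|LISTEN",
        "2290|tcp|10.0.0.5:51234|203.0.113.9:443|ESTABLISHED",  # TEST-NET-3 address
    ]),
}

# Placeholder rule: binaries executing from world-writable scratch dirs.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(collection: dict, evidence_dir: Path) -> dict:
    """Persist each artifact and record its hash at the moment of acquisition."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name, content in collection.items():
        target = evidence_dir / name
        target.write_text(content, encoding="utf-8")
        manifest[name] = sha256_file(target)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path, manifest: dict) -> bool:
    """Re-hash everything; triage must only run on unmodified evidence."""
    return all(sha256_file(evidence_dir / n) == h for n, h in manifest.items())


def parse_table(text: str) -> list:
    """Turn the assumed header|row format into a list of dicts."""
    lines = text.splitlines()
    header = lines[0].split("|")
    return [dict(zip(header, line.split("|"))) for line in lines[1:]]


def triage(evidence_dir: Path) -> list:
    """Apply the placeholder rules and link network activity to flagged processes."""
    procs = parse_table((evidence_dir / "processes.txt").read_text(encoding="utf-8"))
    conns = parse_table((evidence_dir / "netconns.txt").read_text(encoding="utf-8"))
    findings, flagged = [], set()
    for p in procs:
        if p["path"].startswith(SUSPICIOUS_DIRS):
            flagged.add(p["pid"])
            findings.append({"rule": "process_from_temp_dir", "pid": p["pid"], "detail": p["path"]})
    for c in conns:
        if c["pid"] in flagged and c["state"] == "ESTABLISHED":
            findings.append({"rule": "flagged_process_network", "pid": c["pid"], "detail": c["raddr"]})
    return findings


def run_pipeline(collection: dict) -> dict:
    """The scheduled job: acquire, verify, triage, and return the report to send."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence_dir = Path(tmp) / "evidence"
        manifest = acquire(collection, evidence_dir)
        integrity_ok = verify(evidence_dir, manifest)
        # Refuse to analyse evidence whose hashes no longer match the manifest.
        findings = triage(evidence_dir) if integrity_ok else []
    return {
        "manifest": manifest,
        "integrity_ok": integrity_ok,
        "findings": findings,
        "severity": "high" if findings else "none",
    }


if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_COLLECTION), indent=2))
```

The point of the `verify` step is that a tool which fires its triage scripts automatically has nobody watching for a tampered or truncated artifact, so the hash check is the cheapest gate to put between collection and analysis; on real input the collector would replace `SAMPLE_COLLECTION` and the report dict would be what gets posted to the case or ticketing system.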

This industry is full of backlogs because the practices started with law enforcement years ago. Digital Forensics practices were not mainstream at that time. Only law enforcement was using them, so they matured in that area. 

Over the last 40 years, the story has become different. If you have a digital asset, you are open to being a victim of cybercrime. So, now it is not just a law enforcement specialty. It has become a mainstream industry.

The challenge with the backlogs is still there because we are still applying law enforcement digital forensics methods to mainstream enterprise digital forensics cases. The methods invented to take incident cases to court are, 99% of the time, not required for enterprise digital forensics cases. The priority of an enterprise is finding the security hole, closing it, and increasing the organization’s security posture. And that is why enterprise forensics came up.

And that would be all for this time.

Archan, thank you very much for this beneficial discussion and for letting me share our thoughts with the community. We hope that we can create some creative buzz around these topics for further elevating digital forensics practices.

Finally, I would like to mention that Archan Choudhury, with his deep expertise in security incident response & digital forensics, shares fantastic content on his social media accounts. You can check out his YouTube channel here.