Evidence Handling and Attack Attribution: 6.1.1 Digital Forensics

7/25/22, 9:33 PM Module 6: Digital Forensics and Incident Analysis and Response | 1.
Evidence Handling and Attack Attribution
Lab - Gather System Information After an Incident 

  
Lab - Gather System Information After an Incident

Objectives

= Collect system
information after an incident has occurred.
= View logs for
potential intrusions.
Background / Scenario
When an incident occurs in an organization, people
responsible must know how to respond. An organization needs to develop an
incident response
Evidence Handling and Attack

plan and put together a Computer Security Incident Response
Team (CSIRT) to manage the response. In this lab, you will gather system information
and review logs after an incident has occurred. Doing these tasks immediately
after the incident is important because any data residing in RAM will be
gone
when the system is shut down.
Required Resources
Attribution
PC with the CSE-LABVM installed in VirtualBox
Instructions
Step 1: Open a terminal window in

the CSE-LABVM.
a.
Launch the CSE-LABVM.
b.
Double-click the Terminal icon to open a terminal.
Step 2: Collect volatile

information of the compromised system.
In this step, you will create a file called report.txt
that includes a variety of system information that can be used for incident
analysis. This report can
then be transferred to a USB drive, emailed, or
uploaded to a cloud server to preserve the information. Then the system can be
taken down.
a.
Switch to the root user with the sudo su command. Enter password
as the root password.
cisco@labvm:~$ sudo su
Scroll to begin 
[sudo] password for cisco: password
root@labvm:/home/cisco#
b. Enter the echo
command, and then specify a heading for a newly created file named report.txt.
Enter the cat command to review the new file.
root@labvm:/home/cisco# echo Incident Investigator Report >
report.txt
root@labvm:/home/cisco# cat report.txt
Incident Investigator Report
c.
Enter the date command and redirect the date and timestamp to the
report.txt file. Be sure to use the double angle brackets (>>)
to append to the
report.txt file. Otherwise, you will replace the
previous content.
Note: To better document the content stored in
report.txt, use the echo command to add a subheading as shown here for Start
Date and Time.
Each substep will specify a subheading for you to append
before you gather information.
root@labvm:/home/cisco# echo =====Start Date and Time=====
>> report.txt
root@labvm:/home/cisco# date >> report.txt
d. Enter the uname
command to print system information. Use the -a option to append all
system information to the report.txt file.
root@labvm:/home/cisco# echo =====System Information=====
>> report.txt
root@labvm:/home/cisco# uname -a >> report.txt
e. Enter the ifconfig
-a command and append all network interface information to the report.txt
file.
root@labvm:/home/cisco# echo =====Network Interfaces=====
>> report.txt
root@labvm:/home/cisco# ifconfig -a >> report.txt
f Th t t t d ll t ll th t k t ti ti E t th d ith th ti t ll td t ll k t ( ) IP
6.1.1 Digital Forensics
Now that you have investigated and identified valid alerts, what do you do with the evidence? The
cybersecurity analyst will inevitably uncover evidence of criminal activity. In order to protect the
organization and to prevent cybercrime, it is necessary to identify threat actors, report them to the
appropriate authorities, and provide evidence to support prosecution. Tier 1 cybersecurity analysts are
often the first to uncover wrongdoing. Cybersecurity analysts must know how to properly handle
evidence and attribute it to threat actors.
Digital forensics is the recovery and investigation of information found on digital devices as it relates to
criminal activity. Indicators of compromise are the evidence that a cybersecurity incident has occurred.
This information could be data on storage devices, in volatile computer memory, or the traces of
cybercrime that are preserved in network data, such as pcaps and logs. It is essential that all indicators
of compromise be preserved for future analysis and attack attribution.
https://contenthub.netacad.com/sgp/varmir/1.0/en-US/m6//?xAPILaunchKey=d56e2954767b2bb4c870665daa72cff411f50cf10b6b30f5c8aa8e91… 1/14
7/25/22, 9:33 PM Module 6: Digital Forensics and Incident Analysis and Response | 1. Evidence Handling and Attack Attribution
LabCybercriminal activity
- Gather System can be broadly
Information characterized
After an Incidentas originating from inside of or outside of the
Lab - Gather
organization. System
Private Information
investigations After an
are concerned withIncident
individuals inside the organization. These


Objectives
individuals could simply be behaving in ways that violate user agreements or other non-criminal
 
= Collect system
conduct.
= View
When intrusions.
logs for
potential individuals are suspected of involvement in criminal activity involving the theft or
destruction of intellectual property, an organization may choose to involve law enforcement authorities,
in which case the investigation becomesmust public. Internal users could also have used the response

organization’s
responsible know how to respond. An organization needs to develop an
incident
network
and review logstoafter
conduct
an incidentother criminal
has occurred. activities
Doing these that are unrelated
tasks immediately
after the incident isto the organizational
important mission
because any data residing in RAM but
will beare in
gone
violation of various legal statutes. In this case, public officials will carry out the investigation.
Required Resources
When
PC with thean external
CSE-LABVM attacker
installed has
in VirtualBox exploited a network and stolen or altered data, evidence needs to be
gathered to document the scope of the exploit. Various regulatory bodies specify a range of actions
Instructions
that an organization must take when various types of data have been compromised. The results of
the CSE-LABVM.
forensic investigation can help to identify the actions that need to be taken.
a.
b.
For example, under the US HIPAA regulations, if a data breach has occurred that involves patient
information, notification of the breach must be made to the affected individuals. If the breach involves
taken down.
more than 500 individuals in a state or jurisdiction, the media, as well as the affected individuals, must
a.
becisco@labvm:~$
notified. Digital forensic investigation must be used to determine which individuals were affected,
sudo su
and to certify
[sudo] thefornumber
password of affected individuals so that appropriate notification can be made in
cisco: password
compliance with HIPAA regulations.
b. Enter the echo
report.txt
It is possible that the organization
root@labvm:/home/cisco# itself could be the subject of an investigation. Cybersecurity analysts
cat report.txt
may find themselves in direct contact with digital forensic evidence that details the conduct of
members
c. ofcommand

Enter the date the organization. Analysts
and redirect the date must
and timestamp know thefile.requirements
to the
report.txt regarding
Be sure to use the double the preservation
angle brackets (>>)
to append to theand
previous content.
handling of such evidence. Failure to do so could result in criminal penalties for the organization and
Date and Time.
Each the
even substep will specify a subheading
cybersecurity analystfor you
if tothe
append
before
intention youto
gather information.
destroy evidence is established.
>> report.txt
d. Enter the uname
>> report.txt
file.
>> report.txt
6.1.2 The Digital Forensics Process
It is important that an organization develop well-documented processes and procedures for digital
forensic analysis. Regulatory compliance may require this documentation, and this documentation may
be inspected by authorities in the event of a public investigation.
NIST Special Publication 800-86 Guide to Integrating Forensic Techniques into Incident Response is a
valuable resource for organizations that require guidance in developing digital forensics plans. For
example, it recommends that forensics be performed using the four-phase process.
The following describes the four basic phases of the digital evidence forensic process.
LabThe Digital
- Gather Evidence
System Forensic
Information Process
After an Incident

Objectives  
= Collect system
= View logs for
Media Data Information Evidence 
incident response
Collection
and review logs after Examination
an incident has occurred. Analysis
Doing these tasks immediately
afterReporting
the incident is important because any data residing in RAM will be
gone
Required Resources
Instructions

the CSE-LABVM.
a.
b.

taken down.
a.
Step 1. Collection
root@labvm:/home/cisco# 
b. Enter the echo
report.txt
Step 2. Examination
root@labvm:/home/cisco# cat report.txt 
Step the3. Analysis
c.
Enter date command and redirect the date and timestamp to the
to append to the
previous content.

Date and Time.
This entails drawing conclusions from the data. Salient features, such as people, places, times,
>> report.txt
events, and so on should
root@labvm:/home/cisco# bereport.txt
date >> documented. This step may also involve
the correlation of data from
multiple
d. Enter sources. to print system information. Use the -a option to append all
the uname
command
>> report.txt
e. Enter
Step the 4.
ifconfig
file.
Reporting
>> report.txt

6.1.3 Check Your Understanding - Identify the Steps in the

Digital Forensics Process
Question 1
Which technique involves assessment and extraction of relevant information from collected data?

 Examination

Objectives  
= Collect system
= View logsCollection
for
Background / Scenario 
incident response
plan and putReporting
together a Computer Security Incident Response
gone
Required Resources
Analysis
Instructions
Reset  Show feedback
the CSE-LABVM.
a.
b.

taken down.
a.
Question 2
b. Enter the echo
report.txt
Which technique involves drawing conclusions from the data?
Examination
c.
to append to the
previous content.
Date and Time.
root@labvm:/home/cisco#
Analysis
echo =====Start Date and Time=====
>> report.txt
d. Enter the uname
Reporting
>> report.txt
file.
Collection
>> report.txt
Question 3
Which is technique incudes identification of potential sources of forensic data and acquisition,
handling, and storage of that data?
Reporting
 Collection
Analysis

Examination

Objectives  
= Collect system
= View
Reset
logs for
potential intrusions.  Show feedback
incident response
gone
Required Resources
Question 4
Instructions

the CSE-LABVM.
a.
Which technique includes preparation and presentation of the information which resulted from the
b.
analysis?
taken down.
 Reporting
a.
Examination
b. Enter the echo
report.txt
Analysis
c.
Enter theCollection
date command and redirect the date and timestamp to the
to append to the
previous content.
Date and Time.
Reset
>> report.txt
 Show feedback
d. Enter the uname

>> report.txt
file.
>> report.txt
6.1.4 Types of Evidence
In legal proceedings, evidence is broadly classified as either direct or indirect. Direct evidence is
evidence that was indisputably in the possession of the accused, or is eyewitness evidence from
someone who directly observed criminal behavior.
Evidence is further classified as:
Best evidence

Lab - Corroborating
Gather System Information After an Incident
evidence  

Objectives  
= Collect system
This is evidence that supports an assertion that is developed from best evidence.
= View logs for
Indirect
an incidentevidence
When occurs in an organization, people
incident response

gone
Required Resources
Instructions

the CSE-LABVM.
a.
b.

taken down.
a.
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
>> report.txt
file.
>> report.txt
f Th t t t d ll t ll th
6.1.5 Check Your t Understanding
k t ti ti E t th d ith th ti t ll t d t
- Identify thell Type
k t ( ) IP
of
Evidence
Question 1
Which type of evidence was indisputably in the possession of the accused?
 direct evidence
best evidence
indirect evidence
corroborating evidence
Reset Show feedback




Objectives  
= Collect system
= View logs for
Question 2
incident response
gone
Required Resources
Which type of evidence supports an assertation that is developed from best evidence?
Instructions
direct evidence
the CSE-LABVM.
a.
best
b.
Double-click the evidence
Terminal icon to open a terminal.

 corroborating
then be transferred to a USB drive,evidence
emailed, or
taken down.
a.
[sudo] indirect
password evidence
for cisco: password
b. Enter the echo
report.txt
Reset
root@labvm:/home/cisco# cat report.txt  Show feedback
c.
to append to the
previous content.
Date and Time.
>> report.txt
Question 3
d. Enter the uname
>> report.txt
file.
Which type of evidenceecho
root@labvm:/home/cisco# is circumstantial evidence that, report.txt
=====Network Interfaces=====
>> in combination with other facts, establishes a
hypothesis?
 indirect evidence
best evidence
corroborating evidence
direct evidence
Question 4

Which type of evidence is in its original state?


Objectives  
= Collect system

= View logsbest evidence
for
incident response
plan and putcorroborating evidence
together a Computer Security Incident Response
gone
Required Resources
indirect evidence
Instructions
direct evidence
the CSE-LABVM.
a.
Reset
b.
Double-click the Terminal icon to open a terminal.  Show feedback
taken down.
a.
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
>> report.txt
6.1.6 Evidence
root@labvm:/home/cisco# Collection
uname -a >> report.txt Order
file.
>> report.txt
IETF RFC 3227 provides guidelines for the collection of digital evidence. It describes an order for the
collection of digital evidence based on the volatility of the data. Data stored in RAM is the most volatile,
and it will be lost when the device is turned off. In addition, important data in volatile memory could be
overwritten by routine machine processes. Therefore, the collection of digital evidence should begin
with the most volatile evidence and proceed to the least volatile, as shown in the figure.
Evidence Collection Priority


Objectives Volatile  
= Collect system
= View logs for
Contents of RAM
incident response
gone
Evidence Contents of Fixed Disks
Source
Required Resources
Instructions
Archived Backup Data
the CSE-LABVM.
a.
b.

information of the compromised
Non-volatile
system.
taken down.
a.
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
Anroot@labvm:/home/cisco# echo =====System Information=====

>> report.txt
example of most volatile to least volatile evidence collection order is as follows:
file.
Memory registers, caches
>> report.txt
Routing table, ARPifconfig
root@labvm:/home/cisco# cache, -a
process table, kernel statistics, RAM
>> report.txt
Temporary file systems
Non-volatile media, fixed and removable
Remote logging and monitoring data
Physical interconnections and topologies
Archival media, tape or other backups
Details of the systems from which the evidence was collected, including who has access to those
systems and at what level of permissions should be recorded. Such details should include hardware
and software configurations for the systems from which the data was obtained.


Objectives  
6.1.7
= Collect
Chain of Custody
system
= View
logs for
incident response
plan and put together
Although a Computer
evidence may Security
have Incident
been Response
Team
gathered(CSIRT)
fromtosources
manage thethatresponse. In this lab,
support you will gatherto
attribution system
an information
accused
gone
individual, it can be argued that the evidence could have been altered or fabricated after it was
Required Resources
collected. In order to counter this argument, a rigorous chain of custody must be defined and followed.
Chain of custody involves the collection, handling, and secure storage of evidence. Detailed records
Instructions
should be kept of the following:
the CSE-LABVM.
a.
Who discovered and collected the evidence?
b.
All details about the handling of evidence including times, places, and personnel involved.
Who has primary responsibility for the evidence, when responsibility was assigned, and when
then be custody
transferred tochanged?
a USB drive, emailed, or
taken down.
a.
Who has physical access to the evidence while it was stored? Access should be restricted to only
the password
[sudo] most essential personnel.
for cisco: password
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
>> report.txt
file.
>> report.txt
6.1.8 Data Integrity and Preservation
When collecting data, it is important that it is preserved in its original condition. Timestamping of files
should be preserved. For this reason, the original evidence should be copied, and analysis should only
be conducted on copies of the original. This is to avoid accidental loss or alteration of the evidence.
LabBecause timestamps
- Gather may be partAfter
System Information of thean
evidence,
Incidentopening files from the original media should be
avoided.


Objectives  
= Collect
system
The process used to create copies of the evidence that is used in the investigation should be recorded.
= View logs for
Whenever possible, the copies should be direct bit-level copies of the original storage volumes. It
should be possible to compare the archived disc image and the investigated disk image to identify 
incident response
whether
plan the contents
and put together of theIncident
a Computer Security investigated
Response
Teamdisk have
(CSIRT) been the
to manage tampered
response. In with.
this lab, For this
you will reason,
gather it is important
system information
to archive
gone
when and isprotect
the system shut down.the original disk to keep it in its original, untampered with, condition.
Required Resources
Volatile memory could contain forensic evidence, so special tools should be used to preserve that
evidence before the device is shut down and evidence is lost. Users should not disconnect, unplug, or
Instructions
turn off infected machines unless explicitly told to do so by security personnel.
the CSE-LABVM.
a.
Following these processes will ensure that any evidence of wrongdoing will be preserved, and any
b.
indicators of compromise can be identified.
taken down.
a.
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
>> report.txt
6.1.9 Attack Attribution
file.
>> report.txt
After the extent of the cyberattack has been assessed and evidence collected and preserved, incident
response can move to identifying the source of the attack. As we know, a wide range of threat actors
exist, ranging from disgruntled individuals, hackers, cybercriminals and criminal gangs, or nation
states. Some criminals act from inside the network, while others can be on the other side of world.
Sophistication of cybercrime varies as well. Nation states may employ large groups of highly-trained
individuals to carry out an attack and hide their tracks, while other threat actors may openly brag about
their criminal activities.
Threat attribution refers to the act of determining the individual, organization, or nation responsible for
a successful intrusion or attack incident.
Identifying responsible threat actors should occur through the principled and systematic investigation
of the evidence. While it may be useful to also speculate as to the identity of threat actors by
identifying potential motivations for an incident, it is important not to let this bias the investigation. For
example, attributing an attack to a commercial competitor may lead the investigation away from the
possibility that a criminal gang or nation state was responsible.
In an evidence-based investigation, the incident response team correlates Tactics, Techniques, and
Procedures (TTP) that were used in the incident with other known exploits. Cybercriminals, much like
other criminals, have specific traits that are common to most of their crimes. Threat intelligence
Labsources canSystem
- Gather help to Information
map the TTP After
identified by an investigation to known sources of similar attacks.
an Incident
Lab - Gather
However, System
this highlights Information
a problem After
with threat an Incident
attribution. Evidence of cybercrime is seldom direct


Objectives  
evidence. Identifying commonalities between TTPs for known and unknown threat actors is
= Collect system
circumstantial
= View
evidence.
logs for
Some aspects of a threat that can aid in attribution are the location of originating hosts or domains, 
incident response
features
plan of thea Computer
and put together code used Securityin malware,
Incident the tools
Response
Team used,
(CSIRT) to manageand theother
response.techniques. Sometimes,
In this lab, you will at the national
gather system information
securitythelevel,
gone
when system threats
is shut down.cannot be openly attributed because doing so would expose methods and
capabilities
Required that need to be protected.
Resources
For internal threats, asset management plays a major role. Uncovering the devices from which an
Instructions
attack was launched can lead directly to the threat actor. IP addresses, MAC addresses, and DHCP
Steplogs
1: Open
cana help
terminal window
track in
the CSE-LABVM.
the addresses used in
the attack back to a specific device. AAA logs are very
a.
useful in this regard, as they track who accessed what network resources at what time.
b.

taken down.
a.
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
6.1.10 The MITRE
root@labvm:/home/cisco# ATT&CK
echo =====System Framework
Information=====
>>
report.txt

file.
>> report.txt
One way to attribute an attack is to model threat actor behavior. The MITRE Adversarial Tactics,
Techniques & Common Knowledge (ATT&CK) Framework enables the ability to detect attacker tactics,
techniques, and procedures (TTP) as part of threat defense and attack attribution. This is done by
mapping the steps in an attack to a matrix of generalized tactics and describing the techniques that are
used in each tactic. Tactics consist of the technical goals that an attacker must accomplish in order to
execute an attack and techniques are the means by which the tactics are accomplished. Finally,
procedures are the specific actions taken by threat actors in the techniques that have been identified.
Procedures are the documented real-world use of techniques by threat actors.
The MITRE ATT&CK Framework is a global knowledge base of threat actor behavior. It is based on
observation and analysis of real-world exploits with the purpose of describing the behavior of the
attacker, not the attack itself. It is designed to enable automated information sharing by defining data
structures for the exchange of information between its community of users and MITRE.
The figure shows an analysis of a ransomware exploit from the excellent ANY.RUN online sandbox. The
columns show the enterprise attack matrix tactics, with the techniques that are used by the malware
arranged under the columns. Clicking the technique then lists details of the procedures that are used
by the specific malware instance with a definition, explanation, and examples of the technique.
Note: Do an internet search on MITRE ATT&CK to learn more about this tool.
LabMITRE ATT&CK
- Gather SystemMatrix for a After
Information Ransomware Exploit
an Incident

Objectives  
= Collect system
= View logs for
incident response
gone
Required Resources
Instructions

the CSE-LABVM.
a.
b.

taken down.
a.
b. Enter the echo
report.txt
c.
to append to the
previous content.
Date and Time.
>> report.txt
d. Enter the uname
>> report.txt
file.
>> report.txt
f6.1.11
Th t t t Video
d ll Lab
t ll th t- kGather
t ti ti E t th System
d ith th Information
ti t ll t d t ll After
k t ( ) IP an
Incident
Press the play button to view this short demo video.


Objectives  
= Collect system
= View logs for
incident response
gone
Required Resources
Instructions

the CSE-LABVM.
a.
b.

taken down.
a.
6.1.12 Lab - Gather System Information After an Incident
b. Enter the echo
report.txt
In this Lab, you will complete the following objectives:
c.
to append to the
previous content.
Collect
Note: To better system
document theinformation after anuse
content stored in
report.txt, incident has occurred.
the echo command to add a subheading as shown here for Start
Date and Time.
View logs for potential intrusions.
>> report.txt
d. Enter the uname
>> report.txt
 Lab
root@labvm:/home/cisco# uname -a >> -report.txt
Gather System Information After an Incident
file.
>> report.txt
Previous Home Next

Evidence Handling and Attack Attribution: 6.1.1 Digital Forensics

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Evidence Handling and Attack Attribution: 6.1.1 Digital Forensics

Uploaded by

Copyright:

Available Formats

7/25/22, 9:33 PM Module 6: Digital Forensics and Incident Analysis and Response | 1.

Evidence Handling and Attack Attribution

Lab - Gather System Information After an Incident 

Lab - Gather System Information After an Incident

Evidence Handling and Attack

Step 1: Open a terminal window in

Step 2: Collect volatile

6.1.1 Digital Forensics

6.1.2 The Digital Forensics Process

Step 1: Open a terminal window in

Step 2: Collect volatile

6.1.3 Check Your Understanding - Identify the Steps in the

Lab - Gather System Information After an Incident

Step 2: Collect volatile

Lab - Gather System Information After an Incident

Step 1: Open a terminal window in

d. Enter the uname

6.1.4 Types of Evidence

Evidence is further classified as:

Step 1: Open a terminal window in

Step 2: Collect volatile

Which type of evidence was indisputably in the possession of the accused?

Reset Show feedback

Lab - Gather System Information After an Incident

Step 2: Collect volatile

Reset  Show feedback

Lab - Gather System Information After an Incident

Evidence Collection Priority

Lab - Gather System Information After an Incident

Step 2: Collect volatile

Anroot@labvm:/home/cisco# echo =====System Information=====

Lab - Gather System Information After an Incident

6.1.8 Data Integrity and Preservation

Step 2: Collect volatile

e. Enter the ifconfig

Step 1: Open a terminal window in

Step 2: Collect volatile

Press the play button to view this short demo video.

Lab - Gather System Information After an Incident

Step 1: Open a terminal window in

Step 2: Collect volatile

Previous Home Next

You might also like