Lesson: Digital Forensics and Incident Response - Cybersecurity - Third Secondary
1. Fundamentals of Cybersecurity
2. Cybersecurity Protection and Response
3. Advanced Topics in Cybersecurity
Lesson 3: Digital Forensics and Incident Response
Link to digital lesson: www.ten.edu

Introduction to Digital Forensics (DF) and Incident Response (IR)
Digital Forensics and Incident Response (DFIR) are important branches of cybersecurity that focus on identifying, investigating, containing, and remediating cyberattacks and on providing information for legal cases or other digital investigations. DFIR services are made up of two main components:

Digital Forensics
As an investigative field within forensic science, digital forensics involves collecting, analyzing, and presenting digital evidence from computer systems, network devices, phones, or tablets. This evidence can help reveal the truth about events that occurred on these devices. Digital forensics is often employed in legal proceedings, regulatory investigations, internal company investigations, and criminal activity cases, among other types of digital investigations.

Incident Response
While also involving the investigation of computer systems through the collection and analysis of data, incident response specifically focuses on addressing security incidents. In these cases, investigators must balance various steps, such as containment and recovery, to respond effectively to the situation.

Both digital forensics and incident response play crucial roles in uncovering the facts surrounding digital events and addressing potential security incidents to ensure the safety and integrity of digital systems and data.

Cyber Kill Chain
The Cyber Kill Chain is a methodology used to understand and analyze malicious cyberattacks. It identifies the stages that enable attackers to gain control of their target and ultimately carry out their objectives. Understanding the cyber kill chain is an essential part of the DFIR process: by understanding it, network defenders can identify attack patterns, recognize known techniques used by attackers, and respond accordingly.
The phases of the Cyber Kill Chain are the following:

Phase 1: Reconnaissance
During Reconnaissance, attackers identify targets and explore vulnerabilities to exploit. This process may involve harvesting credentials and collecting information such as email addresses, user IDs, locations, software applications, and operating systems. The more information gathered, the more successful the attack is likely to be.

Phase 2: Weaponization
During Weaponization, an attacker creates an attack vector (e.g., malware, ransomware, virus, worm) to exploit a known vulnerability. They may also set up backdoors for continued access in case their original entry point is closed by administrators.
Phase 3: Delivery
In the Delivery step, an intruder may send malicious attachments or links to users to spur activity. They may also use social engineering techniques to try to increase the effectiveness of their attack.

Phase 4: Exploitation
During the Exploitation phase, the harmful code is run on the system of the targeted individual.

Phase 5: Installation
Immediately after Exploitation, the attack vector is installed on the victim's system, allowing the threat actor to gain control.

Phase 6: Command and Control
In Command & Control, the attacker takes remote control of a device or identity within the network and moves laterally, expanding access and creating new entry points.

Phase 7: Actions on Objective
During this phase, the perpetrator proceeds with their desired objectives, which could involve stealing data, causing damage, encrypting information, or extracting data.

DFIR Processes
Digital forensics and incident response, while distinct functions, are closely related and often combined in practice. Both are essential components of cybersecurity: digital forensics focuses on collecting and analyzing evidence to determine what happened during a security incident, while incident response involves investigating, containing, and recovering from such incidents. These techniques are frequently used together by Computer Security Incident Response Teams (CSIRTs) in handling cyberattacks, litigation, and various digital investigations. DFIR processes include the following:

Computer Security Incident Response Teams (CSIRTs)
Computer Security Incident Response Teams (CSIRTs) are specialized groups of technical professionals who investigate, analyze, and respond to digital security incidents. They play a critical role in protecting and recovering computer networks after identifying security issues.
Forensic collection
This involves the process of gathering, examining, and analyzing data from various sources, such as networks, applications, data stores, and endpoints, both on-premises and in the cloud.

Chain of custody
A procedure that follows on from forensic collection by keeping track of the evidence's journey from collection to analysis. It involves documenting every individual interacting with the evidence, the date and time of each collection or transfer, and the reason for the transfer.

Root cause investigation
In this step, the organization determines whether it has been the target of a breach and identifies the root cause, scope, timeline, and impact of the incident.
Notification and reporting
Depending on the organization's compliance obligations, it may need to notify and report breaches to the appropriate authorities.

Post-incident review
This stage may require the organization to negotiate with attackers, communicate with stakeholders, customers, and the press, or implement changes to systems and processes to address vulnerabilities, depending on the nature of the incident.

The Digital Forensics Process
A typical DF process will go through the following steps:

Identification
Potential digital evidence related to an incident or investigation is identified and documented. This involves pinpointing the sources of relevant data, such as computers, mobile devices, servers, or network logs, and determining the scope of the investigation.

Preservation
The identified digital evidence is safeguarded to prevent alteration, damage, or loss. This includes creating forensic images or copies of the data, isolating affected systems from networks, and maintaining a proper chain of custody to ensure the integrity of the evidence.

Analysis
The collected evidence is then examined to uncover relevant information and identify patterns or connections. This may involve using specialized forensic tools and techniques to recover deleted files, decrypt encrypted data, or analyze system logs and artifacts. Analysts must also interpret the findings, considering the context of the investigation and potential alternative explanations. Analysis includes the following methods:
• File system forensics: Investigating endpoint file systems to identify signs of a security breach or compromise.
• Memory forensics: Examining system memory to uncover indicators of compromise that may not be present in file systems.
• Network forensics: Analyzing network activity, such as emails, messages, and browsing history, to recognize an attack, understand the attacker's methods, and determine the scope of the incident.
• Log analysis: Reviewing and interpreting activity records or logs to detect unusual events or suspicious behavior that could indicate a security incident.

Documentation
The entire digital forensics process must be documented, including the steps taken, tools used, and conclusions made. Detailed documentation ensures that the forensic analysis can be reviewed, replicated, and challenged if necessary, while demonstrating the investigator's adherence to best practices and industry standards.
Reporting
After the digital forensics process, teams present their evidence and findings. This final step usually details the analysis methodology and the procedures followed during the investigation, ensuring the information is presented clearly and accurately for further review or potential legal proceedings.

The Incident Response (IR) Process
A typical IR process will go through the following steps:

Scoping
In this stage, the goal is to assess the incident's severity, scope, and breadth and to identify all indicators of compromise (IoC). This step helps to understand the extent of the attack and to prioritize response actions accordingly.

Investigation
This involves using advanced systems and threat intelligence to detect threats, collect evidence, and provide in-depth information about the incident. It is a crucial step in understanding the nature of the attack and gathering essential data for further analysis.

Securing
Organizations still need to continuously monitor their cyber health even after the threats have been addressed. This stage often involves containing and eradicating active threats identified during the investigation and closing any identified security gaps to prevent future attacks.

Support and Reporting
The Support and Reporting stage ideally concludes each security incident with a detailed plan for ongoing support and customized reporting. A DFIR service provider may also examine the organization and provide expert advice on the next steps to enhance security measures and ensure preparedness for potential future incidents.

Transformation
Finally, the Transformation stage involves DFIR teams identifying gaps in the organization's security posture, advising on how to strengthen areas of weakness effectively, and mitigating vulnerabilities. This stage aims to improve the organization's security posture and increase its resilience against future cyber threats.
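The Preservation step and the chain-of-custody procedure described earlier can be recorded in code. The following is an added example, not part of the lesson: it hashes a constructed evidence item at collection time and logs every hand-over (who, when, why), flagging any transfer where the bytes no longer match; the evidence ID, handler names and evidence bytes are placeholders.

```python
"""Evidence preservation with a chain-of-custody record (added example)."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence; any change to the bytes changes this value."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only log of every hand-over of one evidence item."""

    def __init__(self, evidence_id: str, data: bytes, collector: str, reason: str):
        self.evidence_id = evidence_id
        # Reference hash taken once, at collection time, as the forensic image is made.
        self.reference_hash = sha256_hex(data)
        self.entries = []
        self._append(collector, "collected", reason, self.reference_hash)

    def _append(self, handler: str, action: str, reason: str, observed_hash: str) -> None:
        self.entries.append({
            "handler": handler,
            "action": action,
            "reason": reason,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": observed_hash,
            # Intact means the handler received exactly the bytes that were collected.
            "intact": observed_hash == self.reference_hash,
        })

    def transfer(self, data: bytes, handler: str, reason: str) -> bool:
        """Record a hand-over of the evidence; returns False if its hash has changed."""
        self._append(handler, "transfer", reason, sha256_hex(data))
        return self.entries[-1]["intact"]

    def is_intact(self) -> bool:
        """True only if every recorded hand-over saw the original bytes."""
        return all(entry["intact"] for entry in self.entries)

    def report(self) -> str:
        """Human-readable custody record for the documentation step."""
        lines = [f"Evidence {self.evidence_id}, reference SHA-256 {self.reference_hash}"]
        for e in self.entries:
            status = "OK" if e["intact"] else "HASH MISMATCH"
            lines.append(f'{e["time"]} {e["action"]:<9} {e["handler"]:<12} {status}: {e["reason"]}')
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed placeholder standing in for a disk image.
    image = b"constructed forensic image of the affected workstation"
    log = ChainOfCustody("EV-PLACEHOLDER-001", image, "collector A", "imaged disk on site")
    log.transfer(image, "analyst B", "handed over for file system and memory analysis")
    log.transfer(image + b"\x00", "analyst C", "received copy for reporting")
    print(log.report())
```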
Digital Forensics and Incident Response Challenges
As computer systems have progressed, so have the difficulties associated with DFIR. Today, digital forensics and incident response experts face several significant obstacles. Table 2.6 illustrates the main challenges of DFIR.
Table 2.6: Main challenges of Digital Forensics and Incident Response

Digital Forensics
• Scattered evidence: The reconstruction of digital evidence is no longer dependent on a single host; it is dispersed across numerous physical and virtual locations. As a result, digital forensics requires more expertise, tools, and time to collect and investigate threats thoroughly and accurately.
• The fast pace of technology: Digital devices, software applications, and operating systems are constantly changing, evolving, and expanding. Due to the rapid rate of change, experts in digital forensics must be able to manage digital evidence in a wide variety of application versions and file formats.

Incident Response
• Growing data, scarce support: Organizations are confronted with an increasing number of security alerts. However, they often do not possess the cybersecurity expertise necessary to address the volume of information and, ultimately, the relevant threat data. Organizations increasingly rely on external DFIR experts to bridge the skills divide and maintain critical threat support.
• Increased attack surface: The expansive attack surface of modern computing and software systems makes obtaining an accurate network overview harder and increases the risk of misconfigurations and user error.

Digital Forensics and Incident Response Best Practices

DF Best Practices
The effectiveness of DFIR depends on responding quickly and thoroughly. It is essential that digital forensics teams have extensive experience and appropriate DFIR tools and processes in place to provide a practical, prompt response to any issue. Expertise in digital forensics has a number of advantages, including the ability to determine an incident's root cause and to determine its scope and impact precisely. Employing the appropriate investigative tools will optimize the identification of the vulnerabilities that led to an attack or accidental exposure.
IR Best Practices
Incident response services are customized for real-time incident management. To reduce reputational damage, financial loss, and business downtime, the best practices for IR include preparation and planning, as well as timely, accurate, and trustworthy mitigation and response. Best practices for digital forensics and incident response include determining the fundamental cause of issues, correctly identifying and locating all available evidence/data, and providing ongoing support to ensure the organization's security defenses are strengthened for the future.
Zero-Trust Security
IR also covers the prevention of malicious attacks on a system. Enterprises have developed security architectures called zero-trust security models. The zero-trust model is a new information security model that has gained popularity recently. Unlike traditional methods that rely on perimeter defenses, such as firewalls, to protect the internal network, zero trust assumes that no device or user should be inherently trusted. This means that even if a user accesses a system from a valid account and an internal device, their request must still be authenticated and authorized. In a zero-trust model, authorization is not granted by default and should only be given if there is a legitimate need. This approach has become more popular due to changes in technology and society, such as remote workforces and the rise of cyberattacks, which make perimeter defenses less effective.

Figure 2.21: Representation of Zero-Trust Security

Table 2.7: Main principles for implementing a zero-trust security model
• Identity verification: All users, devices, and applications must be authenticated and authorized before being granted access to resources. Multi-factor authentication (MFA) is often used to provide an additional layer of security beyond usernames and passwords.
• Least privilege: Access to resources should be granted on a need-to-know basis and only for the minimum time required to complete a specific task.
• Network segmentation: Networks should be segmented to limit lateral movement by attackers. This is often accomplished through micro-segmentation, which divides a network into small, isolated zones that can be individually secured.
• Continuous monitoring: Zero Trust security requires continuous monitoring of user and device behavior, network traffic, and security events to detect and respond to threats in real time.
• Data protection: Data should be protected using encryption and other security measures at rest and in transit.
• Policy enforcement: Policies should be defined to ensure that all users, devices, and applications comply with security requirements.
Analyzing the Web Activity of a Device
Many cyberattacks originate from an infection that occurs through the web activity of a user. After an incident has occurred, the digital forensics process follows. One of the main tasks is investigating and analyzing the web activity of a device that was affected by the incident. Web browsers store log files that contain data and information about the activities performed with that browser. These log files are structured so that they can be accessed and read by data analysis tools. In the scenario that follows, you will analyze the web activity on your device that occurred with the Chrome web browser. You will use DB Browser for SQLite, a database management tool, to access the log files and read the activity data. You can download and install DB Browser from the following link: https://download.sqlitebrowser.org/DB.Browser.for.SQLite-3.12.2-win64.msi

Getting Started with DB Browser
To view the activity of your browser, you will first have to find and open the log files of Chrome. The log files are databases that contain multiple tables, where each table holds information about your activity, such as the websites you have visited and the files you have downloaded. Always make sure that you follow security and protection best practices for your own PC when browsing the Internet.

To open DB Browser and load a log file:
> Double-click the DB Browser shortcut on your Desktop.
> Click on File > Open Database....
> Enter "C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default" in the location path; at [username] insert your computer's username.
> Choose All files (*) from the dropdown menu.
> Click on History to select the History log file, and click Open.
Figure 2.22: To open DB Browser and load a log file

To view a table:
> Click on the Browse Data tab.
> Click the dropdown menu and select urls to view the urls table.
Figure 2.23: To view a table
The Uniform Resource Locators (URLs) table
In cybersecurity forensics, the urls table plays a significant role in investigating and analyzing user browsing activities. The urls table, found within the Chrome History log file, contains valuable information about the web addresses visited by a user during their browsing sessions. By examining the data stored in the urls table, investigators can gain insights into the websites accessed, track user behavior, and uncover crucial evidence related to cybercrimes. The urls table consists of several key columns that provide specific details about each visited URL. Let's explore these columns and understand their significance in cybersecurity forensics:

url: The url column stores the specific web addresses of the visited websites. Analyzing the URLs allows investigators to identify the exact web pages accessed and retrieve critical information related to a particular online activity.

title: The title column holds the titles or names of the visited web pages. This information offers additional context and helps investigators understand the content and purpose of the accessed websites. Analyzing the titles can provide valuable insights into the user's interests, browsing habits, and potential areas of focus during an investigation.

visit_count: The visit_count column records the number of times a specific URL has been visited by the user. This count allows investigators to determine the frequency and level of engagement with a particular website. Analyzing it helps in identifying frequently accessed resources, prioritizing investigation efforts, and identifying patterns or trends in user behavior.

last_visit_time: The last_visit_time column provides the timestamp (date and time) of the most recent visit to a particular URL. This information enables investigators to establish timelines, track the chronology of user activities, and potentially correlate website visits with other events or actions.
Screenshot: the urls table in DB Browser, showing the url, title, visit_count and last_visit_time columns; the last_visit_time values appear as 17-digit numbers such as 13331026045492522.
Reading a Timestamp
The keyword_search_terms Table
The keyword_search_terms table is a significant component of cybersecurity forensics investigations, as it holds crucial information about the search terms or keywords used by users during their browsing activities. The term column in this table specifically captures the individual search queries entered by users. The term column provides valuable insights into users' interests, information needs, and online behavior. Analyzing the term column allows investigators to understand the specific keywords or phrases users use when searching for information. These search terms can range from simple keywords to more complex queries, offering valuable clues about the users' intentions and the type of information they were seeking.

The Downloads Table
Another important table that holds crucial information in forensics is the downloads table. The downloads table contains information about downloaded files and associated metadata. It plays a significant role in managing and tracking downloaded content. The table includes several important fields that provide insights into the downloaded files and related details:

Screenshot: one row of the downloads table in DB Browser, showing current_path and target_path (C:\Users\binar\Downloads\ICT_Brochure.pdf), tab_url (http://binarylogic.net/brochures/1), total_bytes (1769706), start_time (13328797041529572) and end_time (13328797042103677).

current_path and target_path columns: These fields store the current and target paths of the downloaded file on the user's local system. The current_path represents the temporary or in-progress location of the file during the download, while the target_path indicates the final destination where the file is stored after the download is completed.

tab_url column: The tab_url field stores the URL or web address of the webpage where the download originated. It helps identify the specific webpage or online source from which the file was downloaded.
total_bytes column: The total_bytes field represents the total size of the downloaded file in bytes. It provides information about the file's size, which can be helpful in assessing the impact on storage resources and understanding the nature of the downloaded content.

start_time and end_time columns: These fields capture the start and end times of the download process. The start_time indicates when the download was initiated, while the end_time represents when the download was completed. Analyzing these timestamps can provide insights into the duration of the download process and potentially correlate it with other events or user activities.
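The urls and downloads tables described above can also be read with Python's sqlite3 module instead of DB Browser. This is an added example, not part of the lesson: it builds a constructed in-memory stand-in for the History file with only the columns the lesson names (the URLs and titles are invented; the timestamps are the values shown in the screenshots), and it converts the 17-digit last_visit_time, start_time and end_time values, which Chrome stores as microseconds since 1601-01-01 UTC, into readable dates.

```python
"""Query the urls and downloads tables of a Chrome History file (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores last_visit_time, start_time and end_time as microseconds
# since 1601-01-01 00:00:00 UTC (the WebKit epoch), not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value: int) -> datetime:
    """Turn a 17-digit Chrome timestamp into a timezone-aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for the History file (only the columns the lesson names).

    To analyse a real file, connect to a COPY of the History file under
    C:\\Users\\[username]\\AppData\\Local\\Google\\Chrome\\User Data\\Default instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT,
                           target_path TEXT, tab_url TEXT, total_bytes INTEGER,
                           start_time INTEGER, end_time INTEGER);
    """)
    # Constructed rows; only the timestamps are taken from the lesson's screenshots.
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://www.example.com/search", "Example search", 2, 13331026045492522),
        (2, "https://nca.gov.sa/en", "National Cybersecurity Authority", 2, 13331026071307456),
        (3, "http://downloads.example.net/setup", "Setup", 1, 13331026134530124),
    ])
    conn.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, r"C:\Users\binar\Downloads\ICT_Brochure.pdf",
         r"C:\Users\binar\Downloads\ICT_Brochure.pdf",
         "http://binarylogic.net/brochures/1", 1769706,
         13328797041529572, 13328797042103677),
    ])
    return conn


def visit_timeline(conn: sqlite3.Connection) -> list:
    """Visited pages, most recent first, with last_visit_time made readable."""
    rows = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "ORDER BY last_visit_time DESC").fetchall()
    return [(url, title, count, webkit_to_datetime(t).strftime("%Y-%m-%d %H:%M:%S UTC"))
            for url, title, count, t in rows]


def download_summary(conn: sqlite3.Connection) -> list:
    """One record per download: where it was saved, where it came from, how long it took."""
    summary = []
    for path, tab_url, size, start, end in conn.execute(
            "SELECT target_path, tab_url, total_bytes, start_time, end_time "
            "FROM downloads ORDER BY start_time"):
        summary.append({
            "target_path": path,
            "tab_url": tab_url,
            "total_bytes": size,
            "started": webkit_to_datetime(start).isoformat(),
            "seconds": round((end - start) / 1_000_000, 3),
            # A file fetched over plain HTTP deserves a closer look during analysis.
            "cleartext_origin": tab_url.startswith("http://"),
        })
    return summary


if __name__ == "__main__":
    history = build_sample_history()
    for row in visit_timeline(history):
        print(*row, sep=" | ")
    for item in download_summary(history):
        print(item)
```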
The Logins Table
In the Login Data log file, you can find the logins table. The logins table contains information related to user logins and stored credentials. It is commonly found in web browsers' databases and plays a crucial role in managing and auto-filling login details. The table includes several important fields that provide insights into user credentials and associated metadata:

Screenshot: one row of the logins table in DB Browser, showing origin_url, username_element (loginfmt), username_value, password_element (passwd), password_value, date_created (13328890149058235) and date_last_used (13328890141382119). The value of password_value is encrypted and shown here as a BLOB.

origin_url column: The origin_url field stores the URL or web address of the website where the login credentials were used or saved. It helps identify the specific website or online service associated with the stored login information.

username_element and username_value columns: These fields capture the HTML element name and the corresponding value for the username or user identifier used during login. They provide information about the structure and values of the username fields in the web form.

password_element and password_value columns: Similar to the username fields, these fields capture the HTML element name and the corresponding value for the password used during login. They provide insights into the structure and values of the password fields in the web form.

date_created column: The date_created field indicates the date and time when the login credentials were created or saved. It helps establish the timestamp of when the credentials were initially stored in the browser's database.

date_last_used column: The date_last_used field records the most recent date and time when the login credentials were used for authentication. It provides insights into the last time the credentials were used to log in to the associated website.
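Reading the logins table the same way, as an added example that is not part of the lesson: the rows, site names, usernames and the password bytes are constructed (the two timestamps of the first row are those shown in the screenshot), the code treats password_value only as an opaque encrypted BLOB whose presence is noted but never decrypted, and it groups the sites by whether origin_url uses HTTPS.

```python
"""List the sites holding saved credentials in Chrome's Login Data file (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Same time base as the History file: microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value: int) -> datetime:
    """Turn a 17-digit Chrome timestamp into a timezone-aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_login_data() -> sqlite3.Connection:
    """Constructed stand-in for the logins table (only the columns the lesson names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE logins (origin_url TEXT, username_element TEXT,
                             username_value TEXT, password_element TEXT,
                             password_value BLOB, date_created INTEGER,
                             date_last_used INTEGER)""")
    # Constructed rows. password_value stands in for the encrypted BLOB Chrome
    # stores; it is not real ciphertext and nothing here tries to decrypt it.
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?, ?)", [
        ("https://login.example.com/oauth20_authorize", "loginfmt",
         "student@example.com", "passwd", b"\x01\x02constructed-blob",
         13328890149058235, 13328890141382119),
        ("http://intranet.example.test/login.php", "user",
         "student01", "pass", b"\x03\x04constructed-blob",
         13328890200000000, 13328890300000000),
    ])
    return conn


def credential_sites(conn: sqlite3.Connection) -> list:
    """One record per stored login; the secret stays opaque, only its presence is noted."""
    report = []
    query = ("SELECT origin_url, username_element, username_value, password_element, "
             "password_value, date_created, date_last_used FROM logins ORDER BY rowid")
    for origin, user_el, user, pw_el, pw_blob, created, last_used in conn.execute(query):
        parts = urlsplit(origin)
        report.append({
            "site": parts.netloc,
            "username": user,
            "form_fields": (user_el, pw_el),      # HTML element names, as in the lesson
            "password_stored": isinstance(pw_blob, bytes) and len(pw_blob) > 0,
            "secure": parts.scheme == "https",    # credentials sent over TLS or in clear
            "created": webkit_to_datetime(created).isoformat(),
            "last_used": webkit_to_datetime(last_used).isoformat(),
        })
    return report


def split_by_transport(conn: sqlite3.Connection) -> tuple:
    """Site names grouped into (secure, unsecured) by the scheme of origin_url."""
    rows = credential_sites(conn)
    secure = [r["site"] for r in rows if r["secure"]]
    unsecured = [r["site"] for r in rows if not r["secure"]]
    return secure, unsecured


if __name__ == "__main__":
    logins = build_sample_login_data()
    for record in credential_sites(logins):
        print(record)
    secure_sites, unsecured_sites = split_by_transport(logins)
    print("secure:", secure_sites, "unsecured:", unsecured_sites)
```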
Exercises

1. Read the sentences and tick True or False.
   1. Digital forensics focuses on restoring deleted files and decrypting encrypted data. (True / False)
   2. Digital forensics and incident response are distinct processes. (True / False)
   3. Computer forensics is only used in legal proceedings. (True / False)
   4. Incident response involves gathering and analyzing data to determine what happened in a security incident. (True / False)
   5. Computer Security Incident Response Teams (CSIRTs) play an essential role in cybersecurity. (True / False)
   6. Post-incident review is not necessary for a DFIR process. (True / False)
   7. Forensic collection only involves collecting data from a single source. (True / False)
   8. Memory forensics is the same as file system forensics. (True / False)

2. Outline the sources of evidence that must be identified when conducting a digital forensics investigation.

3. Analyze the role of Computer Security Incident Response Teams (CSIRTs) in protecting machine networks.
4. Describe the steps of a typical DFIR process.

5. Describe the main challenges associated with Digital Forensics and Incident Response.

6. In a web browser with large quantities of activity data, analyze the results from the urls table and try to deduce whether there are specific patterns the user follows in their web browsing activity.

7. For the same data as the previous exercise, evaluate the data from the logins table and list the sites where the user has entered their credentials. After that, categorize them as secure and potentially unsecured sites.