Digital Forensics

Answers to the questions that arise after a cyber incident
Overview Initial Deliverables Steps

Overview

Digital Forensics is the activity of collecting, storing, and analyzing data from computer systems and applications that have been the target of unregulated and malicious actions against them.

The purpose of Digital Forensics is to gather and summarize information relevant to a cybersecurity incident that has occurred within an organization.

The attack vector to a given system, device or application can be determined depending on the available data for analysis and its volume.

Initial Deliverables

Current status of the affected system

Current status of the affected system. Initial assessment and evidence acquisition and recommendations for future analysis.

Initial check

Initial check and suggestions for the type of cyber-attack.

Revealing the causes 

Revealing the causes of the cyber security of the incident occurred.

Revealing the initial vector

Revealing the initial vector and source of the cyber-attack.

Reporting

Digital forensics report supported with digital evidence processed from the collected analysis.

Steps

Data Collection

Gathering initial information for analysis:

• Log data from affected devices, security and monitoring systems.

• Conduct analysis of log files.

• RAM memory dump of the affected systems (Windows, Linux) that were not shut down after an incident.

• Information about the current network connections of the affected systems (Windows, Linux).

• Forensic image of hard disk.

Analysis

• Review of the collected data.
• Search for information relevant to the incident in order to determine the vector of the attack and the reasons that led to it.
• Correlation of the found IoC and artifacts from the different data sources and determining the attack vector.
• If necessary, recovery of the important artifacts (files) from the disk copies that may be related to the incident.

Reporting

• A detailed description of the Digital Forensic process for the specific incident.
• A full description of all information found in the analysis of the initially acquired data.
• Depending on the available data for analysis, creation of a timeline with events.