
Incident response and computer forensic investigation

Last reviewed: June 26, 2013
Abstract

Data Tech is a company specializing in data processing. Recently, the company's intrusion detection system reported that several of its systems are exporting data to a hostile IP address. This report investigates the incident using a computer forensic strategy, and uses forensic tools to stop the data export and to recover the data that was lost.

Computer Forensic Investigation

Making an initial assessment about the case.

Identifying the risks.

Mitigating or minimizing the risks.

Determining a preliminary design or approach to the case.

Creating a detailed checklist.

Determining the resources needed.

Establishing the Chain of Custody.

Obtaining and copying an evidence disk drive.

Analyzing and recovering the digital evidence.

Investigating the data recovered.

Completing the case report.

Critique the case.

Case Assessment

Data Tech Inc. is a data processing company that helps organizations globally to store, retrieve and process data; our company specializes in payroll processing and ACH processing. The nature of this service requires us to store sensitive data for organizations and individuals, including SSNs (Social Security Numbers), bank account numbers, credit card numbers, health information, and other personal information such as email addresses, telephone numbers and postal addresses. To facilitate processing, the company runs a database that stores and processes all of this data, and the database is linked to the other systems in our company to support data retrieval, storage and processing.

Over the years, our company has implemented security devices to ensure that all data in the database are secured. We use an IDS (intrusion detection system) to monitor for and detect unauthorized network access, malicious activity and policy violations in our systems (Zhang, Lee, & Huang, 2003). Recently, our intrusion detection system reported that several systems in our company have been compromised and are exporting data to a known hostile IP address. Assessment of the case reveals that our company has not implemented effective controls to protect the company's data: an IDS can only detect and report unwanted traffic, it cannot block it, so by itself it cannot stop the export. Our company must therefore take immediate action to stop the data export to the identified hostile IP address, and implement an effective strategy to restore the lost data and safeguard the company from future attacks.

The objective of this report is to conduct an incident response and computer forensic investigation into the security breach of our systems, and to take the steps needed to ensure that our data are restored and protected. Identifying the risks is critical to understanding the strategy for managing them.

1.1. Identification of the Risks

The risk our company faces from the compromise is a data and security breach. A data breach is the state in which our own personal information and our clients' personal information, such as credit card numbers, Social Security numbers and health information, has been exposed to an unauthorized party. Such a breach can be costly: it poses significant financial risk, our reputation is at stake if adequate steps are not taken, and we could incur regulatory penalties or other losses for non-compliance with data privacy and security regulations. A wide range of further repercussions can follow, including criminal charges, and some companies have filed for bankruptcy protection because of the cost of remediating a breach. For example, South Shore Hospital in Massachusetts agreed to pay $750,000 over a data breach and its failure to protect the health information of more than 800,000 people (Massachusetts Government, 2012). Another example close to our own case involved a credit card processor that handled transactions for merchants; the breach affected up to 3 million accounts and exposed millions of card holders to potential misuse and fraudulent transactions. In that case servers, computers and firewall logs, as well as social media sites and even cell phones, were generating data, and as the transaction volume grew it became very challenging to protect it all. Our company must therefore act immediately to contain the breach in our systems.

1.2. Mitigate or Minimize the Risks

A first step in mitigating the risk is to recover data that was deleted or corrupted on our systems, using computer forensic techniques. Computer forensics is the science of recovering and preserving digital evidence, and this report will use Forensic Toolkit version 1.80 to recover files that the intrusion deleted or damaged. Special-purpose tools such as Undelete, WinUndelete, Uneraser, or SoftPerfect can also recover deleted files. When a file is deleted, the operating system normally removes only its directory entry; the remnants of that entry and the file's data clusters stay on disk until they are overwritten, which is what recovery tools rely on (Nabity & Landry, 2010). Recovery tools cannot, however, recall the copies that were already exported to the hostile IP address; those records must be treated as disclosed, and the response for them is to stop the export and restore our own copies from disk and from backups.
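As an added illustration of the recovery principle above (example code written for this edit, not part of the original paper and not taken from any of the named tools): a signature-based carver that scans a raw disk image for known file headers and footers and pulls out files whose directory entries are gone. The in-memory image, the sample PDF and JPEG, and the size cap are constructed for the example; a real run would read a write-blocked image such as one produced by dd.

```python
"""Signature-based carving of deleted files from a raw disk image.

Added example, not from the paper: a deleted file's clusters stay on disk
until they are reused, so scanning the raw image for known header/footer
byte sequences can recover the file even though its directory entry is
gone.  The image below is constructed in memory; a real run would read a
write-blocked image (for example one produced by dd).
"""
import hashlib

# Real magic bytes for the two formats; more can be added to the dict.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_FILE_SIZE = 1024 * 1024   # cap a carve when the footer is missing

# Constructed "deleted" files placed in the sample image below.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + b"\xff\xd9"


def carve(image, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Return [(type, offset, data), ...] for every header/footer pair found.

    A header with no footer inside max_size bytes is skipped rather than
    carved, so a truncated file does not swallow the rest of the image.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                pos = start + 1          # no footer in range: keep scanning
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def sha256(data):
    """Hash each carved file so it can be recorded in the case report."""
    return hashlib.sha256(data).hexdigest()


def build_sample_image(sector=512):
    """Constructed 7-sector image: free space, the PDF, free space, the JPEG."""
    def padded(blob):
        return blob + b"\x00" * (sector - len(blob))
    free = b"\x00" * sector
    return free + padded(SAMPLE_PDF) + free + padded(SAMPLE_JPG) + free * 3


if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}: {len(data)} bytes, sha256 {sha256(data)}")
```

Carving works on any file system, including one whose allocation tables the attacker wiped, which is why it is the fallback when the undelete tools above find nothing; the cost is that it cannot recover fragmented files and it does not know the original file names.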

The next step is to identify the hostile IP address to which our systems are exporting data, and which of our hosts are sending to it. We will deploy RiskAnalytics for this, supported by anomaly detection on the network traffic and by the IDS logs (Mahoney, & Chan, 2011). The IDS already installed in our systems only detects unauthorized traffic; its shortcoming is that it cannot prevent that traffic from passing. Our company will therefore install an IPS, which sits inline and can drop unwanted traffic, and alongside the IPS a firewall to filter and block connections to and from the hostile address at the network perimeter.

The solution we will implement to stop our systems communicating with the hostile IP address is RiskAnalytics software such as AutoShun. AutoShun blocks communication between our systems and the hostile IP address, and removes, prevents and limits the transfer of crimeware onto company assets. It is a dynamic risk management product that filters and disrupts traffic to and from hostile IP addresses, such as those used by the Conficker and Zeus malware families and by botnets. The technology carries a database of more than 3 million IP addresses that have been marked as hostile around the world. When one of these addresses attempts to communicate with our network, AutoShun identifies it as hostile, disrupts the communication in real time, and blocks further traffic between that address and our systems. Two practical points apply: a reputation feed only blocks the addresses it already lists, so the specific address identified by our IDS must be added to the blocklist explicitly and the block confirmed in the firewall logs; and blocking one address does not clean the compromised hosts, which must still be isolated and investigated, since the malware on them may fall back to another address.
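To make the identify-then-block step concrete, here is an added example (written for this edit; not from the paper and not AutoShun's code) that parses constructed firewall connection-log lines, totals the outbound bytes each internal host sent to addresses on a hostile list, and emits vendor-neutral deny rules for the firewall or IPS. The log format, the TEST-NET addresses and the hostile list are assumptions made for the example, and the lines are assumed to be in time order.

```python
"""Find which internal hosts are sending data to hostile IP addresses.

Added example, not from the paper and not AutoShun's code: an IDS only
raises the alert, so the first response step is to work out from the
connection logs which hosts are talking to the hostile address and how
much they have sent, then turn the hostile set into block rules.  The log
lines, field layout and TEST-NET addresses below are constructed, and the
lines are assumed to be in chronological order.
"""
import ipaddress
from collections import defaultdict

# Constructed firewall export, one connection per line:
# "timestamp src dst dport bytes_out"
SAMPLE_LOG = """\
2013-06-25T09:00:01 10.0.1.15 203.0.113.77 443 184000
2013-06-25T09:00:07 10.0.1.15 198.51.100.9 443 2048
2013-06-25T09:01:12 10.0.1.22 203.0.113.77 8080 912000
2013-06-25T09:02:30 10.0.1.30 192.0.2.44 80 1500
2013-06-25T09:03:45 10.0.1.22 203.0.113.77 8080 655000
2013-06-25T09:04:01 10.0.1.40 203.0.113.250 443 300
"""

# Hostile indicators: the single address from the IDS alert plus a range
# from a reputation feed (both constructed, TEST-NET-3 space).
HOSTILE = [ipaddress.ip_network("203.0.113.77/32"),
           ipaddress.ip_network("203.0.113.128/25")]


def parse_line(line):
    """Split one log line into typed fields; raises ValueError on bad lines."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "bytes": int(nbytes)}


def is_hostile(addr, hostile=HOSTILE):
    """True if addr (string or address object) falls in any hostile network."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr in net for net in hostile)


def find_exfil(log_text, hostile=HOSTILE, min_bytes=0):
    """Aggregate outbound traffic to hostile addresses per internal host.

    Returns {src: {"bytes": total, "dsts": {dst, ...}, "first": ts, "last": ts}}
    for every source that sent at least min_bytes to a hostile address.
    """
    totals = defaultdict(lambda: {"bytes": 0, "dsts": set(),
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_hostile(rec["dst"], hostile):
            continue
        entry = totals[str(rec["src"])]
        entry["bytes"] += rec["bytes"]
        entry["dsts"].add(str(rec["dst"]))
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return {src: e for src, e in totals.items() if e["bytes"] >= min_bytes}


def blocklist_rules(hostile=HOSTILE):
    """Vendor-neutral deny rules for the hostile set, in both directions."""
    rules = []
    for net in hostile:
        rules.append(f"deny out to {net}")
        rules.append(f"deny in from {net}")
    return rules


if __name__ == "__main__":
    for src, e in sorted(find_exfil(SAMPLE_LOG, min_bytes=1000).items()):
        print(f"{src}: {e['bytes']} bytes to {sorted(e['dsts'])} "
              f"between {e['first']} and {e['last']}")
    print("\n".join(blocklist_rules()))
```

The per-host totals are what the incident team needs for the chain of custody (which systems, how much, over what period), and the rules are applied outbound as well as inbound because the export is initiated from inside; blocking only inbound traffic, as a perimeter firewall is often configured, would not stop it.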

Data migration is another method of minimizing the risk. Data migration is the process of transferring data from one system to another; in our case it will extract data from the affected systems and load it into a clean system. Our company will make a complete backup of all the data in the database and in the other affected systems, and store it on a separate system away from the exploited ones.

The backup will keep the rest of the data in our systems safe while we restore the data affected by the incident. To carry out the backup, the company's information will be written to high-capacity tapes, and the backup will contain all of the organization's data. After the backup has been taken, and only after forensic images of the affected drives have been made and hashed (Section 1.7), the corrupted data will be erased from our systems (Allaire, Augat, Jose, et al. 2012); erasing before imaging would destroy the evidence. The backup does not by itself stop the export, which is the job of the blocking controls above, but it protects business continuity and the data needed for restoration.

1.3. Approach to the Case or Determine a Preliminary Design

The approach to the case is to take immediate steps to stop our systems communicating with the hostile IP address; once that communication is cut, the export of data to the identified address stops. Fig 1 shows the AutoShun technology, which gives our company administrative control over IP addresses across geographical regions. With it we can choose to block entire IP ranges belonging to countries with which we have no legitimate business. The technology also lets us view threat reports and other performance indicators specific to our organization, and the vendor states that it manages more than 5 billion IP addresses globally.

Fig 1: IP Address Management Technology

The AutoShun technology will also protect our systems against:

Botnets,

Bad guys (criminal-controlled sites)

Crimeware

Open proxies

Spambots

Zeus

External attacks

Recon bots

Command and control sites

Brute force attacks

The next step is to use SQL Server 2008 R2 backup and restore to recover the damaged database and to keep our data on separate devices. A well-designed SQL Server 2008 R2 backup strategy will help our company restore lost data, keep regular backups, maximize data availability and minimize data loss; the product contains both backup and restore options (Microsoft, 2010). The backups must be kept on separate devices, so that an attacker who has compromised the database server cannot also damage them.

"Backup and restore operations occur within the context of a recovery model. A recovery model is a database property that controls how the transaction log is managed. In addition, the recovery model of a database determines what types of backups and what restore scenarios are supported for the database. Typically, a database uses either the simple recovery model or the full recovery model. The full recovery model can be supplemented by switching to the bulk-logged recovery model before bulk operations." (Microsoft, 2010 P. 2).

Our company will therefore run the database under the full recovery model and take full backups to safeguard all our data. Under the full recovery model, the first step is a full database backup; transaction log backups can only begin once a full backup exists, because each log backup continues the chain that the full backup starts. A full backup combined with the subsequent log backups is then equivalent to a complete copy of the database up to the last log backup. Fig 2 illustrates the strategy: it begins with the full database backup, followed by scheduled log backups and file backups at intervals that satisfy our company's requirements. In Fig 2, (a, C, B, a) is the order in which the file backups are carried out to meet the business requirements. The backups are then placed on separate devices to support business continuity.
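The following is an added example (written for this edit; not from the paper and not Microsoft's code) that models why the full backup has to come first: it plans a restore sequence from a constructed backup catalog and refuses to continue past a gap in the log chain. The log sequence number (LSN) check is a simplification of SQL Server's rule that each log backup must begin at or before the point where the previous backup ended; the catalog entries, timestamps and database name are invented for the example, and timestamps are compared as ISO-8601 strings.

```python
"""Plan a SQL Server-style restore sequence and check the log chain.

Added example, not from the paper or from Microsoft: under the full
recovery model a restore needs one full backup followed by an unbroken
chain of log backups.  SQL Server tracks the chain with log sequence
numbers (LSNs); here the rule is simplified to "a log backup's first_lsn
must not be past the end of the chain so far".  The catalog is constructed;
'finished' values are ISO-8601 strings, so they compare correctly as text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    name: str
    kind: str        # "full" or "log"
    first_lsn: int
    last_lsn: int
    finished: str    # ISO-8601 time the backup completed


# Constructed catalog: one full backup and nightly log backups.  LOG3 was
# taken after the recovery model was switched to simple and back, which
# truncated the log and left a gap (400 to 450) in the chain.
CATALOG = [
    Backup("FULL1", "full", 100, 200, "2013-06-20T00:00:00"),
    Backup("LOG1",  "log",  200, 300, "2013-06-21T00:00:00"),
    Backup("LOG2",  "log",  300, 400, "2013-06-22T00:00:00"),
    Backup("LOG3",  "log",  450, 500, "2013-06-23T00:00:00"),
]


class BrokenLogChain(Exception):
    """Raised when a log backup cannot be applied to the chain built so far."""


def plan_restore(catalog, target_time):
    """Return the ordered backups needed to recover to target_time.

    Picks the newest full backup completed at or before target_time, then
    every later log backup completed at or before target_time in LSN order.
    """
    fulls = [b for b in catalog if b.kind == "full" and b.finished <= target_time]
    if not fulls:
        raise ValueError("no full backup completed before target_time")
    base = max(fulls, key=lambda b: b.finished)
    logs = sorted((b for b in catalog if b.kind == "log"
                   and base.finished < b.finished <= target_time),
                  key=lambda b: b.first_lsn)
    plan, chain_end = [base], base.last_lsn
    for log in logs:
        if log.first_lsn > chain_end:
            raise BrokenLogChain(
                f"{log.name} starts at LSN {log.first_lsn} but the chain ends at {chain_end}")
        plan.append(log)
        chain_end = max(chain_end, log.last_lsn)
    return plan


def restore_script(plan, db="DataTechDB"):
    """Render the plan as T-SQL; every step but the last uses NORECOVERY."""
    lines = []
    for i, b in enumerate(plan):
        last = i == len(plan) - 1
        verb = "DATABASE" if b.kind == "full" else "LOG"
        lines.append(f"RESTORE {verb} {db} FROM DISK = '{b.name}.bak' "
                     f"WITH {'RECOVERY' if last else 'NORECOVERY'};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(restore_script(plan_restore(CATALOG, "2013-06-22T12:00:00")))
    try:
        plan_restore(CATALOG, "2013-06-23T12:00:00")
    except BrokenLogChain as err:
        print("cannot restore to 2013-06-23:", err)
```

The practical consequence for Section 1.4 is that the first backup taken after the incident must be a full backup, and that anyone who changes the recovery model afterwards must immediately take a new full backup, or the log backups that follow are unusable.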

Fig 2: Data Restore and Back-up Strategy for Our Company

1.4. Create a Detailed Checklist

This section provides a detailed checklist to safeguard our data from the hostile IP address.

Step 1: Identify the hostile IP address from the IDS and firewall logs, including its country of origin and any website or organization associated with it.

Step 2: Block the IP address from communicating with our systems. We will install IP address management software and firewall rules to achieve this; the block stops our systems exporting data to the hostile IP address. The compromised hosts are isolated from the network at the same time.

Step 3: Image and hash the affected drives before any restoration, so that the evidence is preserved (Sections 1.6 and 1.7).

Step 4: Recover our lost data and implement the full backup strategy. SQL Server 2008 R2 backup and restore is effective in restoring our lost data.

Step 5: Put the recovered data on separate devices.

Step 6: Inspect the recovered data to confirm that all of it is intact.

Step 7: Install the IPS to prevent unauthorized traffic into our systems.

Step 8: Install the firewall rules to block all unwanted traffic into and out of our systems.

1.5. Determine the Resources Needed

Both financial and human resources will be needed to carry out the project. The company will need to set aside a minimum of $30,000 for the task. The work could be done by in-house staff or by third-party providers; to safeguard data integrity and the chain of custody, it is preferable to use in-house employees. The following resources will be needed for the project:

Purchase of a forensic tool to recover the data deleted or corrupted during the incident,

Installation of SQL Server 2008 R2 for the data backup,

Installation of AutoShun or another IP-blocking technology to stop the hostile IP address reaching our data,

Skilled staff, working with a forensic expert, to implement the project.

1.6. Establishing the Chain of Custody.

The purpose of the chain of custody is to document the electronic evidence of the export of data to the identified IP address, and every person who handled that evidence, so that it remains admissible.

On 25 June 2013, Mr. James Anderson, a forensic expert in our organization, collected the evidence that a hostile IP address had compromised our systems, causing them to export data to that address. Our intrusion detection system had notified us that our systems were exporting data to the hostile IP address.

The IP address recorded in the report is 58.1456.1246.1, hosted by an organization whose main purpose is criminal activity. As written, this value is not a valid IPv4 address (each of the four octets must lie between 0 and 255), so it must be re-checked against the raw IDS and firewall logs before it is entered in the chain of custody record or in any blocklist. The documented evidence lists the file paths of the data lost from our systems to the hostile IP address.

The evidence of the data theft comes from our hard drives, and we have made:

All the image copy of the data restored and data freshly wiped from our system.

Image copy of our operating system logs.

Data were lost to the hostile IP from the following systems:

Our server,

Our database,

The hard disks of our computer systems,

All software,

All our storage devices, including tapes, USB drives and other storage devices that we use to store our data.

The type of the data stolen from our system to the hostile IP address is as follows:

Credit card information of our clients,

Sensitive data such as SSN, health information, bank accounts, email, phone number, and addresses of our clients.

The strategy we used to trace the hostile IP address is as follows:

Tracing tools, including Netscan Pro and Neotrace.

The IDS logs.

With the assistance of our computer forensic expert, the following professionals also took part in the investigation:

Incident team and corporate security,

Security investigator,

Emergency response core team,

Application owner,

Application developer,

System administrator,

Network administrator,

Firewall administrator,

Security consultants,

Document Signed

Forensic Expert of Data Tech Inc. Mr. James Anderson.

1.7. Obtaining and copying an evidence disk drive.

The report identifies that much of the evidence needed to support our forensic investigation is on the disks, hard drives and other storage devices in our systems. We have used forensic toolkits to locate samples of this evidence. Each evidence drive is copied as a bit-for-bit image through a write blocker, and both the source drive and the image are hashed so that the copy can be shown to be identical; the originals are then kept untouched and all analysis is done on the images. To collect the evidence, our company also backs up all the data that is systematically restored. We made copies of the following in the course of our investigation:

We made a copy of the Windows installation, especially the Registry, because it contains a wealth of information.

We also made a copy of the password files, the file system, and the shell.

We made a copy of each hard drive as an evidence disk drive.

From the hard drive, we made a copy of the restore image and of the freshly wiped data.

We also made a copy of our operating system logs.
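Added example for Sections 1.6 and 1.7 (written for this edit; not from the paper): hashing the source drive and its forensic copy, recording each hand-over with the hashes, and re-verifying an item later so that any alteration is detectable. The drive contents, the item identifier and the timestamps are constructed; the custodian name reuses the forensic expert named in Section 1.6.

```python
"""Verify a forensic copy against the original and keep a chain-of-custody log.

Added example, not from the paper: before anything is restored or wiped,
each evidence drive is imaged, the source and the image are hashed, and
every hand-over is recorded with the hashes so that a later reviewer can
show the copy was never altered.  The "drive" here is an in-memory byte
string (constructed); in a real case the bytes come from a write-blocked
device.
"""
import hashlib
from datetime import datetime, timezone

# Two digests, so the record can be matched against both older tool
# reports (MD5) and current ones (SHA-256).
ALGORITHMS = ("md5", "sha256")

# Constructed sample drive: a blank first sector followed by payroll rows.
SAMPLE_DRIVE = b"\x00" * 512 + b"payroll,2013-06,acct=XXXX1234\n" * 4


def hash_evidence(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} over the whole evidence image."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def acquire_image(drive_bytes):
    """Bit-for-bit copy plus hashes of source and copy; raise if they differ."""
    image = bytes(drive_bytes)
    src_hashes, img_hashes = hash_evidence(drive_bytes), hash_evidence(image)
    if src_hashes != img_hashes:
        raise RuntimeError("image does not match source drive")
    return image, img_hashes


class CustodyLog:
    """Append-only chain-of-custody record; every entry re-hashes the item."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, custodian, data, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"item": item_id, "action": action, "custodian": custodian,
                 "time": when, "hashes": hash_evidence(data)}
        self.entries.append(entry)
        return entry

    def verify(self, item_id, data):
        """True if the item's current hashes match every entry recorded for it."""
        recorded = [e["hashes"] for e in self.entries if e["item"] == item_id]
        current = hash_evidence(data)
        return bool(recorded) and all(h == current for h in recorded)


if __name__ == "__main__":
    image, hashes = acquire_image(SAMPLE_DRIVE)
    log = CustodyLog()
    log.record("HD-01", "acquired image", "James Anderson", image)
    log.record("HD-01", "transferred to evidence locker", "James Anderson", image)
    print("sha256:", hashes["sha256"])
    print("image verifies:", log.verify("HD-01", image))
    tampered = bytearray(image)
    tampered[600] ^= 0xFF               # simulate a single altered byte
    print("tampered copy verifies:", log.verify("HD-01", bytes(tampered)))
```

The point of re-hashing at every hand-over, rather than only at acquisition, is that the log itself shows when an alteration happened, not just that one happened; the same digests go into the case report beside each carved or recovered file.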

References
  • Allaire, P., Augat, J., Jose, J., et al. (2012). Reduce Costs and Risks for Data Migrations. Hitachi white paper.
  • Massachusetts Government (2012). South Shore Hospital to Pay $750,000 to Settle Data Breach Allegations. Boston, MA, USA.
  • Mahoney, M. V., & Chan, P. K. (2011). PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic. Department of Computer Sciences, Florida Institute of Technology.
  • Microsoft (2010). Introduction to Backup and Restore Strategies in SQL Server. Microsoft Corporation.
  • Nabity, P., & Landry, B. J. L. (2010). Recovering Deleted and Wiped Files: A Digital Forensic Comparison of FAT32 and NTFS File Systems using Evidence Eliminator. University of Dallas.
  • Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion Detection Techniques for Mobile Wireless Networks. Mobile Networks and Applications, 1-16.
Source: PaperDue. (2013). Incident response and computer forensic investigation. https://www.paperdue.com/essay/computer-forensic-investigation-making-an-92514