- Learning Network Forensics
- Samir Datt
- 2021-07-16 12:58:52
Identifying sources of evidence
For any successful investigation, it is extremely important to successfully collect, collate, preserve, and analyze the evidence.
To begin with, we need to identify the sources of evidence for any investigation.
The sources of evidence can be easily divided into the following two categories:
Evidence obtainable from within the network
Consider the following image:
This can include the following:
- Evidence from network & device logs:
A log is a record of the activities performed by a device, or by outside agents on that device, together with their outcomes. Incoming and outgoing events alike are therefore logged on a system. Logs are a crucial part of the investigation ecosystem.
Devices such as firewalls, intrusion prevention and detection systems, anti-virus servers, and so on generate logs. Other logs include operating system event logs, application logs, and so on.
- Network traffic:
As discussed in the previous chapter, network traffic is transmitted in packets. The data is split up and transmitted in the form of packets that need to be captured and reconstructed for analysis.
- Memory of the individual computers under investigation:
Volatile memory can be a valuable source of evidence. Some malware resides only in the memory of the computer under investigation. Similarly, a computer with whole disk encryption (WDE) may keep its key on a USB stick, and the key will be accessible to the investigator only if it is grabbed from volatile memory. Any investigation that involves memory requires us to acquire the data from the suspect system's memory.
- Evidence residing on the hard drives of individual computers under investigation:
Substantial evidential data resides on the hard drives of compromised computers. Traces of Internet activity, webmail communications, efforts to cover tracks and obfuscate evidence, and so on will all be found on examining the hard drive contents. The registry of Windows computers is also a treasure trove of information. A bit-stream image has to be obtained for each drive under investigation.
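As an added example (not code from the book), here is the collation step applied to the log sources listed above: constructed log lines from a firewall, an IDS and a host event log, each with its own timestamp layout and clock, are parsed into a single UTC-ordered timeline and pivoted on one remote address. The line layouts, host names, addresses and the firewall's UTC-5 clock are assumptions made for the illustration.

```python
"""Collate constructed firewall, IDS and host log lines into one UTC timeline."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real captures); syslog carries no year and uses the appliance's local clock.
FIREWALL_LOG = [
    "Mar 03 14:02:11 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=445",
    "Mar 03 14:02:14 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=22",
]
IDS_LOG = [  # simplified Snort-like layout (constructed), clock already in UTC
    "03/03-19:02:15.120 [**] [1:1000001:1] CONSTRUCTED SSH brute force [**] 198.51.100.7 -> 192.0.2.10",
]
OS_LOG = [  # host event export with an ISO-8601 UTC timestamp (4625 = Windows failed logon)
    "2021-03-03T19:02:20Z host=srv01 EventID=4625 user=admin src=198.51.100.7",
]

@dataclass(order=True)
class Event:
    ts: datetime      # always timezone-aware UTC, so sorting across sources is meaningful
    source: str
    src_ip: str
    detail: str

def parse_firewall(line, year, utc_offset_hours):
    m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) kernel: (\w+) .*SRC=(\S+) .*DPT=(\d+)", line)
    local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return Event(local.astimezone(timezone.utc), m.group(2), m.group(4), f"{m.group(3)} dport {m.group(5)}")

def parse_ids(line, year):
    m = re.match(r"(\d{2})/(\d{2})-(\d{2}:\d{2}:\d{2})\.\d+ \[\*\*\] \[[\d:]+\] (.*?) \[\*\*\] (\S+) -> \S+", line)
    ts = datetime.strptime(f"{year}-{m.group(1)}-{m.group(2)} {m.group(3)}", "%Y-%m-%d %H:%M:%S")
    return Event(ts.replace(tzinfo=timezone.utc), "ids", m.group(5), m.group(4))

def parse_os(line):
    m = re.match(r"(\S+) host=(\S+) EventID=(\d+) user=(\S+) src=(\S+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m.group(2), m.group(5), f"EventID {m.group(3)} user {m.group(4)}")

def build_timeline(year=2021, fw_utc_offset=-5):
    """Merge every source into one list ordered by normalised UTC time."""
    events = [parse_firewall(l, year, fw_utc_offset) for l in FIREWALL_LOG]
    events += [parse_ids(l, year) for l in IDS_LOG]
    events += [parse_os(l) for l in OS_LOG]
    return sorted(events)

def events_for_ip(timeline, ip):
    """Pivot: everything any source recorded about one remote address."""
    return [e for e in timeline if e.src_ip == ip]
```

Without the clock normalisation the firewall entries would sort five hours before the IDS alert they actually precede by seconds.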
Evidence from outside the network
This can include the following:
- Internet service provider (ISP) logs:
These logs are a detailed record of access to various Internet resources that are provided by the ISP. This can include details related to log on, log off, user names, resources accessed, online content, online activity, IP addresses, date and time of usage, as well as the duration of usage.
- Domain name controller logs:
The domain name controller logs may also include date and time, IP addresses, queried domain names, protocol used, and so on. This data is usually available for a very short period of time due to the high volume of data in the logs as well as the log rotation policies followed by the service provider.
- Internet archives (Wayback Machine):
These are online resources that archive websites and pages for a specific period of time. This can help us to determine the state of an Internet server offering up websites before a defacement attack. The URL to the Wayback Machine is http://archive.org/web/.
- Domain hosting provider logs:
These are the servers that host a domain. Unauthorized attempts to log in to the domain host are all logged here, so a log of the activities of, for example, a criminal attempting to break in would be available on this machine.
- Evidence on mobile devices:
When hand-held devices such as phones or tablets are used to access network resources, evidence of their interaction is created on these devices. This too may be required from an investigation perspective.
A number of these sources of evidence may be protected by privacy laws and may not be easily available to the company investigators without a formal request from the law enforcement officers or a subpoena.
Further along in this chapter, we will discuss the tools and the methodology required to acquire the evidence from network packets and system memory in a step-by-step manner for further analysis.