Managing a cyber crime scene

Challenges to data security have reached epidemic proportions, as evidenced by recent consumer and government breaches that have put hundreds of millions of Americans' credit and debit cards, email addresses and other personal information at risk. The number of people affected by cyberattacks has intensified the spotlight on how organizations, including government, respond to data breaches.

Federal IT and security professionals can take a few tips from law enforcement and learn to secure technological "crime scenes," assess the damage and report on how an attack was carried out.

1. Arriving on the scene

As law enforcement officers at a physical crime scene first scan the area to make initial observations about how the incident occurred, security professionals must first assess the business impact of a technological crime scene. Specifically, they must determine the incident’s severity, whether confidential information was compromised, what steps have been taken to contain the immediate threat and how the attack happened.

Shutting down a system too quickly could compromise a forensic investigation. Therefore, security professionals should quickly identify what systems or servers have been affected, what data could be lost if a computer or system is powered off and what static data is stored on hard drives.

2. Collecting evidence

Similar to taking photographs and fingerprints at a physical crime scene, security professionals should use forensic imaging to record the affected system and related components. That approach captures significant network traffic and creates a snapshot of the network at the time the incident occurred. If system changes are made later in the investigation, an exact image of the breached network is preserved for analysis.

Next, the investigators should evaluate all available information sources, including virtual machines, log files and external devices that might have been used. They should “fingerprint” physical evidence using a one-way hash -- a cryptographically sound, non-reversible algorithm that becomes unique to the source being collected and can easily be verified later to prove the integrity of collected information.

3. Assembling the pieces

After a crime scene review is complete, detectives analyze fingerprints, initiate DNA testing and talk to witnesses. Federal agencies should conduct similar post-breach analyses by taking these steps:

• Examine artifacts from collected images to develop a detailed timeline of the breach.
• Determine how applications, servers and devices were configured or patched when the attack occurred.
• Analyze file systems and memory images to determine if any unusual files, processes or suspicious network connections exist.

4. Documenting the investigation

If a cyber crime eventually proceeds to trial, a thorough report of the steps taken during the breach investigation will be important for the prosecution. To better defend any challenge to statements of fact made in the account, security professionals should include information on how the analyzed artifacts were recovered from collected data.

The narrative should be detailed enough to allow another expert to start from a duplicate copy, follow the steps outlined and reach the same results. The report should answer questions identified as critical during the investigation and clarify questions where no evidence supports the claim.

5. Updating the public

Despite the pressure to report some findings almost as soon as a security incident is uncovered, it is advisable not to rush evidence collection and analysis. Security leaders should understand applicable federal laws and notification requirements, and make sure they have gathered sufficient facts before making a public statement.

A technological crime scene is as complicated as a physical crime scene, and an effective probe requires a careful approach to preserve evidence for potential future litigation. Federal agencies must balance the need to respond to constituent concerns with the necessity to carry out a thorough investigation and should be cautious about providing information to the public until they have accurately confirmed the breadth and scope of the incident.