FEATURE

and other improvements that streamline investigations. For example, in May 2018, AccessData introduced AD Enterprise 6.5, which provides even deeper visibility into data, so organisations can investigate the causes and potential implications of a data breach, then act swiftly to conduct their post-breach analysis and execute crucial response actions. This platform allows CISOs to perform comprehensive end-to-end post-breach forensic investigations within a single tool by collecting all sorts of complex data types directly at the endpoint.

Here are four specific best practices for leveraging technology tools in post-breach investigations:

1. Live memory analysis – Take advantage of enhanced searching capabilities to conduct more thorough 'memory analysis' in the aftermath of a breach, identify possible malware that has been left behind on the network, improve the speed of the response and reduce chain-of-custody risk during the investigation.

2. Targeted preview and collection – Use a remote agent deployed by the software to preview live data at the endpoint or anywhere across the enterprise, so investigators can then determine what data should be collected. This saves time as well as storage costs, since only data critical to the case needs to be pulled back and ingested into the tool for analysis.

3. Tasking collaboration among investigators – Leverage built-in collaboration features to communicate seamlessly with investigators and other colleagues across departments, so you can share notes and tasks and escalate incidents directly within the same software platform.

4. Parsing additions – Put new parsers to work in order to analyse even more data types. A few of the new parsers available include Windows registry activity, several SSH parsers, Net Logon events and parsers for Android, including Google Hangouts, Kik, contacts from address books, calendars, SMS and call logs.

CISOs occupy a crucial role in responding to incidents as well as overseeing post-incident investigations. This is a high-pressure job with serious responsibilities to fulfil, but making use of next-generation digital forensics software tools can lighten the burden by enhancing investigative capabilities and managing the workflow more efficiently.

Software tools that help manage large-scale forensic investigations can enable deeper visibility into data residing on enterprise networks and employee devices, so that IT executives and information security professionals can work with digital forensics experts to investigate possible employee wrongdoing, fact-check a whistleblower's claims, respond to government inquiries or conduct post-breach analysis.

www.intelligentciso.com | Issue 04

MOREY J HABER, CHIEF TECHNOLOGY OFFICER – BEYONDTRUST
There are three critical pillars of an investigation:

• An identity – the digital determination of a user's identity (threat actor), account and credentials that are a part of a forensics investigation
• Privileges – the
• Assets – the assets, devices, data or resources targeted, compromised or breached by an identity

While a full digital forensics investigation goes beyond these silos to include firewall logs, access control events and logon/logoff events, these also pattern-match and correlate into the three pillars.

Security experts operate in silos too, but digital forensics experts operate at a higher level across all silos, with enough knowledge about each one to be extremely good at bridging the gap between them.

In addition, digital forensics is much like real-world criminal forensics. Information can be spoofed, threat actors can create red herrings in the form of bad digital log data, and the data itself can be altered, deleted or tampered with, much like using photo-editing software to implicate someone else or to hide a threat actor's movements.

This is where the search for truth, and the mental wisdom that makes it so intriguing, comes from. Security tools and detective-style insights can help build advanced correlation, but bad data intentionally entered into the investigation stream can skew the results.

This is where a security expert comes into play to help the investigation. They can help the digital forensics expert decide if the datum is valid or if it has been spoofed or tampered with.
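The three pillars, the logon/logoff events that correlate into them, and the caveat that log data can be deleted, edited or planted are illustrated below in an added example that is not part of the article and is not code from AccessData or BeyondTrust. It parses a small constructed JSON-lines export of Windows logon (4624), logoff (4634) and special-privilege (4672) events (the field names and record shape are an assumption), groups the evidence under identity, privileges and assets, runs three cheap tamper checks (gaps in per-host record numbers, timestamps running backwards against record order, and a logoff with no matching logon), and pivots on source address to show how an asset-level fact links two identities.

```python
"""Correlate constructed Windows logon/privilege events into the three pillars
(identity, privileges, assets) and flag records that look tampered with.
Added example for this page; the log lines below are constructed, not real."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export in JSON-lines form. The field names (record_id,
# time, host, event_id, user, logon_id, src_ip, privileges) are an assumption.
SAMPLE_LOG = """
{"record_id": 1001, "time": "2018-05-14T09:00:00", "host": "WS01", "event_id": 4624, "user": "alice", "logon_id": "0x3E7A", "src_ip": "10.0.0.5"}
{"record_id": 1002, "time": "2018-05-14T09:00:01", "host": "WS01", "event_id": 4672, "user": "alice", "logon_id": "0x3E7A", "privileges": ["SeDebugPrivilege", "SeBackupPrivilege"]}
{"record_id": 1004, "time": "2018-05-14T09:05:00", "host": "WS01", "event_id": 4634, "user": "alice", "logon_id": "0x3E7A"}
{"record_id": 2001, "time": "2018-05-14T09:10:00", "host": "FS02", "event_id": 4624, "user": "svc-backup", "logon_id": "0x51A0", "src_ip": "10.0.0.5"}
{"record_id": 2002, "time": "2018-05-14T09:02:00", "host": "FS02", "event_id": 4624, "user": "bob", "logon_id": "0x9999", "src_ip": "10.0.0.77"}
{"record_id": 2003, "time": "2018-05-14T09:12:00", "host": "FS02", "event_id": 4634, "user": "mallory", "logon_id": "0xDEAD"}
"""

LOGON, LOGOFF, SPECIAL_PRIVS = 4624, 4634, 4672


def parse_events(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def correlate(events):
    """Group evidence under the three pillars, keyed by identity (user)."""
    pillars = defaultdict(lambda: {"privileges": set(), "assets": set(), "sources": set()})
    for ev in events:
        p = pillars[ev["user"]]
        p["assets"].add(ev["host"])                      # asset the identity touched
        if ev["event_id"] == SPECIAL_PRIVS:
            p["privileges"].update(ev.get("privileges", []))  # privileges granted
        if ev["event_id"] == LOGON and "src_ip" in ev:
            p["sources"].add(ev["src_ip"])               # where the logon came from
    return dict(pillars)


def find_anomalies(events):
    """Cheap checks that catch common log tampering or planted red herrings.
    Returns (host, record_id, reason) tuples in per-host record order."""
    anomalies = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["record_id"])
        seen_logons = set()
        for prev, cur in zip([None] + evs, evs):
            if prev is not None:
                if cur["record_id"] != prev["record_id"] + 1:
                    anomalies.append((host, cur["record_id"], "record gap: possible deleted events"))
                if cur["time"] < prev["time"]:
                    anomalies.append((host, cur["record_id"], "timestamp before previous record: possible edited or inserted event"))
            if cur["event_id"] == LOGON:
                seen_logons.add(cur["logon_id"])
            elif cur["event_id"] == LOGOFF and cur["logon_id"] not in seen_logons:
                anomalies.append((host, cur["record_id"], "logoff without matching logon: possible red herring"))
    return anomalies


def pivot_on_source(pillars):
    """Invert the asset view: source IP -> identities seen logging on from it,
    keeping only addresses shared by more than one identity."""
    by_src = defaultdict(set)
    for user, p in pillars.items():
        for ip in p["sources"]:
            by_src[ip].add(user)
    return {ip: users for ip, users in by_src.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, p in correlate(evs).items():
        print(user, sorted(p["privileges"]), sorted(p["assets"]), sorted(p["sources"]))
    for host, rec, why in find_anomalies(evs):
        print(f"{host} #{rec}: {why}")
    print(pivot_on_source(correlate(evs)))
```

Run against the constructed sample, the correlation shows alice holding SeDebugPrivilege and SeBackupPrivilege on WS01, the tamper checks flag the missing record 1003 on WS01, the out-of-order timestamp on FS02 record 2002 and mallory's orphan logoff, and the source pivot ties alice and svc-backup to the same address 10.0.0.5, which is the kind of cross-pillar link a security expert would then validate before trusting it.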