Steps in a Forensics Investigation
If you suspect a computer systems intrusion or breach, you should:
Immediately Contain and Limit the Exposure
The goal of containing and limiting the exposure is to keep the breach from spreading. If you are unable or uncomfortable performing any of the following steps, a 403 Labs forensic team will be able to assist you.
- Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
- Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable). If for some reason it is necessary to power off the machine, unplug the power source. Do NOT shut down the system or press the power button, because either can trigger a 'soft' shutdown, which modifies system files.
- Preserve logs and electronic evidence. A forensic hard drive image (see below) will preserve the state of any suspect machines. Any other network devices (such as firewalls, IDS/IPSes, routers, etc.) whose logs are held in memory should also be preserved. Keep all past backup tapes, and use new backup tapes for subsequent backups on other systems.
- Log all the actions you have taken, including composing a timeline of everything known about the incident.
- If using a wireless network, change the SSID on the wireless access point (WAP) and on other machines that may be using this connection (with the exception of any systems believed to be compromised).
- Be on high alert and monitor all systems.
Within 24 Hours Alert All Necessary Parties
Be sure to notify:
- Internal information security group and Incident Response Team, if applicable.
- The Card Associations and your merchant bank if the breach involves a cardholder data segment.
- Local FBI Office and/or U.S. Secret Service (file a complaint online at http://www.ic3.gov).
As your forensic investigation team and advocate, 403 Labs will:
Record the Scene
Depending on the situation, a 403 Labs forensics team will visit the onsite location or data center to examine the physical and infrastructure environment. The team will interview key personnel who have knowledge about the incident or systems involved to compile all the facts in support of the examination.
Create Forensic Hard Drive Image(s)
Systems with hard drives involved in an incident should have a forensic duplicate, or 'image', created to preserve the evidence from tampering. This preservation of evidence provides a working copy for our forensic examiners to analyze and creates an exact point-in-time representation of the system that can be used in legal prosecution and data recovery.
Analyze and Interpret Evidence
Systems believed to be involved in the breach will be analyzed with high-end forensic tools for evidence of the incident. The network and application infrastructure will be reviewed for intrusion points and business impact. At this point, a narrative reconstructing the incident will be created.
Maintain Chain of Custody
In cases that may be used for legal prosecution, it is critical that all evidence is protected and controlled using a systematic method to prevent tampering and to account for proper handling.
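The imaging, action-logging and chain-of-custody steps above, as an added example that is not 403 Labs' code or procedure: a constructed byte string stands in for the suspect drive (a real acquisition would read a block device and use a hardware write blocker), the image is a bit-for-bit copy verified by comparing SHA-256 hashes of source and image, and every handling action is appended to a custody log. Chaining each log entry to the hash of the previous one, so that later edits to the log are detectable, is this example's own choice; the file names, handler names and evidence-bag label are placeholders.

```python
"""Forensic image acquisition with hash verification and a chained custody log.

Added example; not 403 Labs' tooling. A file path stands in for the suspect
drive so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: never load a whole drive into memory
GENESIS = "0" * 64  # prev-hash value for the first custody entry


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, dest: str) -> dict:
    """Bit-for-bit copy of source to dest (what dd does), hashing the source
    as it is read and the finished image afterwards so both can be compared."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h_src.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is really on disk
    h_img = sha256_file(dest)
    return {
        "source": source,
        "image": dest,
        "bytes": os.path.getsize(dest),
        "sha256_source": h_src.hexdigest(),
        "sha256_image": h_img,
        "verified": h_src.hexdigest() == h_img,  # acquisition is valid only if equal
    }


def log_custody(logfile: str, handler: str, action: str, evidence: str, sha256: str) -> dict:
    """Append one custody entry (JSON line). Each entry records the hash of the
    previous line, so altering an earlier entry breaks the chain."""
    prev = GENESIS
    if os.path.exists(logfile):
        with open(logfile, "rb") as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1]).hexdigest()
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "evidence": evidence,
        "sha256": sha256,
        "prev_entry_sha256": prev,
    }
    with open(logfile, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_custody_log(logfile: str) -> bool:
    """Re-walk the chain: every entry must reference the hash of the entry before it.
    (The last entry has no successor; protect it with write-once storage or an
    externally recorded hash.)"""
    with open(logfile, "rb") as f:
        lines = f.read().splitlines()
    prev = GENESIS
    for line in lines:
        if json.loads(line)["prev_entry_sha256"] != prev:
            return False
        prev = hashlib.sha256(line).hexdigest()
    return True


def run_demo() -> dict:
    """Acquire and log a constructed drive, then alter the first log entry to show
    that the custody check catches it. Returns the acquisition record plus results."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "suspect_drive.bin")  # placeholder for /dev/sdX
        image = os.path.join(d, "suspect_drive.dd")
        log = os.path.join(d, "custody.log")
        with open(drive, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 64)  # constructed disk contents
        rec = acquire_image(drive, image)
        log_custody(log, "examiner-1", "acquired image", image, rec["sha256_image"])
        log_custody(log, "examiner-1", "sealed evidence bag EB-0001", drive, rec["sha256_source"])
        rec["custody_ok"] = verify_custody_log(log)
        with open(log, "r", encoding="utf-8") as f:
            lines = f.read().splitlines()
        lines[0] = lines[0].replace("examiner-1", "examiner-2", 1)  # tamper with entry 1
        with open(log, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        rec["custody_ok_after_tamper"] = verify_custody_log(log)
    return rec


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the source hash would be taken through a write blocker and recorded on the evidence form before the image leaves the scene; the comparison in `acquire_image` is what turns the copy into evidence that a court can trust, and the custody log is what shows who held it and when.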
Provide Expert Testimony
With our vast experience and proven methodologies, 403 Labs will be your subject matter expert (SME) for cases that go to prosecution.