By Tim Rollins
Businesses today face a more diverse and more dangerous array of cybersecurity threats than ever before. External bad actors include everything from individuals to profit-motivated gangs and even state-based cyber-warfare units. They might be looking to steal intellectual property or consumer data, paralyze critical infrastructure, or hold data hostage for ransom. At any given time, they might be deploying malware or ransomware, using phishing attacks, or breaching firewalls.
Unfortunately, the threats posed by external bad actors can pale in comparison to the damage caused by insider threats. From low-level fraud or theft to exfiltration of critical data or business secrets, insiders can cause grave damage while remaining undetected until it’s too late. Corporate digital forensics and incident response (DFIR) teams need to be prepared to act quickly to investigate risks of all sorts in order to understand what’s happening, contain the risks, and lessen the damage the business faces. To quickly understand what's happening in any sort of cyber incident, email and internet activity are two types of information corporate digital forensic investigators will want to examine.
Tips for Email Investigations
Rather than applying to one particular kind of incident, these email investigation techniques apply to any case that involves email communications by or with a person of interest. They are relevant when email is a vector in a malware or phishing incident, in data exfiltration, or in an intellectual property (IP) theft case.
Where to Start an Email Investigation
- Expand .PST, .OST, .OLK, .MBOX, and any other email related files. Make sure you also view the contact list to identify other parties that may have information on the topic of the investigation.
- Review the sender and recipient information—and pay attention to email forwards and BCCs, as they may be indicators of surreptitious or “off the record” communications between parties.
- Threaded emails can provide valuable context, as well. Make sure to note attachments, which may be pertinent to malware, spyware, or data removal cases.
- Make sure to look at timeline activity around times when pertinent emails are sent or received; they may be triggers that initiate actions or results of something else that happened.
How Technology Helps Email Investigations
- Features like the Smart Grid in Exterro FTK® can help sort emails by domains to reveal communications outside the organization.
- Artifact-based filtering can automatically categorize and sort artifacts (such as the file types mentioned above) so you can look at them at the start of your investigation. This will help you understand the context and identify other persons of interest to the investigation.
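The steps above (expand the mailbox files, review senders, recipients and BCCs, note forwards and attachments, build a timeline) and the domain-based sorting mentioned in the previous section can be scripted for triage before, or alongside, a tool like FTK. The following is an added example using only the Python standard library; it is not Exterro's or FTK's code. It parses a constructed .mbox sample (all names, addresses and domains are hypothetical), records sender/recipient data including Bcc headers, flags forwards and attachments, orders the messages into a timeline, and groups them by the external domains they touch. The organization domain passed to `triage_mbox` is an assumption for the sample.

```python
"""Mailbox triage for an email-centred case (added example, standard library only)."""
import email.utils
import mailbox
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample mailbox; all names, addresses and domains are hypothetical.
SAMPLE_MBOX = """\
From alice@corp.example Mon Jan 08 09:00:00 2024
From: Alice <alice@corp.example>
To: Bob <bob@corp.example>
Subject: Q1 roadmap
Date: Mon, 08 Jan 2024 09:00:00 +0000
Message-ID: <m1@corp.example>

Draft attached in the next mail.

From alice@corp.example Mon Jan 08 09:05:00 2024
From: Alice <alice@corp.example>
To: Bob <bob@corp.example>
Bcc: rival@outside.example
Subject: Fwd: Q1 roadmap
Date: Mon, 08 Jan 2024 09:05:00 +0000
Message-ID: <m2@corp.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Forwarding the draft.
--XYZ
Content-Type: application/octet-stream; name="roadmap.docx"
Content-Disposition: attachment; filename="roadmap.docx"
Content-Transfer-Encoding: base64

UEsDBBQ=
--XYZ--
"""


def write_sample_mbox():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def addresses(msg, header):
    """Bare, lower-cased addresses from every instance of a header (From, To, Cc, Bcc)."""
    return [addr.lower() for _, addr in email.utils.getaddresses(msg.get_all(header, []))]


def attachment_names(msg):
    """Filenames of MIME parts marked as attachments."""
    return [part.get_filename() or "(unnamed)"
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def triage_mbox(path, org_domain):
    """Return (timeline, by_domain): messages in date order, and external domain -> message ids."""
    org_domain = org_domain.lower()
    records, by_domain = [], defaultdict(list)
    mb = mailbox.mbox(path)
    try:
        for key, msg in mb.items():
            sender, to, cc, bcc = (addresses(msg, h) for h in ("From", "To", "Cc", "Bcc"))
            parties = sender + to + cc + bcc
            # Any party outside the organization's domain marks the message as external.
            external = sorted({a.split("@")[-1] for a in parties if not a.endswith("@" + org_domain)})
            date_hdr = msg.get("Date")
            date = (email.utils.parsedate_to_datetime(date_hdr) if date_hdr
                    else datetime.min.replace(tzinfo=timezone.utc))
            subject = msg.get("Subject") or ""
            attachments = attachment_names(msg)
            flags = []
            if bcc:
                flags.append("bcc")            # possible "off the record" recipient
            if subject.lower().startswith(("fwd:", "fw:")):
                flags.append("forward")
            if external:
                flags.append("external")
            if attachments:
                flags.append("attachment")
            rec = {
                "message_id": msg.get("Message-ID", f"<no-id-{key}>"),
                "date": date,
                "from": sender, "to": to, "cc": cc, "bcc": bcc,
                "subject": subject,
                "attachments": attachments,
                "external_domains": external,
                "flags": flags,
            }
            records.append(rec)
            for domain in external:
                by_domain[domain].append(rec["message_id"])
    finally:
        mb.close()
    records.sort(key=lambda r: r["date"])   # timeline order
    return records, dict(by_domain)


if __name__ == "__main__":
    sample = write_sample_mbox()
    try:
        timeline, by_domain = triage_mbox(sample, "corp.example")
    finally:
        os.unlink(sample)
    for r in timeline:
        print(r["date"].isoformat(), r["message_id"], r["flags"], r["attachments"])
    print("external domains:", by_domain)
```

The flags and the external-domain index are the triage output: a forwarded message with an attachment and a Bcc to a domain outside the organization is exactly the kind of item to pull into the timeline review described above. Real mailboxes also carry Cc and Reply-To headers and quoted thread content; the same address extraction applies to those headers.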
Tips for Internet Activity Investigations
As with email investigations, internet activity investigations focus on a type of activity that could potentially appear in a variety of cases, ranging from malware infections to resource misuse, time theft, and financial crime. Apply these techniques when there is evidence that the conduct in question involved internet use or was carried out remotely.
Where to Start Internet Activity Investigations
- Expand Chrome, Edge, Firefox, Internet Explorer, and any other browser folders and associated .SQL files. The presence of Tor, which is capable of visiting “dark web” sites, should definitely be investigated.
- Review keyword searches/search engine history, accessed URLs, downloads, bookmarks, cookies, logins and passwords, saved form data, credit card information, and synced accounts.
- Even if it’s not direct evidence of the investigated activity, search and site visit histories can be especially revealing of investigation subjects’ state of mind.
How Technology Helps Internet Activity Investigations
- Timeline views allow you to see events in the context of what preceded and followed them. Nothing happens in a vacuum. Timelines can reveal patterns of behavior that may be relevant to the investigation.
- Sorting web histories by URL—the way Exterro FTK categorizes them—makes it easy to review a user’s internet activity, including understanding what actions the subject repeats over and over again.
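The review of search history, accessed URLs and timelines from the "Where to Start" list, and the by-URL sorting and timeline views described in this section, can be reproduced against a Chromium-style browser History database. The following is an added example, not Exterro's or FTK's code. It builds an in-memory SQLite database using a simplified subset of the schema Chromium uses for its History file (the `urls`, `visits` and `keyword_search_terms` tables), converts the WebKit timestamps (microseconds since 1601-01-01 UTC), and then produces a visit timeline, per-host visit counts that surface repeated activity, the recorded search terms, and the visits around a moment of interest such as the send time of a suspicious email. All hosts, titles and search terms in the sample are constructed.

```python
"""Browser-history triage against a Chromium-style History database (added example)."""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    # Integer floor-division keeps microsecond precision (a float would not).
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_db():
    """Constructed sample history using a simplified subset of Chromium's schema."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                           lower_term TEXT, term TEXT);
    """)
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    sample_visits = [  # (url_id, url, title, minutes after t0); hosts are hypothetical
        (1, "https://search.example/search?q=resignation+letter+template", "search", 0),
        (2, "https://filehost.example/upload", "Upload files", 5),
        (2, "https://filehost.example/upload", "Upload files", 6),
        (2, "https://filehost.example/upload", "Upload files", 7),
        (3, "https://intranet.corp.example/hr/policy", "HR policy", 60),
    ]
    for url_id, url, title, minutes in sample_visits:
        when = datetime_to_webkit(t0 + timedelta(minutes=minutes))
        con.execute("INSERT OR IGNORE INTO urls (id, url, title, visit_count, last_visit_time) "
                    "VALUES (?, ?, ?, 0, 0)", (url_id, url, title))
        con.execute("UPDATE urls SET visit_count = visit_count + 1, last_visit_time = ? "
                    "WHERE id = ?", (when, url_id))
        con.execute("INSERT INTO visits (url, visit_time, from_visit) VALUES (?, ?, 0)",
                    (url_id, when))
    con.execute("INSERT INTO keyword_search_terms VALUES (1, 1, ?, ?)",
                ("resignation letter template", "resignation letter template"))
    con.commit()
    return con


def visit_timeline(con):
    """All visits in time order: (datetime, url, title)."""
    rows = con.execute("""SELECT v.visit_time, u.url, u.title FROM visits v
                          JOIN urls u ON u.id = v.url ORDER BY v.visit_time""")
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def visits_by_host(con):
    """Hosts ranked by visit count; repeated activity rises to the top."""
    counts = Counter(urlsplit(url).hostname for _, url, _ in visit_timeline(con))
    return counts.most_common()


def search_terms(con):
    """Search-engine queries the browser recorded, oldest first."""
    rows = con.execute("""SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k
                          JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time""")
    return [(term, url, webkit_to_datetime(t)) for term, url, t in rows]


def visits_around(con, moment, minutes=10):
    """Visits within +/- `minutes` of `moment`, e.g. the send time of an email of interest."""
    lo = datetime_to_webkit(moment - timedelta(minutes=minutes))
    hi = datetime_to_webkit(moment + timedelta(minutes=minutes))
    rows = con.execute("""SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url
                          WHERE v.visit_time BETWEEN ? AND ? ORDER BY v.visit_time""", (lo, hi))
    return [(webkit_to_datetime(t), url) for t, url in rows]


if __name__ == "__main__":
    con = build_sample_db()
    for when, url, title in visit_timeline(con):
        print(when.isoformat(), url, title)
    print("by host:", visits_by_host(con))
    print("searches:", search_terms(con))
```

Against a real History file, open a copy of the database (never the live file) with `sqlite3.connect` and call the same functions; `visits_around` is the bridge between this timeline and the email timeline, since it answers "what was the subject browsing when that message went out". Firefox keeps equivalent data in `places.sqlite` with a different schema and a microseconds-since-Unix-epoch timestamp, so the conversion function must change for that browser.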
For additional tips and tricks related to the type of incident (fraud, malware, or insider threats), download the new Exterro whitepaper Jumpstarting Digital Forensic Investigations.