
Kickstart Email and Internet Activity Investigations with these Digital Forensics Tips

Read this blog post for tips on starting your corporate digital forensic investigations with email and internet analysis techniques.

Businesses today face a dangerous array of cybersecurity threats, from external attackers seeking intellectual property or critical infrastructure control, to insidious insider threats like time theft, fraud, or data exfiltration. Insider risks can be particularly devastating, often remaining undetected until significant damage is done.

To quickly contain a risk and mitigate damage during a cyber incident, corporate digital forensic investigators must examine email and internet activity. This investigation helps them build context, identify persons of interest, and reconstruct a clear narrative of events.

Email Investigations: Where to Start

Email is often a critical vector in malware attacks, phishing, data exfiltration, and intellectual property (IP) theft. Apply these techniques whenever email is involved, regardless of the incident type.

Initial Steps for Email Analysis:

  • Expand Data Files: Expand all email-related files, such as .PST, .OST, .OLK, and .MBOX.
  • Examine Contact Lists: Review the contact list to identify other potential witnesses or parties involved.
  • Analyze Headers: Review sender and recipient information, paying close attention to forwards and BCCs, which can indicate covert communications.
  • Establish Timelines: Look at activity immediately surrounding pertinent emails; these communications can be triggers for specific actions or consequences of previous events.

How Technology Streamlines Email Investigations:

Modern digital forensic tools, such as Exterro FTK®, offer critical capabilities:

  • Domain Sorting: Features like Smart Grid can automatically sort emails by domains, making it easier to reveal communications outside the organization.
  • Artifact Filtering: Artifact-based filtering automatically categorizes email-related file types, providing a head start on understanding context and identifying persons of interest.
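The header triage, domain sorting and timeline steps above, as an added example written for this post (not Exterro's or FTK's code): it parses a constructed .MBOX export with Python's standard `mailbox` module, sorts each message's domains against an assumed internal domain, flags forwards and BCCs that leave the organisation, and returns the messages surrounding a pivot message. The mailbox contents, addresses and `corp.example` domain are constructed sample data.

```python
import mailbox
import tempfile
from datetime import timedelta
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample .MBOX: an internal message, then a forward BCC'd to an external mailbox.
SAMPLE_MBOX = """\
From alice@corp.example Mon Mar  4 09:00:00 2024
From: Alice <alice@corp.example>
To: Bob <bob@corp.example>
Date: Mon, 04 Mar 2024 09:00:00 +0000
Subject: Q1 roadmap

From bob@corp.example Mon Mar  4 09:35:00 2024
From: Bob <bob@corp.example>
To: Carol <carol@corp.example>
Bcc: personal.box@webmail.example
Date: Mon, 04 Mar 2024 09:35:00 +0000
Subject: Fwd: Q1 roadmap

Keeping a copy for later.
"""

def addrs(msg, *headers):
    """Lower-cased addresses from the named headers (Bcc normally survives only in the sender's own store)."""
    return [a.lower() for _, a in getaddresses(sum((msg.get_all(h, []) for h in headers), []))]

def parse_mbox(path, internal):
    """One record per message, sorted by Date, with the header facts an investigator triages first."""
    records = []
    for msg in mailbox.mbox(path):
        sender, bcc, subject = addrs(msg, "From")[0], addrs(msg, "Bcc"), msg.get("Subject", "")
        domains = {a.rsplit("@", 1)[-1] for a in [sender, *addrs(msg, "To", "Cc"), *bcc]}
        records.append({"when": parsedate_to_datetime(msg["Date"]), "from": sender, "subject": subject,
                        "external": sorted(domains - {internal}),  # domain sorting: what left the organisation
                        "bcc": bcc, "forward": subject.lower().startswith(("fwd:", "fw:"))})
    return sorted(records, key=lambda r: r["when"])

def suspicious(records):
    """Forwards or BCCs that reach an external domain: the covert-communication pattern to review first."""
    return [r for r in records if r["external"] and (r["bcc"] or r["forward"])]

def context(records, pivot, minutes=60):
    # Timeline window: every message within +/- minutes of the pivot message.
    window = timedelta(minutes=minutes)
    return [r for r in records if abs(r["when"] - pivot["when"]) <= window]

def load_sample(internal="corp.example"):
    # Write the constructed sample to a temp file and parse it like a real .MBOX export.
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
    return parse_mbox(f.name, internal)
```

On a real export, point `parse_mbox` at the expanded .MBOX file and the organisation's own domain; the same records feed a domain count or a timeline view.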

Internet Activity Investigations: Reconstructing Behavior

Internet activity investigations focus on patterns of behavior, which are vital for cases involving malware, time theft, resource misuse, or financial crime. Apply these techniques whenever conduct involves internet or remote use.

Where to Start Internet Analysis:

  • Expand Browser Data: Expand all folders related to browsers (Chrome, Edge, Firefox, etc.) and associated .SQL database files.
  • Identify Anonymizers: The presence of tools like Tor must be investigated immediately, as they are used to access the "dark web" and conceal activity.
  • Review Searches and History: Analyze keyword searches, URL history, downloads, bookmarks, cookies, logins, and saved form data (including credit cards).
  • Assess State of Mind: Even if not direct evidence of a crime, site visit histories can be especially revealing of a subject's state of mind during the investigated period.

How Technology Aids Internet Investigations:

  • Contextual Timelines: Timeline views are essential, as nothing happens in a vacuum. They allow investigators to see events in the context of what preceded and followed them, revealing critical patterns of behavior.
  • URL Categorization: Sorting web histories by URL (a native capability in Exterro FTK) simplifies the review of a user’s internet activity and repetitive actions.

For additional tips, techniques, and tricks related to specific types of incidents—such as malware, fraud, or insider threats—download the full Exterro whitepaper: Jumpstarting Digital Forensic Investigations.