Selcouth Cyber Security Services Private Limited

Cyber Forensics

Background

What is Cyber Forensics?

Cyber Forensics is a structured method of investigation to find out exactly what transpired on a computing device and/or network with a key aim to identify who and/or what was responsible for it, while maintaining a documented chain of evidence.


An Outlook on Cyber Forensics

Initial evidence to locate:

  • The current state of the computer system.
  • System logs.
  • File transfer logs.
  • Event logs (Windows: System Events / Event Viewer | Linux: the secure and/or messages logs).
  • Access logs.
  • Malicious software installations.
  • Monitor and analyze LAN/WAN/internet traffic (even at the packet level).
  • Logs from a wide variety of network devices (firewalls, switches, NIDS, etc.).

Approach to Cyber Forensics

In the case of a malware event

Before conducting an investigation, ensure that the compromised device is physically isolated from the environment, so that it cannot be contaminated accidentally and so that the threat cannot spread further across the infrastructure. Once the device is isolated, a digital copy of it must be prepared for investigation, and the original device is locked away securely to preserve its “as-is” state.
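The digital copy and “as-is” preservation described above only hold up if the copy can be proven identical to the original and the act of copying is recorded. The following is an added illustration written for this page, not the firm's own tooling: it images a source byte-for-byte, hashes the bytes as they are read, re-hashes the written image, and appends a chain-of-custody record. The function names, the JSON-lines log layout and the examiner field are assumptions made for the example.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy and hash in 1 MiB pieces so a large disk never sits in memory


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 (used to re-verify an image before each session)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image: str, expected_sha256: str) -> bool:
    """True only if the image still matches the hash recorded at acquisition."""
    return sha256_of(image) == expected_sha256


def acquire_image(source: str, image: str, custody_log: str, examiner: str) -> dict:
    """Copy `source` byte-for-byte to `image`, hashing the bytes as they are read,
    then independently re-hash the written file. Matching hashes show the copy is
    exact; the record appended to `custody_log` (one JSON line per event) is the
    chain-of-custody entry. In practice `source` is attached through a write blocker
    so the original is never modified. (Hypothetical helper written for this example.)"""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "sha256_source": h.hexdigest(),
        "sha256_image": sha256_of(image),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image hash mismatch: the copy is not evidence-grade, re-acquire")
    return record
```

Run `verify_image` against the recorded hash before every analysis session; a mismatch means the working copy can no longer be relied upon as evidence.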

In the case of a suspected breach

A digital forensics team will examine the network and look for signs of a lingering attack, such as unauthorized user accounts or accounts holding privileges they should not have. The team can determine whether an attack is still ongoing and strengthen the organization's defenses to halt continuing damage.

A digital forensics team can also help the organization strengthen its detection and response controls, improving both its network infrastructure and its overall security.

In the case of a suspected insider threat

Insider threats in cyber security are threats posed by individuals from within an organization, such as current or former employees, contractors and partners. These individuals have the potential to misuse their access to networks and assets to wittingly or unwittingly disclose, modify or delete sensitive information. Some common steps that can be considered to reduce insider threats are:

  • Recommend best practices for network and endpoint monitoring systems to detect anomalous behavior.
  • Recommend best practices for closely managing the accounts and privileges of all employees and contractors.