
25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

Cybercrime investigators on the job



A security incident calls for a specific set of actions. Courts require that every step is documented and that evidence is preserved. Special tools are available to carry out this work.

IT teams face special challenges after a successful attack. Traces have to be preserved in a complex process. At the same time, systems have to be back up and running as quickly as possible, requiring both expert knowledge and the right tools.

A master plan detailing the necessary steps hopefully already exists to deal with such emergencies. After all, a level-headed approach is key now, and making the wrong moves can have dire consequences (see here for more information). The incident may ultimately lead to criminal proceedings, so traces have to be preserved and the required steps have to be documented. The risk is that any action taken may simultaneously alter the evidence. Even logging in or viewing log files leaves behind traces that could overwrite the traces left by the intruder.

Detective work to look for signs of the incident’s causes and effects is a case for IT forensic experts. External specialists can be brought in if a company does not have properly trained in-house experts.

Preserving evidence

First, you have to capture the current state of all affected systems. Experts advise starting with a copy of the volatile memory (RAM) made with special software. This shows any processes still running that were launched during the attack. These traces would be lost if the system were switched off or shut down. Attackers also use fileless malware, which operates entirely in memory without placing files on the hard drive.

In the next step, you can image the storage devices. Anybody taking a diligent approach will first image hard drives and other connected mass storage devices while the system is running, and then again after it has been shut down. Comparing the two images typically reveals which files were opened or changed before the system was shut down.

A duplicate standby system should be available for critical company systems that must not go offline. This step allows one system to be backed up, while another continues to run.

Special forensic tools

All evidence must be preserved in a legally admissible manner in case legal action is taken at a later date. Not every backup tool can do this, so forensic experts opt for special tools. One popular open-source tool is The Sleuth Kit, a collection of forensic command-line tools that is complemented by Autopsy as a graphical user interface.
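The two points above, imaging in a fixed order and keeping the result admissible, rest on the same practical habit: hash each acquired image as soon as it is captured, record who captured it and when, and re-hash any copy before it is analysed so that an altered working copy is detected rather than silently trusted. The following script is an added example, not code from the article, the BSI guide or The Sleuth Kit; it models that acquisition record and verification check with a constructed memory image, a constructed examiner name and a JSON-lines custody log, all of which are assumptions for illustration.

```python
"""Evidence acquisition record with integrity verification.

Added example (not the article's, the BSI's or The Sleuth Kit's code):
models the hashing and chain-of-custody steps that keep a forensic image
verifiable. File names, examiner names and contents are all constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB read buffer, so large images do not fill RAM


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(image: Path, log: Path, examiner: str, note: str) -> dict:
    """Hash an acquired image and append a custody entry to a JSON-lines log."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "item": image.name,
        "size": image.stat().st_size,
        "sha256": sha256_file(image),
        "note": note,
    }
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify(image: Path, log: Path) -> bool:
    """Re-hash the image and compare it with the first logged hash for that item."""
    with log.open(encoding="utf-8") as f:
        for line in f:
            entry = json.loads(line)
            if entry["item"] == image.name:
                return sha256_file(image) == entry["sha256"]
    return False  # no acquisition record: nothing to verify against


def demo() -> tuple:
    """Constructed run: an intact working copy verifies, a modified one does not."""
    work = Path(tempfile.mkdtemp())
    log = work / "custody.jsonl"
    ram = work / "host01-ram.img"  # constructed stand-in for a memory image
    ram.write_bytes(b"\x00" * 4096 + b"constructed memory contents")
    record_acquisition(ram, log, "examiner A (constructed)", "RAM captured before shutdown")
    intact = verify(ram, log)
    # Simulate a working copy touched after acquisition (e.g. opened read-write)
    with ram.open("r+b") as f:
        f.seek(0)
        f.write(b"\x01")
    tampered = verify(ram, log)
    return intact, tampered


if __name__ == "__main__":
    print("intact copy verifies: %s, modified copy verifies: %s" % demo())
```

In practice the log line is written for every image (memory first, then each live and post-shutdown disk image) and the verification runs on the copy an analyst actually opens, never on the original evidence; the original stays write-protected. A single changed byte in the working copy is enough to fail the check.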

Other actions are needed in special cases where investigators want to observe what the attacker is doing. Such tools should allow investigators to track every step the attackers took, to discover what their intentions were, what changes they made and which security gaps they exploited.

The complex nature of this investigative work prompted the German Federal Office for Information Security (BSI) to publish a highly detailed Guide for IT Forensics. More than 300 pages long, this guide also contains useful checklists. A much more compact Introduction to Computer Forensics can also be found on the BSI’s website.

Once the forensic experts have finished their work, the admins' work begins. Before the affected systems can be restarted, they must be cleaned of malware or reinstalled. Any backdoors must be removed and the exploited security holes must be closed.

This article highlights IT forensics from the management perspective.

