The first installment of the series Digital Smoke: The Art of Incident Response discussed the modern threat environment. The analysis of the threat environment was juxtaposed with the traditional methodology of responding to a scene where there is a running computer, namely, pulling the plug. The conclusion of the first installment was that the modern threat environment is such that pulling the plug on a running computer is not only undesirable but may inadvertently destroy any chance of obtaining the information needed from the computer.
This, the second installment of the series, will address the issue of defining incident response. Although the term incident response appears self explanatory, its meaning within the field of computer forensics and cyber-based investigations is anything but clear. The purpose of this article is to define the incident response space, in an effort to enable forensic professionals, law enforcement and responders to better prepare for the inevitability of responding to a scene with a running computer. To fully define incident response it must be differentiated from the terms with which it is often used interchangeably. Therefore, this article will examine the terms, forensic preview, triage, and incident response and the characteristics that constitute them.
The process of viewing files on the subject’s computer in it’s native environment constitutes a preview. A forensic preview is one which uses forensically sound bootable media on the subject’s computer to view the files on the computer without making any changes to the data (Lewis, 2008). The process of using bootable media to conduct a forensic preview indicates that if the computer is running, it must be restarted with the forensic media inserted. Forensic Preview’s are often conducted in eDiscovery or administrative environments.
Characteristics of Forensic Preview
The Forensic Preview process can best be characterized as a sterile environment. The environment is made sterile by booting from a forensically validated media source that contains trusted tools or an entire integrated user interface. Typically Forensic Preview tools provide features for viewing, searching, hashing, exporting and reporting. Therefore, there is little risk for the responder to inadvertently change or alter data contained within the target machine. In addition, the Forensic Preview is designed to provide a speedy, albeit relatively cursory, insight into the whether or not the allegations are supported and further action warranted. Lastly, the Forensic Preview does not require a high level of computer expertise or in-depth training for the responder to perform.
Triage is the process whereby time sensitive evaluations (made so by an imminent danger or threat) are conducted resulting in the establishment of work priorities (Lewis, 2008). The most critical of tasks is promoted to the top of the priority list and so on in descending order. It is this critical nature of triage that is the most overlooked aspect in differentiating terminology in the field of computer forensics. Therefore, many processes for the responder are termed as triage, however, upon closer examination, triage for the responder to a running computer occurs only during the initial contact, whereby the destruction of data, either intentionally or unintentionally, is likely to occur and immediate action to counteract the destruction must be taken.
Characteristics of Triage
The environment for triage is stressful in that every moment of indecision can have disastrous consequences. Given the time sensitive nature and severity of the situation, responders must be well versed in the methodologies for interrupting data destruction as it is occurring on a running computer. However, additional specialized training is not a requisite for the responder to be successful. Traditionally, the method of pulling the plug on a running system is the fastest and safest way to stop destructive activity, however, there are a number of alternatives that may be warranted in other situations. Lastly, there are no specialized tools for triaging a running computer to stop destructive activity, therefore, manual procedures are the only viable alternative.
For the purpose of this article, incident response is defined as those actions taken on a running computer to obtain volatile and critical data and to prepare it for further forensic examination (Lewis, 2008). In other words, incident response is an approach, containing a series of actions, specifically designed to capture data that will become unavailable once the computer is powered off.
Characteristics of Incident Response
Incident response is characterized by a dynamic environment that requires a high level of technical skill to successfully negotiate. Responders performing incident response must be versed in triage methodologies, be prepared to act according to the status of the computer, transition smoothly into data capture, provide documentation of findings and prepare the computer for possible removal from the scene and transport to a forensic laboratory for an in-depth analysis.
There are two methodologies for incident response, which are not entirely mutually exclusive, manual and automated. The capturing of volatile and critical data manually can be time consuming and prone to errors. Likewise, the automated approach cannot possibly account for every scenario that will confront the responder. Therefore, the responder should ideally be well versed in the manual procedures and have access to a variety of automated tools.
As discussed in Part 1 of the series, the threat environment is substantial. The training of the responder should be inextricably linked to the threat environment. The well trained responder therefore should have a base understanding of computer networks, encryption, computing processes, various operating systems and much more.
General Response Strategies
It is imperative that some form of incident response be performed on-scene whenever there is a running computer. As such, broad guidelines can be established. Assuming officer safety has been accounted for, the on-scene assessment must be made to determine the necessary course of action. This is similar to emergency medical personnel arriving at the scene of an accident. The medical personnel use the “ABC” (airway, breathing and circulation) acronym to assess injuries and establish priorities of work (triage). In a digital crime scene, the priority of work is focused on preserving potential evidence. By following the acronym “STU” responders of the digital crime scene now have an approach to effectively control the situation – stop destructive activity, take volatile and critical data and unplug the system for removal to a lab for further analysis (Lewis, 2009).
The actions the responder takes to stop the destructive activity (triage) depend on the type of activity taking place. If the destruction is intentional, the only viable option may be to pull the plug on the system. If the destructive activity is unintentional, it may be as simple as stopping running processes, removing a network cable or even removing liquid spilled on the computer. Once the destructive activity as been stopped, and if the computer is still running, the responder has a chance to capture volatile and critical data.
Incident Response Phase
Capturing volatile data on a system can be accomplished manually or through automated tools. As previously mentioned both manual and automated responses have their achilles heel. A combination of automated tools and manual processing, provides the best chance for successfully capturing volatile and critical data in the digital crime scene. However, tools and techniques for capturing data should coincide with the expected lifespan of data chart (Farmer and Venema, 2004, p. 6). By considering the Order Of Volatility (OOV) Farmer and Venema (2004) have created a template based on the likelihood of the data remaining viable for capture. Aside from network and system processes, additional data should, depending on the circumstances, also be captured. Generally, data that resides on the hard drive is left for the in-depth forensic examination likely to occur in a laboratory environment. However, organizations and responders thereof, should consider the potential that the data on the drive may become inaccessible once the drive is powered off. Two major reasons data can become inaccessible after a drive is powered off is encryption and hardware malfunction. Therefore, if during the incident response data capture process, the responder can capture data that would be considered critical to the case, it would be prudent to do so. For example, if the case centered around a set of images, it is possible to capture the images or the entire folder containing the images, for use as best evidence should the hard drive later become inaccessible. Lastly, there should be a procedure in place for the responder to formalize a report and prepare the computer assets for transportation to forensic laboratory.
In this article the terms Forensic Preview, Triage and Incident Response have been defined and characterized. The differences between these terms and what constitutes them should enable organizations to plan for education and training of their responders, purchase necessary tools, and develop appropriate response strategies. By being prepared for the modern threat environment, responders will enable organizations to achieve a greater success rate in obtaining the requisite information to move their investigations forward.
Farmer, D, & Venema, W. (2004). Forensic Discovery. Addison-Wesley, Upper Saddle River, NJ.
Lewis, A. (2008). Hybrid Theory Forensics. High Tech Criminal Investigator’s Association (HTCIA), Atlantic City, NJ.
Lewis, A. (2009, July-December). Digital Smoke: The Art of Incident Response. The Informant, 6(2), 26-27.