Wednesday, 26 November 2014

Investigation and Intelligence Framework - About Evidence

Cybercrimes are advancing every day and investigators face more and more challenges, but they are often too focused on the technical details and so fail to draw the whole picture of the incident by correlating the seized or acquired evidence for intelligence purposes.

The idea of the Investigation and Intelligence Framework (iif) is to help correlate evidence and intelligence so that investigations can be carried out more effectively. To begin with, let's look at the evidence first.
All network-related evidence, including memory, registry, web applications (e.g. browser or Skype) and network traffic (e.g. pcap), should be investigated.

Memory
We are not going to do malware analysis once we have the memory dump; instead we look for any suspicious processes and interesting artifacts.


Registry
For the registry, we look at the hive keys that control which processes start automatically, to see if there are any suspicious findings. Besides that, we can sometimes also check the Internet history there.



Web-applications
Web applications include browser history as well as the history of some instant messengers such as Skype; we should look for possible downloads from suspicious sources.


Network traffic
For network traffic we have to do packet analysis, searching for suspicious IP addresses and protocols. In the example here (of course it is intended to be so), a malware could be using the FTP protocol to transfer something like a keylogger's history to the evil server.
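As an added example (not code from the original post), this is the kind of triage the packet-analysis step produces once the FTP control channel has been pulled out of a capture: constructed sample packets are grouped into client/server sessions, any upload (STOR) to a server outside an assumed allowlist of the organisation's own FTP hosts is flagged, and the data-channel port from the PORT command is kept so the matching data transfer can be located in the pcap.

```python
"""Triage FTP control-channel traffic for uploads to unknown servers."""
import re
from collections import defaultdict

# Constructed sample: (src_ip, dst_ip, payload) as a packet parser would yield
# them for the FTP control channel (TCP/21). Not real captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", "USER upload\r\n"),
    ("10.0.0.5", "203.0.113.7", "PASS secret\r\n"),
    ("10.0.0.5", "203.0.113.7", "PORT 10,0,0,5,4,1\r\n"),
    ("10.0.0.5", "203.0.113.7", "STOR keylog_2014-11-26.txt\r\n"),
    ("10.0.0.5", "203.0.113.7", "QUIT\r\n"),
    ("10.0.0.8", "192.0.2.10", "USER ftp\r\n"),
    ("10.0.0.8", "192.0.2.10", "RETR readme.txt\r\n"),
]

# Assumed allowlist of the organisation's own FTP servers (hypothetical).
KNOWN_FTP_SERVERS = {"192.0.2.10"}

# One FTP command per line: verb, optional argument, CRLF terminator.
FTP_CMD = re.compile(r"^(?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?\r\n$")


def summarize_ftp(flows, known_servers):
    """Group commands by (client, server); return uploads to unknown servers."""
    sessions = defaultdict(
        lambda: {"user": None, "uploads": [], "downloads": [], "data_port": None}
    )
    for src, dst, payload in flows:
        m = FTP_CMD.match(payload)
        if not m:
            continue  # replies or data-channel bytes are not control commands
        cmd, arg = m.group("cmd"), m.group("arg")
        s = sessions[(src, dst)]
        if cmd == "USER":
            s["user"] = arg
        elif cmd == "STOR":            # client -> server transfer (exfil path)
            s["uploads"].append(arg)
        elif cmd == "RETR":            # server -> client transfer (download)
            s["downloads"].append(arg)
        elif cmd == "PORT":            # active-mode data port: p1*256 + p2
            o = arg.split(",")
            s["data_port"] = int(o[4]) * 256 + int(o[5])
    return [
        {"client": c, "server": srv, "user": s["user"],
         "files": s["uploads"], "data_port": s["data_port"]}
        for (c, srv), s in sessions.items()
        if s["uploads"] and srv not in known_servers
    ]
```

Each finding gives the analyst the client, the unknown server, the login used, the file names pushed and the data port to pivot on in the capture.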


So you may ask how we know whether a piece of evidence is worth further investigation, and even once we have sorted out the evidence we want, what do we do next? We will discuss that in the next post, so please stay tuned. :)

