
Example Forensics Case: Fraud

Uplink Inc., a local ISP, has encountered a case of possible fraud in which an unauthorized individual accessed Uplink Inc.’s systems using multiple user IDs; in the process, multiple customer accounts were breached and the main website was defaced. Because Uplink Inc. relies on technology to deliver its products, the unauthorized intrusion into its hardware, software, and systems needs to be identified quickly, and the point of entry needs to be closed. Since Uplink Inc.’s customers depend on its Internet services to operate, and since the company stores a tremendous amount of sensitive personal and organizational information, the breach needs to be handled with care, with a thorough understanding of exactly what the perpetrator did, what they had access to, and what they continue to have access to. Uplink Inc. runs a variety of platforms, including Microsoft Windows and Windows Server 2016, Macintosh, and Linux; this mix of systems will make the digital forensic process challenging.

First, I would need a significant amount of information before the investigation begins: the time and date of the incident, who first identified the breach, the affected customer accounts, the current firewall security settings, the hosting company for the defaced website, server logs, access to Uplink Inc.’s server/data room, current Windows domain policies, current Windows 10 policies, current Windows Server 2016 policies, current SUSE Linux Enterprise system policies, current Apache policies, current database (MySQL) policies, and any antivirus/antimalware software in use. This information would have to be obtained from Uplink Inc.’s cybersecurity and IT staff, as well as from management.

To locate and collect the data required for this investigation, I would have to go through all server, database, OS, and security software logs to determine the point of entry of the breach; in this process I can also identify the attacker’s IP address and how they managed to bypass Uplink Inc.’s security. Once the IP address has been identified, I would ensure that it was blacklisted. Knowing how the attacker gained entry, I would then enforce stricter password and security policies. Because of the vast number of different systems, including Windows, Linux, and Macintosh, the forensic investigation would require multiple operating systems and tools to collect information effectively, make copies of drives, and reconstruct the unauthorized person’s attack path. I would most likely use programs such as SnapCopy, EnCase, and SafeBack to handle data acquisition for each OS, along with write-blocking utilities. For Linux, I would most likely use a Linux Live CD.
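As an added illustration of the log triage described above (example code, not part of the original post), the following groups authenticated web-server requests by source IP over constructed Apache-style access log lines, flags any source address that signed in as more than one user ID, and records the first and last time each such address was seen, which is what the response plan later asks for. The log format, IP addresses, and user names are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache-style access log lines (sample data, not Uplink Inc.'s logs).
# Field 3 is the authenticated user ID; "-" means no authenticated user.
SAMPLE_LOG = """\
198.51.100.23 - alice [12/Mar/2019:08:14:02 -0500] "GET /account HTTP/1.1" 200 5123
198.51.100.23 - bob [12/Mar/2019:08:14:40 -0500] "GET /account HTTP/1.1" 200 5010
198.51.100.23 - carol [12/Mar/2019:08:15:11 -0500] "POST /admin/pages HTTP/1.1" 200 88
198.51.100.23 - dave [12/Mar/2019:08:16:30 -0500] "PUT /index.html HTTP/1.1" 204 0
203.0.113.7 - - [12/Mar/2019:09:00:10 -0500] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - dave [12/Mar/2019:09:02:55 -0500] "GET /account HTTP/1.1" 200 5010
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_shared_source_ips(log_text, min_users=2):
    """Group authenticated requests by source IP and keep the IPs that used at
    least min_users distinct user IDs, with first/last seen time and requests."""
    per_ip = defaultdict(lambda: {"users": set(), "first": None, "last": None, "requests": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":
            continue  # skip unparsable lines and unauthenticated requests
        entry = per_ip[rec["ip"]]
        entry["users"].add(rec["user"])
        if entry["first"] is None or rec["ts"] < entry["first"]:
            entry["first"] = rec["ts"]
        if entry["last"] is None or rec["ts"] > entry["last"]:
            entry["last"] = rec["ts"]
        entry["requests"].append(rec["req"])
    return {ip: e for ip, e in per_ip.items() if len(e["users"]) >= min_users}
```

On the sample data only 198.51.100.23 is flagged; its request list then shows what was done under each borrowed user ID, including the write to the defaced page.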

Regarding the defaced website, if an image was used, I could examine the graphics file with a program such as WinHex to determine the image type (and whether any modifications were made) by looking at the hexadecimal header, and with a steganalysis tool such as Steg Suite to determine whether any information is hidden in it. I could also perform a simple reverse image search in Google to determine where the image came from. After collecting data from each OS, server, and RAID array (making copies whenever possible), I would also collect any devices that contain evidence and carefully bring them to a secure location for further analysis. Since customers’ accounts were included in the breach, I would recommend that Uplink Inc. send out a mass email stating that their accounts have been compromised, what data was obtained/accessed, and exactly how this will be prevented in the future. Along with the statement, customers would need to be instructed to change their passwords, with stricter requirements.
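The header check described above, written out as an added example (not code from the original post): it identifies an image’s real format from its leading magic bytes rather than its file extension, and counts any bytes that follow the format’s end marker, a simple first indicator that something has been appended to the file and worth handing to a steganalysis tool. The sample byte strings are constructed minimal stand-ins, not files from the case.

```python
# Constructed minimal samples (not files from the case): a PNG whose IEND chunk is
# followed by appended bytes, and JPEG bytes that might be saved under a .png name.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82" + b"hidden payload"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\xff\xd9"

# Magic-byte signatures found at the start of each format.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("bmp", b"BM"),
]
# Marker that ends the image data, and the marker's length in bytes
# (IEND chunk type + 4-byte CRC for PNG; EOI marker for JPEG).
END_MARKERS = {"png": (b"IEND", 8), "jpeg": (b"\xff\xd9", 2)}
EXT_ALIASES = {"jpg": "jpeg"}


def identify_image_type(data):
    """Return the format name implied by the file header, or None if unknown."""
    for name, sig in SIGNATURES:
        if data.startswith(sig):
            return name
    return None


def trailing_bytes(data):
    """Bytes after the format's end marker (a crude sign of appended data);
    None if the format has no simple end marker or the marker is missing."""
    kind = identify_image_type(data)
    if kind not in END_MARKERS:
        return None
    marker, length = END_MARKERS[kind]
    # The first IEND ends a PNG; for JPEG take the last EOI, since embedded
    # thumbnails may carry their own.
    pos = data.find(marker) if kind == "png" else data.rfind(marker)
    if pos < 0:
        return None
    return len(data) - (pos + length)


def check_file(filename, data):
    """Return (detected_type, extension_agrees, trailing_byte_count)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = EXT_ALIASES.get(ext, ext)
    detected = identify_image_type(data)
    return detected, detected is not None and detected == ext, trailing_bytes(data)
```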

There are several obstacles in the way of understanding and identifying how the attacker successfully breached Uplink Inc.’s systems, including the length of time it will take to thoroughly perform forensic analysis on the four-disk RAID array, all forty workstations, the Windows domain, the Windows Server 2016 domain controllers, and the Linux enterprise servers, as well as to examine each employee’s computer/network usage. If the breach were found to be an internal attack, each individual with network access would have to be examined, including making copies of their drives and examining their activity. Because Uplink Inc. uses multiple types of operating systems, data retrieval would be complicated by the number of retrieval and forensic analysis methods and tools that might have to be used. Finally, due to the severity of the situation involving customer data, the forensic investigation would extend beyond the company, raising legal issues around analyzing customer accounts and personal information.

To address the time constraints of the forensic investigation, a properly formed project management plan would be introduced, allocating time, manpower, and resources to each system accordingly. To help manage the issues involved if the attack were found to be an internal event, I would work closely with Uplink Inc.’s own cybersecurity and IT personnel to assist them in collecting Uplink Inc.’s employee data while making sure they do not impede the forensic/legal process. For the difficulties of working with different systems (Windows, Macintosh, Linux, Apache, etc.), I would bring multiple software packages and systems on a robust mobile workstation to collect data effectively from each OS and device. If possible, I would make copies of all drives and bring them to my secure forensic lab, where I will have everything needed to extract the necessary data. Finally, due to the possible legal nightmare involved with the breached customer data, I would work closely with Uplink Inc.’s legal team (if it has one), with my own legal representative, and with local police (if required).

Uplink Inc. Response Plan

  1. Meet with Uplink Inc. to discuss the incident, brainstorm possible attack vectors, determine the time allotted to finish the investigation, and establish communication with Uplink Inc.’s cybersecurity and IT staff.
  2. Create a plan for data retrieval; get access to all affected systems.
  3. Coordinate with Uplink Inc. to ensure customers and business partners are well informed of the incident and the steps taken to remedy it/prevent it from happening again.
  4. Identify affected systems, devices, etc.
  5. Identify required data retrieval software/hardware for forensic analysis of affected systems, devices, etc.
  6. Make copies of all affected systems, devices, etc.
  7. Bring copies of all affected systems’ and devices’ hard/flash drives to a secure location.
  8. Commence data retrieval and analysis of all affected systems, devices, etc.
  9. Identify the attacker’s IP address(es), the time/date of the first and last unauthorized entry, their actions, and how they bypassed security.
  10. Create a report of all forensic findings.
  11. Offer suggestions for improving security.
  12. Present findings to Uplink Inc., legal teams, as well as local police (if required).

