Chain of Custody for Incident Response must provide provenance details to keep track of original evidence of a security incident. These details can include case name, the evidence numbers, date/time when assets are seized, target system, evidence description, people who had access to the evidence, location of the evidence, and date/time of evidence return or destruction. Details about the attacker are also tracked in the analysis.
An IT security administrator detects an event in network traffic that violates computer security policies. She identifies an attack, and plans the response. She documents the chain of custody for evidence and derived artifacts, including the hash value of extracted information of confirmed associated malware, hash values for files and pages generated by the malware, and pieces of computer code. The steps she takes are described below.
- Suspicious traffic emanating from a conference system camera on the corporate network is reported by a network monitoring appliance.
- The administrator initiates a cyber-investigation, assigning a case name and her authorization (creating an Investigation object).
- The administrator preserves a PCAP file containing captured network traffic (monitoring system, PCAP file name, hash value, and associated ProvenanceRecord).
- She extracts a malware file from the PCAP, which indicates the camera was being used to deploy attack payloads.
- The administrator takes the camera offline and acquires an image of the camera’s storage chip using a JTAG interface, seeking persisted attack artifacts.
- The administrator extracts malware files from the camera’s storage image, recognized by containing malicious domain names suggesting Command and Control servers.
- The discovered Command and Control domains forwarded to remediation groups. The Chain of Custody retained in the CASE representation of this incident can support inquiries to the processes and reasoning used to designate these domains as requiring remediation.