Computer Forensics - finding the cause

Computer Forensics is a reactive service: it is provided after a security violation has occurred, when the situation has to be dealt with.

What happened?
Who did it?
How could this have happened?
What do we need to do now?
How can we prevent this from happening again?

With the support of our service these questions can be answered. We help you clarify such important issues as identifying the originator of an attack and determining the exploited vulnerabilities, the affected systems and the loss caused by the attack, so that the damage can be repaired and the security holes eliminated permanently.

Identifying causes - Eliminating vulnerabilities permanently

After a security incident the cause is often left undetermined. To restore availability, the system is simply rebooted without looking further into the cause of the incident. This procedure is not recommended.

In any case, the goal should be to determine and eliminate the vulnerabilities in order to prevent an incident like this from happening again. SRC supports you in identifying the causes and in defining countermeasures with permanent effect.

Identifying originators

Identifying the originator of the damage is important for incidents in which you may wish to claim damages. SRC supports you in securing lost, deleted or destroyed data on IT systems that can be used as evidence in court to identify the originator of the damage, in securing evidence usable in court proceedings, and in reconstructing maliciously destroyed data.

Detection and limitation of the extent of damage

Once damage has been detected, its extent must be determined. Without destroying evidence or compromising its admissibility in court, it must be assessed which IT systems and which information have to be considered compromised. Establishing the extent of the damage is particularly relevant for an efficient damage-limitation procedure. SRC can help you establish the extent of the damage and the affected systems and information; our goal is to team up with customers to define a procedure for limiting the damage.

CERT - quickly making the right decisions after a security incident

After a security incident, in certain cases it is all about limiting the extent of the damage and restoring regular operations as quickly as possible. A Computer Emergency Response Team (CERT) takes on this job.

The security experts of SRC support you in making the right decisions so that the extent of the damage after a security incident can be limited as far as possible. We help you come to the right decision at the right time, and we stay focused even in times of crisis.

Live-Analyses

Frequently, when a security incident is identified, the affected system is rebooted immediately without further investigation. From a security perspective, this implies that the cause of the incident is often not detected and that the rebooted system continues to be vulnerable to new attacks.

In order to determine the cause of the incident, a detailed investigation is necessary, and for that the system must be left in its current state. SRC supports you with a prompt live-analysis of the affected system and is able to react quickly.

Email Forensics

Today, businesses receive large amounts of unwanted emails. Normally, these are spam emails or messages with deceptive intent (phishing, Trojans, malware, etc.). However, there are also sporadic emails with offensive content.

Offensive emails received from external sources can be discarded, or their volume contained, by using virus and spam filters. If the offensive emails presumably originate from the company's own network, current law dictates that the incident has to be prosecuted. The offence is an attack on the honour of a person through the expression of contempt or disrespect.

According to German law (§ 185 StGB) the offence is punished with a prison sentence of up to one year or a monetary fine. If the offence is committed by means of assault, it is punished with a prison sentence of up to two years or a monetary fine. According to German law (§ 194 StGB) the offence is pursued only upon request.

If an offence is returned right away, the judge can exempt both or only one of the offenders from punishment according to German law (§ 199 StGB). With the aid of email forensics, the authenticity of the email sender is verified and forged emails are recognised.

Reverse-Engineering

Frequently, computer systems are affected by malware (viruses, Trojans, spyware). Recent examples are Trojan horses that intercept passwords, PINs and TANs. For a detailed clarification of the incident, the malware found on the compromised system has to be examined.

SRC's consultants support you in the analysis of Trojan horses and determine the exact mode of operation of the malicious software by reverse-engineering. One aim of the analysis is, for example, to collect further information for the investigating authorities that contributes to the prosecution of the offender.

Examples of use

  • White-collar crime (e.g. theft of research data): identification of the offender and securing evidence for use in court
  • Fraud, e.g. manipulation of accounts
  • System manipulation, e.g. manipulation of accounting software, enterprise resource planning systems, point-of-sale systems, databases, file servers
  • Manipulation of hardware components, e.g. identifying manipulation of payment terminals and ATMs, as well as reconstructing the offender's course of action and defining countermeasures
  • Analysis of Trojan horses, e.g. as part of anti-phishing measures, in order to identify affected online-banking systems and detect target accounts

References

Among others, SRC supported a large German media enterprise in investigating an attack on its internet presence. We provided consultation on evaluating the impact and extent of the damage and compiled a concept for eliminating the vulnerabilities.

SRC has conducted several post-mortem incident analyses for internationally operating banks. SRC's consultants supported a large German telecommunications provider in developing algorithms for the forensic analysis of e-mail headers written by message transfer agents.

Additionally, SRC was significantly involved in building and operating the first commercial CERT service provider in Germany. SRC has performed forensic analyses within the financial sector requested by MasterCard.

Contact

Randolf Skerka
Thilo W. Pannen
Detlef Kraus

info[at]src-gmbh.de
Telephone: +49(0)228 2806-0
Telefax: +49(0)228 2806-199