ISSC499 final


Cristian DeWeese

American Public University System

ISSC499

Dr. Missakian

06/16/2024

I. Introduction:

The data breach disclosed by Equifax Inc. in September 2017 compromised the personal data of approximately 147 million people. The incident exposed serious weaknesses in how Equifax protected sensitive consumer information on its network (Goers, 2020). This cybersecurity investigation and forensic methodology plan outlines the multi-stage investigative process intended to help law enforcement identify the perpetrators and to contribute toward preventing similar breaches in the future.

II. Investigation of the Crime or Incident Scene:

The first phase of the inquiry focused on identifying the entry points the attackers used. Network logs, firewall logs, and the output of multiple intrusion detection systems were collected and analyzed at scale. Splunk, a commercial log analysis platform, was used to parse and search the logs; in parallel, SolarWinds was used to monitor network traffic and surface abnormal flows. From these sources a chronological review of the breach was assembled, which was instrumental in identifying key milestones and a timeline of events. Under this scrutiny, a critical weakness in a public-facing web application was identified as the initial foothold from which the attackers moved into Equifax's systems. This finding was important because it established the primary means of entry, the point from which the rest of the investigation proceeds (Aslan et al., 2023).

III. Reconstruction of the Scene or Incident:

The next step built on the results of the first phase and focused on reconstructing the incident in its entirety. To achieve this, we employed FTK and EnCase, tools recognized for their effectiveness in this field, to analyze disk images and server logs from Equifax's systems covering the period of the breach. This stage involved gathering all data relating to the event and arranging the sequence of actions that led to the massive data exfiltration (Nikkel, 2021). By piecing together a precise description of the events, it was possible to establish how the attack was carried out. Most notably, the attackers had exploited an already known vulnerability in the Apache Struts web framework (CVE-2017-5638, a remote code execution flaw triggered through the request Content-Type header, for which a patch had been available since March 2017), which explained not only how the intrusion began but how the attackers retained access and reached further data. This view into the mechanics of the breach proved invaluable in establishing the overall scope and magnitude of the intrusion.
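The log triage described in sections II and III (finding the web-application entry point and placing the first exploitation attempt on the timeline) can be automated once the exploited weakness is known. The following is an added example, not code from the paper or from Splunk. The Struts exploit places an OGNL expression in the request Content-Type header, which standard Apache access logs do not record, so the example assumes a reverse proxy or WAF that logs that header; the pipe-delimited log lines, hosts, paths and addresses are constructed for the example.

```python
"""Log triage for the Apache Struts entry point (CVE-2017-5638).

Added example, not code from the paper or from Splunk. Assumes a proxy/WAF
log that records the request Content-Type header. Sample lines are
constructed; hosts, paths and addresses are hypothetical.
"""
import re
from collections import OrderedDict

# Constructed sample: timestamp | source IP | method | path | Content-Type header | status
SAMPLE_LOGS = """\
2017-05-13T09:14:02Z|203.0.113.7|POST|/acis/login|text/html|200
2017-05-13T09:14:05Z|203.0.113.7|POST|/acis/login|%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm)}|200
2017-05-13T09:15:11Z|198.51.100.22|GET|/acis/index.jsp|text/html|200
2017-05-13T10:02:47Z|203.0.113.7|POST|/acis/upload|%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Probe','1')}|200
2017-05-13T10:05:00Z|192.0.2.9|POST|/acis/login|multipart/form-data; boundary=----abc123|302
"""

# A legitimate media type never begins with an OGNL expression opener; the
# remaining markers are Struts/OGNL internals that only appear in payloads.
OGNL_MARKERS = re.compile(r"^\s*%\{|#_memberAccess|@ognl\.OgnlContext|#context\[|@java\.lang\.")


def parse_line(line):
    ts, src, method, path, ctype, status = line.split("|", 5)
    return {"ts": ts, "src": src, "method": method, "path": path,
            "content_type": ctype, "status": int(status)}


def is_ognl_injection(content_type):
    return OGNL_MARKERS.search(content_type) is not None


def triage(log_text):
    """Return the parsed records whose Content-Type carries an OGNL payload."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_ognl_injection(rec["content_type"]):
            hits.append(rec)
    return hits


def timeline(hits):
    """First-seen, last-seen and attempt count per source address, ordered by
    first appearance: the skeleton of the incident timeline."""
    per_src = OrderedDict()
    for h in sorted(hits, key=lambda r: r["ts"]):
        entry = per_src.setdefault(h["src"], {"first": h["ts"], "last": h["ts"], "attempts": 0})
        entry["last"] = h["ts"]
        entry["attempts"] += 1
    return per_src


if __name__ == "__main__":
    for src, e in timeline(triage(SAMPLE_LOGS)).items():
        print(f"{src}: {e['attempts']} OGNL attempts, {e['first']} .. {e['last']}")
```

The first hit's timestamp is the earliest evidence of exploitation and anchors the timeline; the same marker set can be run as a Splunk search over the proxy index once the field holding the header is known.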

IV. Collection and Preservation of Digital Evidence:

During the collection of digital evidence, rigorous measures were taken to avoid compromising its admissibility. We relied on FTK Imager, a widely used imaging tool, to create exact bit-for-bit copies of the affected systems. To avoid writing to the evidence during imaging, the source devices were connected through hardware write blockers. Each image was then verified against its source by cryptographic hash, so that the data could be shown to be unchanged from its state at the time of the breach, which is essential to the forensic analysis process (Etow, 2020). All electronic evidence was documented and preserved under proper conditions to prevent loss, and it was shared only with the designated investigation team so that the chain of custody remained intact. In addition to protecting the evidence from tampering, this process documented adherence to the required procedural steps, which may be examined during legal proceedings.
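The integrity check that the imaging step above depends on, as an added example that is not the paper's or FTK Imager's code: it reproduces in plain Python what an imaging tool does after acquisition (hash the source, hash the image, compare, and record the result for the chain of custody). The "device" is a constructed byte string written to a temporary file; the case ID, examiner and file names are hypothetical.

```python
"""Acquisition integrity check and chain-of-custody record.

Added example, not code from the paper or from FTK Imager. The 'device' is a
constructed byte string; case ID, examiner and file names are hypothetical.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-terabyte image never has to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path, image_path):
    """Bit-for-bit copy. The source is opened read-only; on real hardware the
    write blocker enforces this below the operating system."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)


def custody_record(case_id, examiner, source_path, image_path):
    """Hash source and image independently and record whether they agree."""
    src_hash = sha256_file(source_path)
    img_hash = sha256_file(image_path)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,
    }


def demo(tamper=False):
    """Acquire a constructed 1 MiB 'device'; with tamper=True, alter one byte of
    the image afterwards to show that verification catches it."""
    device_bytes = bytes(range(256)) * 4096   # constructed disk contents
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sda.raw")      # hypothetical source device
        img = os.path.join(d, "sda.dd")       # hypothetical image file
        with open(src, "wb") as f:
            f.write(device_bytes)
        acquire(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(4097)                  # original byte here is 0x01
                f.write(b"\xff")
        return custody_record("EQ-2017-001", "C. DeWeese", src, img)


if __name__ == "__main__":
    rec = demo()
    print("verified:", rec["verified"], rec["image_sha256"])
```

The recorded image hash is what later analysts re-compute before opening the image in FTK or EnCase; a mismatch at any hand-off, like the single altered byte in the tampered run, means the copy can no longer be presented as the original.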

V. Analysis of the Digital Evidence:

The analysis phase used both inductive and deductive reasoning to break down the attack. Wireshark, a network protocol analyzer, was used to examine captured network traffic. This analysis showed Equifax servers communicating with IP addresses that external threat intelligence sources identified as malicious, as well as the routes the perpetrators used to move stolen data out of the network (Dodiya & Singh, 2022). At the same time, Volatility, a memory forensics framework, was used to examine captured system memory; with it, malicious processes and other artifacts not visible through ordinary inspection of the running system were identified. Applying these forensic tools, we were able to put together a coherent narrative of the workings of the breach. This breakdown identified the pathways the attackers used inside the network, and the phase was therefore central in establishing the trail the attackers left behind, which is of significant relevance both to the investigation and to future litigation.
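The traffic analysis described above, reduced to two checks a practitioner would script once the captures are exported, as an added example that is not code from the paper or from Wireshark. The input mimics a conversation export (along the lines of Wireshark's Statistics > Conversations table copied as CSV, or a NetFlow summary); the records, the internal address ranges, the indicator list and the volume threshold are all assumptions made for the example.

```python
"""Exfiltration candidates from exported network conversations.

Added example, not code from the paper or from Wireshark. Records, internal
ranges, indicator list and threshold are constructed/assumed.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed conversation records: start, internal host, peer, dst port, bytes out, bytes in
SAMPLE_CSV = """\
start,src,dst,dport,bytes_out,bytes_in
2017-05-13T09:14:05Z,10.20.5.11,203.0.113.7,443,1840,9120
2017-05-14T02:10:00Z,10.20.5.11,203.0.113.7,443,734003200,51200
2017-05-14T02:12:30Z,10.20.5.11,198.51.100.22,443,12288,40960
2017-05-15T03:00:01Z,10.20.7.3,192.0.2.9,443,52428800,20480
2017-05-15T09:30:00Z,10.20.5.11,10.20.9.40,1433,2048,4194304
"""

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_BAD = {"203.0.113.7"}            # assumed indicator list; from threat intel in a real case
EXFIL_THRESHOLD = 100 * 1024 * 1024     # assumed: 100 MiB outbound to one external peer


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_conversations(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for k in ("dport", "bytes_out", "bytes_in"):
            r[k] = int(r[k])
        rows.append(r)
    return rows


def find_exfil_candidates(rows, known_bad=KNOWN_BAD, threshold=EXFIL_THRESHOLD):
    """Two independent signals, because TLS on 443 hides the payload:
    (1) any internal host talking to a known-bad peer, and
    (2) outbound volume to one external peer above the threshold, summed
        across conversations so that transfers split into chunks are not missed."""
    findings = []
    out_by_pair = defaultdict(int)
    for r in rows:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue                      # only internal -> external flows matter here
        if r["dst"] in known_bad:
            findings.append({"kind": "ioc_match", "host": r["src"],
                             "peer": r["dst"], "when": r["start"]})
        out_by_pair[(r["src"], r["dst"])] += r["bytes_out"]
    for (host, peer), total in out_by_pair.items():
        if total >= threshold:
            findings.append({"kind": "volume", "host": host, "peer": peer, "bytes_out": total})
    return findings


if __name__ == "__main__":
    for finding in find_exfil_candidates(parse_conversations(SAMPLE_CSV)):
        print(finding)
```

In the constructed data the host that first touched the known-bad address later pushes roughly 700 MiB to it over port 443; the internal-to-internal database transfer on port 1433 is deliberately excluded here, although it belongs to the lateral-movement picture that memory and host analysis fill in.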

VI. Establish Linkages, Associations, and Reconstructions:

Using the graph-based link analysis offered by Maltego, we established relationships between the pieces of evidence. This aided in mapping out the attackers' movements and the points at which they were observed within Equifax's network (Reddy & Pelletier, 2022). SIEM systems also helped correlate current security incident reports with analysis of potential past incidents, placing the breach in a wider context.

VII. Use the Evidence for the Prosecution of the Perpetrators:

A detailed forensic report containing all the main facts and conclusions of the investigation was prepared. It was important to structure this document so that it would support law enforcement agencies in prosecuting the individuals responsible for the Equifax data breach. Sree and Bhanu (2020) identify key practices for cybercrime investigation that apply here, chief among them adequate documentation: the forensic report must be complete and detailed, covering the timeline of the incident, the type of intrusion, the extent of the loss, and the identity of the perpetrators. Accordingly, the report contained the step-by-step breach procedure, details of the data that was leaked, and a full description of the vulnerabilities exploited. A consistent and rigorous approach was adopted in organizing each piece of evidence and documenting every fact in order to meet the legal standard of evidentiary admissibility. The aim was to align the account of events with a sound legal argument so that the defendants could be prosecuted on the strength of this narrative.

VIII. Conclusion:

This forensic approach presented a logical, step-by-step method for examining the Equifax data breach, covering acquisition, identification, documentation, analysis, and reporting. While it supported the identification and prosecution of the offenders, it also pointed out essential security measures required to prevent similar events in the future.

References:

Aslan, Ö., Aktuğ, S. S., Ozkan-Okay, M., Yilmaz, A. A., & Akin, E. (2023). A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions. Electronics, 12(6), 1333. https://scholar.google.com.pk/scholar?hl=en&as_sdt=0%2C5&as_ylo=2020&q=Aslan%2C+%C3%96.%2C+Aktu%C4%9F%2C+S.+S.%2C+Ozkan-Okay%2C+M.%2C+Yilmaz%2C+A.+A.%2C+%26+Akin%2C+E.+%282023%29.+A+comprehensive+review+of+cyber+security+vulnerabilities%2C+threats%2C+attacks%2C+and+solutions.+Electronics%2C+12%286%29%2C+1333.+&btnG=

Dodiya, B., & Singh, U. K. (2022). Malicious traffic analysis using Wireshark by collection of indicators of compromise. International Journal of Computer Applications, 183(53), 1-6. https://www.researchgate.net/profile/Bindu-Dodiya-2/publication/358742834_Malicious_Traffic_analysis_using_Wireshark_by_collection_of_Indicators_of_Compromise/links/62134e514be28e145ca6bc65/Malicious-Traffic-analysis-using-Wireshark-by-collection-of-Indicators-of-Compromise.pdf

Etow, T. R. (2020). Impact of anti-forensics techniques on digital forensics investigation. https://www.diva-portal.org/smash/get/diva2:1453485/FULLTEXT02

Goers, T. (2020). From banking to data breaches: Ensuring financial institution accountability with public and private oversight. Michigan State Law Review, 1141. https://scholar.google.com.pk/scholar?hl=en&as_sdt=0%2C5&as_ylo=2020&q=Goers%2C+T.+%282020%29.+From+Banking+To+Data+Breaches%3A+Ensuring+Financial+Institution+Accountability+With+Public+And+Private+Oversight.+Mich.+St.+L.+Rev.%2C+1141.+&btnG=

Nikkel, B. (2021). Practical Linux forensics: A guide for digital investigators. No Starch Press. https://digitalforensics.ch/linux/practical-linux-forensics-appendix-2021-07-17.pdf

Reddy, P. S., & Pelletier, J. M. (2022, May). The pentest method for business intelligence. In 2022 45th Jubilee International Convention on Information, Communication and Electronic Technology (MIPRO) (pp. 1117-1125). IEEE. https://www.researchgate.net/profile/Justin-Pelletier/publication/362987522_The_Pentest_Method_for_Business_Intelligence/links/63c8ad10d7e5841e0bdcf5bc/The-Pentest-Method-for-Business-Intelligence.pdf

Sree, T. R., & Bhanu, S. M. S. (2020). Data collection techniques for forensic investigation in cloud. In Digital forensic science. IntechOpen. https://www.intechopen.com/chapters/64377