Blue Core Research
Reactive Forensics and Auditing: Follow Sherlock Holmes
Learn about reactive forensics, the evidence you need, and how to prepare so that when the time comes, everything works.

A reactive forensic investigation is the IT equivalent of a detective analyzing a crime scene. Just as Sherlock Holmes reconstructed the events of a crime through clues, traces, and deductive methods, reactive forensics seeks to answer the essential questions: who did it, when, and how? In short, what happened?

Evidence Collection

Holmes analyzes every detail of the crime scene to formulate a hypothesis. Reactive forensics does that in the digital world – examining files, activity logs, and all available digital traces. However, as Holmes would warn, an investigation depends on the availability and preservation of evidence. Without evidence, finding answers is much more complex and costly, if at all possible.

Types of Evidence

Reactive forensic investigations take advantage of whatever evidence is available. But what can such evidence be?

  • Files and disk drives are like the crime scene Sherlock walked into. Sherlock’s keen observation noticed the slightest clue, and a good forensic investigator is no different. However, the crime scene alone may be insufficient to reconstruct what happened. It’s like walking into the kitchen and finding eggs on the ceiling and ketchup on the walls. It may be impossible to know exactly how they got there.
  • Security event logs are like asking the neighbors if they heard anything. Not every crime will register a security event, and security events may have many possible causes. But it’s yet another clue. If the neighbors heard the kids laughing and shouting, the mess in the kitchen may be from a game rather than a crime.
  • Audit logs are like having a recording from a security camera. Those were not available at Sherlock’s time but are ideal today. If you had a security camera in the kitchen when the eggs ended up on the ceiling, there would be no question about what happened.

High-quality evidence might mean you don’t need Sherlock Holmes at all. That is where preparation will save time and money.

Reactive Forensics Auditing

Auditing, also known as Activity Monitoring, records what happens in information systems. It is like a security camera and is critical for many security functions, including reactive forensics. With a sufficient audit trail, forensic investigations are short and precise – there’s no question about what happened.

The challenge in IT is that information systems process an immense volume of activity. That means that there’s a lot of activity to capture and store.

Capturing activity may impact performance, so there are three capture paradigms: capture only login information, selective activity capture, or full capture of everything that happened. Login capture will only tell you who logged in but not what they did. Selective activity capture will capture a subset of the activity, like privileged activity. Full capture will capture everything but requires a technology that can do that without impacting performance.

There are also two storage paradigms: selective storage of activity based on user-defined rules or full recording of everything that happened. Full recording requires a repository technology capable of recording such evidence with a small storage footprint.
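To make the capture paradigms concrete, here is an added example (not Core Audit’s or Blue Core Research’s code) that runs one constructed session through the three capture policies and shows which investigator questions each resulting trail can still answer. The event format, policy names, and sample activity are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class AuditEvent:
    ts: str        # timestamp of the event
    user: str
    session: str
    kind: str      # "login", "logout", "read", "write" or "privileged"
    detail: str

# Constructed sample session (not real data): a user logs in, reads a table,
# escalates privileges, modifies data, and logs out.
SAMPLE_ACTIVITY = [
    AuditEvent("2024-01-01T09:00:00", "alice", "s1", "login", "from 10.0.0.5"),
    AuditEvent("2024-01-01T09:01:10", "alice", "s1", "read", "SELECT * FROM customers"),
    AuditEvent("2024-01-01T09:02:30", "alice", "s1", "privileged", "GRANT DBA TO alice"),
    AuditEvent("2024-01-01T09:03:00", "alice", "s1", "write", "UPDATE customers SET email=..."),
    AuditEvent("2024-01-01T09:05:00", "alice", "s1", "logout", ""),
]

# The three capture paradigms from the text, expressed as predicates that
# decide which events make it into the audit trail (names are assumptions).
CAPTURE_POLICIES: dict[str, Callable[[AuditEvent], bool]] = {
    "login_only": lambda e: e.kind in ("login", "logout"),
    "selective": lambda e: e.kind in ("login", "logout", "privileged"),
    "full": lambda e: True,
}

def capture(events: list[AuditEvent], policy: str) -> list[AuditEvent]:
    """Apply a capture policy and return the resulting audit trail."""
    keep = CAPTURE_POLICIES[policy]
    return [e for e in events if keep(e)]

def forensic_answers(trail: list[AuditEvent], session: str) -> dict:
    """Answer the investigator's questions (who, when, what) from the trail
    alone. Anything the trail did not capture is simply absent, which is
    exactly what an investigator faces after a real incident."""
    evs = [e for e in trail if e.session == session]
    login = next((e for e in evs if e.kind == "login"), None)
    return {
        "who": login.user if login else None,
        "when": login.ts if login else None,
        "privileged_actions": [e.detail for e in evs if e.kind == "privileged"],
        "data_access": [e.detail for e in evs if e.kind in ("read", "write")],
    }

if __name__ == "__main__":
    for policy in CAPTURE_POLICIES:
        print(policy, forensic_answers(capture(SAMPLE_ACTIVITY, policy), "s1"))
```

Only the full trail reveals that customer data was read and modified; the selective trail shows the privilege grant but not what was done with it, and the login-only trail shows nothing beyond who was connected and when.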

Core Audit comes with Full Capture that gives 100% visibility at less than 3% overhead and two repositories: a compliance repository that records based on rules and a security repository that records everything that happened.

When a security incident occurs, reactive forensics comes into play to analyze what happened. Without an audit trail, the investigation often concludes that it is impossible to tell what transpired. In that case, you must assume the worst: that the attackers compromised everything.

Reaction Plan

There are many ways to react to a security event. Thinking about it beforehand will save precious time. Here are some key aspects to consider:

  • Was there an Attack? Just as Sherlock sometimes surmised no one committed any crime, not every security event is a successful attack. Security events are suspicious indications that could be a data breach, a failed attack, or nothing. Reaching quick conclusions about the nature of a security event is vital and may depend on the immediate evidence available to you.
  • Reacting to the Attack. One of the most time-sensitive activities is attack reaction. The reaction aims to prevent further data loss and possibly learn more about the attacker. You have multiple reaction options, such as disconnecting breached systems, honeypots, etc. It is wise to plan what reaction you will take under what circumstances and ensure you have everything ready. Remember that your reactions may also affect the evidence available to the ensuing forensic investigation.
  • Determine the Scope. When Holmes inspected the environment, it often extended beyond the room or the official crime scene. He would find critical footprints or clues in the most unlikely of places. A forensics investigation examines which systems were involved, reconstructing the path and the timeline of the attack.
  • Securing Evidence. Just as detectives secure the crime scene to avoid contamination of evidence, security analysts must isolate and preserve affected systems so that the evidence on them survives. That evidence may include files, event logs, activity logs, or the whole hard drive.
  • Closing the Security Holes. Sherlock discovered how the criminal entered and exited the scene. Similarly, reactive forensics aims to identify the vulnerabilities exploited in the attack. The sooner we can do that, the quicker we can close the security holes and prevent additional similar attacks.
  • Returning to Normal. After solving the case, Holmes restored order. We must also restore data, bring systems back online, and bring operations back to normal. Downtime affects the business, so quick recovery is essential. However, getting back to normal may require concluding the investigation or, at the very least, ensuring all the security holes were identified and closed.

Many actions are time-sensitive, critical to security, and crucial to the business. It is advisable to deliberate these decisions in advance, keeping in mind that quickly knowing what happened makes everything easier.

Final Thoughts

Reactive forensics is inevitable because, sooner or later, you’ll have a security event requiring an investigation. Preparation is key and is the difference between a quick and easy resolution and a prolonged and costly outcome. Don’t wait for a breach only to find you don’t know what to do, have no data, and no way to figure out what happened. Ensure you have sufficient information and can quickly react when the time comes. Core Audit will let you do that, so contact us today to learn more.
