Analyzing the collected data – digging deep
Analysis of the gathered data is a long and time-intensive process. As network forensic experts, we need to work towards the goals defined for us within the available time frame. In this specific case that we have been discussing, the situation is extremely time critical. Looking at the huge volume of potential evidence available to us, we have to take a call on the triaging process and decide what we wish to focus on first.
One very valuable input that we deduced was that the data had been exfiltrated just over two days before the CEO received the mail. The exfiltration of data by any criminal actually involves a chain of events. The links in this chain, or steps, are listed below:
Reconnaissance
Compromise
Setup of command and control
Data identification, acquisition, and aggregation
Exfiltration
While each of these stages will leave some traces on the victim's systems, the major role of a forensics investigator comes into...