Beyond Timelines and IOC Matching: An Action Oriented Data Model for Automating Pattern Matching and Analysis in Incident Response Investigations

Digital forensics investigations typically ingest many sources of information, even if all sources come from one computer or even a single hard drive. This is particularly true with security incident response investigations, where the goal is to look into suspicious or anomalous events, determine their cause and assess their consequences. Such investigations typically rely on evidence culled from file systems, various system and user account configuration files, log files, and memory. Anything that stores some record of an event, activity, or configuration change can be a valuable artifact in an incident response investigation, especially if accompanied by a timestamp.

The tedious and exacting task of parsing, extracting, and otherwise transforming disk and memory artifacts into data intelligible to an investigator lends itself well to automation. Many commercial and freely available tools provide some capability to automate forensic evidence processing. Examination of the processed forensics data, however, remains a time-consuming manual task, highly dependent on the skill, experience, and attention of the investigator. To augment and assist the investigator, and thus improve the efficiency and accuracy of security incident response investigations, we have been developing a system that can apply formalized rule sets to forensic data to identify patterns of activity meaningful to incident response investigations. Our goal is to automate forensics analysis for specific types of common security incidents and fact patterns.

Automating forensic analysis presents some interesting challenges. Chief among these, and the problem we will address in our presentation, is how to consolidate and normalize data derived from the wide variety of different artifacts common to forensics investigations—file systems, configuration files, logs, file content, etc. Different types of artifacts provide different facts about a security incident. More importantly, different artifacts have different formats, schemas, and levels of reliability and probative value. While an investigator might readily link facts derived from different artifacts, automated analysis requires data from different artifacts to be more formally described.

We will present the data model that we have been developing to normalize and aggregate forensics data from different artifacts into a unified compilation amenable to logical analysis. We describe our approach, which we call Action-Based Forensics Facts (or simply “Action Facts”), and explain our basic methodology for consolidating and normalizing data from different forensics artifacts or sources. We will then explain how logical rules can be applied to the Action Facts data model to identify fact patterns of forensic significance to various security incident response scenarios. Finally, we show how we are currently using the Action Facts model in combination with formalized logical rules to automate analysis around brute force activity.
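As an added illustration (not the authors' code), the sketch below shows the shape of the approach described above: a hypothetical Action Fact record, two normalizers that fold constructed lines from two differently formatted artifacts into it, and one rule over the normalized facts for the brute-force pattern. The field names, the log formats and the failure threshold are this example's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ActionFact:
    """Hypothetical Action Fact record; field names are this example's assumptions."""
    when: datetime   # when the action happened
    actor: str       # who/what performed it (here: the remote address)
    action: str      # normalized verb, e.g. "logon"
    target: str      # what it acted on (here: the account)
    outcome: str     # "success" or "failure"
    source: str      # artifact the fact came from, for reliability tracking

# Constructed sample data mimicking two artifacts with different formats.
AUTH_LOG = """Apr 23 11:30:01 host sshd[101]: Failed password for root from 10.0.0.5 port 4001 ssh2
Apr 23 11:30:02 host sshd[102]: Failed password for root from 10.0.0.5 port 4002 ssh2
Apr 23 11:30:03 host sshd[103]: Failed password for root from 10.0.0.5 port 4003 ssh2
Apr 23 11:30:04 host sshd[104]: Accepted password for root from 10.0.0.5 port 4004 ssh2"""
EVENT_CSV = "2020-04-23T11:30:05,4625,alice,10.0.0.9"  # time,event id,account,source

def from_auth_log(text, year=2020):
    pat = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
    for m in filter(None, map(pat.match, text.splitlines())):
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ActionFact(when, m.group(4), "logon", m.group(3),
                         "success" if m.group(2) == "Accepted" else "failure", "auth.log")

def from_event_csv(text):
    for line in text.splitlines():
        ts, eid, account, src = line.split(",")
        yield ActionFact(datetime.fromisoformat(ts), src, "logon", account,
                         "success" if eid == "4624" else "failure", "security.evtx")

def brute_force_rule(facts, min_failures=3):
    """Rule: at least min_failures failed logons from one actor against one
    target, then a successful logon for the same pair. Returns matching pairs."""
    failures, hits = {}, []
    for f in sorted((f for f in facts if f.action == "logon"), key=lambda f: f.when):
        key = (f.actor, f.target)
        if f.outcome == "failure":
            failures[key] = failures.get(key, 0) + 1
        elif failures.get(key, 0) >= min_failures:
            hits.append(key)
    return hits

def all_facts():
    return list(from_auth_log(AUTH_LOG)) + list(from_event_csv(EVENT_CSV))
```

Because both normalizers emit the same record, the rule never needs to know which artifact a fact came from, which is the point of normalizing before matching.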

Location: Track 2
Date: April 23, 2020
Time: 11:30 am - 12:30 pm
Speakers: Troy Larson, Svetlana Gaivoronski