“Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.” – Wikipedia

The Clock is Ticking

Following an incident, the simple question “Who did what?” is one of the most critical, yet most difficult, questions to answer. When an incident occurs, managers want to discover the root cause as soon as possible. Security teams often need to analyze thousands of logs while investigating incidents, which is a time-consuming, resource-intensive exercise. Incidents involving privileged accounts can be more challenging because privileged insiders, and external attackers with hijacked credentials, can delete logs to cover their tracks. This post introduces practices for the forensic investigation of incidents related to privileged accounts.

A Guide to Forensics

The U.S. National Institute of Standards and Technology’s (NIST) “Guide to Integrating Forensic Techniques into Incident Response” defines the following process. As shown in Figure 3-1 of that guide, the forensics process transforms media into evidence, whether the evidence is needed for law enforcement or for an organization’s internal use. The first transformation occurs when collected data is examined: this extracts data from media and transforms it into a format that forensic tools can process. Second, data is transformed into information through analysis. Finally, during the reporting phase, the information produced by the analysis is transformed into evidence. For example, it could be used as evidence to help prosecute a specific individual, or as actionable information to help stop or mitigate a threat.

[Figure: the forensic process]

Going into more detail, the NIST Guide defines the following procedure. The procedure can be supported by advanced forensics tools, which are also referenced below.

1) Identifying data sources

The first step in the forensics process is to identify potential sources of data (evidence).
Security logs, operations logs and remote access logs created on servers, clients, operating systems, databases, and network and security devices are the typical data sources. Configuration files and information in ticketing systems can be used as additional sources. In investigations related to privileged account misuse, session recordings (i.e. replayable audit trails) can be extremely helpful.

2) Acquiring the data

After identifying potential data sources, the analyst needs to acquire the data from the sources. Data acquisition should be performed using a three-step process: developing a plan to acquire the data, acquiring the data, and verifying the integrity of the acquired data.
Log management tools can help here by centrally collecting, filtering, normalizing and storing log data from a wide range of sources. In a privilege-misuse investigation, the audit trails stored by privileged session recording tools should also be included in the data acquisition plan.

a) Verify the integrity of the data
After the data has been acquired, its integrity should be verified. It is particularly important for an analyst to prove that the data has not been tampered with if it might be needed for legal reasons.
Advanced forensics tools protect against tampering by providing encrypted, timestamped and digitally signed data. They can additionally secure sensitive information with granular access policies.
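As an added example (not from the post or any product it mentions), the following Python script hashes each acquired artefact, records an acquisition timestamp in a manifest and seals the manifest with an HMAC, then re-checks the evidence set so that any altered, missing or added artefact is reported. The keyed HMAC seal, the sample evidence and the key are assumptions constructed for the example; a real tool would use an asymmetric signature and a trusted timestamp source.

```python
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # Deterministic serialisation so the seal always covers the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(files: dict, key: bytes, acquired_at: str) -> dict:
    """files maps artefact name -> raw bytes exactly as acquired.
    The HMAC seal stands in for a digital signature (example assumption)."""
    body = {
        "acquired_at": acquired_at,  # timestamp recorded at acquisition time
        "artefacts": {name: sha256_hex(data) for name, data in files.items()},
    }
    seal = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "seal": seal}

def verify_manifest(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means integrity holds."""
    findings = []
    body = manifest["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        findings.append("manifest seal mismatch: manifest itself was altered")
    for name, digest in body["artefacts"].items():
        if name not in files:
            findings.append(f"{name}: artefact missing from evidence set")
        elif sha256_hex(files[name]) != digest:
            findings.append(f"{name}: content hash mismatch")
    for name in files:
        if name not in body["artefacts"]:
            findings.append(f"{name}: not covered by manifest")
    return findings

# Constructed sample evidence set and sealing key (not real data).
EVIDENCE = {
    "auth.log": b"Jan 10 09:12:01 db01 sshd[1234]: Accepted publickey for admin\n",
    "session-42.trail": b"<session recording bytes placeholder>",
}
KEY = b"example-sealing-key"
```

Run `build_manifest` at acquisition time and store the manifest separately from the evidence; `verify_manifest` later returns an empty list only if the manifest, every listed artefact and the set of artefacts are all unchanged.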

3) Examination

After the data has been collected, the analyst needs to examine it, which involves assessing and extracting the relevant pieces of information.
Free-text search capabilities in some forensics tools provide quick navigation to the point in time where the suspicious event occurred. Combining log data with session metadata can accelerate the examination of privileged-account-related incidents.

4) Analysis

Once the relevant information has been extracted, the analyst should analyze the data to draw conclusions from it. The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the available data or determine that no conclusion can yet be drawn.
Privileged user behavior analytics make analysis of privileged activity easier: they alert when a deviation from the norm is detected and show the full context of the suspicious user activity. Replayable audit trails show logins, commands issued, windows viewed and text typed during the session, which is extremely useful information for analysis. You can build a timeline of events from log data and get the context by viewing the session recordings (audit trails).
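As an added example (not the post's own code), here is a small Python timeline builder that parses constructed log lines, orders them chronologically, and tags each event with the recorded privileged session that covered it, so that privileged commands with no recording to give them context stand out as the gaps to examine first. The log format, the session metadata fields and the sample data are assumptions made for this example.

```python
import re
from datetime import datetime

# Assumed log format (constructed for this example): ISO timestamp, host,
# user=<name>, then the free-text message.
LOG_RE = re.compile(r"^(\S+) (\S+) user=(\S+) (.*)$")

def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_log_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts, host, user, msg = m.groups()
    return {"time": parse_time(ts), "host": host, "user": user, "event": msg}

def session_covering(ev: dict, sessions: list):
    """Id of the recorded privileged session active for this user on this
    host at the event's time, or None if no recording covers it."""
    for s in sessions:
        if (s["user"], s["host"]) == (ev["user"], ev["host"]) and \
                parse_time(s["start"]) <= ev["time"] <= parse_time(s["end"]):
            return s["id"]
    return None

def build_timeline(log_lines: list, sessions: list) -> list:
    """Parse, sort chronologically, and tag each event with its session."""
    events = [parse_log_line(l) for l in log_lines if l.strip()]
    events.sort(key=lambda e: e["time"])
    return [dict(e, session=session_covering(e, sessions)) for e in events]

def unrecorded_privileged_events(timeline: list) -> list:
    """Privileged (sudo) events with no session recording to give context."""
    return [e for e in timeline
            if e["event"].startswith("sudo:") and e["session"] is None]

# Constructed sample data: the log lines are deliberately out of order.
LOG_LINES = [
    "2024-01-10T09:40:00Z db01 user=admin sudo: systemctl restart postgresql",
    "2024-01-10T09:12:01Z db01 user=admin sshd: Accepted publickey",
    "2024-01-10T09:15:30Z db01 user=admin sudo: rm -f /var/log/auth.log",
]
SESSIONS = [
    {"id": "sess-42", "user": "admin", "host": "db01",
     "start": "2024-01-10T09:11:50Z", "end": "2024-01-10T09:20:00Z"},
]
```

With the sample data, the login and the log deletion fall inside sess-42 and can be replayed for context, while the later restart has no recording and is returned by `unrecorded_privileged_events`.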

5) Reporting

The final phase is reporting, which is the process of preparing and presenting the information resulting from the analysis phase.
Advanced forensics tools can generate custom reports of user activities.

Best Practices for Forensic Investigations

The infographic below shows a custom set of best practices for managing incidents related to privileged accounts. The graphic focuses on guidelines for companies running integrated security operations, such as a Security Operations Center (SOC) or an integrated SIEM environment.

To learn more, download our white paper on How to Accelerate Your Incident Response with Privileged Access Management.