Forensic Investigation Analysis

Forensic Investigation

Consider a case in which an incident response team arrived at a client site and discovered that an employee’s machine was infected with malware that was sending out emails to everyone in the victim’s address book. In situations like these, the usual response is to start a traditional forensic investigation in which investigators pore over the infected machine for malicious code samples. Specialists then place the potentially malicious code in a protected sandbox environment, observe it in action, and reverse-engineer it when needed to determine its capabilities. Such a process can take days or longer, depending on the complexity of the malicious code.

In this case the incident response team took a much faster and more effective approach. The team captured the unique “signature” of the malware by applying a hash function to a sample of the infected code, and then looked that signature up in a threat intelligence platform. They quickly found a match, and learned from the platform how the malware works and what its capabilities are. This revealed that, after installing itself on the victim’s machine, the malware spreads itself by sending emails to other users taken from the sender’s address book. The platform also showed that the malware had remote-control and key-logging functionality, and provided information on how to confirm the diagnosis and remove the malware. The response team then checked for the other indicators of compromise on the machines within that organization and identified more machines infected with the same malware. Within a short period, the incident response team had cleaned up the infected computers throughout the organization.


Moreover, the threat intelligence platform offered a broader view of the attack. The malware belonged to a known malware family and was part of a wider campaign that could be attributed to a foreign group whose activities were being widely followed in the intelligence community. Using this knowledge, the incident response team was also able to inform the customer that this attack had not targeted them alone but was part of a wider campaign.


Forensic investigation has a highly important role in cyber defense, especially when new types of attack and code samples are discovered. Yet it is a significant waste of time and resources to perform forensic analysis on code samples that have already been detected, analyzed, and distributed among cyber defense sharing communities. Incident response that draws upon threat intelligence delivers the fastest and most effective method of neutralizing a threat and finding other instances of it within the environment. Furthermore, by using threat intelligence to identify an adversary’s other modes of attack, an incident response team can do a more thorough job of protecting the organization.

Types of Computer Forensic Tools

  • Digital Forensics: Forensic techniques are used for retrieving evidence from computers. These techniques include identification of information, preservation, recovery, and investigation in line with digital forensic standards.
  • Mobile Device Forensics: Mobile device forensics refers to that branch of digital forensics that involves evidence found on mobile devices. These include personal digital assistants (PDAs), mobile phones, and tablets – basically, any computing device that has communication capabilities besides being portable. This branch of forensics suddenly gained popularity with smartphones, making it one of the most recent divisions of digital forensics.
  • Software Forensics: Software forensics determines whether software has been stolen. This is performed by analyzing and comparing source code, and then detecting any possible correlation. Over the past few years, software forensics has been used in several high-profile intellectual property (IP) litigations.
  • Memory Forensics: When sophisticated attacks occur, data existing in the hard drive could either be permanently erased or no data is left on the hard drive, leaving almost no evidence for a forensic investigation. Memory forensics is the process of searching for possible artefacts in the computer’s memory (RAM).


Organizational Scenarios Using Threat Intelligence

Discussed below are some of the organizational scenarios where threat intelligence is implemented:

Scenario: Understanding the Modus Operandi of an Attacker

Challenge

A company executive received an email, purportedly from the recipient’s mother, containing a suspicious attachment.


The email was detected as fraudulent and forwarded to the incident response team. The incident response team (IRT) performed a detailed analysis of the email, the attachment, and the infected payload that was part of the attachment. This analysis yielded several data points: the subject line of the email, the filename of the attachment (an MS Word document), the IP address that was used to send the email, the domain name that was used as the “from” address, the intended behaviour of the payload (e.g., an attempted outgoing connection to an IP address or domain), and the unique hash of the payload.

The incident response team then fed these data points into the threat intelligence platform, which returned information about a known threat actor whose preferred attack method was to send “spear-phishing” emails to targets. The threat actor’s modus operandi was to send infected attachments under different filenames. The platform also stored the other filenames that had been seen in previous attacks by the same threat actor.

Given that intelligence, the incident response team searched the email logs for those suspicious filenames. In doing so, they identified other “spear-phishing” emails sent to other employees, that is, other company executives who might have opened an attachment from the same threat actor. The team investigated the machines of the employees who had received the emails with the other filenames, but found no traces that those emails had been opened.
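An added Python example (not from the article) showing the two pivots described above: hashing a captured payload to look it up against a threat-intelligence record, as in the first case, and then sweeping mail-gateway logs for the actor’s other known attachment names and sender domains, as in the spear-phishing scenario. The intel record, the key=value log format and every value in it are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed threat-intelligence record for a hypothetical actor (all values made up).
THREAT_INTEL = {
    "actor": "EXAMPLE-ACTOR",
    "attachment_names": {"invoice_q3.doc", "family_photos.doc", "agenda.doc"},
    "sender_domains": {"example-bad-domain.test"},
    "payload_sha256": {hashlib.sha256(b"constructed malicious payload").hexdigest()},
}

def payload_hash(data: bytes) -> str:
    """The 'signature' of an attachment: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()

def is_known_payload(data: bytes) -> bool:
    """Match the captured sample against hashes the intel platform already knows."""
    return payload_hash(data) in THREAT_INTEL["payload_sha256"]

# Constructed mail-gateway log in a simple key=value format (an assumption, not a real product's).
MAIL_LOG = """\
ts=2024-05-01T08:02:11Z from=mother@example-bad-domain.test to=ceo@corp.test subject="Hi son" attach=family_photos.doc
ts=2024-05-01T08:09:40Z from=billing@supplier.test to=cfo@corp.test subject="Invoice" attach=invoice_may.pdf
ts=2024-05-01T09:15:02Z from=hr@example-bad-domain.test to=cfo@corp.test subject="Agenda" attach=agenda.doc
ts=2024-05-01T09:20:30Z from=news@vendor.test to=cto@corp.test subject="Update" attach=invoice_q3.doc
"""

LINE_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, _, quoted, bare in LINE_RE.findall(line)}

def sweep_mail_log(log: str, intel: dict) -> dict:
    """Return {recipient: [(timestamp, [reasons])]} for messages matching the actor's indicators."""
    hits = defaultdict(list)
    for raw in log.splitlines():
        rec = parse_line(raw)
        reasons = []
        if rec.get("attach") in intel["attachment_names"]:
            reasons.append(f"known attachment name {rec['attach']}")
        domain = rec.get("from", "").rpartition("@")[2]
        if domain in intel["sender_domains"]:
            reasons.append(f"known sender domain {domain}")
        if reasons:
            hits[rec.get("to", "?")].append((rec.get("ts", "?"), reasons))
    return dict(hits)
```

Recipients returned by the sweep are the machines to examine next, as the team did above; a recipient flagged only on filename (no matching sender domain) shows why the filename pivot finds more than the sender-based one alone.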


By using threat intelligence to identify the source of a campaign, the incident response team followed the most direct path to remediation not only for the original email but for other spear-phishing emails from the same adversary. Through this approach, the incident response team avoided the need to conduct an entire company-wide incident response search across the whole network, ultimately reducing cost and saving time.

Forensics is the application of scientific methods to solving a crime. Forensic investigation is the gathering and analysis of all crime-related physical evidence in order to draw conclusions about a suspect. Infosavvy offers training on the forensic investigation module as part of ECIH v2 training and certification by EC-Council at its Bangalore location.

Questions related to this topic

  1. Which of the following can protect email from potential threats?
  2. What are the different threats to emails?
  3. What is a malicious email?
  4. What is Proofpoint threat response?
  5. Explain Forensic Investigation Analysis?


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com
