Have you ever tried to finish a jigsaw puzzle with a lot of the pieces missing? That is what the first hours of a data breach investigation feel like. After working a few cases, there is nothing better than finally figuring out what happened, and three techniques make that much easier: memory dumps, log replay and timeline analysis. Here is how I would explain each of them in more detail.
Memory Dump: Visualization of System Processes
When I start an investigation, I begin with a memory dump, because it captures what the machine was doing at the moment the image was taken. Memory is volatile, so the image has to be acquired early, before the host is rebooted, powered off or "cleaned up"; once it is gone, this evidence is gone with it. A memory dump will reveal:
- The processes that were running, including each one's parent process
- Active network connections and the process that owned each one
- Malware living only in memory, such as injected or unpacked code that never touched disk
- Commands the attacker executed, recovered from console and shell history buffers
Log Replay: Reviewing the Attack Step-by-Step
Once the memory image is safely in hand, I begin log replay. I like to think of it as rewinding your favorite movie to watch a scene all over again. Log replay allows you to:
- Reassemble events from every source in chronological order (normalize every timestamp to one time zone first, or the order will be wrong)
- Identify questionable authentication attempts, such as a burst of failures followed by a success
- Follow potentially malicious IP addresses across authentication, web server and firewall logs
- Discover how they obtained access
Timeline Analysis: Putting all of the information together
Next comes timeline analysis, my favorite part. At this step everything is woven together, like assembling the puzzle. Timeline analysis gets you to:
- Understand how the memory data correlates with
  - Log data
  - Network traffic
  - File activity
  - User activity
For every event on the timeline I keep asking the same question: "Does this look normal?"
If it does not, I dig into that piece of information deeper: a web server that spawns a command shell, a service account logging in from an address it has never used, a file appearing in a directory minutes after a suspicious logon. This is where the complete story develops and makes sense: how it started, how it spread, and which controls failed along the way.
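As an added example (not code from the original post), the log-replay and timeline steps above carried out on constructed data: a process list and socket table shaped like what a memory-analysis tool such as Volatility's pslist and netscan plugins report, plus a few made-up key=value log lines for authentication and file activity. Everything is merged into one UTC-ordered timeline, and a handful of "does this look normal?" rules are then run across the combined sources. The log format, field names, process names and thresholds are all assumptions for illustration.

```python
"""Added example: merge constructed memory, authentication-log and file-log
artifacts into one UTC timeline, then apply cross-source sanity checks.
All data below is constructed for illustration, not real evidence."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Process list as a memory tool (pslist-style) reports it:
# (pid, ppid, image name, create time in UTC).  Constructed values.
MEMORY_PROCESSES = [
    (4, 0, "System", "2024-03-10T08:00:00Z"),
    (620, 4, "services.exe", "2024-03-10T08:00:05Z"),
    (3044, 620, "w3wp.exe", "2024-03-10T08:02:00Z"),       # IIS worker process
    (5120, 3044, "cmd.exe", "2024-03-10T14:32:10Z"),       # child of the IIS worker
    (5136, 5120, "powershell.exe", "2024-03-10T14:32:12Z"),
]
# Sockets found in memory (netscan-style): (pid, local, remote).  Constructed.
MEMORY_CONNECTIONS = [
    (3044, "10.0.0.5:443", "203.0.113.7:51922"),
    (5136, "10.0.0.5:49812", "198.51.100.23:4444"),
]
# Constructed key=value log lines; the first token is an ISO-8601 UTC timestamp.
AUTH_LOG = """\
2024-03-10T14:30:01Z host=web01 event=logon_failed user=svc_backup src=203.0.113.7
2024-03-10T14:30:03Z host=web01 event=logon_failed user=svc_backup src=203.0.113.7
2024-03-10T14:30:04Z host=web01 event=logon_failed user=svc_backup src=203.0.113.7
2024-03-10T14:31:55Z host=web01 event=logon_success user=svc_backup src=203.0.113.7
2024-03-10T09:15:00Z host=web01 event=logon_success user=alice src=10.0.0.40
"""
FILE_LOG = """\
2024-03-10T14:33:00Z host=web01 event=file_created path=C:\\inetpub\\wwwroot\\up.aspx
"""

WEB_SERVERS = {"w3wp.exe", "httpd", "nginx"}           # assumed names
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
WEB_PORTS = {80, 443}


def parse_ts(text):
    """Normalise every source to timezone-aware UTC before ordering."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_kv_log(text, source):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"time": parse_ts(ts), "source": source, **fields})
    return events


def memory_events():
    return [{"time": parse_ts(created), "source": "memory", "event": "process",
             "pid": pid, "ppid": ppid, "name": name}
            for pid, ppid, name, created in MEMORY_PROCESSES]


def build_timeline():
    """The log-replay step: one list, every source, ordered by time."""
    events = memory_events() + parse_kv_log(AUTH_LOG, "auth") + parse_kv_log(FILE_LOG, "file")
    return sorted(events, key=lambda e: e["time"])


def find_anomalies(timeline):
    """Cross-source checks; returns (time, description) pairs sorted by time."""
    findings = []
    procs = {e["pid"]: e for e in timeline if e.get("event") == "process"}

    # Rule 1: a web server process spawning a shell (classic web-shell sign).
    shell_spawns = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and parent["name"] in WEB_SERVERS and p["name"] in SHELLS:
            shell_spawns.append(p["time"])
            findings.append((p["time"], f"{parent['name']} pid {parent['pid']} spawned {p['name']} pid {p['pid']}"))

    # Rule 2: a shell holding a socket to a non-web port.  A memory image carries
    # no timestamp for the socket, so the owning process's create time is used
    # as the earliest possible time of the connection.
    for pid, local, remote in MEMORY_CONNECTIONS:
        port = int(remote.rsplit(":", 1)[1])
        p = procs.get(pid)
        if p and p["name"] in SHELLS and port not in WEB_PORTS:
            findings.append((p["time"], f"{p['name']} pid {pid} connected {local} -> {remote}"))

    # Rule 3: three or more failed logons for the same user and source within
    # ten minutes before a success from that source (assumed threshold).
    fails = defaultdict(list)
    for e in timeline:
        if e["source"] != "auth":
            continue
        key = (e["user"], e["src"])
        if e["event"] == "logon_failed":
            fails[key].append(e["time"])
        elif e["event"] == "logon_success":
            recent = [t for t in fails[key] if e["time"] - t <= timedelta(minutes=10)]
            if len(recent) >= 3:
                findings.append((e["time"], f"{len(recent)} failures then success for {key[0]} from {key[1]}"))

    # Rule 4: a file written under the web root within 30 minutes after a
    # web-server-spawned shell (memory data correlated with file activity).
    for e in timeline:
        if e["source"] == "file" and "wwwroot" in e["path"].lower() and any(
                t <= e["time"] <= t + timedelta(minutes=30) for t in shell_spawns):
            findings.append((e["time"], f"{e['path']} created after shell spawn"))

    return sorted(findings)


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e["time"].isoformat(), e["source"], {k: v for k, v in e.items() if k not in ("time", "source")})
    for t, msg in find_anomalies(tl):
        print("FLAG", t.isoformat(), msg)
```

On this input the four flags line up into the story the section describes: a password-guessing burst against svc_backup from 203.0.113.7, a shell spawned by the IIS worker about a minute later, that shell's PowerShell child holding a socket to port 4444, and a new .aspx file in the web root shortly after. None of the four sources tells that story on its own; the ordering does.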
Why These Three Tools Work Together Well
Using memory dump, log replay, and timeline analysis together gives full visibility and a comprehensive understanding of the attack. You will:
- Be able to understand what happened,
- Be able to understand how it happened,
- Know which accounts, hosts and addresses were involved (pinning it on a specific actor usually takes more than these three sources), and
- Understand how to prevent it in the future.
Conclusion
I tell my friends in cybersecurity, "Don't panic, track the attack." These techniques turn a frightening venture into a manageable task. And once you learn and practice them, you will feel much more assured and will find breaches a much simpler investigation.
Who knows, you may someday be the one that solves the big breach.