Integrity Blog

Editor’s Note: This post was originally published in January, 2010 and has been updated for freshness, accuracy, and comprehensiveness.
Digital Forensics - Should you do a live analysis of a system while performing a breach investigation?

When I first began dabbling in digital forensics, the year was 1999. At the time it was little more than tepid curiosity for me. It wasn’t but a couple of months before I was thrust into my first “investigation”. The issue turned out to be a non-issue but it sure had us worried. Looking back on my procedure, I still had a lot to learn about digital investigations.

Here we are in 2016 and the practice of digital forensics must continue to change with the advances in technology. We used to think that live analysis of a system was taboo. First rule of thumb was turn it off and write block everything before you attempt to do any discovery. Changes in technology have necessitated a shift in thinking of live acquisitions during a forensic examination. Let’s look at a couple of the scenarios which offer highly compelling arguments for live acquisition.

Commercialization of Localized Encryption

Ten years ago it would have been rare to find a desktop with any sort of local drive or file encryption. Today however, full drive or volume encryption is commonplace. The drive or files to be analyzed may be unencrypted while booted and logged in but will revert to an encrypted state once the system is rebooted. Encryption is the bane of every digital investigators existence. Sure you can get around some of it, but the time and frustration added to your investigation is a reality. (Wouldn’t it be nice if the encryption keys were still loaded in RAM and you could just capture it for future use? JUST KIDDING!)

Use of Volatile Memory for Malware Applications

We used to tweak and tune our machines to scrape together an additional 2 or 3 megabytes in RAM to get an application to run. Attackers typically had to rely on placing some part of their payload on a physical disk to ensure a high rate of success. Today a PC comes with 8, 12 or even 16 gigabytes of RAM, and we have plenty to spare. Attackers have become adept at building small but powerful apps, which are completely memory resident. Shutting down a system may eliminate any evidence that was once there.

Advent of Flash Storage as System’s Primary Storage

Devices often use “blade” type solid state drives (SSD) to replace hard drives. These blade drives use a myriad of connectors, some of which are proprietary. In many cases, you can’t just pull a drive out and stick it in a duplicator. Some of the drives require connectors with special firmware or controllers, which are on the motherboard. Booting to a forensic image on a USB stick may not allow the controller firmware to load correctly, and the drive will not be recognized. Sometimes a live acquisition is the only way to get data.

As you can see, shutting a system down prior to acquisition could cause significant loss of evidence. Our first goal in digital forensics is to preserve evidence. It is equally important to prove what is present as it is to prove what is not present. Rob Lee of SANS once gave a presentation to the ISSA chapter in Des Moines. He explained it well by saying when an EMT shows up at a shooting and the victim is still alive, they don’t worry about contaminating the crime scene when trying to save a life. Their footprints and residual evidence left behind can be identified and explained in the bigger picture. The traces left by our “prodding and poking” of a live system can be tracked and explained once the full forensic detail is laid out.

So the next time you prepare for an investigation, think about this. Would you have a better overall picture of that system’s current state by doing a live analysis and explaining away your tracks, or by shutting it down and doing a more conventional acquisition? And so my dear Watson…what’s your answer?

Quickly discovering and effectively managing a security breach or attack

Build an Incident Response Plan with Integrity

Incident Response

PCI DSS 3.2 Update

If your business stores, processes, or transmits cardholder data, then of course the PCI Data Security Standards (PCI DSS) apply to your cardholder data environment (CDE). PCI DSS version 3.1 was implemented in April 2015, and, according to the PCI Security Standards Council, PCI DSS version 3.2 is being planned for release in the first half of 2016 (instead of late year release as has been typical with past releases).

How will version 3.2 be different than its predecessor version? You can expect changes around four primary items :

  1. Version 3.1 was released with language around the issues with Secure Socket Layer (SSL) and early Transport Layer Security (i.e., TLS 1.0). In December 2015, the Council released an announcement “extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).” In version 3.2, you can expect the standards to reflect the new migration completion date.
  2. Having administrative rights within a system provides privileged accesses and the ability to perform key functions. For this reason, hackers and cyber criminals would love to have those administrative rights. To address security around administrative accesses, PCI DSS version 3.2 will provide additional criteria for further evaluating multi-factor authentication for administrators within a CDE.
  3. Protecting cardholder and payment card information from being viewed by unauthorized persons is important from a physical security perspective. Many businesses have a brick-and-mortar presence, with customers who could potentially see credit/debit card information as it is entered, such as if a small business is using a virtual terminal and manually entering information. Version 3.2 will clarify the criteria for masking primary account numbers (PANs) when displayed.
  4. PCI DSS version 3.2 will incorporate some of the Designated Entities Supplemental Validation (DESV) criteria for service providers. Just what is DESV? Payment brands or acquirers may designate certain organizations as having an environment or history that places that entity at a level of risk high enough to warrant additional (supplemental) validation of existing PCI-DSS requirements. The supplemental validation is used to provide greater assurance that controls are used and maintained effectively on a continuous basis.

Finally, as threats against payment card systems and cardholder environments become more sophisticated, and lessons regarding EMV (EuroPay, MasterCard and Visa) chip cards and their effectiveness in supporting card-present security come to light, you can expect the Council to push out new PCI DSS versions more quickly. Integrity will keep you apprised of developments.

Why Executives should be Included in Email Phishing Training

Email Phishing for Company Executives - Whaling for Dollars

Executives can be very busy people, loaded with responsibilities, tight deadlines, and numerous business decisions to make. Not to mention all those emails to sort and respond to while leading the organization. There are seemingly endless things to work on and complete. Alas, time for information security awareness and training is lacking. “Please let the security and HR teams know that I can’t attend the information security training again this year… I’ll try to make it next year.”

The above may not describe your organization’s executives. However, it describes many organizations and the issues they face. Annual security awareness training is on the schedule, yet there is another business meeting or conflict an executive attends instead. The staff may simply choose to omit executives from the training that other “users” receive. Sometimes, executive’s emails are “out of scope” for phishing testing, whether that testing is performed by a third-party vendor or internal testing resource.

Unfortunately, if executives and other senior leadership are not part of the awareness, training, and phishing testing efforts, the business’ overall information security program will suffer. Let’s face it – if they are not involved, employees will then have reason to ask, “If the executives are not involved or do not care, why should I care?” As a result, a lack of executive participation will undermine security efforts, not to mention diminish effectiveness of awareness and training efforts for the organization’s employees.

Phishing testing can be very effective in lowering security incidents, especially if conducted often enough. This testing needs to apply to everyone across the organization, including executives. Whaling attacks – a form of social engineering/phishing attack targeted at high-profile persons or roles, such as executives, or using their identities – are increasing in scale and sophistication. Therefore, businesses need to ensure executives can detect and identify attacks targeted against them. This makes executive participation in awareness, training, and phishing testing efforts an imperative. In addition, employees need to be aware of whaling as an increasingly common social engineering tactic. For example, an attack may look as though an executive has authorized a money transfer from the business’ account to an external recipient. Is an email from an executive directing a funds transfer legitimate? It may look so, yet be completely fraudulent.

If you do not think this can happen in your organization, think again. Reporting provides some food for thought:

  • In a 2015 international survey, over 50% of participating organizations indicated their executives had been targeted in whaling attacks1
  • One whaling attack against a large commodities trader netted cyber criminals over $17 million2
  • According to the FBI, these types of social engineering attacks illegally netted over $1.2 billion across the global economy during the period October 2013 to August 20153
  • The BusinessWire cited an FBI report indicating another $800 million has been lost by businesses due to whaling in the six months since August 20154

What helps mitigate the risk of falling prey to whaling attacks? Include whaling and other social engineering threats as topics within your risk management discussions. Ensure executives are involved and participate in awareness, training and phishing testing activities… they are increasingly in the sights of cyber criminals, and they are no less susceptible to an attack than anyone else. Do not rely on one-time per year awareness, training, and testing activities. Instead, provide multiple opportunities so that if one event is missed, there are other opportunities to participate. Finally, look at security awareness, training, and testing activities as a part of the business culture. Weave those activities into your business fabric. Incorporate the latest threat intelligence into those activities and risk discussions. By doing the above, your business, and your executives, stand a much better chance of detecting and identifying potential attacks and taking appropriate actions.

1Mimecast press release, 23 December 2015, Mimecast Warns of Heightened Whaling Threat. Available at:
2Russell Hubbard, Omaha World-Herald, 5 February 2015. Article available at:
3FBI Public Service Announcement, I-082715a-PSA. Available at:
4BusinessWire article, 1 March 2016. Available at:
Get our blog posts delivered to your inbox: