Forensic Analysis Research
Timeline analysis is an integral component of digital forensic analysis in both the private and public sectors. Lin (2018) explains that this process is primarily tailored to collect and analyze event data in order to establish what took place on a file system, and when, for forensic purposes. Understanding it will help track down a recent incident in which attackers used RDP to brute-force a Domain Administrator account. They then used Tor on a Domain Controller to execute a Meterpreter reverse shell and an RDP proxy. In the quest to determine the Indicators of Compromise (IOCs), this paper explores the importance of timeline creation and analysis, its contribution to the analysis of Tactics, Techniques, and Procedures (TTPs), and how TTPs help identify bad actors.
Significance of Timeline Creation and Analysis
Timeline creation and analysis are significant to incident response and forensic analysis in the modern era of relentless cyberattacks. Their role is to present a list of events in a specific order within a given timeframe. This approach makes it convenient for IT experts to draw quick and easy inferences about a particular situation. MailXaminer (2020) highlights different timeline models, chosen according to the type of context, including number timelines, text timelines, and graphical timelines. Each model offers a unique view of the data, and collectively they help track down the actual events that happened in the past. Most importantly, they help determine the events that happened and help figure out other potential occurrences that could have taken place during a particular time interval.
According to Millers (2020), timeline creation and analysis help narrow the investigation down to digital traces, which in turn present the explicit details crucial for a forensic investigation. Such a detailed view of the evidence, gained through timeline sequencing, smooths critical criminal investigations. At the same time, Rogers (2016) explains that timeline visualization is usually combined with frequency analysis to present a detailed level of evidence. This mechanism helps categorize offenders and the times of the day and week when they are online for further follow-up. It thus becomes practical to develop the behavioral profile detailed later in the document.
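The two paragraphs above describe timeline creation (ordering events from several sources within one timeframe) and the frequency analysis that is layered on top of it. The following script is an added example, not code from the paper or from any of the cited authors. It builds a single UTC-ordered timeline from two constructed log extracts modelled on the incident in the introduction (Windows Security events 4625/4624/4688, and a firewall log), computes the hour-of-day and day-of-week frequency profile that Rogers (2016) pairs with visualization, and flags the brute-force pattern (repeated failed RDP logons followed by a success from the same source). The log formats, the DC's local time zone (UTC-5) and all addresses and timestamps are assumptions constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real system). The Windows Security
# export is in the DC's local time (assumed UTC-5); the firewall log uses epoch
# seconds, which are already UTC. Reconciling mixed clocks is the first step of
# timeline creation, otherwise events from different sources cannot be ordered.
WINSEC_LOG = """\
2023-03-05T23:58:01 4625 Account=administrator Source=203.0.113.7 LogonType=10
2023-03-05T23:58:04 4625 Account=administrator Source=203.0.113.7 LogonType=10
2023-03-05T23:58:09 4625 Account=administrator Source=203.0.113.7 LogonType=10
2023-03-05T23:58:15 4625 Account=administrator Source=203.0.113.7 LogonType=10
2023-03-05T23:58:22 4624 Account=administrator Source=203.0.113.7 LogonType=10
2023-03-06T00:03:40 4688 Account=administrator Process=tor.exe
2023-03-06T00:04:12 4688 Account=administrator Process=powershell.exe
"""
FIREWALL_LOG = """\
1678079100 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=9001 proto=tcp
1678079260 ALLOW src=10.0.0.5 dst=198.51.100.9 dport=9001 proto=tcp
"""
DC_LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption for the sample


def parse_winsec(text, local_tz):
    """Parse 'local-ISO-time EventID key=value ...' lines into UTC-stamped events."""
    events = []
    for line in text.splitlines():
        ts, event_id, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        when = datetime.fromisoformat(ts).replace(tzinfo=local_tz).astimezone(timezone.utc)
        events.append({"ts": when, "origin": "winsec", "event_id": int(event_id), **fields})
    return events


def parse_firewall(text):
    """Parse 'epoch ACTION key=value ...' lines; epoch seconds are already UTC."""
    events = []
    for line in text.splitlines():
        epoch, action, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        events.append({"ts": when, "origin": "firewall", "action": action, **fields})
    return events


def build_timeline(*event_lists):
    """Merge every source into one list ordered by UTC timestamp (the 'timeline')."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def frequency_profile(timeline):
    """Hour-of-day and day-of-week activity counts: when was the actor active?"""
    by_hour = Counter(e["ts"].hour for e in timeline)
    by_weekday = Counter(e["ts"].strftime("%A") for e in timeline)
    return by_hour, by_weekday


def find_bruteforce(timeline, threshold=3, window=timedelta(minutes=5)):
    """Flag a source with >= threshold failed logons (4625) within `window`
    that end in a successful logon (4624): the brute-force-then-success pattern."""
    recent = defaultdict(list)  # source address -> timestamps of recent failures
    hits = []
    for e in timeline:
        if e["origin"] != "winsec":
            continue
        src = e.get("Source")
        if e["event_id"] == 4625:
            recent[src] = [t for t in recent[src] if e["ts"] - t <= window] + [e["ts"]]
        elif e["event_id"] == 4624:
            fails = [t for t in recent[src] if e["ts"] - t <= window]
            if len(fails) >= threshold:
                hits.append({"source": src, "account": e.get("Account"),
                             "logon_type": e.get("LogonType"), "failures": len(fails),
                             "first_failure": fails[0], "success": e["ts"]})
            recent[src].clear()
    return hits


if __name__ == "__main__":
    tl = build_timeline(parse_winsec(WINSEC_LOG, DC_LOCAL_TZ), parse_firewall(FIREWALL_LOG))
    for e in tl:  # the ordered view an analyst reads top to bottom
        print(e["ts"].isoformat(), e["origin"], {k: v for k, v in e.items() if k not in ("ts", "origin")})
    print("by hour:", dict(frequency_profile(tl)[0]))
    print("by weekday:", dict(frequency_profile(tl)[1]))
    print("brute-force hits:", find_bruteforce(tl))
```

Note that the four failures happen at 23:58 on Sunday in the DC's local clock but at 04:58 on Monday in UTC; the frequency profile is only meaningful once every source is expressed in the same zone, which is why normalization happens at parse time rather than at display time. LogonType 10 (RemoteInteractive) is what ties the logons to RDP.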
Timeline Analysis Contribution to TTPs Analysis
Timeline analysis contributes to the analysis of the TTPs used in an attack by reconstructing the actual events to better comprehend the cyberattack lifecycle (Gorecki, 2020). Notably, a tactic describes a behavior at the highest level; a technique describes the same behavior at a more detailed level, while a procedure provides a highly detailed description. Therefore, effective timeline analysis facilitates the comprehension of the methodologies an attacker uses to penetrate a target, which helps fight the attacker. This understanding builds an offender's behavioral profile for detecting potential attacks based on past patterns. In addition, the knowledge helps recognize attacks that are still in their early stages (Azeria, 2017).
Detecting the current vulnerabilities makes it convenient to institute the correct remediation measures. It is imperative to understand the tactics, techniques, and procedures employed by an adversary in order to fight back. Therefore, timeline analysis goes a long way toward guaranteeing that countermeasures are proactively instituted in an organization's blind spots to minimize risk. In addition, timeline analysis within TTP analysis ensures that a company understands what the attackers seek in the organization's infrastructure. As such, timeline analysis is a powerful approach that doubles as a facilitator of TTP analysis. Its potency makes it all the more necessary in large-scale investigations. Though it is nearly impossible to view the procedures used in the reconnaissance stage, the other phases leave trails that can be used to reconstruct events and the times at which they were carried out.
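The two paragraphs above explain the three description levels (tactic, technique, procedure) and how a reconstructed timeline is read through them. The script below is an added example, not code from the paper or the cited authors. It takes an already normalized timeline (constructed here to match the incident in the introduction) and annotates each event with a tactic, a technique and a procedure-level description, then derives the ordered attack chain and the time from first evidence to command-and-control. The technique names use MITRE ATT&CK identifiers, which is this example's choice of vocabulary rather than anything the paper specifies; the hostnames, addresses, timestamps and the rules themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _utc(s):
    """Helper for the constructed sample: ISO string -> aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed, already normalized timeline (UTC) modelled on the described incident.
TIMELINE = [
    {"ts": _utc("2023-03-06T04:58:01"), "kind": "logon_failed", "host": "DC01", "src": "203.0.113.7", "account": "administrator", "logon_type": 10},
    {"ts": _utc("2023-03-06T04:58:04"), "kind": "logon_failed", "host": "DC01", "src": "203.0.113.7", "account": "administrator", "logon_type": 10},
    {"ts": _utc("2023-03-06T04:58:09"), "kind": "logon_failed", "host": "DC01", "src": "203.0.113.7", "account": "administrator", "logon_type": 10},
    {"ts": _utc("2023-03-06T04:58:15"), "kind": "logon_failed", "host": "DC01", "src": "203.0.113.7", "account": "administrator", "logon_type": 10},
    {"ts": _utc("2023-03-06T04:58:22"), "kind": "logon_success", "host": "DC01", "src": "203.0.113.7", "account": "administrator", "logon_type": 10},
    {"ts": _utc("2023-03-06T05:03:40"), "kind": "process_start", "host": "DC01", "account": "administrator", "image": "tor.exe"},
    {"ts": _utc("2023-03-06T05:04:12"), "kind": "process_start", "host": "DC01", "account": "administrator", "image": "powershell.exe"},
    {"ts": _utc("2023-03-06T05:05:00"), "kind": "net_connect", "host": "DC01", "dst": "198.51.100.9", "dport": 9001},
]


def annotate(timeline, threshold=3):
    """Attach a (tactic, technique, procedure) triple to every event that matches
    a known evidence pattern; events without a match get ttp=None.
    Tactic = highest-level behavior, technique = the named method (ATT&CK ID),
    procedure = the concrete detail observed in this incident."""
    failures = defaultdict(int)  # source address -> failed logon count so far
    out = []
    for e in timeline:
        ttp = None
        kind = e["kind"]
        if kind == "logon_failed":
            failures[e["src"]] += 1
            if failures[e["src"]] == threshold:  # label once, when the pattern becomes evident
                ttp = ("Credential Access", "T1110 Brute Force",
                       f"{threshold}+ failed RDP logons for {e['account']} from {e['src']}")
        elif kind == "logon_success" and e.get("logon_type") == 10:  # 10 = RemoteInteractive (RDP)
            how = "after brute force" if failures[e["src"]] >= threshold else "origin of credentials unknown"
            ttp = ("Lateral Movement", "T1021.001 Remote Desktop Protocol",
                   f"interactive RDP logon as {e['account']} from {e['src']} ({how})")
        elif kind == "process_start" and e["image"].lower() == "tor.exe":
            ttp = ("Command and Control", "T1090.003 Multi-hop Proxy",
                   f"Tor client started on {e['host']} by {e['account']}")
        elif kind == "process_start" and e["image"].lower() == "powershell.exe":
            ttp = ("Execution", "T1059.001 PowerShell",
                   f"PowerShell launched on {e['host']} by {e['account']}")
        elif kind == "net_connect" and e.get("dport") == 9001:  # default Tor ORPort
            ttp = ("Command and Control", "T1090.003 Multi-hop Proxy",
                   f"{e['host']} connected to {e['dst']}:{e['dport']}")
        out.append({**e, "ttp": ttp})
    return out


def attack_chain(annotated):
    """Distinct tactics in the order they first appear: the reconstructed lifecycle."""
    chain = []
    for e in annotated:
        if e["ttp"] and e["ttp"][0] not in chain:
            chain.append(e["ttp"][0])
    return chain


def time_to_c2(annotated):
    """Elapsed time from the first event on the timeline to the first C2 evidence."""
    first_c2 = next(e["ts"] for e in annotated if e["ttp"] and e["ttp"][0] == "Command and Control")
    return first_c2 - annotated[0]["ts"]


if __name__ == "__main__":
    ann = annotate(TIMELINE)
    for e in ann:
        if e["ttp"]:
            print(e["ts"].isoformat(), "|", " / ".join(e["ttp"]))
    print("chain:", " -> ".join(attack_chain(ann)))
    print("time to C2:", time_to_c2(ann))
```

The point of the three-level labelling is that each level answers a different question: the tactic sequence is what lets an analyst say which lifecycle stage the attacker had reached, the technique is what can be compared with past incidents to build the behavioral profile, and the procedure string is the IOC-level detail that feeds the countermeasure for that specific blind spot.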
The Role of TTPs in Identifying Bad Actors
TTPs play an irreplaceable role in identifying possible threat actor organizations. They help identify bad actors by mapping evidence of attacker activity to the tactics, techniques, and procedures used in an attack (Gorecki, 2020). Generally, the different approaches used in TTPs have varied impacts, making it convenient to categorize them. The magnitude of the attack and the level of imposed risk reveal more about the nature of the attacker involved. As for the tactics, one can analyze various aspects, such as the methods used in gathering information and the entry points hit in the invaders' effort to gain a foothold on the target infrastructure (Azeria, 2016). The technique determines whether technological or non-technological measures were used, narrowing down the potential attackers. Based on the numbe