DFIR: The Importance of Understanding Types of Evidence When Making Decisions

Written by Blogger

October 7, 2025

When learning DFIR skills, there are many sources that teach how to use tools to collect evidence and how to maintain a chain of custody to ensure the integrity of evidence, and many sources that teach the analysis of evidence. But in textbooks, conceptual videos, blogs, and certification programs, you will not often encounter lessons that teach decision making and pivoting during analysis. Being able to make the right decisions in an investigation is essential, especially when one is under a time constraint and does not have access to all of the facts.

This decision could be whether an event needs to be declared and escalated as an incident or whether it is benign. It could be whether there is a policy or regulation violation, which could have a big impact on an employee’s future as well as on the company as a whole. Making responsible decisions is directly related to the types of evidence one has at hand.

The main types of evidence that I will use to emphasize this idea are direct and circumstantial evidence.

  • Direct evidence: Directly proves a fact without needing any inference.
  • Circumstantial evidence: Needs inference and context to connect it to a conclusion.

The best and clearest type of evidence is, obviously, direct evidence. In one of my past roles, I investigated an instance where the company was notified through an EDR alert that malware existed on an employee laptop. The company’s internal SOC declared the alert a benign event, a false positive. However, after analyzing the file’s hash, I was able to find that although the file wasn’t a virus, the program was a tool used to steal software licenses from a very well-known software vendor. Using the direct evidence in this investigation, I was able to prove that there was a policy violation along with a legal violation, and that this needed to be declared as an incident. The direct evidence in this case potentially saved the company thousands of dollars, potentially saved it from being sued in the future and, if nothing else, protected the integrity and reputation of the company.

However, DFIR analysts often deal with circumstantial evidence. In one of my cases, I investigated an instance where an EDR alert fired. The detection behind the alert aimed to catch “ClickFix” or “FileFix” attacks; in this case it was an internet browser spawning rundll32.exe with a command line. The IT manager believed that someone had clicked on something by mistake and that this was certainly a case of malware.

Looking at the timeline of events, the employee inserted a USB drive just before the alert triggered, and the command the EDR flagged as malicious was the one for safely removing hardware, which Windows is expected to call in relation to USB devices. The telemetry also showed the browser “opening” many files within a minute. It was concluded that the browser was likely in focus when the employee inserted the USB drive, that the browser enumerated all the files on the drive, and that at the same time Windows called the rundll32.exe process to safely remove hardware. Because these events occurred so rapidly, the EDR interpreted them as the browser spawning a process (rundll32.exe) that browsers do not normally spawn. So the employee did nothing wrong and there was no malware; this was a case of the EDR interpreting something benign as potentially malicious.
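The timeline reasoning in the case above can be made repeatable: pull the events in a window before the alert and check whether the circumstantial pattern (USB insertion, a burst of file opens by the same browser, a child command line that is the Safely Remove Hardware dialog) is present. The script below is an added example and is not code from the original post or from any EDR product. The telemetry, field names, the 60 second look-back, the burst threshold, and the assumption that the Safely Remove Hardware dialog is recognisable by the `hotplug.dll` token in the rundll32.exe command line are all constructed for this illustration. The output is a triage suggestion with the supporting facts listed, so the analyst can record why the alert was closed or escalated.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry, not taken from the original post or any EDR
# product. Field names are assumptions for this example only.
@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "usb_insert", "file_open" or "process_create"
    process: str   # process that produced the event (for process_create: the parent)
    detail: str    # device id, file path, or child command line

T0 = datetime(2025, 10, 7, 9, 14, 0)

# Case A: the pattern described in the post. A USB drive is inserted, the
# browser in focus enumerates files on the new drive, and Windows raises the
# Safely Remove Hardware dialog through rundll32.exe within the same seconds.
CASE_A = [
    Event(T0 + timedelta(seconds=2), "usb_insert", "System", "USB\\VID_0781&PID_5583"),
] + [
    Event(T0 + timedelta(seconds=3, milliseconds=100 * i), "file_open",
          "chrome.exe", f"E:\\docs\\file{i}.docx")
    for i in range(8)
] + [
    # Assumption: the Safely Remove Hardware dialog is launched via hotplug.dll.
    Event(T0 + timedelta(seconds=5), "process_create", "chrome.exe",
          "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"),
]

# Case B: same parent/child pair, but no USB insertion, no file burst, and a
# DLL loaded from a user-writable path (constructed, deliberately generic).
CASE_B = [
    Event(T0 + timedelta(seconds=1), "file_open", "chrome.exe",
          "C:\\Users\\bob\\Downloads\\index.html"),
    Event(T0 + timedelta(seconds=5), "process_create", "chrome.exe",
          "rundll32.exe C:\\Users\\Public\\x.dll,Start"),
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
LOOKBACK = timedelta(seconds=60)   # assumption: how far back context is gathered
BURST_MIN = 5                      # assumption: file opens that count as enumeration


def find_alerts(events):
    """Return the process_create events a 'browser spawned rundll32' rule fires on."""
    return [e for e in events
            if e.kind == "process_create"
            and e.process.lower() in BROWSERS
            and e.detail.lower().startswith("rundll32.exe")]


def triage(events, alert):
    """Gather circumstantial context around one alert.

    Returns (verdict, reasons). 'context-benign' means the surrounding
    telemetry matches the USB-insertion pattern; 'escalate' means it does
    not and the alert needs a deeper look. The reasons list is what the
    analyst records either way.
    """
    window = [e for e in events
              if alert.ts - LOOKBACK <= e.ts <= alert.ts and e is not alert]
    reasons = []

    usb = [e for e in window if e.kind == "usb_insert"]
    if usb:
        gap = (alert.ts - usb[-1].ts).total_seconds()
        reasons.append(f"USB device inserted {gap:.0f}s before the alert")

    hotplug = "hotplug.dll" in alert.detail.lower()
    if hotplug:
        reasons.append("child command line is the Safely Remove Hardware dialog")
    else:
        reasons.append(f"child command line is not a recognised shell invocation: {alert.detail}")

    opens = [e for e in window if e.kind == "file_open" and e.process == alert.process]
    if len(opens) >= BURST_MIN:
        drives = sorted({e.detail[:2] for e in opens})
        reasons.append(f"{len(opens)} file opens by {alert.process} on {drives} in the window")

    if usb and hotplug and len(opens) >= BURST_MIN:
        return "context-benign", reasons
    return "escalate", reasons


if __name__ == "__main__":
    for name, case in (("Case A", CASE_A), ("Case B", CASE_B)):
        for alert in find_alerts(case):
            verdict, reasons = triage(case, alert)
            print(f"{name}: {verdict}")
            for r in reasons:
                print(f"  - {r}")
```

The three conditions are required together on purpose: a USB insertion alone, or a hotplug command line alone, is weaker context than all three lining up in the same window, which is the point of circumstantial evidence. The verdict is a starting position for the analyst's write-up, not a replacement for it.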

In this second case, the context and circumstantial evidence were important in exonerating the employee and in assuring management that there was no malware or violation of policy, even though no conclusion could be reached beyond doubt. In my next example, I will discuss another case that wasn’t cut and dried, where circumstantial evidence was used to make the correct decision.


This is an example where a file in an employee’s Downloads folder was flagged as malware but was blocked by the EDR, which means there was nothing in quarantine to analyze, which in turn means there was no direct evidence to prove or disprove that the file was malicious. The file’s signature wasn’t enough to decide, and there wasn’t any widely known information online regarding the file. After investigating, no execution events were found, no persistence mechanisms were found, and the employee involved stated that he did not remember downloading anything around the time of the alert. Even though there was no direct evidence proving beyond the shadow of a doubt that nothing malicious had happened, it was concluded that this alert was benign.

You can see from these basic examples that there isn’t always a black-and-white answer when conducting DFIR investigations, especially when dealing only with circumstantial evidence. But when there is direct evidence, as there was in the software theft case, decisions are made in a different manner. The type of evidence directly correlates with decision making. To make the right decisions during investigations, one must understand the type of evidence one is analyzing.
