

The long answer is that there is no “server”: there are many different servers and pieces of internet infrastructure in question, and the United States intelligence community and independent security researchers have examined much of it and have all reached the same conclusion: Russia hacked the DNC.

It is widely believed that CrowdStrike, the cybersecurity firm the DNC hired to respond to the hack, gave the FBI forensic images of some of the servers, which the experts I have spoken to say would be more useful than handing the FBI a physical server. I say “widely believed” because we don’t know exactly what CrowdStrike gave the FBI. However, in March 2017, former FBI Director James Comey told Congress that the FBI got an “appropriate substitute” from CrowdStrike, and Mueller’s indictment makes clear that the FBI has lots of information about the hack from both within the DNC and from other sources. CrowdStrike declined a request for comment from Motherboard.

I called up Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies, to help explain the technical details behind this type of forensic investigation. Rid, who wrote a detailed explanation of why Russia was likely behind the DNC hack for Motherboard in July 2016, told me that “from a forensic point of view, the question of a server at this stage doesn’t make any sense.”

“To really investigate a high profile intrusion like the DNC hack, you have to look beyond the victim network,” Rid said. “You have to look at the infrastructure, the command and control sites that were used to get in that are not going to be on any server … looking at one server is just one isolated piece of infrastructure.”

Even so, what CrowdStrike gave the FBI is likely better than if the bureau had seized and analyzed a physical box.

“For decades, it has been industry-standard forensic and digital evidence handling practice to conduct analysis on forensic images instead of original evidence.”

“To keep it simple, let’s say there’s only one server. CrowdStrike goes in, makes a complete image including a memory dump of everything that was in the memory of the server at the time, including traffic and connections at the time,” Rid said. “You have that image from the machine live in the network including its memory content, versus a server that someone physically carries into the FBI headquarters. It’s unplugged, so there’s no memory content because it’s powered down. That physical piece of hardware is less valuable for an investigation than the onsite image and data extraction from a machine that is up and running. The idea a physical server would add any value doesn’t make any sense.”

What Rid means is that after a hack, some of the evidence of who did it and how they did it may be fleeting. It may exist only in the server’s memory, the RAM, which is wiped the moment the machine loses power, and never be written to its hard drive. (Hackers use “fileless” malware precisely for this reason.) To preserve evidence in cases like these, incident responders need to make an image, essentially a copy of the server, including the contents of its memory, in that exact state at that exact time, so they can examine it afterwards.
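The image-and-verify workflow described above, as an added example that is not from the article, from Rid or from CrowdStrike: copy a source to an image file while hashing it, re-hash the image as written to disk, record both hashes in a manifest, and re-check the image against that manifest before every analysis session. Capturing live RAM itself needs a dedicated acquisition tool (LiME on Linux, WinPmem on Windows, for instance); this example covers only the copy, hash, record and verify steps that make the resulting image usable as evidence. The file paths, the examiner name and the sample contents are constructed for the demonstration.

```python
"""Forensic image acquisition with integrity verification (added example).

Everything here is hypothetical: the source file stands in for a disk or
memory capture, the examiner name and paths are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: a disk or memory capture can exceed available RAM


def sha256_file(path, chunk=CHUNK):
    """Hash a file from disk in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path, chunk=CHUNK):
    """Copy source_path to image_path, hashing the source as it is read.

    The image is then re-read from disk and hashed independently, so the
    returned image hash reflects the bytes that actually landed on the
    evidence drive, not the bytes we intended to write.
    Returns (source_sha256, image_sha256, bytes_copied).
    """
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the data is on the media before hashing it
    return src_hash.hexdigest(), sha256_file(image_path, chunk), copied


def write_manifest(manifest_path, source, image, src_sha, img_sha, size, examiner):
    """Record what was imaged, when, by whom, and the hashes.

    Analysts work from the image; this record is how they later prove it
    still matches what was taken from the original.
    """
    record = {
        "source": source,
        "image": image,
        "bytes": size,
        "source_sha256": src_sha,
        "image_sha256": img_sha,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, manifest_path, chunk=CHUNK):
    """Before any analysis: confirm the image still hashes to the recorded value.

    A mismatch means the copy can no longer be trusted as evidence.
    """
    with open(manifest_path) as f:
        record = json.load(f)
    return sha256_file(image_path, chunk) == record["image_sha256"]


def demo():
    """End-to-end run on constructed sample data (not real evidence)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "memory.raw")  # stands in for a RAM capture
        image = os.path.join(d, "memory.raw.img")
        manifest = os.path.join(d, "memory.raw.json")
        # Constructed sample contents: a fake process listing plus random filler
        # larger than one chunk, so the chunked loop runs more than once.
        with open(source, "wb") as f:
            f.write(b"PROC 4242 powershell.exe\n" * 1000)
            f.write(os.urandom(CHUNK + 4096))
        src_sha, img_sha, size = acquire_image(source, image)
        write_manifest(manifest, source, image, src_sha, img_sha, size, "examiner-01")
        intact = verify_image(image, manifest)
        # Simulate later tampering: flipping one bit of the image must be caught.
        with open(image, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0x01]))
        still_verifies = verify_image(image, manifest)
    return {
        "source_sha256": src_sha,
        "image_sha256": img_sha,
        "hashes_match": src_sha == img_sha,
        "bytes": size,
        "intact": intact,
        "tamper_detected": not still_verifies,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the image hash is computed from a second read of the written file, not from the buffer that was written, and that verification is repeated from the manifest rather than from a value kept in memory; that is what lets a later examiner, or a court, check that the analyzed image is the one that was acquired.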
