TDI used industry-standard forensic data collection methodologies to investigate and assess a recent cyber security incident for WebMD. We followed a strict set of procedures that addressed security, authenticity, and chain-of-custody of the original media. TDI conducted assessments to perform forensic analyses. We supported our efforts through the use of Tripwire to establish an incorruptible "chain of evidence." We also used Tripwire to help create a "post-attack" database. We used AFind to list files by their last access time without tampering with the data, HFind to scan disks for hidden files, and SFind to scan media for hidden data streams. As with any cyber security incident, the exact arsenal of tools depended very much on this particular situation and its unique requirements. In this case, TDI used EnCase, BadCopy Pro, File Scavenger, and OfficeRecovery to help either recover files or reveal incongruous activity. For e-mails, programs such as Search and Recover were leveraged.
TDI was able to help WebMD locate and recover previously inaccessible documents, files, and e-mails through computer forensic processes. This involved search, identification, restoration, and backup.
At the end of our forensic effort, TDI summarized its activities in written reports about the data collected and produced to support the case. Throughout our work, we maintained a detailed account of our forensic analysis activities as well as the results of each action. Ultimately, TDI's efforts provided WebMD with the key analysis and data to help them successfully address the incident and develop enhanced policies and procedures to mitigate the risk in the future.