
Digital forensics: The science behind 'who done it'

Forensics comes from the Latin word "forens" -- "belonging to the public". Michael Kassner decided to find out what that means in the digital world.

After a recent talk with students, someone asked me about digital forensics. It was not the subject of my talk, and I stumbled badly attempting to answer. After a bit of soul-searching the next day, I realized how little I knew about digital forensics. While contemplating that, I checked my email.

What luck. There was my answer, "A Fistful of Dongles". That's Eric Huber's newsletter. He knows all about digital forensics:

  • Internationally-recognized in the field of cyber investigation, information assurance, and incident response.
  • Respected author and speaker on digital forensics.
  • Instructor for the SANS Institute providing cyber-investigation support to individuals, corporations, and governments.

Eric also belongs to the following professional organizations: The American Academy of Forensic Sciences, FBI Infragard, and IEEE. He is on the board of directors for the Consortium of Digital Forensics Specialists and named the 2010 Person of the Year by the Northeast Chapter of the High Technology Crime Investigation Association.

See what I mean?

Now all I have to do is get him to explain digital forensics to a rookie. Fortunately, he was willing.

Kassner: According to Wikipedia, digital forensics is a branch of science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. How would you define digital forensics?

Huber: Digital forensics is a convergence of law and technology. But, there's quite a bit of digital-forensic activity in the incident response and intelligence world that does not involve the legal system. You will find many definitions for digital forensics. My definition is simple: Digital forensics is the collection, examination, and reporting of digital evidence.

Kassner: I was under the impression that digital forensics was solely used for criminal investigations. Are you referring to eDiscovery or Electronic Discovery?

Huber: Traditional digital forensics involves a digital-forensic examiner first collecting and examining digital evidence. Then, the examiner issues a report that answers questions related to the criminal investigation or an intelligence-gathering task.

eDiscovery is slightly different. eDiscovery specialists collect and process information, more or less getting it ready for review. They are not tasked with answering investigative questions. That's the job of the attorneys.

eDiscovery can be challenging, fulfilling work for people who like dealing with vast amounts of data and complexity. However, it can be a disappointment to people who think they will be doing actual investigative work.

For people who want to put bad guys in jail, I recommend sticking to traditional digital forensics.

Kassner: You mentioned first being a law-enforcement officer. How did you end up a digital-forensics expert?

Huber: I began as a patrol officer for a police department. Early on, I became interested in the technical side of investigation - that meant making a decision. Stay in law enforcement, hoping someday, I would land a digital-forensics position; or accelerate the process by going private?

I took a chance and went private, joining a newly-formed consulting firm specializing in both digital forensics and eDiscovery. That turned out to be a great decision. Currently, I am an information-security investigator and team leader for a large corporation.

Kassner: When someone interested in digital forensics comes to you looking for advice, what do you tell them?

Huber: I tell them, if they are interested in putting bad guys in jail, they should consider a career in law enforcement. However, I will also warn them. Even with a degree in digital forensics, it's rare to get hired directly into a digital-forensics position.

State and local law-enforcement agencies generally require street time, like pushing a black and white squad car around. After that, an officer can apply for a specialized role. Federal law-enforcement agencies can be more flexible in this respect. So, if that is a consideration, talk to recruiters from agencies such as the FBI, Secret Service, and US Postal-Inspection Service to learn how their respective career paths work.

For those not interested in law enforcement, I recommend they start in the consulting world. It's a demanding lifestyle, but rewarding, particularly for entry-level digital-forensics examiners.

Kassner: It seems many of the skills required by digital-forensics experts would be helpful to IT administrators. Do you agree?

Huber: Some of the qualities I look for in a digital-forensics examiner are attention to detail, tenacity, a passion for technology, and insatiable curiosity. These are excellent qualities for anyone involved with Information Technology.

The reverse is true as well. System and network administration work can be a great way to prepare for a career in digital forensics. I tell people already in these roles and interested in digital forensics, to sharpen their skills and get more involved in information security and digital forensics.

Kassner: Are there any forensic tools or software that would be useful to IT professionals in the corporate world?

Huber: There are. Tools range from expensive enterprise-grade network-forensic tools to free open-source tools such as SANS SIFT Workstation. And the availability of free and low-cost tools particularly excites me. It allows people to learn about digital forensics hands on.

Kassner: Let's say, I -- as a systems administrator -- suspect that something illegal has happened. What should I do?

Huber: Stop, drop, and roll. If you, as a system administrator, suspect unlawful activity, immediately engage your legal and information-security departments.

One of the biggest mistakes someone can make is diving into a digital-forensics exam without the proper background or authority to do so. What a system administrator can and should do is detect unlawful behavior. Once they have determined something criminal may have happened, it's time to get help.

Kassner: Under what circumstances would it be advisable for a private enterprise to hire a digital-forensics expert?

Huber: You should hire an expert whenever your project requires the proper collection, analysis, and reporting of digital evidence. That sounds like a stock answer, but what digital-forensics people do is complicated.

You don't want to go into a courtroom setting for a criminal case or an employment action and have the opponent's expert who will rip your unprofessional efforts apart. If you have any doubt, call an expert.

Kassner: A company wants to hire a digital-forensics expert. What considerations should be looked at?

Huber: Experience and training can be two of the best indicators you are dealing with someone who knows what they're doing. Certifications can provide some assistance in determining minimum competency, but I've run across certified people I wouldn't hire.

Finding a qualified expert requires reviewing their background in its entirety. Experience is the most important indicator, then look at education, additional training, if published, and held certifications. The more experience someone has in law enforcement and digital-forensics consulting, the better.

I also feel it's important to look for those experienced in situations similar to the one that occurred to the company. For example, someone who has spent their career chasing child pornographers might be perfect for a case dealing with inappropriate use of corporate resources, but very unsuited for incident-response work.

Kassner: Sorry. I have to ask. Why is your blog called, "A Fistful of Dongles"?

Huber: In digital forensics, USB dongles (thumb drives) are used to authorize programs. After a decade of doing this work, it's to the point where my team has a ton of them.

I once joked, if I wrote a book about digital forensics, I'd call it "A Fistful of Dongles", based on the classic Clint Eastwood western titled "A Fistful of Dollars". When I first created my blog, I used a stunningly-uncreative title, "Eric Huber's Digital Forensics Blog". I decided that would not do. So, I rolled out the "A Fistful of Dongles" moniker.

An explanation

I wanted this article to delve much further into the deep, dark secrets of digital forensics. I peppered Eric with several pointed questions -- no luck, though. Eric mentioned he answered the ones he could, but respectfully declined to answer others due to the sensitive nature of his work. I get that. And, I am grateful he answered the ones he did.

Final thoughts

Forensics is an apt name for what professionals like Eric Huber accomplish. I also know I do not have that expertise. So, I will stop when confronted with a forensics situation. Not sure about dropping and rolling though.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

20 comments
mmatchen

OSForensics is pretty handy. It's in beta right now and free. It comes paired with OSFMount, to mount either the drive or the image. The GUI is easier to navigate for certain things when compared to AccessData's Forensic Tool Kit (FTK). The free version of FTK is limited to 5,000 files, but you can selectively target certain areas. OSForensics will let you analyze the entire drive. I used both of these tools at a recent forensics competition and found them both good to use. I downloaded SIFT but haven't used it yet.

Agatsu

Some of the freely available tools mentioned (helix bootdisk, autopsy, etc) are even taught as part of some forensics courses (SANS springs to mind). I personally use Forensic Toolkit by AccessData. It serves my purposes better than EnCase. One piece of advice that an instructor of mine gave me: the two most important tools you will ever need - a comfortable chair and a good monitor. Most forensics cases are interesting when explained after the fact in short story form, but the reality is that a lot of very painstaking (aka tedious) work goes into gathering evidence, using it to reconstruct events, and substantiating or disproving speculation.

wdewey@cityofsalem.net

From what I understand there are some USB to hard drive adapters that are read-only adapters. Connecting a regular hard drive using one of these devices means that you won't accidentally time stamp anything. The first step is to make a low-level copy (the Linux dd command is an option) of the original and generate a hash of both drives so you can verify the original and copy are exactly the same. Next you put the original in a secure location and don't touch it again. I believe that some people then make another copy of the copy and then use the second copy to do scans of the drive content. The stuff I have read sounds fun and interesting, but I haven't ever done this. There is also a lot of down time involved with all the copying and scanning of the hard drive, so have a good book handy.

Bill

bobp

Thanks Michael and Eric.

bobp

It would have been interesting to find out what he thinks of free forensics boot disks such as BackTrack, CAINE, Deft Linux, Helix, and STD. Distrowatch.com lists these as forensics tools and also lists BackBox Linux, GnackTrack, NetSect, and Swift Linux, which must be newer since I have not seen them in a forensics search before. I have downloaded a few of these, but haven't had time to delve into them and learn them.

pgit

I always try to avoid any contact with user's content when dealing with their machines. I frequently back off data for a wipe and reinstall, and it's hard not to see a filename that raises a flag on occasion. I also need to verify integrity of backups before I go wiping the original. Using Linux I can just mouse over a few files in whatever folder and see a preview, whether it's text, a picture or what have you. Thank God I've never found anything that would have put me in the position of wondering whether I should call the police. There was one instance of a Mac mini getting so horrifically hijacked you couldn't even format the drive low level from a separate machine. That one did have a bit of illegal content, but it had been loaded on the thing (and apparently shared with other users) "some time in the night" you might say. One thing I do know about forensics is your efforts are all for naught, will be thrown out as evidence, if there's any indication of writing or deleting on the drive once in the hands of the forensic expert. I have a friend who does this for all the local authorities who'd ever have need for such. He has some very clever methods of booting into a system that will access the drive without putting any access time stamps on it, literally a "read only" system on the target device. He says that's the whole ball game right there. BTW these systems he uses are mostly on USB thumb drives, and any data he needs to copy as evidence goes on USB devices as well. Maybe that's the "fistful of dongles." Oh, another thing he's told me is after the physical evidence people are done looking at/around any digital device that needs forensic analysis, he goes to work, removing the drive so he can put it in his specially tweaked system he's assembled for such work. That system boots to USB, so he says he rarely has to use optical media. I haven't asked him what one does with a smart phone or a computer with solid state storage. 
I'd imagine there's some sort of method for doing a bit-wise straight dump to another device, also preserving original access (and other) time stamps. I should get in touch with this fellow and catch up on the state of the art. It'll take a day out of me, he now works for a huge university an hour or so away. I haven't checked but I believe he has moved over there closer to his work... his pets don't show up at the vet clinic anymore. (how's that for 'forensics?' ;) )

Michael Kassner

It's helpful to get member input about available tools.

Michael Kassner

I remember about a year ago, when someone found drone video on a computer. The military finally determined that the traffic to and from drones is not encrypted. Enuff said.

Michael Kassner

My research is pointing to the legal skill set being as, if not more, important. Chain of custody is also interesting when it comes to digital evidence.

robo_dev

There's this wonderful godawful expensive tool called EnCase from Guidance software. Typically at least $3K + annual support fees for one copy. http://www.guidancesoftware.com/ediscovery.htm It's not rocket science, you connect the hard drive to a write-blocker and use a tool like EnCase or DD to image the drive. EnCase, like many commercial software tools, does the work for you. There are lots of great open source forensics tools (autopsy, sleuth, etc) that all basically start with grabbing a copy of the drive with DD and then let you go to town on the copy. http://www.sleuthkit.org/ http://wiki.sleuthkit.org/index.php?title=Main_Page Of course, the difference is that the free/open source apps typically do fewer things auto-magically, so you need to do more work to do the same job. I won't go into the whole evidence-capture procedure, but it's critical not only that you use a write-blocker, but that you follow and document every step of the procedure, or the evidence will be thrown out of court faster than an old man in a girls locker room.
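The acquire-then-verify workflow that wdewey and robo_dev describe above (image the drive with dd, hash both the original and the image, lock the original away, and work only on a copy), shown as an added example that is not from the article or from either commenter. It runs against a constructed sample file standing in for a drive, and it records the hashes in a small acquisition log so the verification step can be repeated later. The hardware write-blocker both commenters insist on has no software equivalent here; the example assumes it sits between the examiner's machine and the source device.

```shell
#!/bin/sh
# Added example, not code from the article or its commenters.
# Assumes: POSIX sh, dd, and sha256sum (coreutils) or shasum (BSD/macOS).
# A real acquisition reads the source through a write-blocker; this
# script cannot demonstrate that, it only shows the imaging and hashing.

hash_of() {
    # SHA-256 of a file, using whichever hashing tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_sample_evidence() {
    # Constructed stand-in for a drive: 64 zeroed 512-byte sectors with a
    # recognisable string written into sector 3.
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    printf 'SAMPLE EVIDENCE (constructed)\n' | dd of="$1" bs=512 seek=3 conv=notrunc 2>/dev/null
}

acquire_image() {
    # $1 = source device or file, $2 = destination image, $3 = log file.
    # conv=noerror,sync carries on past unreadable sectors and pads them,
    # so the image stays sector-aligned with the source.
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    {
        echo "source:         $src"
        echo "image:          $img"
        echo "sha256(source): $src_hash"
        echo "sha256(image):  $img_hash"
    } >>"$log"
    # The acquisition only counts if source and image hash identically.
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # Re-hash a copy before analysis and compare with the hash recorded
    # at acquisition time. $1 = image, $2 = expected hash. 0 = unchanged.
    [ "$(hash_of "$1")" = "$2" ]
}

demo() {
    # End-to-end run on the constructed sample; returns 0 when the
    # verified copy passes and a tampered copy is correctly rejected.
    work=$(mktemp -d) || return 1
    make_sample_evidence "$work/original.bin"
    acquire_image "$work/original.bin" "$work/original.dd" "$work/acquisition.log" || return 1
    expected=$(hash_of "$work/original.dd")
    # Working copy is taken from the image, never from the original.
    cp "$work/original.dd" "$work/working.dd"
    verify_image "$work/working.dd" "$expected" || return 1
    # Simulate an accidental write to the working copy: the check must fail.
    printf 'x' | dd of="$work/working.dd" bs=1 seek=2000 conv=notrunc 2>/dev/null
    if verify_image "$work/working.dd" "$expected"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}
```

The log written by acquire_image is the piece that matters for the "document every step" point in the comment above: the hashes recorded at acquisition time are what a later verify_image call is compared against, so any change to a copy, accidental or otherwise, shows up before analysis begins.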

Michael Kassner

If you are interested, Eric has a weekly blog that you can sign up for.

Michael Kassner

I'm a big fan of these sort of tools that are available for the public. Some of these boot disks like Helix are set up so they can be used to make forensic images. When properly used, they will not alter the contents of the drive being imaged. Other distros are mission-specific platforms for investigative purposes such as SIFT (digital forensics), BackTrack (pen testing), and REMnux (Malware reverse engineering). We live in an era where there has been an explosion of interest in cyber investigation which has resulted in a tremendous amount of energy and development work in the open-source world and I encourage people to use these tools to learn more about cyber investigation and sharpen their skill sets. Eric Huber

Michael Kassner

Thanks for sharing your experiences. It is a fascinating subject, with all sorts of black ops and stuff.

HAL 9000

Is much more important than anything else. You need to maintain a Chain of Evidence and prove that nothing you have done has contributed to the results that you have made. It gets worse when you have to give evidence, as those asking the questions or running the case generally speaking have no idea of what you are saying. So both sides, in the form of Solicitors, Barristers, QCs, don't understand what you say, and the Judge certainly has no idea. Most times either what you say goes unchallenged or there is a disagreement between different "Experts", and if there is a Jury involved they get confused and just want out. You know you have a problem when the Judge wants out and is doing everything possible to dump the case and get some other unsuspecting Fool to hear it. :D

The real problems however happen when you start a job that you are told is an Internal Company Issue and it ends up going to Court for something else that no one suspected. Things get really difficult proving that the Chain of Evidence has not been broken when it was most likely already destroyed before you got involved to begin with.

I'm certainly no expert in this stuff, but I will say if you want to get involved you need to walk into Courts and watch the way that things happen. If you feel unable to maintain your "Cool" and remain detached, don't get involved. There will be instances where one of the Lawyers will try to tear you to bits one day and you'll be their new best friend & Expert Witness the next. If you take it personally you're as good as dead, as it will drive you nuts. You also need to be able to sit in that chair giving evidence and not get stressed, which honestly isn't that easy, for me at least. I personally find court cases stressful and you need to be able to not get worked up internally when things don't go the way that you expected. Or you get asked the same question 100 times in a different way and you have to not give a different answer.

I remember one case where the Judge was tearing into one of the Barristers, which shook me as it was so unexpected. I felt that I was worse than a jabbering idiot after I had finished giving evidence, and I knew both the Judge and Barrister personally before that. However, in that case it was the Judge preventing the Barrister asking leading questions that were improper, but it was "Interesting" at the time. Later I was told that the Barrister had represented the Judge's wife in the divorce, so the moment that the Barrister stepped out of line things got jumped on. But hearing a Judge say to the Defendant's Barrister "What Court do you practice in? Here we deal in Facts not Feelings" was more than a bit off-putting. :D

Col

Michael Kassner

I was curious as to whether you are experienced in this line of work? Thanks for the tips and comment.

Michael Kassner

I guess I did not say it clearly in my previous comment. I do feel the legal aspect is more daunting, particularly when it comes to digital chain of custody. Thanks for sharing your experiences. I am not anywhere near an expert, so I have not been involved in any cases.
