
Digital forensics: The science behind 'who done it'

Forensics comes from the Latin word "forens" -- "belonging to the public". Michael Kassner decided to find out what that means in the digital world.

After a recent talk with students, someone asked me about digital forensics. It was not the subject of my talk, and I stumbled badly attempting to answer. After a bit of soul-searching the next day, I realized how little I knew about digital forensics. While contemplating that, I checked my email.

What luck. There was my answer, "A Fistful of Dongles". That's Eric Huber's newsletter. He knows all about digital forensics:

  • Internationally-recognized in the field of cyber investigation, information assurance, and incident response.
  • Respected author and speaker on digital forensics.
  • Instructor for the SANS Institute providing cyber-investigation support to individuals, corporations, and governments.

Eric also belongs to the following professional organizations: The American Academy of Forensic Sciences, FBI Infragard, and IEEE. He is on the board of directors for the Consortium of Digital Forensics Specialists and was named the 2010 Person of the Year by the Northeast Chapter of the High Technology Crime Investigation Association.

See what I mean?

Now all I have to do is get him to explain digital forensics to a rookie. Fortunately, he was willing.

Kassner: According to Wikipedia, digital forensics is a branch of science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. How would you define digital forensics?

Huber: Digital forensics is a convergence of law and technology. But, there's quite a bit of digital-forensic activity in the incident response and intelligence world that does not involve the legal system. You will find many definitions for digital forensics. My definition is simple: Digital forensics is the collection, examination, and reporting of digital evidence.

Kassner: I was under the impression that digital forensics was solely used for criminal investigations. Are you referring to eDiscovery or Electronic Discovery?

Huber: Traditional digital forensics involves a digital-forensic examiner first collecting and examining digital evidence. Then, the examiner issues a report that answers questions related to the criminal investigation or an intelligence-gathering task.

eDiscovery is slightly different. eDiscovery specialists collect and process information, more or less getting it ready for review. They are not tasked with answering investigative questions. That's the job of the attorneys.

eDiscovery can be challenging, fulfilling work for people who like dealing with vast amounts of data and complexity. However, it can be a disappointment to people who think they will be doing actual investigative work.

For people who want to put bad guys in jail, I recommend sticking to traditional digital forensics.

Kassner: You mentioned first being a law-enforcement officer. How did you end up a digital-forensics expert?

Huber: I began as a patrol officer for a police department. Early on, I became interested in the technical side of investigation, and that meant making a decision: stay in law enforcement, hoping that someday I would land a digital-forensics position, or accelerate the process by going private?

I took a chance and went private, joining a newly-formed consulting firm specializing in both digital forensics and eDiscovery. That turned out to be a great decision. Currently, I am an information-security investigator and team leader for a large corporation.

Kassner: When someone interested in digital forensics comes to you looking for advice, what do you tell them?

Huber: I tell them, if they are interested in putting bad guys in jail, they should consider a career in law enforcement. However, I will also warn them. Even with a degree in digital forensics, it's rare to get hired directly into a digital-forensics position.

State and local law-enforcement agencies generally require street time, like pushing a black and white squad car around. After that, an officer can apply for a specialized role. Federal law-enforcement agencies can be more flexible in this respect. So, if that is a consideration, talk to recruiters from agencies such as the FBI, Secret Service, and US Postal-Inspection Service to learn how their respective career paths work.

For those not interested in law enforcement, I recommend they start in the consulting world. It's a demanding lifestyle, but rewarding, particularly for entry-level digital-forensics examiners.

Kassner: It seems many of the skills required by digital-forensics experts would be helpful to IT administrators. Do you agree?

Huber: Some of the qualities I look for in a digital-forensics examiner are attention to detail, tenacity, a passion for technology, and insatiable curiosity. These are excellent qualities for anyone involved with Information Technology.

The reverse is true as well. System and network administration work can be a great way to prepare for a career in digital forensics. I tell people who are already in these roles and interested in digital forensics to sharpen their skills and get more involved in information security and digital forensics.

Kassner: Are there any forensic tools or software that would be useful to IT professionals in the corporate world?

Huber: There are. Tools range from expensive enterprise-grade network-forensic tools to free open-source tools such as SANS SIFT Workstation. And the availability of free and low-cost tools particularly excites me. It allows people to learn about digital forensics hands on.

Kassner: Let's say, I — as a systems administrator — suspect that something illegal has happened. What should I do?

Huber: Stop, drop, and roll. If you, as a system administrator, suspect unlawful activity, immediately engage your legal and information-security departments.

One of the biggest mistakes someone can make is diving into a digital-forensics exam without the proper background or authority to do so. What a system administrator can and should do is detect unlawful behavior. Once they have determined something criminal may have happened, it's time to get help.

Kassner: Under what circumstances would it be advisable for a private enterprise to hire a digital-forensics expert?

Huber: You should hire an expert whenever your project requires the proper collection, analysis, and reporting of digital evidence. That sounds like a stock answer, but what digital-forensics people do is complicated.

You don't want to go into a courtroom setting for a criminal case or an employment action and have the opponent's expert rip your unprofessional efforts apart. If you have any doubt, call an expert.

Kassner: A company wants to hire a digital-forensics expert. What considerations should be looked at?

Huber: Experience and training can be two of the best indicators you are dealing with someone who knows what they're doing. Certifications can provide some assistance in determining minimum competency, but I've run across certified people I wouldn't hire.

Finding a qualified expert requires reviewing their background in its entirety. Experience is the most important indicator; then look at education, additional training, publications, and certifications held. The more experience someone has in law enforcement and digital-forensics consulting, the better.

I also feel it's important to look for those experienced in situations similar to the one that occurred to the company. For example, someone who has spent their career chasing child pornographers might be perfect for a case dealing with inappropriate use of corporate resources, but very unsuited for incident-response work.

Kassner: Sorry. I have to ask. Why is your blog called, "A Fistful of Dongles"?

Huber: In digital forensics, USB dongles (thumb drives) are used to authorize programs. After a decade of doing this work, it's to the point where my team has a ton of them.

I once joked, if I wrote a book about digital forensics, I'd call it "A Fistful of Dongles", based on the classic Clint Eastwood western titled "A Fistful of Dollars". When I first created my blog, I used a stunningly-uncreative title, "Eric Huber's Digital Forensics Blog". I decided that would not do. So, I rolled out the "A Fistful of Dongles" moniker.

An explanation

I wanted this article to delve much further into the deep, dark secrets of digital forensics. I peppered Eric with several pointed questions — no luck, though. Eric mentioned he answered the ones he could, but respectfully declined to answer others due to the sensitive nature of his work. I get that. And, I am grateful he answered the ones he did.

Final thoughts

Forensics is an apt name for what professionals like Eric Huber accomplish. I also know I do not have that expertise. So, I will stop when confronted with a forensics situation. Not sure about dropping and rolling though.
