“Expert vs. Expertise” – Computer Forensics and the Alternative OS

No longer a dark and mysterious process, computer forensics has been a significant presence on the security scene for more than five years. Despite this, it has only recently gained the recognition it deserves. Greater awareness has also brought along the inevitable rise of self-proclaimed “experts” in the field of computer forensics.

Properly investigating incidents takes training, so don’t be fooled by the snake oil salesmen touting themselves as “experts” in this field. Many people attend courses without actually having taken part in significant investigations. Being a network detective boils down to one thing only: your level of expertise.

Essentially, the era of computers ushered in a new type of criminal, one who moves through exclusive office echelons as easily as mid-western internet cafes. As technology progresses, so will digital crime and the unwavering devotion of its miscreants to finding newer and more complex routes. The danger for the world’s corporations is that e-predators reside within the walls of their own organizations. These internal criminals perpetrate crimes that range from identity theft to the distribution of illegal internet images. Moving away from illegal activity on the standard operating system, more savvy criminals have adopted UNIX and Linux as their tools of choice. Seemingly more difficult to investigate, these alternative operating systems are a less explored area in the science of computer forensics.

The Evolution of Computer Forensics

Recently I had the opportunity to discuss alternative OS forensics with “Dave”, an agent with years of expertise who has asked that I do not identify his last name or office due to the secretive nature of his job.

In discussing the rise of computer forensics, I asked how technology has changed the face of corporate investigations for Dave and his colleagues.

“Like everything else, when people started to use computers on a daily basis, people soon figured out methods for doing illegal things. Fraud, threats, insider trading, and pornography just to name a few things. All of this was present before the dawn of computers, but the internet just makes it easier and faster to perpetrate crime. “

I was interested in some case examples of things that would have been impossible without today’s available computer investigative tools. Dave answers, “Some of the tools that stand out are Firewire, faster machines and Gig E. In 1999, the common practice to image a single drive machine was to turn off the computer, boot from a controlled floppy disk and send the image to a 2GB Jaz drive. In practice, an 8 GB HDD would have taken about 8-10 hours. Using Firewire, I can image the same drive in 15-20 minutes. The major choke point of imaging single drive machines is the speed of the hard drive being imaged.

The problem still remains that you need to examine what you imaged. This is where high-end machines come into play. I can run numerous grep statements and finish within a few hours. Five years ago that would have taken all night.”

The Alternative OS

Security threats are prevalent in every computer network, but what about those networks employing a less standard OS such as Linux or UNIX? How much crime is occurring and how can the IT administrator investigate successfully?

Dave answers, “People are people. If they want to steal or do something illegal, then they will find a way. The security threats are present in any OS/network. The problem becomes worse the more people know about the network. Generally, everyone knows Windows and how to make things happen with it. If a particular criminal isn’t fluent in *nix then they’ll most likely move on to a different target.”

What are the major differences in investigating UNIX OS as opposed to MS OS?

“File systems basically work in the same manner. So the OS driving the file system is the major hurdle. A lot of forensic “experts” are dismayed when they have to investigate a UNIX box. Basically it comes down to a lack of training. Different OS’s create different files which can be used by the forensic examiner. For instance, /var/log/messages is a good source in Linux, and WINNT\system32\LogFiles\W3SVC1 is a good source in Windows,” says Dave.

The customization of scripts is another challenge for UNIX administrators. I spoke with Jon Bair, Director of Professional Training at Guidance Software, about the issues a UNIX administrator faces in trying to customize scripts that run auto forensic-audits of their network.

Jon states, “In many cases, UNIX administrators are responsible for managing various types of systems at once, and not all of these systems may be running the necessary components to allow the use of one script to effectively audit their infrastructure, let alone audit these systems in a forensically sound or trustworthy manner. What if, during their audit, he/she stumbles across a system that was being used in illegal activity? The very actions of their script may have just altered valuable data that may have proven important upon later investigation. What if their script requires specific files such as binaries or libraries to be present on the system they are auditing, but they do not exist? Even worse, what if they are calling local system binaries from their script in order to gather data, but the binaries they are calling have been “trojaned” and do not produce true data?”
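The last two hazards Jon raises, missing binaries and trojaned ones, are the reason audit scripts are normally run only with a toolkit the examiner brought along and whose hashes were recorded on a clean system beforehand. The script below is an added illustration of that check and is not code from Guidance Software or from anyone quoted in this article; the toolkit directory, the manifest file name and the fake `ls` it builds are constructed for the demonstration. Every check reads the target and writes only to the examiner's own media, so a failed check stops the audit before any local binary is trusted.

```shell
#!/bin/sh
# Added example: verify a brought-along forensic toolkit against a known-good
# manifest before an audit script relies on any binary. Paths and tool names
# are assumptions chosen for illustration, not from the article.

# Pick whichever SHA-256 command this host provides.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record known-good hashes ("<sha256>  <name>" per line). Run this on the
# clean build system that produced the toolkit, never on the box under audit.
build_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(_sha256 "$f")" "$(basename "$f")" >> "$manifest"
    done
}

# Check one tool in TOOLDIR against the manifest.
# Returns 0 if present and matching, 1 if missing, 2 if the hash differs
# (a tampered or substituted binary looks exactly like this).
verify_tool() {
    tooldir=$1; manifest=$2; name=$3
    path="$tooldir/$name"
    [ -f "$path" ] || { echo "missing tool: $name" >&2; return 1; }
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$manifest")
    actual=$(_sha256 "$path")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "hash mismatch: $name" >&2
        return 2
    fi
    return 0
}

# Verify every tool the audit needs; a single failure aborts the run so the
# script never falls back to the suspect system's own binaries.
require_tools() {
    tooldir=$1; manifest=$2; shift 2
    status=0
    for t in "$@"; do
        verify_tool "$tooldir" "$manifest" "$t" || status=1
    done
    return $status
}

# Demonstration with a constructed toolkit: a tiny script named "ls" stands
# in for a statically linked binary copied from a trusted build system.
demo() {
    kit=$(mktemp -d)
    printf '#!/bin/sh\necho trusted-ls\n' > "$kit/ls"
    build_manifest "$kit/MANIFEST" "$kit/ls"
    require_tools "$kit" "$kit/MANIFEST" ls && echo "toolkit verified, audit may proceed"
    printf '#!/bin/sh\necho tampered\n' > "$kit/ls"   # simulate a trojaned binary
    require_tools "$kit" "$kit/MANIFEST" ls || echo "refusing to audit with untrusted tools"
    rm -rf "$kit"
}
demo
```

In practice the toolkit and manifest live on read-only removable media, the manifest is itself signed or hashed out-of-band, and the audit's output is written back to that media rather than to the audited host, which addresses Jon's first concern about the script altering evidence.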

Peripheral and Large Scale Forensics

Then there is the subject of utilizing computer forensics to investigate PDAs and cell phones. Both can be investigated utilizing computer forensic methodologies. The question arises as to their differences from the PC’s OS.

Dave explains, “PDA and cell phones handle data differently, but there is still a spot on them which identifies the location of all the files/programs. How different is this from Win98 OS? It really isn’t, the issue stems from how to get the data from a non-standard device in a forensically sound manner.”

Conducting an investigation on a single PC is a daunting enough task without having to search the entire network for criminal activity. I asked Dave to explain the major challenges between conducting a single PC audit and conducting a full-scale WAN based investigation.

“Basically, the major problem becomes the overwhelming size of evidence and preserving the chain-of-custody. If I seize a 2TB server, then I will need a 2+TB server to examine the data. I have had occasion to examine 29TB of data, and one must stay extremely organized and patient in such a case,” states Dave.

The meteoric rise of computer forensics is clearly noticeable when browsing today’s security conference agendas. There are numerous courses taught by what are termed “experts” in their respective fields. Since computer forensic technology is ever-evolving, it would be difficult to term oneself an expert in a field that has not yet finished developing. Many corporations get themselves into trouble when they hire an expert investigator with almost no real investigative experience. The use of poorly trained individuals for the purpose of conducting a digital investigation can prove costly to a corporation trying to recover both their reputation and their data.

Dave explains, “There are a lot of civil and criminal issues that could come into play if an untrained person (let’s use a sysadmin) was to conduct a forensic examination. For example: The sysadmin identifies user X on their network who is downloading child pornography. The sysadmin shows the evidence to his employer, who then transfers the evidence to senior executives. User X is fired on the spot and escorted out of the building. Several issues occur here: Are you sure the files are there? Are you sure you got the right user? How about User Y borrowing User X’s machine for a while? As for the emailing of the evidence to people within the company, the sysadmin has just unknowingly committed distribution of said illegal materials over the network, and there is a distinct possibility that the wrong user was fired and the corporation will be facing an embarrassing lawsuit.

Another example: The sysadmin identifies a user doing something very unseemly such as threatening another employee via email. However, because the sysadmin is untrained, he contaminates the evidence. Now, someone in law enforcement has to figure out a way around the contaminated data to continue with the investigation.”

Computer forensics in the hands of a properly trained investigator can prevent these issues by providing detailed facts regarding the origination of the illegal material and accurate user identification. It can also preserve the digital evidence for use in pressing charges, following best-practice, court-upheld standards.

There has been an upsurge in the number of computer forensics experts in the security field. This is especially apparent in the consulting industry. Wondering what the major differences were between a forensics consultant and a law enforcement investigator, I again went to Dave for answers.

“The difference between corporate and law enforcement is the training the individual examiner has received. In my opinion, the Federal Law Enforcement Training Center (FLETC) has the best training anywhere but it’s for law enforcement only. I have seen numerous seminars/conferences which charge a good sum of money and give inadequate training.”

It’s important to note that there are also numerous highly qualified forensics investigators available to assist with critical cases and successfully preserve evidence for trial. There are also several reputable courses taught nationwide through vendors and consultancies that are able to prepare investigators to face complex investigative circumstances.

A word of caution to anyone in need of computer forensics expertise: check references! All reputable forensics firms, including vendors with professional services divisions and independent investigators, should be able to provide a list of customers and/or references that can bolster their claims. While details of actual cases solved will be highly confidential, the reputation and collective expertise of the investigators should be readily apparent. Past accomplishments, professional organizations, client references and provable experience are crucial to making the proper hire.

Compromising data and utilizing unproven forensic methodology can do much more damage than the crime itself. Choose your investigators with the same common sense that you would use to choose your surgeon.

Dave elaborates, “In my day to day dealings with people, 90% of computer forensics experts have never seen or touched a Unix system. There are a bunch of reasons for this, most of them due to the lack of official training in this environment. Most experts deal with Windows because it’s easier to understand. Taking several courses in a subject does not make a person an expert.

To give you an example of where experts fail with expertise: a federal investigator was told to image a single drive Windows 2000 server. Instead of creating a digital image of the physical drive, he converted the file system from FAT32 to NTFS, then made a logical backup of the drive. By his actions, he had destroyed the original evidence and damaged my case. Standard procedure would have been to boot from a controlled floppy, create a physical image of the drive and send it to another hard drive without writing a thing to the victim drive. I would not term this person an expert by any means, however, his title and rank indicate that he is.

I also know of a government employee who is a self-proclaimed forensic expert. It says as much on his email signature block. This person has never actually conducted an investigation. However, he did take numerous courses on the subject and he has an excellent resume. A classic case of expert vs. expertise.

Personally, I have been conducting active computer forensic investigations since 1999. All I do are forensic examinations. I have been teaching network investigations and computer forensics at FLETC since 2000. I have developed forensic tools which have become Armed Forces standard for incident response and those same tools are used by numerous US and foreign law enforcement agencies. But am I an expert? No, I know I am not. I just have an interesting and dynamic job.”
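The physical-image procedure Dave contrasts with the botched logical backup rests on two things: reading the evidence drive without ever writing to it, and being able to prove afterwards that the image is bit-for-bit identical. The script below is an added illustration of that verification step; it is not one of the tools Dave mentions developing, nor any vendor's product. It uses plain `dd` and hashes the source before and after acquisition as well as the image itself. Because a real drive must sit behind a hardware write blocker (or at minimum be marked read-only with `blockdev --setro`), the demonstration substitutes a constructed file for the device so it runs offline; the file names are assumptions.

```shell
#!/bin/sh
# Added example: acquire a bit-for-bit image with dd and prove it matches the
# source by hashing both ends. Device and file names are constructed for
# the demonstration; a real SRC would be a write-blocked block device.

# Pick whichever SHA-256 command this host provides.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Copy SRC to DST, reading only from SRC. conv=noerror,sync keeps going past
# unreadable sectors and zero-fills them so later offsets stay aligned.
# bs=512 matches the sector size, so a whole device (whose size is a
# multiple of 512) is never padded and the image hash can match the source.
acquire_image() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
}

# Hash the source before imaging, hash the image, then re-hash the source.
# The hash record goes beside the image on the examiner's drive, never on
# the evidence drive. Returns 0 only when all three hashes agree: the image
# is faithful and the source was not altered during acquisition.
image_and_verify() {
    src=$1; dst=$2
    pre=$(_sha256 "$src")
    acquire_image "$src" "$dst" || return 1
    img=$(_sha256 "$dst")
    post=$(_sha256 "$src")
    printf 'source-before %s\nimage %s\nsource-after %s\n' \
        "$pre" "$img" "$post" > "$dst.hashes"
    [ "$pre" = "$img" ] && [ "$img" = "$post" ]
}

# Demonstration on a constructed stand-in for a drive: eight 512-byte sectors
# of random data.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.dev" bs=512 count=8 2>/dev/null
    if image_and_verify "$work/evidence.dev" "$work/evidence.dd"; then
        echo "image verified:"
        cat "$work/evidence.dd.hashes"
    else
        echo "HASH MISMATCH: do not rely on this image" >&2
    fi
    rm -rf "$work"
}
demo
```

The "source-after" hash is what distinguishes this from a backup: if it differs from "source-before", something wrote to the evidence during acquisition and the examiner knows before the drive is ever analysed. Converting the file system, as in the case Dave describes, would have changed that hash irrecoverably.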

Is There Hope?

There is a lot to be learned for those in need of investigative services. The irony is that most every corporation is in need of investigative services and incident response. The ROI for implementing a top-of-the-line forensic solution and investing in proper employee training is virtually immeasurable. Over the years, those properly trained employees are going to stifle a large percentage of attempts to defraud the corporation, saving both the reputation and the irreplaceable data. Utilizing top-of-the-line enterprise forensic tools will enable the company to comply with newly enacted legislation, provide irrefutable data during audits and lawsuits, and basically monitor their network with unprecedented eagle-eye efficiency.

A great place to start when looking for a competent forensic investigator would be your local electronic crimes task force team. The ECTFs were organized by Congress as a branch of the Secret Service, providing assistance to law enforcement in digital investigations.

You should also look into the High Technology Crimes Investigation Association (HTCIA) whose mission is to connect individuals involved in computer crimes investigation and provide critical, cutting edge training to their members on emerging technology and trends.

Further, there are computer forensic courses taught by software vendors, such as Guidance Software that offer very in-depth product training. These courses are usually multi-tiered by expertise and are designed to challenge both new and seasoned investigators in the field of incident response and computer investigations. These courses offer an overview of best industry practice and common methodology which a new investigator may not be familiar with.

For college-type training you should look into CompuForensics. A member of the HTCIA, CompuForensics, in association with accredited universities and colleges in Ohio, Texas, Pennsylvania and Tennessee, offers government and private sectors a highly cost-effective approach to upgrading the technical skills of their investigative and support personnel. Unlike pseudo-certification training characterized by resort-based lecture seminars with unsupervised testing, the CompuForensics Initial Response Team and advanced Windows Analysis Using Linux courses are exclusively available through accredited universities or colleges.

By no means is this an exhaustive list of where to locate experienced computer forensic investigators or find out about appropriate training courses. These links are designed to point you in the right direction and hopefully assist you in avoiding the expert that lacks the expertise.

Note: The opinions expressed in this article are those of the author and her subjects. They are in no way indicative of the opinions of the publication or the publication’s staff. The publication’s policy is to encourage expression and explore differences in information exchange.
