Inside the mind of a computer forensics investigator

Jess Garcia, founder of One eSecurity, is a senior security engineer and an active security researcher in areas of incident response, computer forensics and honeynets. In this interview he introduces the reader to the world of computer forensics and talks about cyber crime scenes, how forensics experts testify in court, privacy concerns, changes in the field of forensics in the past decade and offers advice for anyone interested in learning more about computer forensics in general.

Garcia will be teaching “Forensics 508: Computer Forensic Investigations and Incident Response” at SANS London 2010.

Let’s say we’re looking at a cyber crime scene comprised of several still powered on computers. When the forensic investigator arrives, what does his workflow look like?
The most important first step is to do a careful analysis of the situation and use your common sense and experience to make an educated decision about the actions to take.

Even in such an apparently simple scenario, there are multiple possible variations such as type of incident or crime, corporate environment, operating systems and hardware environment which will determine your course of action. It is important to gather as much information as possible about what happened before you start making any move. So the first step typically is to perform a quick interview of anyone who can provide that information and a review of the crime scene environment.

After that, going down to the technical procedures, the first thing you will do is acquire the volatile evidence first, i.e. that evidence that may disappear or change quickly with your actions such as the information stored in memory, the network connections, running processes, etc. This may or not be easy (or at all possible) depending on the degree of access to the computer. Fortunately for us, the latest advances in forensic research have provided useful techniques that have opened new possibilities for the investigator, such as acquisition of memory through the Firewire port, acquisition of “cold” memory (Cold Boot Attack), advanced analysis of the memory and others.

Then you would do an acquisition of physical storage such as hard drives, USB drives, memory cards and removable disks. There are multiple ways and utilities, hardware and software to do the job: from forensics hard drive duplicators and write blockers, to forensically sound live CDs or software utilities. In the real world some of them will be more suitable than others depending on the situation.

You will typically create one or two copies of those original drives (one for analysis and one for backup in case something happens to the first one). Eventually, if you need to retain the original hard drive as evidence, you will also need to clone it and restore it into the system to ensure its operational continuity. You will place all this evidence in appropriate anti-static bags and then in tamper-proof evidence bags.

These steps need to conform to an appropriate set of processes and procedures that guarantee that you do not modify the original evidence or as little as possible according to the circumstances. Careful documentation of all the steps taken, integrity hashes, and everything that can be considered relevant in that process are vital.

What advice would you give to those interested in specializing in computer forensics?
Computer forensics is a fascinating world. It is the only area in computer security that you will get to deal at the low level with all types of operating systems, network devices, CCTV cameras, VoIP/PBX systems, network traffic, etc.

Knowledge is the first requirement any investigator needs. Even for highly experienced network and system administrators, computer forensics is a new world, so everyone needs to undergo the appropriate training.
There are multiple resources on the Internet and books that provide very valuable information on this field. The best way to boost your knowledge is to undergo professional training such as the SANS Institute Computer Forensics Curriculum.

Computer forensics is definitely all about experience, so the only way to really learn how to do the job is actually doing it many times so you get to encounter the real world problems, you get to polish your processes, and you get to develop your investigative skills, which are different from the standard IT or Security ones.

As computer forensics is non-destructive, aspiring investigators can practice with their personal systems, corporate systems and forensic challenges that can be found on the Internet. Having a mentor by your side to lead your steps is ideal, but that’s often not a possibility due to the low amount of digital investigators in our community.

An experienced forensics examiner is about to testify in court for the first time. Any suggestions about the way he talks about his work?
It is extremely important for the investigator to remember that the real world is very different from the technical world. Things are not binary, normal people are moved by situational perception, and therefore it is of the utmost importance that the investigator is able to translate technical forensic “lingo” to standard concepts people can understand. A perfect investigation with a poor presentation in court will typically not succeed. That’s not an easy job and not everyone is ready for it, but with time and dedication, it can be accomplished.

People and courts don’t understand concepts such as bits and bytes, unallocated, metadata, clusters, artifacts, prefetch, plist, and the million other terms we use. We need to bridge that knowledge so they can make their decisions based on a correct interpretation of the reality.

We carry a great responsibility for, if we don’t do our job right the wrong people can end up in jail, and guilty people may go free.

Also, it is important to remember that a court is typically a very hostile environment for an investigator. We are not used to it. You really need to keep cool your temperament and your mind focused on the topic, and only answer what you are asked about. We tend to speak too much!

How can a forensic investigator make sure he strikes a balance between his work and a users’ right to privacy?
That is a really tough question. Even the legal system and our society is struggling to find an equilibrium between protecting people’s privacy and stopping bad guys from using that protection to cover their actions. I find that challenge everyday in my cases in Europe. I guess we all will have to work together to find a solution. Technology can certainly help in that sense.

How has computer forensics evolved in the past 10 years and what can we expect in the next decade?
The evolution of computer forensics in the last 10 years cannot be easily described in a few words. Thanks to the joint effort of the many professionals in this community, and investments in the industry, we can do incredible things today, things that just a few years ago were wishful thinking. And it is getting better. There are and always will be many challenges, because forensics deals with all types of technologies, and that’s an ever changing environment. But our society needs forensics in order to fight the increasing wave of cybercrime that is becoming stronger and more organized.

The most difficult part will be to adapt our legal and law enforcement systems to this new scenario. I’m seeing slight movements in this direction in many countries, but the pace is too slow and we are suffering the consequences. We need to do better in this sense.

Technologically speaking there are many things to work out. We now have the building blocks for basic forensic analysis of our cases, but we certainly need our tools and techniques to evolve into a more holistic approach, a higher level type of analysis, in which the tools provide us real world facts instead of individual low level events.

There are many other challenges such as the analysis of massive amounts of data, multimedia analysis, the cloud, the increasing use of social networks and its corresponding online evidence gathering. This opens exciting fields for research that we will certainly need to address in the near future. As society evolves, new challenges will arise and we will need to be ready to address them.

Give us an overview of your SANS training plan and what attendees can expect to learn if they attend.
There are right now 5 courses in the SANS Forensics Curriculum and several more are on the way. Our objective is to provide the knowledge required by any investigator across many areas of computer forensics.

For all of them I would recommend starting with FOR408 – Computer Forensic Investigations – Windows In-Depth. It’s an amazing course which covers all core skills an investigator needs to know in order to perform best practice based acquisition and in-depth analysis of the Microsoft Windows operating system. The natural next step is FOR508 – Intrusion Investigations and Advanced System Analysis , in which you learn tools and techniques that not many investigators are familiar with, and which take you to a whole new level of expertise.

From there you can specialize in Mobile Devices Forensics with FOR563, in Network Forensics with FOR558, or Malware Analysis with FOR610, depending on your role, your skills, the type of cases you deal with. We will continue to grow the curriculum with courses on Linux Forensics, Mac Forensics, and any other relevant area of expertise.

In summary, computer forensics is a promising and exciting career for anyone motivated, willing to learn and work hard. You can get quickly immersed in the field and it is undoubtedly one of most fascinating IT field of our times.