Digital forensics: The inside story

Jelle Niemantsverdriet is the Principal Consultant, Forensics and Investigative Response EMEA, Verizon Business Security Solutions. In this interview he introduces the reader to the world of digital forensics and talks about computer forensics tools, privacy concerns, the fundamental differences in investigating different operating systems, and offers advice for anyone interested in learning more about computer forensics in general.

Niemantsverdriet will be teaching what can be learned from investigations into confirmed data breaches at the 2011 European Digital Forensics and Incident Response Summit.

Many security professionals are curious about digital forensics. What advice would you give to those just starting out?
Start reading. There is a lot of information out there, I would recommend to keep a good balance between reading about the technical stuff, the investigative strategies and especially also about reporting. There is also a very active community on Twitter or the various forums which is keen to share experiences – as long as you show you are not afraid to do some work yourself and that you participate as well.

The field is very broad on one hand (there are a lot of devices or systems that can hold information and be used in an investigation) but can also be very detailed and specific: you can become a super specialist on forensic artifacts on a specific operating system or type of mobile phone.

And again, I keep stressing that: it is way more than just the technical side of things. Having an investigative mindset, being able to interpret and report your findings are key characteristics on top of knowing ‘how things work’.

What are the essential steps involved in conducting a forensics investigation in a large organization? How do you approach such a challenging effort?
I think the main challenge is to take and maintain the ‘trusted advisor’ role, which stretches from providing advice on technical and investigative steps to providing crisis management recommendations. Imagine, such a company is – especially during a data breach or security incident – in crisis-mode and everybody is under a lot of stress. You are one of the few persons who deals with these situations on a regular basis and are brought min to get them through this, so be prepared for a lot of heads turning your way. And those heads are not only IT or security related, but often also HR, general management or other involved departments within the organization.

On an investigative level, these cases really start out as a puzzle where you don’t even know what the pieces look like and where they are. It’s essential to try and get a good overview of what happened as quickly as possible, so you can focus your efforts. One of the things we often do, is to get the involved system, network and security teams in a room to start drawing a ‘consensus network diagram’ of the relevant systems. The existing network diagrams are often outdated (or don’t exist at all…), so we have experienced that having everybody in a room with a whiteboard is often faster than updating the old diagram.

What forensics tools do you prefer and why?
The tool that gets the job done. There is no single ‘silver bullet’ tool that works for every situation. Most important for me here is to understand the strengths and weaknesses of the tools and to use that knowledge to pick the right one. But in general, we should not put too much emphasis on the tools as the most important element lies in the knowledge and skills of the person using it – just like buying the most expensive hammer does not make you a world class carpenter.

On the subject of commercial or open source tools I am also indifferent – the two main commercial tools are definitely part of my toolkit but if I can’t solve a problem or I need a second tool to verify my findings, I’m just as happy to grab a freely available or other commercial tool. Or in the worst case (or best case – if you’re up for some coding), there is no tool for your particular problem and you have to start scripting or programming something yourself.

How can a forensic investigator make sure he strikes a balance between his work and a users’ right to privacy?
I think it’s very important here to make sure that your actions are as least invasive as possible. For example, rather than manually reviewing every file on a user’s hard drive, ensure you have some very relevant keywords to conduct an automated search that will either exclude the user from your investigation or at worst only require you to review a handful of documents.

This is also something that you can very well explain to a user: you as an investigator are generally not interested in their vacation pictures or the postings they made on Facebook, you are brought in to investigate a very specific problem and will use your tools to filter out as much ‘noise’ as possible.

Also, and this is something that in a lot of countries is required by law, properly assess the need for an investigation before you start, as it is a very ‘heavy’ measure to use. Ensure you are not hired to do ‘management by forensics’ and don’t be afraid to say ‘no’ if you feel the suspicions are not strong enough to warrant an investigation.

What are the fundamental differences in investigating Windows, Linux and Mac OS X systems?
I would say that there are actually a lot of similarities in the general way of approaching such an investigation. The methods for imaging the systems, the method of analysis according to Locard’s principle and the need for complete, factual and understandable reporting is the same regardless of the operating system. Of course the systems then require different types of analysis, store their data and logs differently and so on, but in a broad sense the same principles apply.

What does your SANS training course look like? What skills can attendees expect to acquire?
My presentation session at the 2011 European Digital Forensics and Incident Response Summit will provide an overview of the ‘state of cybercrime’, as described in our ongoing series of the ‘Verizon Data Breach Investigations Report’. In these reports, we use a standard framework to describe all the factors leading to data breaches – based on the forensic investigations that our team has done. Since last year, we have also included data from investigations done by the United States Secret Service and this year we have added the Dutch High Tech Crime Unit’s cases to the report. We think that providing this insight can really help organizations in prioritizing their defense efforts. Just because something is technically possible, does not mean it is a very likely threat or something you should immediately focus on – something we sometimes forgot in the ongoing news cycle of new vulnerabilities and clever and exciting hacks.

I hope to raise awareness about the need for sharing data between organizations to get a better picture for everybody about what is going on in this field and will show attendees how such data sharing can be done without compromising on case confidentiality.

Don't miss