Exploring the world of digital forensics

Jess Garcia, founder of One eSecurity, is a senior security engineer and an active security researcher in areas of incident response, computer forensics and honeynets. In this interview he talks about mobile forensics, cyber crime scenes, how forensics experts testify in court, privacy concerns, and more. Garcia will be teaching at SANS Forensics Prague 2012.

Let’s say we’re looking at a cyber-crime scene comprised of several still powered on computers as well as confiscated smartphones. When the forensic investigator arrives, what does his workflow look like?

Mobile devices are typically the most volatile of all the evidence, because they are constantly exchanging data (via wifi, 3G, Bluetooth, calls/SMS, etc.). The typical first step is to isolate those devices using appropriate measures (such as Faraday bags), to prevent a potential remote wipe or alternative technique directed to alter or destroy evidence in the device.

Certain precautionary measures should also be taken into account, like disabling access passwords or PINs in case the device is unlocked (for preventing re-locking), connecting it to a power source (to prevent battery exhaustion), etc. Similar steps should be taken with computers (in case they are connected to the network).

After that, a traditional forensics process can be carried out: on-site triage and pre-analysis if required, forensic acquisition of memory, hard drives, evidence preservation, etc.

Mobile devices can at times be acquired at the forensic lab, where you work in a more friendly environment with a better signal isolation. In that case, you need to make sure the device is kept connected to a power source at all times, since the signal isolation will quickly drain the batteries.

What forensics tools do you prefer and why?
I literally have hundreds of forensic tools in my “bag”, both open source and commercial, Windows, Linux and Mac. Each case typically requires different tools and techniques, and sometimes a specific small utility can save you hours of work. It is important to be up to date with the latest versions, keep an eye on new tools and new features of your current tools.

If I have to mention just one tool, I will mention the SANS SIFT, which is open source and freely downloadable from the SANS website, and which comes with a myriad of forensic tools ready to use in a forensically friendly environment.

What advice would you give to a forensic investigator that needs to present his findings in front of a jury in court?
Court is a weird, confusing and at times hostile environment for technical professionals. In our world things are binary, black or white. Law is all about interpretation.

If you need to testify in court, just be objective, translate to normal words any non-technical person can understand your findings and conclusions, in a professional and scientific way.

There is an excellent book, A Guide to Forensic Testimony, which I love and I always recommend to my students. It is a must read if you are going to testify in court, as it will open your eyes to how things work. A perfect case can be a lost case if the expert witness is not able to properly translate the findings for the audience.

How can a forensic investigator make sure he strikes a balance between his work and a users’ right to privacy?
In a corporate environment there should be policies that take care of this, defining what a forensic Investigator can or cannot do. However, in many cases they are actually not in place, and you will have to use your common sense. But beware: the boundaries and interpretation of law are not easy to understand for a forensic examiner, and our common sense is sometimes not valid.

I always recommend to check with a lawyer as required. My advice would be: “be conservative and ask for expert advice if in doubt.”

Said that, our forensic tools can also help, as they allow us to do “blind searches” over the evidence which, with the right keywords, might be enough evidence that something is fishy.

What are the fundamental differences in investigating Windows, Linux and Mac OS X systems?
The difference is that in the Windows environment almost every artifact is a proprietary format and requires a different tool and technique for analysis, while in the Linux and Mac OS X worlds (which are part of the same *NIX family) artifacts are typically text or pseudo-text (some plist files can be compressed, but they can easily be decompressed on the fly).

This allows easily automating many of the tasks in Linux/Mac investigations, consequently speeding them. Also there are many more obscure artifacts in the Windows world that we tend to discover day by day, being the Registry a world on its own.

When I teach the SANS FOR408 course, in which we cover many of those artifacts, the vast majority of the students are not familiar with most of these artifacts, including very experienced professionals.

What does your SANS training course look like? What skills can attendees expect to acquire?
Think of a SANS course like one of the most extreme learning experiences you’ve ever had. One of the old sayings that students repeat is: “It feels like drinking from a firehose!” A SANS course is much more than just teaching some material.

Every instructor makes an effort to share his own real world experience (which in my case is 15+ years in computer security and forensics), in an intense and passionate way. We cover lots and lots of content, in a VERY hands-on way, with demos, in-class discussions, experience sharing, real world examples, etc.

We all love this field, students and instructors, and both enjoying and learning as much as possible is the final objective. Always with a focus on real world practical things, on things that you can put to use as soon as you go back to the office.