My phone rings whenever an IDT911 client is hacked, suffers a data breach, or is a victim of identity theft via digital means. My job as chief information security officer is to look at all the digital evidence.

When possible, I reconstruct the cyber attack. It’s C.S.I. work. By reconstructing the attack, often I can tell where it came from, how it unfolded and—most importantly—who did it. It’s a way of finding and preserving digital evidence. There’s a reason that it’s called forensics.

Digital forensics can be divided into four categories. Knowing what they are and how to handle them in the event of an attack can help me do my job and restore your company’s daily operations.

The four categories of digital forensics:

1.  Static media. This is your computer or smartphone’s hard drive. It’s the storage media that’s fixed, unmoving and often the first thing we look at in an investigation.

2.  Volatile information. This is a little more complex. It’s the information in your system’s memory, or RAM, and the computer processes, or CPU. This can tell us what processes were running at the time of the attack.

3.  Network forensics. This is a top-down traffic analysis. Was your computer on a network? Or on the Internet? What types of calls were being made into your machine? Was it making outgoing calls?

4.  Binary and malware analysis. If and when we find malicious software on your computer, this is where and how we deconstruct it. We look at when the program was made and whether the author left any traces that could aid identification.

These are the four areas you want to try to preserve if your system is compromised. How you react depends on what’s happening. If you notice a digital crime in progress, it might be tempting to shut the machine down to stop it, but this could erase vital information. If you have reason to believe the malware or hacker will spend some time inside your machine—without causing devastating personal damage—keep the system running and contact a professional.

It’s safe to shut down the computer before you seek help if the hack happened months ago and files were affected. It may also prevent a follow-up attack.

If your computer is on a network, ask the administrator or owner if network traffic is recorded. Many businesses and government networks have banks of static drives that record network traffic in the event of an attack. This is a silver bullet in a forensic investigation because you can literally “watch” the hack unfold as if it were recorded on a surveillance camera.

Most importantly, if you’re hacked, breached or the victim of digital identity theft, you’ll need an information security specialist and digital forensic specialist to get to the bottom of the case. Knowing what we do, I hope, will make you a more informed victim, which ultimately will help us catch your bad guy.

Ondrej Krehel, Chief Information Security Officer,
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

2 Responses

  1. Tim Wander says:

    Ondrej,

    I want to thank you for your presentation yesterday at the RIMS workshop in wash d.c. Very interesting. I also appreciated that although your technical knowledge of the subject was far above the group, your presentation was on target and at the appropriate level for the group.

    …Tim

  2. admin says:

    Tim,

    Glad to hear that you enjoyed my presentation at the RIMS DC. It is indeed very challenging to find suitable level for the audience. I enjoyed being around such distinguished group of professionals.

    Ondrej

Leave a Reply