My phone rings whenever an IDT911 client is hacked, suffers a data breach, or is a victim of identity theft via digital means. My job as chief information security officer is to look at all the digital evidence.
When possible, I reconstruct the cyber attack. It’s C.S.I. work. By reconstructing the attack, often I can tell where it came from, how it unfolded and—most importantly—who did it. It’s a way of finding and preserving digital evidence. There’s a reason that it’s called forensics.
Digital forensics can be divided into four categories. Knowing what they are and how to handle them in the event of an attack can help me do my job and restore your company’s daily operations.
When I tell people I work in forensics they always mention CSI: Geeks in white lab coats standing over test tubes of blood, or slides of hair, running computer programs with GUIs that look more like Avatar than Windows 7, Ubuntu, or Mac OS.
Then I explain that it’s digital forensics—that I collect information from computer chips instead of tissue samples—and they get that look like I just let them down. OK, hard drives aren’t as cool as handgun ballistics, I get that, but the process of data collection and case-building is remarkably similar whether the subject matter is Western Digital or Smith and Wesson.
Recently I wrote an , a leading network forensic website, on open source toolkits for analysts. These are computer programs that help me do my job. As I mention in the article, it’s important to plan for digital-evidence-gathering when building security systems. In hundreds of cases, network forensics has stood up to legal scrutiny as primary evidence and has put more than one black hat in jail.
There’s been a lot of commentary and gotcha-style journalism surrounding the Sony data breach, but not much constructive criticism.
Yes, the breach could easily have been prevented. Had Sony enabled fairly standard firewall technology and kept its systems up to date with the latest patches, most likely none of this would have happened.
Since most of us have enabled firewalls on our personal computers and are aware of the risks if we don’t, Sony’s mistake immediately smacks of foolishness. But setting up protection for a network of 100 million users is a little different from protecting the Mac in your living room.
I’ve touted the benefits of fast, new solid-state drive (SSD) technology and the recent push toward hardware drive encryption more than once. Now, it seems, they might be making my job harder.
A group of researchers found that the algorithms used to keep SSDs running in tip-top shape also destroy a host of hidden data—data that forensic investigators look for when researching drive usage and recovering forensic artifacts.
The team found that after a quick format the SSD began purging drive data almost immediately—a process of deep cleaning the disk by overwriting the old data with 1s and 0s. Flash cells must be erased before they can be written again, unlike magnetic media, which can write new data directly over old data. In the researchers’ test case, only 1,064 evidence files were recoverable out of 316,666 files on the drive.
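To make the recoverability gap concrete, here is an added toy model (my own illustration, not code from the post or the researchers) of a quick format on a magnetic disk versus an SSD whose controller erases freed blocks in the background. The block layout, file sizes and the assumption that garbage collection runs immediately and completely are simplifications chosen for the example.

```python
"""Toy model: why a quick-formatted SSD yields far fewer carvable files than a
magnetic disk. Constructed example; block sizes and the eager, complete
garbage collection are simplifying assumptions, not a real controller."""
from dataclasses import dataclass, field


@dataclass
class Disk:
    """Fixed-size blocks. With ssd=True, flash must be erased before it can be
    rewritten, so a background collector wipes blocks as soon as the file
    system marks them free (TRIM-like behaviour)."""
    blocks: int
    ssd: bool
    data: list = field(init=False)
    free: set = field(init=False)

    def __post_init__(self):
        self.data = [b""] * self.blocks
        self.free = set(range(self.blocks))

    def write_file(self, name: str, size_blocks: int) -> list:
        """Allocate blocks and fill each with a recognisable file signature."""
        if size_blocks > len(self.free):
            raise OSError("disk full")
        used = sorted(self.free)[:size_blocks]
        for i in used:
            self.data[i] = f"{name}:{i}".encode()
            self.free.discard(i)
        return used

    def quick_format(self) -> None:
        """A quick format only discards the allocation table; block contents
        survive on magnetic media, but the SSD model erases freed blocks."""
        self.free = set(range(self.blocks))
        if self.ssd:
            self.garbage_collect()

    def garbage_collect(self) -> None:
        for i in self.free:
            self.data[i] = b""  # flash erase: contents gone, block writable


def carve(disk: Disk, names) -> int:
    """File carving: count files whose signature still appears in any block,
    without relying on the (now empty) allocation table."""
    blob = b"\n".join(disk.data)
    return sum(1 for n in names if f"{n}:".encode() in blob)


def recoverable_after_format(ssd: bool, n_files: int = 20, size: int = 4) -> int:
    disk = Disk(blocks=n_files * size, ssd=ssd)
    names = [f"file{i}" for i in range(n_files)]
    for n in names:
        disk.write_file(n, size)
    disk.quick_format()
    return carve(disk, names)
```

On the magnetic model every file is still carvable after the format; on the SSD model nothing is, which is the investigator's problem in a nutshell. A real controller collects garbage gradually, which is why the researchers still recovered a small fraction of their files.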