An eye on forensics

Powered by SC Magazine
 

The digital forensics industry has undergone significant change in the last 15 years.

Arguably the most significant change in forensics since the 1990s is the fracturing of what was a single title into specialist fields like database forensics, mobile forensics and network forensics.  This shift reflects the dynamic change in technology used by both criminals and detectives to hide or reveal information that can often prove vital in criminal and civil legal cases.

Scott Mann recalls the challenges of digital forensics during his time in the Victoria Police force in the early ‘90s.

“What we talked about back then was disk forensics, mostly hard disks,” said Mann – who is now director of Melbourne-based Invest-e-gate. “We would come up against a 10GB drive to image with a 16-bit DOS-based command tool.  That took hours to copy, let alone conduct the analysis.”

Mann and others in the field now have an arsenal of comprehensive and capable forensics tools to address the modern challenges of encryption, solid state drives and storage that runs into terabytes. Curiously, it's the latter – the sheer size of the data to analyse – which remains the biggest challenge.

“The tasks we did back then were not dissimilar from what we do now – we face massive amounts of storage that can take hours to copy.”

It is easier for targets to use defensive mechanisms such as encryption, as the technology has been commoditized across almost every device. But the crucial evidence trails that lead to successful investigations still remain.

“Data hiding has always been around,” Mann said. “It comes down to how determined an individual is to cover their tracks. It’s still difficult to commit the perfect crime.”

He points out that in crimes such as hacking, the offender usually wants to steal, store and sell something – the latter often bringing about their undoing.

Investigators, meanwhile, rarely have a single lead or skill set. Teams of forensic professionals with specialist skills work together on large corporate data breaches to analyse evidence. Network traffic is analysed, malicious code is reversed and disks and logs are examined.

“This is where digital investigation has evolved - there are all of these expert silos. It used to be that it was enough to know the disk forensics component to be able to call yourself a well-rounded digital investigator.”

Evidence trails have changed too, and become more complex. The proliferation of mobile devices in the corporate world has stretched the boundaries within which data could be lost or stolen. Employees can send data from mobile phones, laptops or unauthorised wireless access points.


Mapping avenues of inquiry


This can create legally complex scenarios. Mann said other avenues of inquiry must be pursued when data is suspected to have been compromised on personal devices.

Breach victims thrown into the new but familiar world of forensics can place themselves in the best possible position with preparation. The most important advice is a timeless rule that applies to almost any crime scene: don’t touch anything.

Or rather, “act minimally”, Mann said. Downtime in modern businesses can be unacceptable, so IT administrators should access only the bare minimum of resources on the IT infrastructure and be wary of what could become forensic evidence.

“I call it the quality and quantity of evidence,” he said. “Every time you run a tool on a machine, you must at the very least accurately document it. This will give your forensics professionals an idea of impact and they can adjust their audit to your footprint.”
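One way an administrator can put Mann's advice into practice is to keep an append-only record of every tool run on a suspect machine, so the forensics team can see the responder's footprint. The following is an added example, not part of the article or of Invest-e-gate's material; the host name, operator and commands in the demo are constructed, and the hash chaining of entries is a technique added here to make later edits or deletions in the record detectable.

```python
# Responder footprint log (added example, not from the article): each tool run on a
# suspect machine is appended as a JSON line, and each line carries the SHA-256 of the
# previous line so later removal, editing or reordering of an entry is detectable.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" for the first entry in a fresh log

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _last_line_hash(log_path):
    if not os.path.exists(log_path):
        return GENESIS
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    return _sha256(lines[-1]) if lines else GENESIS

def record_action(log_path, host, operator, command, purpose, tool_path=None):
    """Append one entry describing a tool run on the host; returns the entry as a dict."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "host": host, "operator": operator, "command": command, "purpose": purpose,
        # hash of the tool binary actually executed, when the responder supplies its path
        "tool_sha256": _sha256(open(tool_path, "rb").read()) if tool_path else None,
        "prev_entry_sha256": _last_line_hash(log_path),
    }
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry

def verify_log(log_path):
    """True when every entry links to the line before it, i.e. the record is intact."""
    with open(log_path, "rb") as f:
        lines = f.read().splitlines()
    expected = GENESIS
    for line in lines:
        if json.loads(line)["prev_entry_sha256"] != expected:
            return False
        expected = _sha256(line)
    return True

def demo():
    """Constructed scenario: two actions are logged, then the first entry is deleted."""
    path = os.path.join(tempfile.mkdtemp(), "responder_log.jsonl")
    record_action(path, "fileserver-01", "it-admin", "netstat -anp", "list open connections")
    record_action(path, "fileserver-01", "it-admin", "cp -a /var/log /mnt/evidence", "preserve logs")
    intact = verify_log(path)
    with open(path, "rb") as f:
        lines = f.read().splitlines()
    with open(path, "wb") as f:  # tamper with the record by dropping the first entry
        f.write(lines[1] + b"\n")
    return intact, verify_log(path)  # (True, False)
```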

The last decade has also seen big businesses more prepared and aware of due process during data breaches. Many have Computer Emergency Response Teams located in-house that maximise the effectiveness of forensic work while individuals at smaller organisations tend to avoid trampling digital evidence.

See Mann’s brief guide to responding to breaches: (pdf) http://bit.ly/tr0iu7

Copyright © SC Magazine, Australia

