Sit down with a forensic investigator for an hour and you're sure to hear some interesting stories.

Like the time a digital investigation was initiated after a university student in Western Canada, who was using his school's internet connection to distribute child pornography, left a thumb drive containing illicit material in a public computer. The perpetrator was, incidentally, nabbed by police after stopping by the school's IT department asking if anyone had turned in the missing device.
Or, there was the time a forensicator – what digital investigators often call themselves – had to dig into a deceased employee's computer to determine if anything work related caused the person to take their own life.
The field of computer forensics is still a relatively new discipline, and is constantly evolving. A combination of law and computer science, the field is defined as the practice of gathering and examining data from computer systems, networks and wireless devices in a way that, if necessary, will hold up as evidence in a court.
Historically driven by human relations and legal issues, in cases like the examples above, digital investigations are now increasingly being launched following data breaches and suspected computer intrusions, experts say.
With the frequency and sophistication of today's cyberattacks, computer forensics has become an integral aspect of information security incident response plans, especially for those in government and the technology and defense industries.
A new reality
“Digital forensics in IT security is necessary to provide a new component called threat intelligence,” says Rob Lee, faculty lead for digital forensics at the SANS Institute, a leading source for information security training.
Lee, a forensicator for more than 15 years who has worked for the special investigations branch of the US Air Force Office and as a contractor for the National Security Agency and CIA, says digital investigations can provide critical information about the tools, techniques and procedures leveraged by adversaries. Given today's flourishing threat landscape, where advanced persistent threats (APTs), financially-motivated cybercrime and hacktivism are rampant, the necessity of integrating forensics into incident response plans is becoming “a new reality,” he says.
Most organisations have already deployed a host of layered security defenses that are helping to keep intrusions at bay, experts say. Still, recent compromises of government agencies, security firms and international corporations show that no defense is foolproof, and determined adversaries can usually make their way in, says Dave Merkel, CTO of Mandiant, a firm that specialises in cyber incident response and computer forensics.
“Even with a great security staff and a high budget, the likelihood that you can be compromised is high,” says Merkel, who has been a digital investigator for a decade and a half. “Every organisation we see can be breached.”
And that's precisely the reason why many forward-thinking organisations, which are looking for better ways to fight back, have bolstered their forensic capabilities. Forensic investigations are a central part of the federal cybersecurity strategy, according to an analyst at US-CERT, the agency tasked with responding to and defending against cyberattacks targeted at the executive branch of government. US-CERT currently has seven full-time staffers to analyse federal government hard drives in response to evidence of intrusions, and the team is growing rapidly, having doubled in the past 18 months.
Cybersecurity investigations are a different breed of forensics than traditional human relations and legal cases, experts say. While any digital investigation necessitates forensic best practices, such as maintaining a so-called chain of custody, the goal of a cyber incident response-driven inquiry is not necessarily to catch a criminal and get a successful prosecution, says SANS' Lee.
The main purpose is, rather, to determine the extent of a compromise and fully eradicate adversaries from all their hiding places within the network. In addition, such investigations are meant to determine how an intruder gained access to enterprise systems, where they went, what they were after and whether any data was taken. The US-CERT analyst, who asked not to be named, says forensic examinations begin as a reactive information security activity, but often turn into a proactive investment.
Within the agency, such examinations often yield information about how a piece of malware operates and how an attack was carried out. This information is fed back to the network analysis team, which can come up with ways to better detect similar threats in the future. This information is also shared, when appropriate, with the public.
Staying ahead of threats
Besides the government, every company within the defense industrial base is currently using forensics to better its security posture, Lee says. Such organisations, along with commercial technology firms, have historically faced some of the most frequent and advanced attacks. They consequently began using forensic threat intelligence to their benefit several years ago.
“The only way to stay ahead of [today's threats] is to have a team that will help you generate additional threat intelligence,” Lee says. “That's where digital forensics is becoming extremely useful in commercial and government organisations.”
Many other companies are behind the curve, however, according to a report released in March by McAfee and Science Applications International Corp., a scientific, engineering and technology applications company. The “Underground Economies” report, based on a survey of more than 1000 senior IT decision-makers, reveals that just a quarter of organisations conduct a forensic analysis after sustaining a data breach.
Further, just half of organisations take any steps at all to remediate and protect systems following breaches or attempted intrusions, according to the report. More than half of organisations have, at some point, decided to forego the investigation of a security incident due to the cost.
“This lack of investigation means that potential vectors of attack are not shored up and future penetration is possible or the threat persists,” the report states. “Insiders are not identified, and incongruities are not investigated to identify a larger threat.”
Even so, some firms that were less aggressively targeted in years past, such as those in the energy sector, are now starting to consider the benefits of integrating forensics into their plans, Mandiant's Merkel says.