Arguably the most significant change in forensics since the 1990s is the fracturing of what was a single title into specialist fields like database forensics, mobile forensics and network forensics. This shift reflects the dynamic change in technology used by both criminals and detectives to hide or reveal information that can often prove vital in criminal and civil legal cases.
Scott Mann recalls the challenges of digital forensics during his time in the Victoria Police force in the early ‘90s.
“What we talked about back then was disk forensics, mostly hard disks,” said Mann – who is now director of Melbourne-based Invest-e-gate. “We would come up against a 10GB drive to image with a 16-bit DOS-based command tool. That took hours to copy, let alone conduct the analysis.”
Mann and others in the field now have an arsenal of comprehensive and capable forensics tools to address the modern challenges of encryption, solid state drives and storage that runs into terabytes. Curiously, it's the latter, the sheer size of the data to analyse, which remains the biggest challenge.
“The tasks we did back then were not dissimilar from what we do now – we face massive amounts of storage that can take hours to copy.”
It is easier for targets to use defensive mechanisms such as encryption, as the technology has been commoditized across almost every device. But the crucial evidence trails that lead to successful investigations still remain.
“Data hiding has always been around,” Mann said. “It comes down to how determined an individual is to cover their tracks. It’s still difficult to commit the perfect crime.”
He points out that in crimes such as hacking, the offender usually wants to steal, store and sell something – the latter often bringing about their undoing.
Investigators, meanwhile, rarely have a single lead or skill set. Teams of forensic professionals with specialist skills work together on large corporate data breaches to analyse evidence. Network traffic is analysed, malicious code is reversed and disks and logs are examined.
“This is where digital investigation has evolved - there are all of these expert silos. It used to be that it was enough to know the disk forensics component to be able to call yourself a well-rounded digital investigator.”
Evidence trails have changed too, and become more complex. The proliferation of mobile devices in the corporate world has stretched the boundaries within which data can be lost or stolen. Employees can send data from mobile phones, laptops or unauthorised wireless access points.
This can create legally complex scenarios. Mann said other avenues of inquiry must be pursued when data is suspected to have been compromised on personal devices.
Breach victims thrown into the new but familiar world of forensics can place themselves in the best possible position with preparation. The most important advice is a timeless rule that applies to almost any crime scene: don’t touch anything.
Or rather, “act minimally”, Mann said. Downtime in modern businesses can be unacceptable, so IT administrators should touch only the bare minimum of resources on the infrastructure and be wary of what could become forensic evidence.
“I call it the quality and quantity of evidence,” he said. “Every time you run a tool on a machine, you must at the very least accurately document it. This will give your forensics professionals an idea of impact and they can adjust their audit to your footprint.”
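As an added illustration of the “document every tool you run” advice (this is example code written for this page, not a tool from the article, Mann or Invest-e-gate), the POSIX shell wrapper below records each command a responder runs on a suspect host: a UTC timestamp, host, user, working directory, the resolved tool path and its SHA-256, the exact arguments, the exit status, and the path and SHA-256 of the captured output. The log file name and the tab-separated field layout are this example's own choices; the intent is that the forensics team can later subtract the responder's footprint from the evidence.

```shell
#!/bin/sh
# Example footprint log for responders who must touch a live host before it
# is imaged. Appends one record per tool invocation to $FOOTPRINT_LOG
# (default ./footprint.log, a name chosen for this example).

FOOTPRINT_LOG="${FOOTPRINT_LOG:-./footprint.log}"

# sha256 of a file, portable across sha256sum (Linux) and shasum (macOS/BSD)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# logged_run CMD [ARGS...]
# Runs the command, captures stdout+stderr to a per-run file next to the
# log, then appends a record describing what was run and what it produced.
# Returns the command's own exit status so it can be used in place of CMD.
logged_run() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # resolve the tool so the record names the binary actually executed
    tool=$(command -v "$1") || tool="$1"
    tool_hash=$( [ -f "$tool" ] && hash_file "$tool" || echo "unknown" )
    out="${FOOTPRINT_LOG}.$(date -u +%s).$$.out"
    status=0
    "$@" >"$out" 2>&1 || status=$?
    out_hash=$(hash_file "$out")
    printf '%s\thost=%s\tuser=%s\tcwd=%s\ttool=%s\ttool_sha256=%s\targs=%s\tstatus=%s\tout=%s\tout_sha256=%s\n' \
        "$ts" "$(hostname 2>/dev/null || echo unknown)" "$(id -un)" "$PWD" \
        "$tool" "$tool_hash" "$*" "$status" "$out" "$out_hash" \
        >>"$FOOTPRINT_LOG"
    return "$status"
}

# last_record: print the most recent log line, for quick review
last_record() {
    tail -n 1 "$FOOTPRINT_LOG"
}
```

Usage is `logged_run netstat -an` or `logged_run ps aux` in place of the bare command; the responder hands the log and the `.out` files to the forensics team along with the evidence. Hashing the tool binary matters because a responder's own copy of a utility may differ from the one on the compromised host, and hashing the output lets the team verify later that the captured files are the ones the log describes.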
The last decade has also seen big businesses more prepared and aware of due process during data breaches. Many have Computer Emergency Response Teams located in-house that maximise the effectiveness of forensic work while individuals at smaller organisations tend to avoid trampling digital evidence.
See Mann’s brief guide to responding to breaches: (pdf) http://bit.ly/tr0iu7