Computer Forensics

11 10 2011

If you have ever watched a modern TV crime drama such as CSI or Law and Order, chances are you have seen the “tech geeks” who are brought into a crime scene to investigate a computer and recover data and files for the investigation.  What you may not know is that these people do actually exist in the real world, and they are actively working each day to bring criminals to justice.  Their efforts help to find digital criminals around the world, and are an important part of digital crime investigations.

US-CERT defines computer forensics as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” [1].  Compiling this evidence is an important part of the investigative process for the two primary types of computer investigations: those in which one or more computers were used as an instrument to commit a crime or some other misuse, and those in which the computer or network is itself the target of the crime [2].  While analysis of the collected data is what ultimately provides the necessary evidence, collecting that data in the first place can be difficult.

The two basic types of data collected by investigators are persistent data and volatile data.  Persistent data is data stored on a local hard drive (or another medium) that is preserved when the computer is turned off [1].  Volatile data is any data that is stored in memory, or exists in transit, and that will be lost when the computer loses power or is turned off [1].  It is the volatile data that can be difficult to collect, as it is easily lost during the collection process if the investigators are not careful.  Additional complications arise from damaged, deleted, or encrypted files, which require investigators to use the correct tools to avoid further damage to the files during collection [1].
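A minimal illustration of the collection requirement described above, added here as an example and not taken from the original post or from US-CERT: it copies a file-backed source to an image while hashing the source stream, re-hashes the written image from disk, and records both digests in a manifest so the copy can later be shown to be unchanged. The file names, manifest layout, function names and sample content are constructed for this example; acquiring a physical drive would additionally sit behind a hardware write blocker, which software alone cannot replace.

```python
"""Acquire a file-backed evidence source into an image and record integrity hashes.

Added example illustrating the 'collect without altering it' requirement for
persistent data. Not code from the original post or from US-CERT; the manifest
layout and function names are this example's own, and the sample source file is
constructed in demo().
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB reads keep memory flat regardless of media size


def sha256_file(path: str) -> str:
    """Hash a file from disk in chunks; used to confirm what actually landed on the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path: str, image_path: str) -> dict:
    """Copy source_path to image_path, hashing the source stream as it is read.

    The source is opened O_RDONLY so the acquisition itself cannot write to it.
    The image is then re-read from disk and hashed independently, so a mismatch
    between the two digests means the copy was corrupted in transit or on write.
    """
    src_hash = hashlib.sha256()
    size = 0
    fd = os.open(source_path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as img:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            img.write(chunk)
            size += len(chunk)
    manifest = {
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image_path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    # The manifest travels with the image; its digests are what a later examiner checks.
    with open(image_path + ".manifest.json", "w") as mf:
        json.dump(manifest, mf, indent=2)
    return manifest


def verify(image_path: str, manifest: dict) -> bool:
    """Re-hash the image and compare with the manifest; False means the evidence changed."""
    return sha256_file(image_path) == manifest["image_sha256"]


def demo() -> dict:
    """Run an acquisition on a constructed source file and show verify() catching a change."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_volume.bin")
    image = os.path.join(workdir, "suspect_volume.dd")
    content = b"A" * 70000 + b"constructed evidence payload"  # spans more than one CHUNK
    with open(source, "wb") as f:
        f.write(content)
    manifest = acquire(source, image)
    intact = verify(image, manifest)
    with open(image, "r+b") as f:  # simulate a single-byte change to the image
        f.write(b"B")
    return {
        "manifest": manifest,
        "hashes_match": manifest["source_sha256"] == manifest["image_sha256"],
        "expected_sha256": hashlib.sha256(content).hexdigest(),
        "verify_before_change": intact,
        "verify_after_change": verify(image, manifest),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the source stream and the written image separately is the point of the exercise: a single digest computed from the bytes in memory would not tell you whether the image on disk matches what was read.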

One example of forensics assisting in a court trial comes from the recently released information regarding the death of pop singer Michael Jackson.  The computer forensics examiner in the trial recovered critical timeline emails, digital medical charts thought to be non-existent, and a damaging audio recording of an impaired Michael Jackson reportedly made by his personal doctor, who is on trial [4].  This example showcases the ability of computer forensics to recover data believed to be lost or undiscoverable.  Modern methods and training are still evolving and improving, increasing both the number and the skills of individuals who can provide support in cases such as this.

If you are wondering how you can get your foot in the door of the computer forensics world, one example of a training certification program is the Computer Hacking Forensic Investigator certification provided by the EC-Council.  This certification program provides people with the “necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute in the court of law” [3].  Such individuals are in demand, and can apply new and evolving technologies to recover evidence in the field.  While certification programs such as this one provide the training, it is also important to acknowledge that methods must adapt as the technology evolves.  For this reason, research facilities like CERT are looking into new methods for computer forensics.

At CERT, the forensics team works on “gap areas” that are not addressed by commercial tools or standard techniques [5].  These areas include resource amplification, memory extraction and analysis, and encryption counter-measures [5].  The study of these areas is intended to improve the performance of computer forensics and increase the ability of investigators to recover and analyze data.  If successful, this work would greatly improve the quality and outcomes of digital investigations.  As the field continues to evolve and improve, I think it would be great to be on the cutting edge of innovative ideas and techniques for recovering and analyzing data that can aid in the capture of cyber criminals.  While you may not have your own trailer or dressing room, you could be a real-life TV star working to bring criminals to justice, though you may have to bring your own camera.



The Art of Cyber War: Keeping Hackers on a Tight Leash

29 09 2011

Many of us may have envisioned that future human warfare will be conducted predominantly in cyber space. Cyber warfare (CBW) may still be an abstract concept to the general population, but as information security professionals we know that the battle has already begun. CBW includes not only international espionage but also domestic intrusion into organizations’ information network systems, such as corporate and banking networks and government databases. Countries are spying on each other, and individual hackers are exploiting the vulnerabilities of information systems. The most frightening part of CBW is that it takes only one hacker to create extensive, irreversible damage. Given the risk we face, continuously revamping security systems and creating new techniques is not enough to confront invaders who are also upgrading, transforming, and becoming more advanced. A more proactive effort that approaches the challenge from other angles is needed.

The ancient Chinese military treatise “The Art of War” suggested a basic principle that applies to any kind of warfare: if you know your enemy as you know yourself, you will be in a winning position in every battle.  The underlying rationale of the principle is that one can only gain control over subjects or objects that one profoundly understands. In order to keep hackers on a tight leash, cyber security professionals need to study who and what they are up against. This principle may sound exaggerated, yet its significance has been borne out by the wars won in Chinese history.

For this principle to work, a precondition has to be met.  We need to be experts on every aspect of ourselves: our goals for securing systems, our information management technology, our competence to secure the information networks, our ability to respond immediately to incidents, and our potential to improve and develop methodologies in the field. This is what many information security professionals are focusing on.

However, by meeting this precondition we have only 1/3 of the probability of winning the war, as Sun Tzu, the author of “The Art of War,” would say. To gain the next 1/3 of a chance to win, we need to study every aspect of the intruder’s aspirations. For example: who in the population is capable of being an intruder? What is the geographical information about this sub-population? Do they have the kind of personality and motive to commit an intrusion? Are there any observable abnormal behaviors in their daily work? Where in the system would they be likely to start acting out? What kind of technique would they be likely to use?

Through scientific studies, both experimental and non-experimental, we can gain an objective understanding of the intruders. For instance, between 2002 and 2007 the insider threat study team at CERT collaborated with the U.S. Secret Service. Together they collected data on 250 incidents that caused varying levels of damage to the information systems of affected organizations [1]. The data clearly showed general trends in the characteristics of the attackers.  Seventy-seven percent of the attackers were former or current full-time employees [2].  Eighty-six percent of the intruders held technical positions, including 36% system administrators, 21% programmers, 14% engineers and 14% IT specialists [3]. Although 96% of the 250 attackers were male, there was not enough evidence to support the hypothesis that hacking behavior is associated with gender: the sampling method and the gender ratio of people working in IT jobs are two possible confounding variables. The subjects were demographically varied in terms of age, race, gender, and marital status.

Researchers also found that the main motive for their actions was revenge [4]. In 92% of the cases, the attackers were triggered by an unpleasant work-related event [5]. After experiencing cognitive dissonance from the negative events, the subjects were likely to develop a motivational drive to reduce their discomfort by whatever means were accessible to them. Thus, using their specialty in technology and their authenticated access to intrude into the network system is a way to retaliate against their employers. In addition, revenge is justified not only by religious beliefs but also by concerns about social law enforcement, such as the death penalty. For details of this finding, please refer to the original article.

After this brief analysis, we now have a better idea of who is more likely to violate 18 USC §1030 and why they decide to do it. This sub-population needs to be studied explicitly to obtain the second 1/3 of the probability of winning.
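The questions raised above about observable behavior, together with the study findings that most attackers were former or current employees in technical roles acting after a negative work event, translate into defender-side checks over authentication and privilege logs. The following is an added example, not code from the original post or from the CERT study: the log format, HR roster, negative-event record, business-hours window and seven-day watch period are all constructed assumptions for illustration.

```python
"""Flag authentication and privilege events that match the insider profile described above.

Added example, not part of the original post or of the CERT/USSS study. The log
format, roster, HR-event list and thresholds are constructed here. Three
defender-side checks are encoded:
  1. an account that no roster entry explains (orphaned or unknown account),
  2. access by an account whose owner has already separated,
  3. privileged actions outside business hours shortly after a recorded
     negative work event.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+): user=(\S+) (.*)$")  # constructed log format
BUSINESS_HOURS = range(8, 18)   # UTC hours treated as normal working time (assumption)
HR_WINDOW = timedelta(days=7)   # how long after a negative event we watch more closely


@dataclass
class Alert:
    ts: datetime
    user: str
    reason: str
    line: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR roster: role, separation date (None = still employed), privileged flag.
ROSTER = {
    "jdoe":   {"role": "sysadmin",   "separated": "2011-09-15T17:00:00Z", "privileged": True},
    "asmith": {"role": "programmer", "separated": None,                   "privileged": False},
    "rlee":   {"role": "dba",        "separated": None,                   "privileged": True},
}

# Constructed record of negative work events reported by HR (e.g. a formal reprimand).
HR_EVENTS = {"rlee": "2011-09-27T09:00:00Z"}

# Constructed log lines in the format LOG_RE expects.
SAMPLE_LOGS = [
    "2011-09-28T02:13:44Z host1 sshd: user=jdoe Accepted publickey from 10.0.0.5",
    "2011-09-28T10:05:10Z host2 sshd: user=asmith Accepted password from 10.0.0.7",
    "2011-09-28T23:40:02Z db1 sudo: user=rlee COMMAND=/usr/bin/pg_dump customers",
    "2011-09-28T14:00:00Z db1 sudo: user=rlee COMMAND=/usr/bin/systemctl restart postgresql",
    "2011-09-29T03:00:00Z host3 sshd: user=unknownsvc Accepted publickey from 10.0.0.9",
]


def detect(lines, roster, hr_events) -> list:
    """Return one Alert per log line that matches a rule; the first matching rule wins."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped here; a real pipeline would count these
        ts = parse_ts(m.group(1))
        user = m.group(4)
        entry = roster.get(user)

        # Rule 1: nobody in HR owns this account.
        if entry is None:
            alerts.append(Alert(ts, user, "unknown_account", line))
            continue

        # Rule 2: the account's owner left before this event happened.
        sep = entry["separated"]
        if sep is not None and ts >= parse_ts(sep):
            alerts.append(Alert(ts, user, "former_employee_access", line))
            continue

        # Rule 3: privileged, off-hours, and inside the watch window after an HR event.
        event = hr_events.get(user)
        if entry["privileged"] and ts.hour not in BUSINESS_HOURS and event is not None:
            ev = parse_ts(event)
            if ev <= ts <= ev + HR_WINDOW:
                alerts.append(Alert(ts, user, "privileged_offhours_after_hr_event", line))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, ROSTER, HR_EVENTS):
        print(f"{a.ts.isoformat()} {a.user:<12} {a.reason}")
```

On the constructed sample this raises three alerts: the separated sysadmin still authenticating, the DBA running an after-hours dump the day after a recorded HR event, and a service account with no roster owner. The rules depend on a current HR feed; a stale roster turns rule 2 into noise and hides rule 1 entirely.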

For questions, you may contact me at or make a comment on

1. Insider Threat Study, CERT at Carnegie Mellon University, May 2008

2. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

3. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

4. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005

5. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005