If you look up forensics in the dictionary, you'll see that it's defined as a discipline of applying scientific knowledge to the compilation of evidence and the presentation of that evidence in court. Computer forensics depends on whom you ask. There are situations where you have to compile all relative data on a hard drive or network, capture it, analyze it and present it in court. It's similar to a guy looking at blood spatters at a crime scene.

What are some of the types of crimes you investigate?
I do a lot of work with clients on internal and external matters. Some examples are the theft of trade secrets, intellectual property, patents -- things companies don't want to get out that somehow do. In several cases, we've found people who leave a company, take particular information with them and start their own business. There are other internal issues like objectionable e-mail, where people are harassed over e-mail, or illegally reading others' e-mail. We also do both sides of incident response. As an incident is ongoing, we gather evidence. We also do litigation support where we find evidence on hard drives for ongoing litigation. We also investigate for libel suits where people are accused of going into chat rooms and slandering the company. We cover the whole gamut of internal and external cases.

Is there a common theme to some of the security breaches you've seen in recent months?
Yes. Traditionally, insider problems have been far more dangerous than outsider attacks. Recent surveys show that trend moving toward the external. I tend to question that. Insiders have the upper hand because they are on the inside. They know what they are up against and they know how to avoid getting caught. The severity of an insider attack is astronomically greater than that of an external threat.

Because of the relative infancy of the Internet, do forensics specialists feel like pioneers in the field? Are the rules being written/rewritten "daily"?
The field changes dramatically -- almost daily. And that's why we like it. We're on the cutting edge of something that's going to be a big deal in 10-15 years. We're in on the ground floor. In 1985, forensics was really in its infancy, and I've seen it grow and change a lot in those 15 years. It's been pretty interesting and that's why we do this. Every time we turn around, there's a new technological challenge and a new change in the law.

Sounds like exhaustive work.
It can be very exhaustive and very tedious work. I've been in this field since 1985, and now we have tools we did not have then when we had to look at a hard drive bit-by-bit. It can be very tedious and time-consuming. I don't think the average person understands how much data can be put on a hard drive: anywhere from 1,000 to 10,000 files. We have tools today that have the ability to search a hard drive via keywords. It takes not only technology knowledge, but also investigative knowledge. That's why the guys who work on my team are all former investigators like I am. We all have technical and investigation backgrounds. We know what questions to ask.

One final question: Can you give us a look inside your toolkit? What kind of software tools do you use?
Before we look at a hard drive, there is a strict protocol we follow. We first make a forensically sound image of the disk, which is essentially a bit-by-bit copy of a hard drive. Then we take that hard drive and put it in secure storage and do our analysis on the copy. The imaging tool is called SafeBack. We also use a tool called EnCase, an image/analysis tool.

Do you see lax security practices as the primary culprit?
There are so many patches for so many operating system problems, but there are those who have not had patches applied or updated. Basic security is not taken into account. For example, in companies with, say, 75 employees, 20-25 have system administration access. So many have access they don't need because it's convenient. When something happens, or people leave a company, it's difficult to tell where the problem is. Some don't have the security resources they need. For many security administrators, security is an additional job. As the economy lowers, security is traditionally where the cuts come. And it's a mistake. In the e-commerce world, people have to trust a site if they are going to send credit card and personal information to it. They have to know it's not going to be abused. A healthy percentage of computer users don't use e-commerce. They are afraid of the security and privacy issues surrounding it. I'd like to see companies make security a top-line figure rather than a cost. Security is not a bottom-line figure.