Ask the computer forensics (and general computer security) guy

I know there are a lot of IT people around here and at least some security specialists, so maybe there won’t be much of a demand for this thread. But I’ll give it a whirl.

I’m an IT guy with about 14 years of overall IT experience. The last 8 years or so, I’ve been focused on information security, and most recently on forensics and investigations. I’m currently the lead forensic investigator on the in-house incident response team of a Fortune 50 company with over 30,000 employees. I’m a member of a team that responds to suspected external breaches, suspected insider abuse, and legal discovery requests.

I’ve done security of one kind or another, including forensics, for big for-profit companies, large and small healthcare organizations, and a medium-sized university.

Among my industry certifications is the Certified Computer Examiner (CCE) from The International Society of Forensic Computer Examiners (terrible website, but a respected organization and credential in the forensic community.)

Almost all of my forensic and investigative experience has been as an in-house incident response guy for private organizations. So, I’ve never done any criminal defense, divorce cases, child porn cases, etc. Somehow I’ve also managed to avoid being called to testify in court (got close recently, but the other side settled the day before the trial was supposed to start).

So, is there anything you’ve always wanted to know about computer forensics? Security incident response? Computer security in general?

A few disclaimers:

1. I am not a lawyer.
2. Please don’t ask me how to destroy evidence of whatever bad thing you’ve done.
3. I don’t watch a lot of TV, but the few times I’ve seen TV characters try to do computer forensics, it has made me cry. If you ask me how realistic a particular show is, I probably have no idea. My guess is “not realistic at all.”
4. I have not been following the Lois Lerner thing, and I don’t know what the deal is with her emails.

Ask away!

  1. What did you do in IT before you entered computer forensics? E.g. were you mostly a developer, help desk tech, technical writer, QA, etc.?

  2. How easy is it for someone with experience in IT to break into (no pun intended) computer forensics? If I have ten years of experience as a developer and manage to achieve CCE certification, is that generally good enough to get hired as a real forensic investigator, or does it really depend on who you know and whether that opportunity of a lifetime happens to pass by at the right time?

  3. Do you generally deal with non sophisticated targets (e.g. employee uses corporate email account to mail confidential documents to his home email, gets caught), or do you commonly find yourself in an arms race to counteract countermeasures that get thrown against your investigation by people who want privacy?

No child porn? I thought most of forensics was about porn.

Do you mostly concentrate on after-the-fact investigations (e.g. employee is accused of stealing data, they are put on administrative leave and their computer is taken and sent to your office for analysis), or do you do live, time-is-of-the-essence real-time investigations? E.g. you suspect someone is downloading inappropriate stuff, and you have to race through server logs hoping to find an IP address before the culprit leaves the premises.

I started as a help desk grunt in 2000. I was underqualified for the job (my undergrad degree is in English Lit). But in 2000, it was fairly easy to fall backwards into an IT job. I never did go back and get a Computer Science degree, but I did some CS-type courses and a lot of self study. I spent most of my time before getting into security in Access development, DBA, and generic system admin roles. I weaseled my way into security projects at small employers and got some certifications (CISSP among others) and finally lucked into a real security job after trying for several years. I had some good fortune. I think someone coming out of college today without a CS background would have a very difficult time getting into a forensics role like the one I have.

Good experience like that plus the CCE would probably get you close. It would be better to have some time in other security roles. Like maybe a few years in development or sys admin work, then some time in general security work like managing firewalls or being a Security Analyst. Then with the CCE you’d be in a pretty good position to get a forensics job. The tough part is that it may still be hard to find an open job. Big companies like the one I work for may have in-house forensics folks, but if you can’t get on a place like that, you’re looking at consulting companies that will require a lot of travel. Even once I built up a decent security background and got the CCE, I had to wait a few years before finding an opening where I didn’t have to travel 75-100%.

I spend more of my time dealing with unsophisticated insiders. One of my jobs is watching our Data Loss Prevention (DLP) tool, where I catch a lot of people sending our data home (usually to work on it off-hours, but sometimes maliciously). We do find some people who go out of their way to avoid detection. Those people don’t work here long. Of course, some people are successfully avoiding detection, and I just have no idea.

Not so much in the corporate world. I’m mostly looking at data theft and external breach attempts. I’ve never yet run into anyone using his or her work PC to get child porn. I know it happens; I just have been lucky not to have found it myself. If I were working for a consulting company that provided services to criminal defense attorneys, I’m sure I’d run into a lot of those cases.

Both. We have some real-time alerting, so if someone is doing something really bad, we have to act fast to catch them. More often we do after-the-fact investigations. We have a lot of tools to help us get evidence. One of them is an enterprise forensic tool. From my desk, I can take a forensic image of any PC in our environment without touching it or alerting the user. But depending on the circumstances, I might also get PCs shipped to me for analysis.

What is your recommended password policy? It seems like such a simple thing, but it really isn’t.

Also, what is your mother’s maiden name?

No more midnight raid teams to visit desks, disassemble PCs, “Encase” the drive, then put it all perfectly back together so nobody suspects anything the next day?

I was going to ask if you came in with a law enforcement background, but you’ve answered that. Most of our forensics people that I’ve met seem to be former LEOs or military.

I did this a few times a long time ago (1990-ish) when I was a tech for a local computer store. Back then hard drives had a jumper that would prevent writes, but otherwise allow it to work normally. Do they still have that method to preserve data?

What’s the most malicious act you have caught?

If I delete my browser history (from, say a tablet thing or notebook) on a wireless network, can it be retrieved “downstream” from the router or something?

Not that this is real important, or anything…

Can a solid-state drive be erased, if, apparently, a drive-wiping utility meant for spinning discs won’t work on an SSD or ruin it?

Is it more difficult than it would be with a Windows disk to glean information from an OS X non-SSD disc after it’s been wiped once, twice or three times through the use of Apple’s Disk Utility? Or is doing so merely different?

Have you ever taken a class in ethical hacking?

Suppose I want to give my computer to a friend. I’m going to give her the PC and the CD-ROM with the OS. Before I pass it on I boot from CD and run some utility that performs a hard disk wipe function, writing binary zeroes or random patterns on the entire disk. The file system is intact, insofar as the disk is visible as a usable (empty) volume when you boot from the CD. The directory structure is empty.

In books and TV the forensics folks can magically find and recover my erased data. I think the books and TV are totally bogus and there is NO POSSIBLE way to recover truly erased (i.e., overwritten) files. Do you agree?

Do you deal mostly with in-house systems, or (as I would hazard to guess) much more cloud-y stuff these days? And if so, how do you manage investigating that? I might suspect that my company’s information was accessed through some insecure cloud panel dealy, but that provider might not want to have anything to do with my investigation.

Yeah, talking about password recommendations winds up in a religious debate. At home, I use LastPass to manage all my passwords. Then my passwords can be crazy long random strings and I don’t have to remember them. At work, we have a corporate-approved password management application, but I’m blanking on the name right now. For passwords I need to remember and type in (like my password to get into LastPass or my primary user account password at work), I pick a few gibberish words and separate them with special characters. So, I go someplace like Random Gibberish Generator, get a block of nonsense text, pick a couple of “words” at random, and make a password like “Tumom]Hunucu]Batenas”. Maybe use numbers instead of the special characters if the system requires numbers. Since the words sound like real words, they’re not that hard to remember after the first few times you type them. And I wind up with a password of 20 or so characters that isn’t going to fall to a password cracker that easily.

Faulkner fans? Anyone?

Nope! EnCase Enterprise annoys me in lots of ways. Doing a search for a simple string is way too complicated and counterintuitive. But being able to get an image of a workstation across the wire is freakin’ awesome. Or, if you don’t want to get an image, you can do a live analysis with a very small footprint, and still be able to capture in-use files.

I run into a fair number of former LEOs and military. The guy I consider my mentor in the field was a police officer before getting into IT. But in the corporate world you run into a fair number of people like me that don’t have that background.

Some hard drives do still have the jumpers (at least old IDE drives do; I don’t think SATAs do), but I think the only time I ever set a jumper was in class. More often now, if I’m not doing a live image acquisition with EnCase, I use a hardware imager with built-in write blocking like a Tableau device. You plug the subject drive in one side, plug the target drive in the other, and off you go. Tableau also makes acquisition devices for USB drives, which also don’t have jumpers (to my knowledge), so you need some other method to make sure you don’t write to the subject media.

Hmmm. Tough question, mostly because I catch a lot of petty theft of corporate data and not a lot of really sexy stuff. But here are a couple of more malicious folks I caught or helped catch.

I was working for a big regional healthcare organization. One of our registration clerks had a little side scam going. When a patient would come to the window to check in, the clerk would bring up the patient’s record, check the patient in, then jot down the patient’s info on a Post-it note. The clerk would then use that info to apply for online loans. (Pro Tip: don’t use SSNs as the unique identifier in your patient database). Anyway, we only found out about it because one of the victims suspected what was going on and reported it. Through investigation, including digging through the clerk’s browsing history, we identified something like 10 or 15 patients she had done this to. (Pro tip for thieves: if you’re using patient data for identity theft, don’t complete the theft from your work PC. Do that shit at home.)

At the university I worked at, one Monday morning I was minding my own business when a DBA came into my office and said, “Our logs recorded 500,000 failed logins to the Enterprise SQL Cluster this weekend.” Uh, I’ll clear my calendar. Turned out a guy, probably in Germany, was able to exploit a vulnerability in a poorly-managed, internet-facing server to gain a foothold in the network. Once in, he used a tool to find MS SQL Server instances across the LAN and brute-force guess the passwords for the SA account. Once he got into the SA account on any SQL instance, he used the xp_cmdshell stored procedure to get a command prompt on the server hosting the SQL instance. Many poor configuration choices had to be made for this guy’s attack to succeed. But this was a university, where poor configuration choices and poorly managed servers are the rule. Anyway, the guy gained control of over two dozen servers and used them to host movies he was sharing online (not porn, just feature movies he’d pirated). It took a long time to find all the servers he controlled and remediate them.

An aside to that one, on the first night of that investigation, I told my wife about the 500,000 failed logins. My wife is not an IT person. She’s a doctor. Anyway, she said, “Well that’s really noisy. Must not have been a very sophisticated attacker.” That’s my girl!

Last example of real malice: at one workplace, a guy who was a pretty high level manager in a sales division uploaded a bunch of corporate sales data to a file sharing site the day before he left to go work for the competition. He tried to claim it was a mistake. He had only intended to take personal files, and the corporate files got uploaded by mistake. But I was able to show how he’d placed a folder on his desktop, named the folder the name of our competitor, and gathered sensitive files into it for weeks before quitting. Then, he uploaded the contents of the directory to the file sharing site from off our network (because our network blocked the site), and tried to cover his tracks by deleting the folder. It then became harder for him to continue claiming it was all a big whoopsie.
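The SQL Server brute-force story above is the kind of thing that is cheap to catch if someone is actually watching the logs. As an added example (not the poster’s code or tooling), here is a small detector that parses SQL Server ERRORLOG-style “Login failed” lines (error 18456) and flags any client/user pair that racks up a burst of failures in a short window. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG "Login failed"
# entries (error 18456). Timestamps and client IPs are made up for this example.
SAMPLE_LOG = """\
2014-06-14 02:13:55.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
2014-06-14 02:13:55.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
2014-06-14 02:13:55.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
2014-06-14 02:13:55.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
2014-06-14 02:13:55.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.23]
2014-06-14 09:02:11.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.7.101]
2014-06-14 09:02:13.00 spid51      Starting up database 'Students'.
"""

# Matches only the Logon-source "Login failed" lines and pulls out the
# timestamp, the login name that was tried, and the client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) +Logon +"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {(client, user): (first_ts, last_ts, count)} for every pair that
    reaches `threshold` failures inside a sliding `window`. A single real
    user mistyping a password a couple of times never reaches the threshold;
    a password-guessing tool hammering 'sa' does within seconds."""
    recent = defaultdict(deque)   # per (client, user): timestamps still in window
    alerts = {}
    for ts, user, client in parse_failed_logins(text):
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (q[0], ts, len(q))
    return alerts
```

The same pattern works against the Windows Security log or an IDS feed; the point is that a guessing tool is noisy, so counting failures per source is enough to raise the alarm long before 500,000 of them pile up.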

Can my employer tell how often I visit the SDMB during work hours? Can they tell how many minutes or hours I’ve been there?

If I read a thread titled “Hot Sex With Toddlers” will they know that?

ETA: All hypothetical, especially the last line, please.

It depends, but probably so. When you fire up your browser and go to or whatever, that request gets processed by the internet service provider. Depending on how long they keep logs (like DNS logs), some record of your activity may be available if law enforcement takes an interest in what you’re up to. (There are ways to hide your tracks, but in general, the answer to your question is “Yes, at least for a while.”)

If you’re in a corporate setting, your traffic probably goes through a proxy server that will retain logs of your activity for however long the company wants. My company keeps proxy logs for at least three years.

The drive-wiping tools I’m familiar with don’t care if it’s an SSD or plate-spinning drive. They just send an instruction to the drive to put a 0 in each bit, and the drive does it. I’ve wiped USB SSDs with the same tools I use for wiping other kinds of disks, and I haven’t had an issue.

I’ve never done an examination of an OS X disk. Here in corporate world, we force everyone to use Windows. Mwuahahaha! Anyway, if you have a decent wiping tool, and you fill a drive up with zeroes, no matter what the original OS was, nothing is going to be recovered from it. (The whole “Wipe seven times!” thing is kind of a myth, but that’s a story for another time.) I’m not familiar specifically with Apple’s Disk Utility. I would wipe a drive by booting to something like DBAN, which if it can detect the drive will destroy the data completely. My understanding is that DBAN will see and wipe most Mac drives. If you DBAN a drive, no forensic examiner is going to recover data from it.
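The check a practitioner wants after a zero-fill wipe is to read the whole device back and confirm every byte really is zero before handing it over. As an added example (not the poster’s tooling), this scans a device or image file in chunks and reports the offset of the first leftover byte; the sample images it builds are constructed in a temp file, and on real hardware you would point it at the block device (e.g. a path like /dev/sdX, which is an assumption about your system). It only sees what the drive exposes as logical sectors, so it cannot speak for an SSD’s spare area.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices need little RAM


def verify_zero_wipe(path):
    """Scan a device or image file. Return (True, None) if every byte is 0x00,
    otherwise (False, offset_of_first_nonzero_byte)."""
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True, None
            if chunk.count(0) != len(chunk):   # cheap whole-chunk test first
                for i, b in enumerate(chunk):  # then locate the leftover byte
                    if b:
                        return False, offset + i
            offset += len(chunk)


def make_sample_image(residue_at=None, size=4 * CHUNK + 17):
    """Constructed test image: all zeros, optionally with a few bytes of
    'old data' at residue_at to simulate an incomplete wipe."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * size)
        if residue_at is not None:
            fh.seek(residue_at)
            fh.write(b"old data")
    return path


if __name__ == "__main__":
    ok, where = verify_zero_wipe(make_sample_image(residue_at=3 * CHUNK + 5))
    print("clean" if ok else "residue at byte offset %d" % where)
```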

I took the Certified Ethical Hacker course from EC-Council. It was not very good, but I got to add some letters to my resume. I’d probably recommend the SANS ethical hacking courses to anyone who wanted to get into ethical hacking and pen testing.