Pratum Blog

As I thought more about my previous posting I realized I had more to say regarding digital investigations. One thing I've learned over the years is that investigations often lead you down a road you never thought you'd travel. You start out one Friday afternoon investigating a seemingly simple virus infection and 6 months later end up a material witness in a criminal fraud case. I can't count the number of times I've walked into work one morning thinking about the day I have ahead of me wondering "How did we get here?"

The valuable lesson to learn here is this: assume that every investigation you go into could end up turning into a criminal case. I know that sounds horrible. You're thinking, "Dave, you sure live in a dark world" or "How about a little faith in humanity, huh?" My response is…I wish I could see into the future to tell which cases would become criminal so I could avoid them. They really are a pain.

So why the difference? Why worry if a case will become criminal? What's that mean to the organization or investigator? All very good questions…thanks for asking!

First and foremost, the workload associated with a criminal case is significantly higher. The cases take longer to develop, involve multiple parties (you, law enforcement, lawyers, expert witnesses, etc.), typically have lots of negotiations, and the best part…cost you a TON of money.

The real reason to treat every case as criminal is that the standards for burden of proof, evidence handling, etc. are much higher in criminal cases. Your procedure for collecting, storing and analyzing data during an internal investigation may be fine for an administrative procedure or maybe even a civil suit. If, however, during the investigation you decide to press criminal charges, your procedures may have ruined the evidentiary value of any information you collected. If the proper steps were not taken to safeguard the integrity and non-repudiation of the information, it's useless, and the damage is irreversible. Evidence only has to have had the opportunity to be modified (in general terms) to lose its value and become inadmissible in court. Nobody will care whether it actually was altered; the question will be whether it could have been.

So the answer is to use the higher standard for all cases you're working on. I know what you're thinking…"Thanks for all the extra work Dave…REALLY appreciate it". All I can say is welcome to the world of digital investigations. Trust me though…the few times your cases do move into the criminal realm, you'll be glad you spent the extra time processing the case accordingly. You certainly don't want a data theft left unpunished because the rock-solid evidence you collected wasn't done according to best practices and won't ever see the inside of a courtroom.
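One way to make "could it have been altered?" answerable is to hash the evidence at acquisition and record every custody event in a hash-linked log. The following is an added example, not Pratum's own procedure or tooling; the evidence bytes, names and timestamps are constructed.

```python
"""Hash-chained custody log for a piece of digital evidence.
Added example, not Pratum's own procedure or tooling."""
import hashlib
import json

# Constructed sample evidence so the example runs offline.
SAMPLE_EVIDENCE = b"Subject: quarterly numbers\r\nMove the funds before the audit.\r\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)

def append_event(log: list, evidence: bytes, event: str, actor: str, when: str) -> list:
    """Add a custody event (acquisition, transfer, analysis). Each entry carries
    the evidence hash and the hash of the previous entry, so neither the bytes
    nor the history can be changed later without breaking the chain."""
    prev = _entry_hash(log[-1]) if log else "0" * 64
    log.append({"event": event, "actor": actor, "when": when,
                "sha256": sha256_hex(evidence), "prev": prev})
    return log

def verify_chain(log: list, evidence: bytes) -> tuple:
    """Check that every link is intact and that the evidence still hashes to
    the value recorded at acquisition. Returns (ok, reason)."""
    if not log:
        return False, "empty log"
    expected_prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["prev"] != expected_prev:
            return False, f"entry {i} does not link to its predecessor"
        if entry["sha256"] != log[0]["sha256"]:
            return False, f"entry {i} records a different evidence hash"
        expected_prev = _entry_hash(entry)
    if sha256_hex(evidence) != log[0]["sha256"]:
        return False, "evidence bytes no longer match the acquisition hash"
    return True, f"{len(log)} custody events verified"

if __name__ == "__main__":
    custody = []
    append_event(custody, SAMPLE_EVIDENCE, "acquired", "examiner", "2010-06-04T14:00:00Z")
    append_event(custody, SAMPLE_EVIDENCE, "transferred to law enforcement", "detective", "2010-06-05T09:00:00Z")
    print(verify_chain(custody, SAMPLE_EVIDENCE))
```

The log only proves integrity from the moment of the first hash, so the acquisition entry has to be written at collection time, not reconstructed later.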

So "Hey…Let's be careful out there".

The Electronic Crime Institute (ECI) is a federally funded program at Des Moines Area Community College that is designed to help fill the void we currently have in trained digital forensic investigators. The title of the course I taught was Operating Systems for Forensics. It was a great course which forced me to get back and focus on some of the core aspects of an OS and file systems. As I went through the semester though, I realized most organizations are woefully unprepared to deal with a situation which requires true digital forensics.

It seems that most people who choose this career path are either law enforcement officers or IT professionals who have naturally gravitated to the investigative side of the profession. The problem I saw, though, is that the mindset needed to investigate a system is quite different from that required to administer the same system. I had some very talented individuals in the class, but their questions often appeared to come from an operational mindset. They knew how the system worked, or how to perform a task, but might not have fully understood the architecture of the underlying technology. If you don't know what a Master Boot Record (MBR) is, where it's located on a drive or when it is or isn't used by an OS, you'll never be able to find data that's been hidden there. I realized I needed to take a different approach to help students make the transition.

Early on in the course, one of my lectures covered the conversion of decimal, binary and hexadecimal values. Now obviously we have tools which do this for us, but an investigator has to know what his or her tools are doing in the background. I told the class that if they didn't like reading hex and being able to at least identify patterns in file signatures, they might want to reconsider their career choice. One student dropped later that week. Those who stuck it out were really digging into the meat of the OS and file systems by the end. They were learning about the journaling functions in NTFS and EXT3, how to convert hex values into the date stamps for files and directories, and were finding data hidden in multimedia files which played or displayed fine in their native viewers. They had transformed from troubleshooters into investigators. No longer were they looking at an OS as simply an obscure tool used to run their applications; it was a powerful tool which could be manipulated to move and hide data.
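Three of the skills mentioned above (reading a raw NTFS timestamp from hex, matching file signatures, and noticing data tucked after the end of a media file) in working form. This is an added example, not course material from the original post; the signature table is a constructed short list and the sample inputs are made up.

```python
"""Decode NTFS FILETIME hex and sanity-check file signatures.
Added example; not material from the original post or Pratum."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# FILETIME: 100 ns ticks since 1601-01-01 UTC, stored little-endian in the MFT.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_from_hex(raw_hex: str) -> datetime:
    """raw_hex is the 8 bytes in on-disk order, e.g. "00 80 3E D5 DE B1 9D 01"."""
    raw = bytes.fromhex(raw_hex.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)          # little-endian unsigned 64-bit
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

# Constructed short signature table; real tools carry far more entries.
SIGNATURES = [
    (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"%PDF-", {"pdf"}),
    (b"MZ", {"exe", "dll", "sys"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "jar"}),
]

def identify(header: bytes) -> Optional[Set[str]]:
    """Return the extensions consistent with the leading bytes, or None if unknown."""
    for magic, exts in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None

def extension_mismatch(filename: str, header: bytes) -> bool:
    """True when the bytes say one format and the name says another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    exts = identify(header)
    return exts is not None and ext not in exts

def bytes_after_jpeg_eoi(data: bytes) -> int:
    """A JPEG viewer stops at the EOI marker (FF D9); anything after it still
    displays fine but is not part of the picture. Heuristic: uses the last
    FF D9 because embedded EXIF thumbnails carry their own EOI."""
    eoi = data.rfind(b"\xFF\xD9")
    return len(data) - (eoi + 2) if eoi != -1 else 0
```

An all-zero FILETIME decodes to 1601-01-01, which is how an unset timestamp looks in a raw MFT entry rather than a genuine date.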

It was really quite interesting to see this transformation. I personally think you have to have a natural flair for investigation, as there are some things that just can't be taught; the investigative instinct simply doesn't come from a classroom. It takes years of training and field experience to develop, and some develop it better than others. Even as I do investigations today I'm continually learning and developing my investigative skills. It's a long road but a great journey.

There was a story on the front page of this morning about the dangers of public wifi. It's actually a pretty good story for the masses. They did not, however, address some of the quickest things you can do when traveling with mobile devices (laptops, PDAs, smartphones, etc.) to improve security.

  1. Change your firewall settings from "Private", "Home Network", "Work" or other settings to "Public Network". This automatically enables a stricter set of access restrictions which will help deter people from getting access to your network.

  2. Disable automatic Bluetooth pairing. This will keep someone from synchronizing with your system without your explicit approval.

  3. Turn off any network sharing or media sharing while you are mobile. These protocols are ripe for exploitation and your device is broadcasting to the world "I have lots of open doors…come hack me!"

  4. Keep your Anti-Virus definitions up to date. Even when on vacation, log in to a network and update your AV every couple of days. New threats are added daily and having definitions a week or more out of date is asking for trouble.

  5. Don't be cheap. If you have a mobile device and it's important enough to keep with you at all times, buy access to a mobile data plan or a nationwide hotspot network. These are typically more secure and actively monitored for nefarious behavior. Consider the monthly cost an "insurance" policy against logging into a free hotspot hosted by a hacker. (BTW…if you have Qwest DSL, the 14,000+ AT&T hotspots nationwide are now free for you to use.) Check with your ISP for similar offers.

I could go on and on but following these 5 tips will improve your security posture while traveling. Remember, most hackers are opportunists. They're not going to spend hours hacking into a system that's somewhat secure when 5 others next to you are wide open. You just want to be more secure than the dufus with sunscreen on his nose, sitting under the Hawaiian Punch umbrella next to you. Happy Vacationing!!!!
