Why Security Investigators Should Care About Forensic Research

Despite the promise of expanded visibility into the user trail behind a data breach, the security industry has largely ignored the meticulous advances of forensic researchers. Privacy is just one reason for the snub.

This summer, thousands of forensic specialists will descend on the desert of Las Vegas to hear original research at conferences such as EnFuse, HTCIA and to a lesser degree, Black Hat. They’ll learn of breakthroughs made in discovering new varieties of evidence left when users and software interact with the OS.

This almost-naturally occurring residue exists without monitoring software present, and is far more comprehensive than log file data. Yet, despite its promise of new visibility into security breaches and the privacy implications of a forensic trail on our PCs and phones, it will receive little publicity.

Unlike new malware and vulnerability research, there’s no financial incentive for forensic researchers to shout findings from the mountain tops. Vendors typically pay bounties for vulnerabilities; for new forensic “artifacts,” they generally do not. Years ago, Apple was “Slashdotted” for tracking user GPS coordinates, and Facebook for not stripping GPS data from images. Yet outside these two cases of vendors “patching” away GPS artifacts, most have seemingly resigned themselves to the fact that forensic tools will learn an uncomfortable amount about us.

Little Publicity for Shocking Forensic Discoveries

Outside of the GPS tracking stories, little media attention has been paid to forensics. Possibly the research has been ignored because it’s not as sexy as stories of hacked planes or lawsuits over vulnerability disclosure. In the media’s defense, the forensic privacy onslaught has occurred in tiny increments, and with a technical subtlety few would appreciate.

Take several years ago, someone decoded .bmc files left when users remotely performed a login to a Windows system. Encoded in these files were partial screen images, sent tile-by-tile during a Windows session. In forensic circles, many were shocked: they’re leaving behind images of all our remote Windows sessions, really? Outside forensic circles, no one noticed. By itself this is not a headline, yet it adds another piece to the puzzle, allowing investigators to take a machine and travel back in time to see almost all prior activity.

It’s not just about what users leave behind; there is a wealth of evidence left when malware runs, but the user trail is increasingly helpful during security breaches. Consequently, since the InfoSec group can’t patch employees, social engineering attacks are today’s most common entry point -- and they leave plentiful evidence.

The forensic motherlode accrues during the command-and-control phase of a breach, which occurs over many months. Bad actors own boxes, steal credentials, and hijack user accounts early in yearlong breaches. In many cases, user accounts are used to remotely log into new machines and search for sensitive data. These breadcrumbs are remarkably similar to those of whistleblowers or disgruntled insiders. As a matter of fact, it often takes a forensic investigation to distinguish between internal and external threats.

Forensic Professionals Are Paid for Discretion

I think another reason forensics falls under the radar is its culture of discretion, which stems from the circumstances of a forensic examiner’s job. Within corporations, they may work with InfoSec, compliance, HR, or even legal departments. They might read your work email, or -- having investigated intellectual property cases -- might be one of the few knowing all 11 of KFC’s herbs and spices. Hell, they’ve even seen your CEO’s browsing history. Think about how personal that might be, especially in the BYOD era, where business and personal mix within our phones and tablets.

I’ve heard a forensic examiner call one’s browsing history a “window into the soul.” Browsing history is apparently interesting for even the most bland user. “Everyone has a dark side, or different personality on the Internet,” the examiner said. But, again, while forensic visibility into our browsing habits might be a concern for our individual privacy, it also allows forensic security professionals to investigate links clicked in phishing emails, or activity related to malicious “watering hole” sites.

Forensics’ culture of discretion runs even deeper outside corporate circles. There’s a good chance an examiner may have spent time in law enforcement, or done forensics for the military or intelligence agencies. At a conference like HTCIA or EnFuse, be careful discussing work over a few beers. Internal filters are often broken, as yours would be if you’d seen the disturbing crimes they’ve seen. For instance, I learned what it sounds like when an estranged wife dissolves her unconscious husband in a giant barrel of acid. Don’t worry, I won’t tell the serial killer stories here.

From Law Enforcement to Cyber War

Simon Key, who develops training curriculum for a leading forensic security company and presents original research every few years, is an example of one such colorful fellow. Simon was a sergeant in the UK’s Northamptonshire Police. His forensic work related to cases of stolen property, drug trafficking, and a murder or two, but the majority of his work involved child abuse images. Simon Key was part of “Operation Avalanche,” one of the larger child pornography investigations, which saw 100 arrests and 144 suspects.

While forensics provides visibility into computers which convict bad guys, the truth can also set men free. Mr. Key was able to examine old cached Web pages to determine which users were actual pedophiles versus those visiting in the context of a payment gateway for a legitimate adult site.

As a forensic researcher, Mr. Key is most well-known for a nifty trick to locate long deleted file fragments by hashing pieces of files called blocks, allowing identification of partial files. He has also reverse-engineered numerous Mac OS X artifacts, including QuickLook images, which can contain the rendered content of files. Sorry, Mr. Mac user, regarding that private file you took painstaking steps to encrypt: it’s possible the OS grabbed some of its content in QuickLook artifacts and will reside on your disk for years. A privacy annoyance for sure, yet when Macs are hacked and sensitive data is encrypted before exfiltration, this artifact can help assess the damage.

Forensic Research Matters

Traditionally, the security industry has focused on malware, email filters, and patching machines. Yet, we must look at the bigger picture. The promise of perimeter defense is gone. Breaches are now fought inside our walls, over many months, and across many endpoints. We should start looking at where breaches intersect user accounts -- initially, during delivery of social engineering attacks against employees, and then in the many-month campaigns of lateral movement, and exploration of sensitive data, which often involves remote sessions from compromised accounts.

In an age where so much of our lives is touched by the Web and mobile computing, and where our hidden personal lives leave forensic residue everywhere, society should pay more attention to this summer’s digital forensic discoveries.

Related Content:

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ... View Full Bio

Recommended Reading: