Happy National Cyber Security Awareness Month! In light of this October being the tenth anniversary of NCSAM, thanks to the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center, Threat Geek is taking the time to share perspective on the industry in a multi-part blog series. Three experts weigh in on the changing role of forensic teams, ethical hackers and security strategists in the past decade, examining how the industry has evolved.
A Decade of Cyber Forensic Examiners: Looking Back
Here’s a question for cyber forensic examiners: How have your examinations changed in the past ten years? The answers range from ROFL hilarious to OMG sad. For me, the change is exciting, with plenty of funny moments when I think about how we performed examinations in the past decade.
The past ten years have been a whirlwind of change in an industry that is still finding itself. Even the National Academy of Sciences released a report in which it concludes that “although the occupations comprising the field of cybersecurity do require specialized knowledge and some form of intensive advanced training, they have not yet sufficiently crystallized into specific professions.” In other words, cybersecurity, and cyber forensics by inclusion, is still young and immature, even in an industry that reaches into the hundreds of billions of dollars. Cyber forensics is an interesting animal within the cybersecurity zoology in that it takes its foundation from the traditional forensics that most people see on television. Most non-technical adults can wrap their heads around concepts like finding a hair at a crime scene or tracing a bullet’s path to determine where a shooter stood. But if you mention injecting malware through a web server into a database, most listeners’ eyes glaze over.
Cyber forensics is still evolving and maturing, as anyone who has worked in this field over the past ten years can clearly see. However, it is still very young. Cyber forensics is itself barely 30 years old: it dates to the mid 1980s, when the FBI started analyzing digital devices for use in its cases. Thirty years is small when you compare it to other forensic fields, such as fingerprints. 150 years ago, while the U.S. was embroiled in a bloody civil war, the British and French were setting precedent for the use of fingerprints. So if fingerprints are your average professor in the U.S., then cyber forensics is just starting second grade, getting the hang of adding, subtracting, and learning how to read the hands on a clock.
Ask any forensic examiner who has been working on computers and networks how they performed their job ten years ago and you are sure to get a giggle or, more often, a full belly laugh. The reason for the jocularity is that the way forensics was performed ten years ago is very different from the way we do it today. Since then the software, hardware, and methodologies have all changed, for reasons that include changes in technology, hacker methods, and response methods by examiners. Forensic examiners use hundreds of separate software and hardware tools in their examinations, and in countless configurations. I can’t tell you all of the changes that have happened, but I know enough to fill a book with all the changes in operations and terms in the industry.
A Change in Operations
Ten years ago, cyber forensic processing of child pornography cases was manageable, and over the past decade challenges have emerged. Now, forensic laboratories do not have the capability to capture all child pornography from a case the way they did ten years ago. A decade ago, digital media (hard drives, floppy disks, CDs, DVDs, etc.) would come into a laboratory and be forensically copied; examiners would review (according to the search warrant) all pictures and video from the device, produce a report, and then send this report to the case agent and/or prosecutor. Since then, networks have gotten faster (7.4 Mbps versus 700 Kbps), the number of people on the Internet has grown (569 million then versus 2,270 million now), and storage levels have tripled (the biggest hard drive was 1 TB and now it’s 4 TB). Back then, examiners would look at every single image and video. Today, some laboratories use tools that determine whether a naked person or specific body parts are displayed in a picture or video. These files are then exported automatically into a report and sent to law enforcement and prosecutors for further analysis on their end. Still, some analysis of child pornography is performed traditionally, especially when the source of the image is suspected to be computer-generated; but examiners today leverage more sophisticated point-and-click tools.
A Change in Vocabulary
Here’s a term we don’t hear much now that we heard every single day ten years ago: RIAA. As often as we heard the term RIAA then, we hear the term APT today. Ten years ago, examiners were stuck in the middle of public debates on whether files were purchased, stolen, or traded on the Internet. Cases ranged from university students to large groups of hackers hosting millions of movies and music files for people to download. Today, most examiners focus on more important cases, such as attacks from nation-states or hacktivist groups bent on doing physical damage to infrastructure or stealing millions of dollars. So it seems that hackers grew up in the past ten years, but so have forensic examiners.
Ten years ago forensic examiners rarely had the opportunity to look at network traffic to determine crimes committed from one system to another. Today it is a standard function of all examiners to be aware of network traffic and logs when working their cases. Communicating over the wire is so ingrained into every aspect of computer usage today that examiners are obligated to have these skills in their toolbox. Ten years ago most forensic laboratories did not have intrusion sections, or perhaps they had one or two individuals who understood network forensics or things such as firewall log analysis, PCAP analysis, etc. Today, every forensic laboratory I am aware of has an intrusions section. Some laboratories have even broken their intrusions section into subsections, each focusing on a type of network intrusion. Cyber forensics upped its game by adding intrusion capabilities in the past ten years to match the types of cases occurring over the past decade.
Another term you rarely heard in forensics laboratories was reverse engineering. There were always engineers who reversed malware ten years ago. These individuals were typically the examiners who were really bright, already knew how to do systems forensics, and wanted to learn new things. It wasn’t unheard of to have the same person at the laboratory perform intrusion forensics, network forensics, and reverse engineering.
Then and Now
Today it is pretty standard for any organization that performs forensics (in both the public and private sectors) to have dedicated reverse engineers on its staff. Malware has become more prevalent in the past ten years, and there are enough bad files to analyze during cases to justify individuals whose sole focus is reverse engineering.
I can remember ten years ago being asked by friends or acquaintances, “How do I get into your field or do what you do?” My answer often started with: get a degree in computer science or software engineering. You then take this degree and get into an IT security role that has exposure to forensics, or intern at a laboratory. Ten years later, my answer is very different. There are 19 schools that offer Computer Forensics as a degree. I tell my friends or acquaintances to go get a computer forensics degree. The conversations are much shorter, but that leaves more time for beverage consumption.
For me, the past ten years have been fun and crazy at the same time. I ask you, how have your forensic procedures changed in the past ten years?