Dark Reading is part of the Informa Tech Division of Informa PLC
Threat Intelligence

10:30 AM
Paul Shomo

Why Security Investigators Should Care About Forensic Research

Despite the promise of expanded visibility into the user trail behind a data breach, the security industry has largely ignored the meticulous advances of forensic researchers. Privacy is just one reason for the snub.

This summer, thousands of forensic specialists will descend on the desert of Las Vegas to hear original research at conferences such as EnFuse, HTCIA and to a lesser degree, Black Hat. They’ll learn of breakthroughs made in discovering new varieties of evidence left when users and software interact with the OS.

This almost-naturally occurring residue exists without monitoring software present, and is far more comprehensive than log file data. Yet, despite its promise of new visibility into security breaches and the privacy implications of a forensic trail on our PCs and phones, it will receive little publicity.

Unlike new malware and vulnerability research, there’s no financial incentive for forensic researchers to shout findings from the mountain tops. Vendors typically pay bounties for vulnerabilities; for new forensic “artifacts,” they generally do not. Years ago, Apple was “Slashdotted” for tracking user GPS coordinates, and Facebook for not stripping GPS data from images. Yet outside these two cases of vendors “patching” away GPS artifacts, most have seemingly resigned themselves to the fact that forensic tools will learn an uncomfortable amount about us.

Little Publicity for Shocking Forensic Discoveries

Outside of the GPS tracking stories, little media attention has been paid to forensics. Possibly the research has been ignored because it’s not as sexy as stories of hacked planes or lawsuits over vulnerability disclosure. In the media’s defense, the forensic privacy onslaught has occurred in tiny increments, and with a technical subtlety few would appreciate.

Take the case, several years ago, of someone who decoded the .bmc files left behind when users remotely logged in to a Windows system. Encoded in these files were partial screen images, sent tile-by-tile during a Windows session. In forensic circles, many were shocked: they’re leaving behind images of all our remote Windows sessions, really? Outside forensic circles, no one noticed. By itself this is not a headline, yet it adds another piece to the puzzle, allowing investigators to take a machine and travel back in time to see almost all prior activity.

It’s not just about what users leave behind; there is also a wealth of evidence left when malware runs. But the user trail is increasingly helpful during security breaches: since the InfoSec group can’t patch employees, social engineering attacks are today’s most common entry point -- and they leave plentiful evidence.

The forensic mother lode accrues during the command-and-control phase of a breach, which occurs over many months. Bad actors own boxes, steal credentials, and hijack user accounts early in yearlong breaches. In many cases, those user accounts are used to remotely log into new machines and search for sensitive data. These breadcrumbs are remarkably similar to those of whistleblowers or disgruntled insiders. As a matter of fact, it often takes a forensic investigation to distinguish between internal and external threats.

Forensic Professionals Are Paid for Discretion

I think another reason forensics falls under the radar is its culture of discretion, which stems from the circumstances of a forensic examiner’s job. Within corporations, they may work with InfoSec, compliance, HR, or even legal departments. They might read your work email, or -- having investigated intellectual property cases -- might be one of the few knowing all 11 of KFC’s herbs and spices. Hell, they’ve even seen your CEO’s browsing history. Think about how personal that might be, especially in the BYOD era, where business and personal mix within our phones and tablets.

I’ve heard a forensic examiner call one’s browsing history a “window into the soul.” Browsing history is apparently interesting for even the most bland user. “Everyone has a dark side, or different personality on the Internet,” the examiner said. But, again, while forensic visibility into our browsing habits might be a concern for our individual privacy, it also allows forensic security professionals to investigate links clicked in phishing emails, or activity related to malicious “watering hole” sites.

Forensics’ culture of discretion runs even deeper outside corporate circles. There’s a good chance an examiner may have spent time in law enforcement, or done forensics for the military or intelligence agencies. At a conference like HTCIA or EnFuse, be careful discussing work over a few beers. Internal filters are often broken, as yours would be if you’d seen the disturbing crimes they’ve seen. For instance, I learned what it sounds like when an estranged wife dissolves her unconscious husband in a giant barrel of acid. Don’t worry, I won’t tell the serial killer stories here.

From Law Enforcement to Cyber War

Simon Key, who develops training curriculum for a leading forensic security company and presents original research every few years, is an example of one such colorful fellow. Simon was a sergeant in the UK’s Northamptonshire Police. His forensic work related to cases of stolen property, drug trafficking, and a murder or two, but the majority of his work involved child abuse images. Simon Key was part of “Operation Avalanche,” one of the larger child pornography investigations, which saw 100 arrests and 144 suspects.

While forensics provides the visibility into computers that convicts bad guys, the truth can also set men free. Mr. Key was able to examine old cached Web pages to determine which users were actual pedophiles versus those who had visited in the context of a payment gateway for a legitimate adult site.

As a forensic researcher, Mr. Key is best known for a nifty trick to locate long-deleted file fragments by hashing fixed-size pieces of files called blocks, allowing identification of partial files. He has also reverse-engineered numerous Mac OS X artifacts, including QuickLook images, which can contain the rendered content of files. Sorry, Mr. Mac user, regarding that private file you took painstaking steps to encrypt: it’s possible the OS captured some of its content in QuickLook artifacts that will reside on your disk for years. A privacy annoyance for sure, yet when Macs are hacked and sensitive data is encrypted before exfiltration, this artifact can help assess the damage.
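To make the block-hashing trick concrete, here is an added example (not Mr. Key’s tool, nor any vendor’s code) that hashes a known file in 512-byte blocks, then walks a constructed disk image sector by sector to find which blocks of the deleted file still survive; the block size and the “skip single-byte-fill blocks” rule are assumptions that mirror common practice.

```python
import hashlib
import random

BLOCK_SIZE = 512  # assumed sector size; real tools also use 4 KiB blocks

def is_filler(chunk: bytes) -> bool:
    """Blocks made of one repeated byte (zero-fill, 0xFF) occur all over a disk
    and would produce false matches, so they are neither indexed nor matched."""
    return len(set(chunk)) == 1

def block_hashes(known: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Hash each full block of a known file -> {sha256_hex: block_index}.
    The partial trailing block is skipped: it cannot be compared sector-aligned."""
    table = {}
    for i in range(len(known) // block_size):
        chunk = known[i * block_size:(i + 1) * block_size]
        if not is_filler(chunk):
            table[hashlib.sha256(chunk).hexdigest()] = i
    return table

def scan_image(image: bytes, table: dict, block_size: int = BLOCK_SIZE) -> list:
    """Walk the image one sector at a time; return (image_offset, file_block_index)
    for every sector whose hash matches a block of the known file."""
    hits = []
    for off in range(0, len(image) - block_size + 1, block_size):
        chunk = image[off:off + block_size]
        if is_filler(chunk):
            continue
        h = hashlib.sha256(chunk).hexdigest()
        if h in table:
            hits.append((off, table[h]))
    return hits

def coverage(hits: list, table: dict) -> tuple:
    """How many distinct blocks of the known file survived: (found, total)."""
    return len({idx for _, idx in hits}), len(table)

def _rand(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))

def demo_known_file() -> bytes:
    """Constructed 'sensitive' file: 4 full blocks (block 2 is all zeros) plus a 100-byte tail."""
    rng = random.Random(1)
    return _rand(rng, 2 * BLOCK_SIZE) + bytes(BLOCK_SIZE) + _rand(rng, BLOCK_SIZE + 100)

def demo_image(known: bytes) -> bytes:
    """Constructed disk image: blocks 3 and 0 of the deleted file survive at unrelated
    offsets, block 1 was overwritten, amid random data and a zeroed region."""
    rng = random.Random(2)
    blk = lambda i: known[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
    return (_rand(rng, 3 * BLOCK_SIZE) + blk(3) + bytes(2 * BLOCK_SIZE)
            + _rand(rng, BLOCK_SIZE) + blk(0) + _rand(rng, 2 * BLOCK_SIZE))
```

Running `scan_image(demo_image(k), block_hashes(k))` on the constructed data reports two surviving blocks out of three indexed, which is exactly the partial-file identification the text describes.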

Forensic Research Matters

Traditionally, the security industry has focused on malware, email filters, and patching machines. Yet, we must look at the bigger picture. The promise of perimeter defense is gone. Breaches are now fought inside our walls, over many months, and across many endpoints. We should start looking at where breaches intersect user accounts -- initially, during delivery of social engineering attacks against employees, and then in the many-month campaigns of lateral movement, and exploration of sensitive data, which often involves remote sessions from compromised accounts.

In an age where so much of our lives is touched by the Web and mobile computing, and where our hidden personal lives leave forensic residue everywhere, society should pay more attention to this summer’s digital forensic discoveries.

Paul Shomo is a senior technical manager for third party technologies at OpenText. A veteran of cybersecurity, Paul Shomo has spent more than 15 years as a software engineer with experience working in security and forensics, networking, and storage. Paul has spent several ...
Gary Scott
Gary Scott,
User Rank: Strategist
5/24/2016 | 1:15:29 PM
Under the Radar - Forensic Examiners Shred Hard Drives
I can confirm forensic examiners' culture of discretion. Our onsite hard drive destruction division shreds thousands of drives for litigation and discovery clients. Every job seems to be completed quickly and quietly.