Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

10:30 AM
Paul Shomo

Why Security Investigators Should Care About Forensic Research

Despite the promise of expanded visibility into the user trail behind a data breach, the security industry has largely ignored the meticulous advances of forensic researchers. Privacy is just one reason for the snub.

This summer, thousands of forensic specialists will descend on the Las Vegas desert to hear original research at conferences such as EnFuse and HTCIA and, to a lesser degree, Black Hat. They'll learn of breakthroughs in discovering new varieties of evidence left behind when users and software interact with the operating system.

This residue accrues almost naturally: the operating system and its applications create it as a side effect of ordinary use, with no monitoring agent installed, and it is far more comprehensive than log data. Yet, despite its promise of new visibility into security breaches, and despite the privacy implications of a forensic trail on our PCs and phones, it will receive little publicity.

Unlike new malware and vulnerability research, there’s no financial incentive for forensic researchers to shout findings from the mountain tops. Vendors typically pay bounties for vulnerabilities; for new forensic “artifacts,” they generally do not. Years ago, Apple was “Slashdotted” for tracking user GPS coordinates, and Facebook for not stripping GPS data from images. Yet outside these two cases of vendors “patching” away GPS artifacts, most have seemingly resigned themselves to the fact that forensic tools will learn an uncomfortable amount about us.

Little Publicity for Shocking Forensic Discoveries

Outside of the GPS tracking stories, little media attention has been paid to forensics. Possibly the research has been ignored because it’s not as sexy as stories of hacked planes or lawsuits over vulnerability disclosure. In the media’s defense, the forensic privacy onslaught has occurred in tiny increments, and with a technical subtlety few would appreciate.

Take the .bmc files someone decoded several years ago. These are the Windows Remote Desktop client's bitmap cache, written on the machine a user connects from: the remote screen is sent tile by tile during a session, and the tiles are cached to disk as partial screen images so they need not be retransmitted. In forensic circles, many were shocked: they're leaving behind images of all our remote Windows sessions, really? Outside forensic circles, no one noticed. By itself this is not a headline, yet it adds another piece to the puzzle, allowing investigators to take a machine and travel back in time to reconstruct almost all prior activity.

It's not just about what users leave behind; malware leaves a wealth of evidence when it runs. But the user trail is increasingly helpful during security breaches. Because the InfoSec group can't patch employees, social engineering is today's most common entry point, and it leaves plentiful evidence in exactly the places forensic researchers study: email clients, browsers, and the files and sessions users open.

The forensic motherlode accrues after initial compromise, in the command-and-control phase of a breach, which can stretch over many months. Bad actors own boxes, steal credentials, and hijack user accounts early in yearlong breaches. In many cases, those user accounts are then used to remotely log into new machines and search for sensitive data. These breadcrumbs are remarkably similar to those of whistleblowers or disgruntled insiders. As a matter of fact, it often takes a forensic investigation to distinguish between internal and external threats.

Forensic Professionals Are Paid for Discretion

I think another reason forensics falls under the radar is its culture of discretion, which stems from the circumstances of a forensic examiner’s job. Within corporations, they may work with InfoSec, compliance, HR, or even legal departments. They might read your work email, or -- having investigated intellectual property cases -- might be one of the few knowing all 11 of KFC’s herbs and spices. Hell, they’ve even seen your CEO’s browsing history. Think about how personal that might be, especially in the BYOD era, where business and personal mix within our phones and tablets.

I’ve heard a forensic examiner call one’s browsing history a “window into the soul.” Browsing history is apparently interesting for even the most bland user. “Everyone has a dark side, or different personality on the Internet,” the examiner said. But, again, while forensic visibility into our browsing habits might be a concern for our individual privacy, it also allows forensic security professionals to investigate links clicked in phishing emails, or activity related to malicious “watering hole” sites.

Forensics’ culture of discretion runs even deeper outside corporate circles. There’s a good chance an examiner may have spent time in law enforcement, or done forensics for the military or intelligence agencies. At a conference like HTCIA or EnFuse, be careful discussing work over a few beers. Internal filters are often broken, as yours would be if you’d seen the disturbing crimes they’ve seen. For instance, I learned what it sounds like when an estranged wife dissolves her unconscious husband in a giant barrel of acid. Don’t worry, I won’t tell the serial killer stories here.

From Law Enforcement to Cyber War

Simon Key, who develops training curriculum for a leading forensic security company and presents original research every few years, is an example of one such colorful fellow. Simon was a sergeant in the UK’s Northamptonshire Police. His forensic work related to cases of stolen property, drug trafficking, and a murder or two, but the majority of his work involved child abuse images. Simon Key was part of “Operation Avalanche,” one of the larger child pornography investigations, which saw 100 arrests and 144 suspects.

While forensics provides the visibility into computers that convicts bad guys, the truth can also set men free. Mr. Key was able to examine old cached Web pages to determine which users were actual pedophiles and which had visited the site only in the context of a payment gateway for a legitimate adult site.

As a forensic researcher, Mr. Key is best known for a nifty trick to locate long-deleted file fragments: split known files into fixed-size pieces called blocks, hash each block, and then scan a disk's sectors for matching hashes. A file that has been deleted, partially overwritten, or never fully recovered by file carving can still be identified from the blocks that survive. He has also reverse-engineered numerous Mac OS X artifacts, including QuickLook images, which can contain the rendered content of files. Sorry, Mr. Mac user, regarding that private file you took painstaking steps to encrypt: it's possible the OS grabbed some of its content in a QuickLook thumbnail, and that thumbnail may reside on your disk for years. A privacy annoyance for sure, yet when Macs are hacked and sensitive data is encrypted before exfiltration, this artifact can help assess what was taken.
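The block-hashing technique described above, as an added example written for this page; it is not Mr. Key's or EnCase's code. It assumes 512-byte, sector-aligned blocks (file systems allocate in sector multiples, so a file's blocks land on sector boundaries), uses SHA-256 as the block hash, and discards low-entropy blocks such as zero fill, which appear in countless files and would otherwise produce false positives. The "known file" and the "disk image" are constructed inline so the script runs offline.

```python
"""Block hashing: locate fragments of a known file inside a disk image.

Added example for this page, not code from the article or from any forensic tool.
Assumptions: 512-byte sector-aligned blocks, SHA-256 block hashes, and a simple
distinct-byte-count filter for low-entropy blocks. All data below is constructed.
"""
import hashlib
import random

BLOCK_SIZE = 512  # sector size; allocation units are multiples of this, so file blocks are sector-aligned


def is_low_entropy(block: bytes, min_distinct: int = 16) -> bool:
    """Blocks built from a handful of byte values (zero fill, 0xFF padding) occur in
    countless unrelated files; hashing them would flood a scan with false positives."""
    return len(set(block)) < min_distinct


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Map the SHA-256 of every full, aligned block of a known file to its file offset."""
    table = {}
    for off in range(0, len(data) - block_size + 1, block_size):
        block = data[off:off + block_size]
        if is_low_entropy(block):
            continue
        table.setdefault(hashlib.sha256(block).hexdigest(), off)  # keep first occurrence
    return table


def scan_image(image: bytes, table: dict, block_size: int = BLOCK_SIZE) -> list:
    """Walk the image one sector at a time and return (image_offset, file_offset) per hit.
    Stepping by whole sectors, rather than a byte-wise sliding window, is what keeps this
    cheap enough to run across a whole disk."""
    hits = []
    for off in range(0, len(image) - block_size + 1, block_size):
        digest = hashlib.sha256(image[off:off + block_size]).hexdigest()
        if digest in table:
            hits.append((off, table[digest]))
    return hits


def contiguous_runs(hits: list, block_size: int = BLOCK_SIZE) -> list:
    """Merge hits whose image offset and file offset both advance by exactly one block
    into (image_offset, file_offset, block_count) runs: the recoverable fragments."""
    runs = []
    for img_off, file_off in sorted(hits):
        if runs:
            r_img, r_file, n = runs[-1]
            if img_off == r_img + n * block_size and file_off == r_file + n * block_size:
                runs[-1] = (r_img, r_file, n + 1)
                continue
        runs.append((img_off, file_off, 1))
    return runs


def build_demo() -> tuple:
    """Constructed data: an 8-block 'known file' and a 64-sector 'disk image'.
    Block 1 of the file is zero fill, so the entropy filter must drop it or every
    unallocated sector in the image would match."""
    rng = random.Random(2016)
    known = bytearray(rng.getrandbits(8) for _ in range(8 * BLOCK_SIZE))
    known[BLOCK_SIZE:2 * BLOCK_SIZE] = bytes(BLOCK_SIZE)                      # block 1: zeros
    image = bytearray(64 * BLOCK_SIZE)                                         # wiped / unallocated space
    image[10 * BLOCK_SIZE:13 * BLOCK_SIZE] = known[2 * BLOCK_SIZE:5 * BLOCK_SIZE]  # blocks 2-4 survive at sector 10
    image[30 * BLOCK_SIZE:31 * BLOCK_SIZE] = known[7 * BLOCK_SIZE:8 * BLOCK_SIZE]  # block 7 survives at sector 30
    image[40 * BLOCK_SIZE:41 * BLOCK_SIZE] = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))  # unrelated data
    return bytes(known), bytes(image)


def demo() -> list:
    """Hash the known file, scan the image, and return the recovered fragment runs."""
    known, image = build_demo()
    return contiguous_runs(scan_image(image, block_hashes(known)))


if __name__ == "__main__":
    for img_off, file_off, n in demo():
        print(f"image sector {img_off // BLOCK_SIZE}: {n} block(s) matching known file at file offset {file_off}")
```

Two caveats a practitioner would add before using this on real evidence: a production tool holds a hash set of millions of blocks from many files of interest and needs a memory-efficient structure for it, and data that was stored unaligned (inside a container or a compressed stream) needs a sliding window rather than sector stepping. Neither changes the core idea that a surviving block, not a whole file, is enough to prove the file was once there.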

Forensic Research Matters

Traditionally, the security industry has focused on malware, email filters, and patching machines. Yet we must look at the bigger picture. The promise of perimeter defense is gone. Breaches are now fought inside our walls, over many months, and across many endpoints. We should start looking at where breaches intersect user accounts: first during delivery of social engineering attacks against employees, and then in the many-month campaigns of lateral movement and exploration of sensitive data, which often involve remote sessions from compromised accounts.

In an age where so much of our lives is touched by the Web and mobile computing, and where our hidden personal lives leave forensic residue everywhere, society should pay more attention to this summer’s digital forensic discoveries.

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that power many of today's ... View Full Bio

Gary Scott,
User Rank: Strategist
5/24/2016 | 1:15:29 PM
Under the Radar - Forensic Examiners Shred Hard Drives
I can confirm forensic examiner's culture of discretion.  Our onsite hard drive destruction division shreds 1,000's of drives for litigation and discovery clients.  Every job seems to be completed quickly and quietly. 