Amateur (IT Department) Investigators

Senior Member

Re: Amateur (IT Department) Investigators

Post Posted: Mar 21, 17 21:33

I come from an IT background. For the purpose of this thread, I'm not concerned with where people started. I'm curious about others' experiences working on investigations that were started by IT staff with no training, education, experience or specialized knowledge related to computer forensics.

Here are a couple that I'm aware of, but not first-hand.

IT staff at a school searched for pornography on a female teacher's computer. They believed her when she said that she didn't know it was there and that a student must have downloaded it. Weeks later, the teacher was arrested for soliciting minors online. Oops. [Edit: I don't know what tipped them off in the first place.]

A colleague in IT security (with forensic training) works at a financial institution. The IT staff investigated something (that my colleague wasn't at liberty to describe to me) before it was turned over to him. They apparently changed quite a bit and he was not able to salvage the investigation.

Senior Member

Re: Amateur (IT Department) Investigators

Post Posted: Mar 21, 17 21:54

Most mistakes were correctable (example: creating a disk image with allocated space only using a proprietary format and sharing it with an external examiner) or mitigable (example: creating copies of suspicious files and/or log entries on a suspect system before imaging and without documenting this). Totally ineligible actions of an IT department (like reinstalling an operating system on a suspect computer right after a malware incident) are not counted. Legal issues (admissibility, etc.) are not counted either.

The really exciting "this is what I warned you about" moment was when the only piece of evidence in a malware case was found in the $LogFile, while another drive (from the same case) had the $LogFile wiped, because someone from an IT team used an Ubuntu / Ubuntu-based distribution to acquire the image.

Senior Member

Re: Amateur (IT Department) Investigators

Post Posted: Mar 21, 17 21:56

Thanks Thefuf.

Senior Member

Re: Amateur (IT Department) Investigators

Post Posted: Mar 21, 17 22:34

- jpickens
The other question to ask is which in-house counsel thought it was a good idea to let the IT department do that sort of triage? Another could be similar, which CIO thought that was a good idea?

I am sure that this was a bit tongue in cheek, but while it might be nice to know this, it is usually not our concern.

On the cases I have worked where IT have been in and had a play first I have found it useful to still keep them 'on-side'. The last thing you want to do is piss someone off or have them overly worried about their mistake, particularly if genuine.

You want them to help by describing to the best of their recollection (they're unlikely to have any notes) what it is they did and why. You do not want them trying to hide things from you...
Paul Sanderson
SQLite Forensics Book

Forensic Toolkit for SQLite

Senior Member

Re: Amateur (IT Department) Investigators

Post Posted: Mar 22, 17 01:27

All in all it seems to me (when talking of PCs) most of the (irreversible) issues come from a not-fully-compliant method to image the original disk or failure to image it.

So to solve a large part of the possible issues it would be enough to:
1) Let the IT guys know that they MUST always make a proper forensic image of the disk
2) Provide them with a suitable program/way

For #1 all that is needed is to repeat this message over and over; sooner or later it will become "common knowledge" (though I suspect that it already is - at least for a large part of the IT community).

For #2 the task is to find a suitable, simple tool and validate it, through support from the Forensics community, *like* Osfclone, which was discussed in the past but whose validation was not finalized:

(if I remember correctly last time Thefuf found a possible issue with it but it wasn't corrected and re-verified, still if I recall correctly)

Or fully validate one of the WinFe builds and related Windows tools ...

With tablets, smartphones, etc., i.e. every device where it is not possible (or doable for non-specialists) to image the storage, the issues seem to me much bigger, as it seems to me that even the forensic specialized tools and methods (due also to the ever-changing devices) are far from being fully validated.

- In theory there is no difference between theory and practice, but in practice there is. - 
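The two points above (always take a proper forensic image, and give IT a simple way to do it) are illustrated by the following added example; it is not code from the original thread, from Osfclone or from WinFE. It is a minimal POSIX sh routine that images a source with dd, hashes the source before and after acquisition and the image afterwards, and writes everything to an acquisition log, so that an unchanged source and a verified image are documented rather than assumed. The function names (forensic_image, sha256_of, make_sample_device), the log format and the 8 KiB sample "device" are all assumptions made for the example; on a real acquisition the source would be a write-blocked block device rather than a file.

```shell
#!/bin/sh
# Added example (not from the thread): image, hash, verify, log.
# Assumed names: sha256_of, forensic_image, make_sample_device.
set -e

# Print the SHA-256 of a file. sha256sum is GNU coreutils; shasum is
# the macOS/BSD fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# forensic_image SOURCE IMAGE LOG
# Returns 0 when source-before, source-after and image hashes all agree,
# 1 on a precondition failure, 2 on a hash mismatch. dd's own messages
# (read errors, block counts) are appended to LOG rather than discarded.
forensic_image() {
    src="$1"; img="$2"; log="$3"
    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 1; }
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 1
    fi
    pre=$(sha256_of "$src")
    # bs=512 with conv=noerror,sync keeps going past unreadable sectors
    # and pads them with zeros instead of silently shortening the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    post=$(sha256_of "$src")
    imgh=$(sha256_of "$img")
    {
        printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s\nimage=%s\n' "$src" "$img"
        printf 'sha256_source_before=%s\n' "$pre"
        printf 'sha256_source_after=%s\n' "$post"
        printf 'sha256_image=%s\n' "$imgh"
    } >>"$log"
    if [ "$pre" = "$post" ] && [ "$pre" = "$imgh" ]; then
        echo "verified: $imgh"
        return 0
    fi
    echo "HASH MISMATCH - see $log" >&2
    return 2
}

# make_sample_device PATH: constructed 8 KiB stand-in for a block device
# (a whole number of 512-byte sectors, so conv=sync adds no padding).
make_sample_device() {
    dd if=/dev/zero of="$1" bs=512 count=16 2>/dev/null
    printf 'constructed sample volume for the imaging example' |
        dd of="$1" conv=notrunc 2>/dev/null
}

# Stand-alone demonstration in a scratch directory.
if [ "${FORENSIC_IMAGE_DEMO:-0}" = "1" ]; then
    work=$(mktemp -d)
    make_sample_device "$work/dev.img"
    forensic_image "$work/dev.img" "$work/evidence.dd" "$work/acq.log"
    cat "$work/acq.log"
fi
```

Run it with FORENSIC_IMAGE_DEMO=1 to see the log. The point for a non-specialist is the order of operations: hash before, image, hash again, compare, and refuse to overwrite an existing image; a mismatch between the two source hashes is itself evidence that something wrote to the source during acquisition.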

Senior Member

Re: Amateur (IT Department) Investigators

Post Posted: Mar 25, 17 01:18

I spent the earlier part of my career doing IT techy dogsbody stuff, working my way up. I remember a situation where we needed a director's laptop looking at as we were aware that there was pornography on there in some quantity and HR wanted all the facts, particularly if any IIOC was present, before turning it over to LE if necessary. I knew enough and had enough clout by then to stop anybody taking it upon themselves to 'have a quick look', but it took some doing. I then fabricated an issue with the laptop so I could take it into my custody (no CoC done though) and then locked it in our backup tape safe until a properly qualified consultant came on site - he wasn't allowed to take the laptop offsite as it was a defence company.

I persuaded the IT director that putting the consultant into a meeting room for the week that everybody walked past was a bad idea and instead found him an empty out of the way office with a lockable door that he could work from. He was nice enough to show me a few things that he was doing as I had a bit of interest in CF by that point, and I can credit that experience with putting the idea in my head that it was a really interesting field that I might want to specialise in one day, though it took another 6 or 7 years before I started my first job as a Forensic Analyst. And sure enough the director was pretty smutty and was travelling to the Far East to do very bad things but nothing that required LE involvement, to HR's immense relief, and the director was strongly advised to keep that stuff on his home computer. I then got a member of staff to flash a clean image onto his laptop.

I was working for a different IT company a few years later when I decided to take the plunge and go back to uni to learn about Digital Forensics. I will always remember sitting down with the owner of the company and explaining how grateful I was for everything but I had taken the decision to follow a long-held dream and train in Digital Forensics. He evidently took personal offence at this as his manner immediately changed and he coldly informed me that he didn't think I was technically experienced enough to be any good at it, would probably fail my degree, and that there was no demand for those skills anyway as he would just get his cleverest engineers to 'do the forensics' if it was ever needed. I smiled and said thanks again and walked away.

In the years since I have encountered similar attitudes when I have been trying to work with IT 'leaders' who don't understand why specialists are needed, and had to patiently explain that their engineers could find themselves in the box trying to explain the unexplainable with no notes, or even worse, could find themselves inadvertently committing criminal/regulatory offences and so on. Most 3rd line engineers don't need that additional stress in their lives...