IT Forensics Experts: Searching for Clues Between Bits and Bytes

After cyberattacks, IT forensics experts collect evidence, determine the damage, and send the attackers packing.  

October 30, 2020
Prof. Dr. Alexander Schinner

What is digital forensics?

In 2019, one in three companies experienced at least one serious security incident – right across all sectors. For a speedy resolution using digital evidence, IT forensics experts are indispensable. This article describes the steps we take when looking for clues, and how companies can prepare for cyberattacks.

In case of suspicion: alert an IT forensics expert.


Last year, digitalization at Berlin’s Superior Court of Justice came to an abrupt end: after an attack by the Emotet Trojan, the lawyers lost their connection to the network and had to revert to analog operations for several months. Security specialists from T-Systems wrote a forensic report at the time: cybercriminals wanted to tap into sensitive data. To achieve better IT security, we then recommended that the court reconfigure its IT infrastructure and servers.

When companies or authorities call us in for IT forensics and incident handling, it is always about determining the extent of the damage and limiting it, finding the perpetrators and their motives, and analyzing their approach. The IT experts then close the gateways and introduce countermeasures. Absolutely crucial: the IT forensics team must deliver facts that can be proved and used in a court of law, so that the courts do not later reject the digital evidence in subsequent proceedings, and so that companies do not run into problems when claiming the resulting damages from their insurer.

Safeguarding evidence, minimizing data loss

In the event of an incident, I recommend that companies keep calm. That is not at all easy when data is at risk or blackmail is involved. But one false step at the outset can eradicate all traces and escalate the damage. My request: close off the scene of the crime for us forensics experts and don’t change anything yourself.

We, too, are not allowed to change, let alone destroy, evidence – data carriers, saved images, or log data. This is why, when securing evidence, we always document and photograph all potentially relevant physical clues as well, because what the environment looked like or which cable was plugged into which port on the laptop may become important at a later stage. Forensics experts work closely with the affected companies. This means that we need the trust of our clients and access to log files, hard drives, laptops, mobile phones, network data and plans, or emails complete with headers. It goes without saying that a forensics expert also gathers statements from those affected in order to complete the picture. We then create a full forensic copy of the hard drive or secure the laptop itself.
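The forensic copy described above only holds up as evidence if it can be shown, later and by someone else, to be identical to the original carrier. As an added example (not code from the article or from T-Systems), the following acquires a carrier, hashes source and image independently, and writes a chain-of-custody record; the "carrier" here is a constructed sample file, and the record fields, file names and case identifier are assumptions.

```python
# Added example (not the article's or T-Systems' own code): forensic copy of a
# data carrier, source and image hashed independently, plus a chain-of-custody
# record. Assumption: the carrier is a plain file (constructed sample here);
# a write-blocked block device would be read exactly the same way.
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash and copy in 1 MiB blocks; whole disks do not fit in RAM

def sha256_of(path: Path) -> str:
    """Stream the whole carrier through SHA-256."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source: Path, image: Path, examiner: str, case_id: str) -> dict:
    """Copy source to image bit for bit; refuse to sign off if the hashes differ."""
    source_hash = sha256_of(source)
    with source.open("rb") as src, image.open("wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of(image)  # hashed from the copy, not reused from source
    if image_hash != source_hash:
        raise RuntimeError("image hash differs from source; acquisition failed")
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(source),
        "image": str(image),
        "size_bytes": image.stat().st_size,
        "sha256": image_hash,
    }
    # The record travels with the image so anyone can re-verify it later.
    image.with_suffix(".custody.json").write_text(json.dumps(record, indent=2))
    return record

def verify(image: Path, record: dict) -> bool:
    """Re-hash a stored image (before analysis, or in court) against its record."""
    return sha256_of(image) == record["sha256"]

if __name__ == "__main__":  # demo on a constructed sample carrier, not a real disk
    import tempfile
    work = Path(tempfile.mkdtemp())
    (work / "disk.bin").write_bytes(bytes(range(256)) * 64)
    print(acquire(work / "disk.bin", work / "disk.dd", "A. Examiner", "CASE-0001"))
```

Running `verify` again before every analysis step, and keeping the original carrier untouched, is what lets the copy rather than the original be examined without weakening its value as evidence.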

Consequently, our crime scene is always both analog and digital: in addition to analyzing individual systems – generally workstation computers or servers – the investigation can also stretch to the entire IT landscape made up of hardware, software, services, organization, and planning. Our research looks for traces in the network and on computers. When data crops up in places where it doesn’t belong, our ears prick up. Then we drill down deeper and follow the route the malware took: Where did the initial infection happen? How did the virus spread through the company network? Where did it come from – inside or outside? Who was attacked, and how big is the damage?

Many perpetrators remain undetected for a long time


Attacks by encryption Trojans, Emotet, Cryptolockers, or the blackmail Trojan Locky are less complex and actually comparatively easy to defend against. Nevertheless, the attackers keep finding interesting loopholes: for example, a 17-year-old recently hacked the Twitter accounts of well-known people – including Elon Musk, Bill Gates, Joe Biden, and Barack Obama. The objective was to acquire Bitcoins. Cybercriminals like to use current events as a decoy, such as, right now, the coronavirus pandemic.

When it comes to industrial espionage or governmental sabotage, the perpetrators are more specific in their choice of target – and proceed in a much more skillful manner. According to the BSI, companies only detect this kind of Advanced Persistent Threat (APT) after an average of 205 days. That is plenty of time to penetrate deep into the company’s structures and to worm the desired information out of its systems. Employees usually become the springboard into the company without realizing it. The attackers make contact with their victims via a spear phishing email, a method known as social engineering: the attackers first investigate the recipient, even their private life, so that they can send them a tailored email. The football fan receives a manipulated invitation to a game involving their favorite team, and the controller receives a malicious invoice. In this way the employee, or their computer, unwittingly becomes an internal accomplice of the external attacker.

The Telekom security experts often identify that cybercriminals have infiltrated company systems before external parties inform the companies about it. Digital forensics experts are called in, for example, when customers’ IT administrators notice that the IT systems are behaving differently from normal, when the bookkeeper stumbles across transfers for which there are no invoices, or when the managing director wonders why their company has recently been outbid on every tender, or why a competitor from the Far East is arriving on the market with an innovation that is remarkably similar to the company’s own design.

Emergency planning in preparation for a crisis

Of course, you can never achieve one hundred percent protection against a cyberattack. But with clearly agreed codes of conduct, you can at least limit the consequences.

  1. Set up an emergency plan with clear rules
    Does every colleague know who to turn to if they notice something suspicious? Provide emergency numbers that are easy to find when needed.
  2. Look for weaknesses yourself
    Seek advice from an experienced security service provider in advance: a penetration test reveals the weak points in your IT infrastructure. Reactions to typical threat scenarios can be practiced with a forensics expert, which answers the question: “Could I protect my company against this kind of attack?”
  3. Be strict with access rights
    Is the backup up to date and physically separated from the network? Have you ensured that employees only have the access rights they need for their specific work? Is your network segmented? For security reasons, you should divide it into different areas that are separated from one another.
  4. Practice the crisis scenario on a regular basis
    The best emergency plan will not save you if you do not regularly practice with your employees how to behave in the event of a cyberattack.

About the author

Prof. Dr. Alexander Schinner

Squad Lead Incident Response Service, Deutsche Telekom Security GmbH
