Dr. Alexander Schinner, IT forensics expert and Senior Cyber Security Consultant at T-Systems, on the forensic capture, analysis and evaluation of digital clues and how companies can protect themselves from cyber attacks.
Author: Thomas van Zütphen
Photos: Dominik Pietsch, Foto Sexauer
Dr. Schinner, who do your clients tend to be?
They all have one thing in common: fear for their company, panic even. That’s a perfectly normal reaction, though. Especially since our callers – and first-time clients invariably contact us by phone – tend to fall into two groups: either they had a security architecture that they trusted completely, or they took no adequate precautions at all, usually for cost reasons, and hoped not to get caught. The longer they get away with the second strategy, the more baffled they seem when their calculated risk-taking blows up in their face. It’s important that large corporations, critical infrastructure operators and midsized hidden champions in particular appreciate the futility of expecting not to get attacked every single day of the week.
What do you advise them to do first?
To stay calm. For two reasons: not only can a wrong first move destroy all forensic evidence, but a rash response such as shutting down everything will only inflict more damage. Once again, the best thing clients can do is not change anything and secure the crime scene for us. That’s the only way to guarantee that no evidence is destroyed before we arrive.
Does this kind of digital forensics involve actual detective work?
We are quite a bit like Sherlock Holmes. For him, clues and evidence ranged from dead bodies to cigar ashes. Our evidence is just digital. However, both types of criminals find it very difficult to make no mistakes and leave absolutely no traces. And one clue is all we need.
What do you do in digital forensics?
It’s fairly standardized. First, we listen and ask questions. Then, we go through log files and other data. Occasionally, we’ll bring in employee representatives and data protection officers if there are data privacy issues. For example, we may have to consider or rule out the possibility that the perpetrator was an employee or used an employee’s hardware. Only then do we go to the crime scene.
What happens there?
It depends on what we’re looking for. Did the hackers target a server or an employee’s workstation? Was it an inside job or an outside one? We even go to the trouble of taking pictures of everything first. Later, we can use the pictures to answer basic questions – like what cables were plugged in where. After that, we make a complete forensic copy of the hard drive or even secure the entire laptop.
And it doesn’t matter if it was an inside or an outside job?
Of course it does. It depends on what the client wants to accomplish. It makes little sense to identify a hacker in China. Who wants to press charges against a government intelligence agent in a Beijing court? Even an e-mail would be a waste of time. Then, what clients want to know is: What did the hackers do? How did they get in? What have I lost? And how can I kick them out again? Things are very different if the presumptive Chinese hacker turns out to be Bill from Accounting, though. In that case, it’s worth identifying the perpetrator and taking him or her to court. One of the essential things about digital forensics is that our findings have to be admissible as evidence in a court of law and that our subsequent activities, when seamlessly documented, have to be able to stand up in court, too. That goes for everything from contract disputes and patent disagreements to criminal prosecutions and disciplinary proceedings. Otherwise, the court could reject evidence in a trial.
What does your job demand?
A genuine digital forensic analyst – and there are very few of us in Germany – needs to be focused, disciplined and meticulous. We don’t destroy evidence when we burrow past the operating system and penetrate deep into systems and processes. Did anything act strangely on the network or computers? Did data appear where it wasn’t supposed to? Or did any employees who were entrusted with handling data quit shortly before the incident occurred? By looking carefully at the pieces in this jigsaw puzzle, either at the crime scene or in our laboratory analysis, we can find out what actually happened.
So when you’re at the crime scene, you don’t just look at PCs, smartphones and servers?
That’s right. Hardware alone won’t protect you. You see, security is about maintaining a status quo. But it only works when companies combine their conceptual, operational approaches with a strategic view that encompasses all the links and interdependencies between hardware, software, services, organizational structures and planning. And this architecture is the actual crime scene that we investigate. In fact, much of the time, the employees whose computers turn out to be the launchpad for the attack are themselves victims.