IT forensics: Detectives in the digital age

The search for digital clues

What do you do when hackers strike or employees steal important business information? Keep calm and start looking for clues, advises IT forensics expert Volker Wassermann.
The culprits might be in North Korea, Russia or the office next door. They do not leave pools of blood or ransacked cupboards. Nevertheless, digital forensic scientists like Volker Wassermann and Dr. Alexander Schinner, Security Consultant at Telekom, know how to find valuable clues about the crime between the bits and bytes. An interview with IT forensics expert Wassermann – the Sherlock Holmes of IT.
Volker Wassermann
Volker Wassermann is a certified, freelance IT expert and IT forensics analyst. The IT specialist is the managing proprietor and founder of birdge4IT.

Do hackers leave any traces?

Usually, some traces can be found. To find them, I analyze servers and users’ end devices such as smartphones or laptops. I evaluate log files and other records and also get in touch with providers and the IT service providers. Essentially, I examine all devices and networks the attacker was able to reach. This way I can reconstruct how they might have operated.

So you basically work like a detective?

The comparison with Sherlock Holmes is very apt. Every detail can help to track down the attacker. Is there anything in the network or on computers that is behaving differently to normal? Is there data where it doesn’t belong? Have any employees that have recently been dismissed tampered with data? With these individual pieces of the jigsaw, I can compose the whole picture at the crime scene.

Isn’t the crime scene just PCs, smartphones or servers?

Above all, when the attacker is an insider, you need to take a close look. They may have hidden something at the last minute. I have found secure digital (SD) cards inside lampshades and under the stand of a computer monitor.

Do you have to follow certain rules doing your work?

A key element of IT forensics is ensuring the digital evidence and all of the following activities will stand up in court. Otherwise, evidence would be rejected during a trial. I therefore document my methods comprehensively and completely. You cannot allow any mistakes. You can never let data media out of your sight. The evidence is therefore clearly labelled and secured in police storage facilities, just as with any other crime.

Doesn’t every intervention in an IT system change the status quo?

IT forensics experts require a recognized certification. For the analysis, I use forensically certified software and hardware. There are additional forensic devices that prevent anything being written on the hard drive that needs to be secured. Thus, I make a copy that cannot be changed, a complete copy of the data media, which I can then analyze. I also have the option of reconstructing deleted data, for instance on a smartphone.
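The forensic copy described above has to be shown in court to be identical to the original medium. As an added example, not from the interview or from either expert, this Python script hashes an acquired image in chunks, records the reference hashes in a custody record, and re-verifies the working copy before each analysis step; the image bytes, item id and examiner names are constructed.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for a bit-for-bit image acquired through a write blocker.
# A real image is a multi-gigabyte file, which is why hashing below is chunked.
IMAGE = b"\x00" * 512 + b"quarterly_figures.xlsx (constructed sample content)" + b"\xff" * 512
CHUNK = 1024 * 1024  # 1 MiB read size

def hash_image(stream) -> dict:
    """Hash an image stream in chunks. SHA-256 is the primary value; MD5 is kept
    alongside it because many tool reports still list it. Both go into the record."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for block in iter(lambda: stream.read(CHUNK), b""):
        sha256.update(block)
        md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def acquire(image: bytes, item_id: str, source: str, examiner: str) -> dict:
    """Create the initial custody record at acquisition time. The hashes taken
    here are the reference that every later step is compared against."""
    return {
        "item_id": item_id,
        "source": source,
        "acquired_by": examiner,
        "acquired_utc": _now(),
        "hashes": hash_image(io.BytesIO(image)),
        "log": [],
    }

def verify(record: dict, image: bytes, examiner: str, action: str) -> bool:
    """Re-hash the working copy before an analysis step and log the outcome.
    A mismatch means the copy can no longer be shown to equal the original."""
    match = hash_image(io.BytesIO(image)) == record["hashes"]
    record["log"].append({"utc": _now(), "examiner": examiner,
                          "action": action, "hash_match": match})
    return match

if __name__ == "__main__":
    rec = acquire(IMAGE, "ITEM-001", "SD card (constructed)", "examiner-1")
    print(verify(rec, IMAGE, "examiner-1", "keyword search"))           # True
    print(verify(rec, IMAGE[:-1] + b"\x00", "examiner-2", "timeline"))  # False
    print(json.dumps(rec, indent=2))
```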

What should companies do if they notice they have been the victim of an attack?

Stay calm, because an overhasty and incorrect first step can erase all clues. Then contact an IT forensics specialist. Why not the provider? They probably have knowledge about IT security, but not necessarily IT forensics or the procedures for dealing with such an event.

Is there anything the affected companies can do themselves?

Companies should be prepared and should develop a backup plan. They should know how to act in case of an attack. Which systems can be turned off and which should be kept running? Only then can you start disconnecting the right devices from the network. It is generally a big mistake, in contrast, to disconnect the device from its power source. Potential evidence could be deleted from the RAM as a result.

Won’t malware keep spreading across the server?

This is true for ransomware, which encrypts data on the hard drive. In order to prevent this, an exception should be made in this case and the power disconnected. This will prevent it spreading to other computers.

Can all attacks be prevented?

No, but you can prevent small or large volumes of data from continuously being withdrawn from the company, for example. Today, there are very good methods for encrypting data. The data is readable on an authorized device only.

You have probably encountered some unusual methods of attack?

One of my customers once received a phone call from someone claiming to be Microsoft Support. Everything was done very professionally, including the background noise of a call center. According to the support worker, a threat had been detected on my customer’s computer but the support worker offered to rectify the fault straight away via TeamViewer. This would cost around 270 euros. He would check via TeamViewer that the sum had been transferred using online banking and, after that, he would be able to solve the problem straight away. My customer said he did not use online banking. The support worker said that wouldn't be a problem: He could give the money to a courier who was about ten minutes away. It is hard to believe, but some people fall for this kind of thing. My customer did not, by the way.

Can hackers actually be arrested?

Dr. Alexander Schinner
Dr. Alexander Schinner and his colleagues from the T-Systems Security Consultant Team advise companies on how they can protect their IT systems against cyber attacks and how they should react in case of an attack.
Internal attacks or theft of important data is easy to reconstruct and prove. Attacks from abroad are, however, hard to investigate. All of the clues combined often tell you the country in which the attack was initiated. That does not solve the case but does provide some new information about how a company can protect itself better.

Can you tell us about one of your most spectacular cases?

A production company suddenly had unusually high network traffic. An infiltrated software had been continuously collecting data and sending it out of the company in the background. We then discovered that this software was made up of several smaller programs which had unzipped themselves. The culprit was one of the company’s foreign competitors which had attached an external device to the server. How? An external service provider that had access to the server had installed the device. My advice is: Always check your partners, even if you have had a good relationship with them for years. You need to know which of your service provider’s employees are where in your premises. They could be a visitor or an enemy.

How did the company react?

After the attack, the company decided to move to the cloud as it was no longer able to manage the security risks itself. At the time of the attack, it was using old software systems and had not installed patches. This alone can open the door to hackers.

Your order book must be full!

A lot of companies still do not want to talk about attacks. They sweep them under the carpet for as long as possible. But I have noticed that customers are increasingly coming to me before alerting the police. This is because normal police stations are hardly specialized in IT forensics. Once I have ascertained that something has happened, the customer reports the case.
