Amateur (IT Department) Investigators  

tracedf
(@tracedf)
Active Member

Like most everyone else here, I'm a believer in using the right tools, following good procedures and documenting what I do. I'm also aware that many organizations conduct internal investigations using their own IT staff who are untrained and who will download and run whatever their Google search recommends.

My questions: Have any of you been involved in cases where the local IT department got the first crack at investigating the machines in question? If so, what was the impact on the investigation? What was your role? Did the case make it to court? Did mistakes made by IT cause the case to be resolved in a way that was different from what might have happened if the investigation was handed to an expert from the start? Anything you can share would be insightful.

Thanks.

Posted : 21/03/2017 9:14 am
jpickens
(@jpickens)
Active Member

The other question to ask is which in-house counsel thought it was a good idea to let the IT department do that sort of triage? Another could be similar, which CIO thought that was a good idea?

Posted : 21/03/2017 4:57 pm
jaclaz
(@jaclaz)
Community Legend

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course ;), but I have the impression that the OP has already a strong opinion on the matter …

jaclaz

Posted : 21/03/2017 7:38 pm
tracedf
(@tracedf)
Active Member

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course ;), but I have the impression that the OP has already a strong opinion on the matter …

jaclaz

No; you don't have to assume that. Some organizations do have trained staff within IT or IT Security. I'm specifically interested, however, in cases where untrained IT staff got to investigate first. And Googling to locate a tool is fine, but blindly running things you've never tested without taking any measures to preserve evidence is no bueno.

Strong opinions? Yeah. But, I'm interested in hearing experiences that are good, bad, neutral, strange, whatever.

Posted : 21/03/2017 7:46 pm
jaclaz
(@jaclaz)
Community Legend

Strong opinions? Yeah. But, I'm interested in hearing experiences that are good, bad, neutral, strange, whatever.

Good :), I posted because it seemed to me like you were only interested in the bad ones.

jaclaz

Posted : 21/03/2017 7:51 pm
armresl
(@armresl)
Senior Member

Agreed…

I'll play devil's advocate here also to the OP. What if you are considered an "amateur" because you come from an IT background and not an investigative one?

Also, HTCIA?

Do we have to assume that all IT personnel, particularly those tasked with internal investigations, are untrained and will download and run whatever their Google search recommends (and do we also have to assume that all Google search recommendations are invalid)?

Playing the devil's advocate, of course ;), but I have the impression that the OP has already a strong opinion on the matter …

jaclaz

Posted : 21/03/2017 8:11 pm
sgreene2991
(@sgreene2991)
Member

Being trained in IT and being trained in investigations are two very separate ideas. On the LE side I have had officers muck up cases because they were good investigators, but next to zero IT experience. On the other hand, I have had IT personnel muck up cases because they knew what to do with the technology, but no idea what to look for and how to look for it.

My main point is this: is it necessarily a bad thing to have IT personnel take a stab at it first? Probably not, but you run the risk of evidence being lost. So when those cases come in where in-house IT has looked at it first, I have to sit down with that person (sometimes persons) and go through EXACTLY WHAT they did and HOW they did it. This does a few things: you know going into the investigation whether it’s a lost cause, you know if there are going to be any problems with spoliation, and you know if there are going to be problems with testimony.

Document, document, document has always been my motto. If something was done outside of my control, I want to know about it and how it can affect my investigation.

Posted : 21/03/2017 8:26 pm
tracedf
(@tracedf)
Active Member

I come from an IT background. For the purpose of this thread, I'm not concerned with where people started. I'm curious about others' experiences working on investigations that were started by IT staff with no training, education, experience or specialized knowledge related to computer forensics.

Here's a couple that I'm aware of, but not first-hand.

IT staff at a school searched for pornography on a female teacher's computer. They believed her when she said that she didn't know it was there and that a student must have downloaded it. Weeks later, the teacher was arrested for soliciting minors online. Oops. [Edit: I don't know what tipped them off in the first place.]

A colleague in IT security (with forensic training) works at a financial institution. The IT staff investigated something (that my colleague wasn't at liberty to describe to me) before it was turned over to him. They apparently changed quite a bit and he was not able to salvage the investigation.

Posted : 21/03/2017 8:33 pm
thefuf
(@thefuf)
Active Member

Most mistakes were correctable (example: creating a disk image with allocated space only, using a proprietary format, and sharing it with an external examiner) or mitigable (example: creating copies of suspicious files and/or log entries on a suspect system before imaging and without documenting this). Totally ineligible actions of an IT department (like reinstalling an operating system on a suspect computer right after a malware incident) are not counted. Legal issues (admissibility, etc.) are not counted either.

The really exciting "this is what I warned you about" moment was when the only piece of evidence in a malware case was found in the $LogFile, while another drive (from the same case) had the $LogFile wiped, because someone from an IT team used Ubuntu or an Ubuntu-based distribution to acquire the image.

Posted : 21/03/2017 8:54 pm
tracedf
(@tracedf)
Active Member

Thanks Thefuf.

Posted : 21/03/2017 8:56 pm
PaulSanderson
(@paulsanderson)
Senior Member

The other question to ask is which in-house counsel thought it was a good idea to let the IT department do that sort of triage? Another could be similar, which CIO thought that was a good idea?

I am sure that this was a bit tongue in cheek, but while it might be nice to know this, it is usually not our concern.

On the cases I have worked where IT have been in and had a play first I have found it useful to still keep them 'on-side'. The last thing you want to do is p**s someone off or have them overly worried about their mistake, particularly if genuine.

You want them to help by describing to the best of their recollection (they're unlikely to have any notes) what it is they did and why. You do not want them trying to hide things from you…

Posted : 21/03/2017 9:34 pm
jaclaz
(@jaclaz)
Community Legend

All in all it seems to me (when talking of PCs) most of the (irreversible) issues come from a not-fully-compliant method to image the original disk or failure to image it.

So to solve a large part of the possible issues it would be enough to
1) Let the IT guys know that they MUST always make a proper forensic image of the disk
2) provide them with a suitable program/way

For #1 all that is needed is to repeat this message over and over; sooner or later it will become "common knowledge" (though I suspect that it already is - at least for a large part of the IT community).

For #2 the task is to find a suitable, simple tool and validate it, through support from the Forensics community, *like* Osfclone, which was discussed in the past but whose validation was not finalized:
http://www.osforensics.com/tools/create-disk-images.html

(if I remember correctly, last time Thefuf found a possible issue with it but it wasn't corrected and re-verified, still if I recall correctly ;) )

Or fully validate one of the WinFe builds and related Windows tools …

With tablets, smartphones, etc., i.e. every device where it is not possible (or doable for non-specialists) to image the storage, the issues seem to me much bigger, as it seems to me that even the forensic specialized tools and methods (due also to the ever-changing devices) are far from being fully validated 😯 .

jaclaz

Posted : 22/03/2017 12:27 am
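The two posts above (jaclaz's "make a proper forensic image, and give IT a way to do it" and thefuf's wiped $LogFile from an auto-mounting Ubuntu live system) describe the same failure mode from two sides. The script below is an added example written for this thread; it is not code from any poster, from Osfclone or from any other tool mentioned. It shows the minimum an IT team can be handed so that the first touch of a disk is a documented, hash-verified raw image: refuse to image anything the OS has mounted, set the device read-only where the kernel allows it, record operator, time and SHA-256 hashes of source and image in a plain-text log, and fail loudly if the hashes differ. The function name `image_device`, the log layout and the test data are my own assumptions; it assumes a Linux host with GNU coreutils (`dd`, `sha256sum`) and `blockdev`, and a hardware write blocker remains the better answer where one is available.

```shell
#!/bin/bash
# Added example, not from the thread: a documented, hash-verified raw imaging
# routine intended as the "suitable program/way" an IT team can be given.
set -eu

# image_device SRC DST LOG
#   SRC: block device to acquire (a regular file also works, used for testing)
#   DST: raw image file to write
#   LOG: plain-text acquisition log (operator, time, hashes, dd summary)
# Returns 0 on a verified image, 1 if SRC is mounted, 2 on hash mismatch.
image_device() {
    local src="$1" dst="$2" log="$3"

    # Refuse to image a mounted volume: an auto-mounted NTFS filesystem is
    # exactly how $LogFile gets rewritten before anyone acquires the disk.
    if [ -r /proc/mounts ] && cut -d' ' -f1 /proc/mounts | grep -qxF -- "$src"; then
        echo "ERROR: $src is mounted; unmount it (or use a write blocker) first" >&2
        return 1
    fi

    # Where the source is a real block device, ask the kernel to treat it as
    # read-only for the rest of the session (software stand-in for a blocker).
    if [ -b "$src" ]; then
        blockdev --setro "$src"
    fi

    {
        echo "acquisition start: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "operator: ${USER:-unknown} host: $(hostname)"
        echo "source: $src"
        echo "image: $dst"
    } >> "$log"

    # Hash the source before imaging so the log records what was presented.
    local src_hash
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    echo "source sha256: $src_hash" >> "$log"

    # bs=512 keeps conv=sync padding aligned to a sector on read errors;
    # a larger bs would pad the final partial block and break verification.
    # dd's own summary (records in/out) is appended to the log.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>> "$log"

    local dst_hash
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    echo "image sha256: $dst_hash" >> "$log"
    echo "acquisition end: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"

    if [ "$src_hash" != "$dst_hash" ]; then
        echo "verification FAILED" >> "$log"
        return 2
    fi
    echo "verification OK" >> "$log"
}
```

Usage from a live CD that does not auto-mount: `image_device /dev/sdb /mnt/evidence/sdb.dd /mnt/evidence/sdb.log`. The log is the part that matters most to whoever takes the case over later: it is the written record of what was done, by whom and when, which is exactly what the IT person otherwise has to reconstruct from memory.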
redcat
(@redcat)
Active Member

I spent the earlier part of my career doing IT techy dogsbody stuff, working my way up. I remember a situation where we needed a director's laptop looking at as we were aware that there was pornography on there in some quantity and HR wanted all the facts, particularly if any IIOC was present, before turning it over to LE if necessary. I knew enough and had enough clout by then to stop anybody taking it upon themselves to 'have a quick look', but it took some doing. I then fabricated an issue with the laptop so I could take it into my custody (no CoC done though) and then locked it in our backup tape safe until a properly qualified consultant came on site - he wasn't allowed to take the laptop offsite as it was a defence company.

I persuaded the IT director that putting the consultant into a meeting room for the week that everybody walked past was a bad idea and instead found him an empty out of the way office with a lockable door that he could work from. He was nice enough to show me a few things that he was doing as I had a bit of interest in CF by that point, and I can credit that experience with putting the idea in my head that it was a really interesting field that I might want to specialise in one day, though it took another 6 or 7 years before I started my first job as a Forensic Analyst. And sure enough the director was pretty smutty and was travelling to the Far East to do very bad things but nothing that required LE involvement, to HR's immense relief, and the director was strongly advised to keep that stuff on his home computer. I then got a member of staff to flash a clean image onto his laptop :)

I was working for a different IT company a few years later when I decided to take the plunge and go back to uni to learn about Digital Forensics. I will always remember sitting down with the owner of the company and explaining how grateful I was for everything but I had taken the decision to follow a long held dream and train in Digital Forensics. He evidently took personal offence at this as his manner immediately changed and he coldly informed me that he didn't think I was technically experienced enough to be any good at it, would probably fail my degree, and that there was no demand for those skills anyway as he would just get his cleverest engineers to 'do the forensics' if it was ever needed. I smiled and said thanks again and walked away.

In the years since I have encountered similar attitudes when I have been trying to work with IT 'leaders' who don't understand why specialists are needed, and had to patiently explain that their engineers could find themselves in the box trying to explain the unexplainable with no notes, or even worse, could find themselves inadvertently committing criminal/regulatory offences and so on. Most 3rd line engineers don't need that additional stress in their lives…

Posted : 25/03/2017 12:18 am