Gene, can you tell us a little bit about your background and how you came to work at CERIAS?
My academic PhD was work in reliable operating systems. I then did a post-doc in software testing, which I viewed as a follow-on to my work in reliability. During all that time I worked part-time as a system administrator and consultant. I was interested in computer & network security, but was told that it was not an area for an academic career unless I wanted to work in formal methods or cryptography.
I joined the faculty at Purdue in 1987. In 1988, the Morris Worm and some computer viruses became news. So did some of Cliff Stoll’s exploits. I found myself playing a role in all of those, as one of the few academics who was actually working hands-on with systems. So, I began to explore topics in applied computer security for my “day job” – including forensics. (I actually helped solve a computer crime (of sorts) back in 1983, so I’ve been involved in the area for longer than my time at Purdue.) In 1992, I established the COAST Laboratory at Purdue, to share research resources with a few other faculty interested in what I was doing. In 1998, I established CERIAS as a university-wide research center. I’ve been director ever since (or executive director).
One of CERIAS' research focus areas is "Incident Detection, Response, and Investigation" – can you give us some insight into current activities?
We have at least a half-dozen projects that fit under this title – basically, things we do to detect & investigate incidents.
– The ADEPTS project is based on a knowledge engine that gathers remote data about system performance and attacks, then makes predictive decisions for reconfiguration and containment.
– Work in the VIPER lab is being conducted on traceback of digital images and imaging to the devices that created them (think of tracing ransom notes back to typewriters).
– I’m involved in a project using process “coloring” to detect intrusions into systems, and help to narrow the focus onto those files and processes that were actually affected by the intrusion in some way.
– We have a group working on devising special forensic tools for small devices, such as PDAs and cell phones.
– We have a project involving profiling of computer criminals to help investigators decide where to look. This might also prove useful in screening against potential insider attacks.
– We are doing some “live” assistance to state police and the FBI on cases, during which we are identifying characteristics worthy of new projects.
There have been other projects before these, and more to come. The above is not even a complete list, but gives a sense of scope – OS to devices to tool building to psychology to “live” operations.
What do you think are the greatest challenges in store for the computer forensics community? How should these challenges be met?
The big challenges are volume (of data and cases), timeliness (getting actionable results quickly), and crossing jurisdictional boundaries. The latter is related to the attribution problem.
I’m not sure yet how we meet all these challenges. One thing I have been advocating (and working on) is methods we build into systems – OS and applications – that provide great fidelity forensics without requiring substantial postprocessing. “Baked in” if you need a phrase for it. There are things we can do that will thus quickly narrow focus and produce timely results. We are going to need similar mechanisms to examine live systems, too – computing in the “cloud” with SaaS means we aren’t going to be able to shut systems down and examine them at our leisure. Not all the issues will be solved with technology, obviously. Some will require political and human solutions. We need to understand what those are, and work towards those too.
What aspect of computer forensics as it is currently practiced would you most like to see changed or improved?
Almost everything we do is ad hoc and post hoc. We need a more formal framework (I started down this path with Brian Carrier, who did his PhD under my direction) to describe what we do and make it more of a science than a technology application area. We need a greater set of foundational tools and concepts so we aren’t relying on products whose inner workings we don’t understand and which may not be generalizable. And as part of that framework, we need to have structures and logs that support what we are trying to do better than inferring behavior from artifacts designed 20 years ago.
I guess I can summarize that as saying we need more focus on the underlying science and principles of cyber forensics, not simply more case studies and tool development.
Do you have a sense that computer criminals are becoming more sophisticated at covering their tracks?
Oh yes, this is clearly happening, and has been for some time. Most of the people we notice and catch are the ones who are either brazen (they are operating from a location with no fear of retribution), careless, or uninformed. The slow, stealthy ones who are after very high value targets are seldom caught. This includes some of the well-financed “for hire” types who target corporate information, and government-backed agents. Instead, we catch the bot-herders and phishers, and even then we don’t seem to catch many of them. One result is that those lower-end criminals read the mailing lists and news to see when and how they are spotted, and they learn from that.
In many ways, it is like antibiotic-resistant bacteria. If you hit the bacteria with a drug, but don’t actually wipe it out, what is left develops resistance so the same drug won’t work the next time. If we don’t actually start getting some action to go with successful forensics, we might almost be better off not doing some of the forensics! Luckily, the supersophisticated attackers are few in number compared to the more mundane criminals. Unfortunately, the super criminals can cause much more damage if we don’t find them.
What advice would you give to anyone considering a career in forensic computing?
It’s a field with tremendous promise. It is multi-disciplinary, so study in several fields other than IT will help – criminology, psychology, law, for instance. Also, creating a reputation by breaking into systems or finding and publicizing flaws is not the best path to a fulfilling career: many employers, and especially many in law enforcement, see such behavior as demonstrating that the individual is not trustworthy. Given the number of times “hackers” have reverted to old ways or done questionable things, this is probably a reasonable assessment.
What do you do to relax and unwind?
Listen to music. Watch bad movies. Some reading. Gardening. I’m usually too busy with family & work to relax, however!
Gene Spafford can be contacted as follows:
Email: spaf AT purdue.edu -OR- spaf AT acm.org
Phone: (+1) 765.494.7825
Further contact details: spaf.cerias.purdue.edu