As a senior security specialist and forensic examiner with Vancouver’s Totally Connected Security, Ryan Purtia has worked closely for a number of years with corporate and law enforcement clients in the field of computer forensics. He talked with ComputerWorld Canada Senior Writer Jeff Jedras about the field of computer forensics and how it can help the enterprise.
How did you get into the field of computer forensics?
I did a lot of computer security work in the past and a lot of my work involved breaking into computer systems, telling companies how I did it and how to fix it. One of the biggest things I had to do was hide things so the administrators wouldn’t know the particular piece of software allowing me access was still there until I was able to compile my report and show it all to them. It was a natural progression to go from hiding stuff and doing ethical hacking to finding it.
How would you define the concept of computer forensics, and how does it differ from other fields of computer security?
Computer forensics is very different from IT security in the sense that computer forensics is usually a reactive step. Either someone has broken into [a firm’s] systems or it could be the receptionist accessing files they shouldn’t. Computer forensics plays its role when they think something has occurred, whether it is insider theft or a hacker. It’s brought in to determine how the event happened, how far they got, and what they had access to.
Is this a responsibility that you could assign to your Information Techno-logy manager?
If you were a CIO, you would never want your internal staff have a go at the computer. Usually, if an employee leaves and they suspect he’s taken something, they go to their IT administrator and say, ‘Pull up all his e-mails, look for these files on his computer, check to see if he accessed this.’ But unless they’re trained as a forensic investigator, they’re actually destroying evidence as they go along. When you click on a file in Windows, for example, it will change the date and time stamp of that file, which may be crucial to a forensic investigator when they’re trying to construct a timeline. If you have an incident, don’t do anything until you mirror the hard drive. Once you’ve done that you can go at that original machine all you want, it doesn’t matter.
Is there awareness among companies that these options and skills are out there and available to them?
No, not a lot. When we go out and explain to people we can pull up deleted e-mails and files that have been deleted, or that most of the time when a hard drive has been reformatted, we can usually get 100 per cent of the data back, all we get is dropped jaws. People still don’t know these things are possible. It’s surprising that after forensics has been around now for 10 years at least, there’s still that lack of knowledge, whereas everyone knows what a firewall is.
Should companies have people with some of these forensics skills on their IT staff?
I recommend companies at least send off their administrators for a five-day course on the very basics of forensics. From what we’ve seen, even the most basic security training on computer forensics would have put 80 per cent of our clients on a much better foot then when we first met them. (We) always (have to) clean up before we can start pulling out evidence…we’re always playing catch-up.
Could you give us an example of a case where you’ve worked on computer forensics in an enterprise environment?
We had one case where an e-mail went out to every employee with management salaries. This was a big deal to them because they were in the middle of union negotiations. We were only presented with one e-mail. We imaged nine PCs and two servers, and we were able to determine who sent it, from what machine, and on top of that we were actually able to find correspondence between this person and senior board members in collusion to overthrow the board. It evolved from just an e-mail getting out to potential insider espionage and a pending lawsuit. In another case, an accounting firm noticed that at the end of the month their Internet usage charges were triple what it was last month. What we found, after doing some very basic forensics on the system and watching some traffic back and forth, was that one individual, in the middle of the night, was spitting out the entire database of this company to his home PC in a script. They were only triggered to it because their line charges went through the roof.”
QuickLink 053511