Say hello to Jason Eaddy of Elysium Digital. Elysium conducts digital forensic and security investigations, typically working with organisations in technology-related legal matters.
Image by RaxPixel (Shutterstock)
Jason leads Elysium’s digital forensics division and his work includes analysis of data formats to assess potentially forged or stolen evidence. Elysium also conducts post-data breach security investigations, and helps companies evaluate their security, privacy and data retention policies. Here he addresses some common questions around forensics and security.
First of all, can you tell us a little bit about what “digital forensics” means in this context?
Digital forensics is the science of analysing evidence found in digital devices with the goal of determining what acts were performed by people that led to the creation of that evidence. Digital forensics is often referred to as computer forensics, but the field is broader than that, especially given the rise of smart phones, tablets, etc. The Wikipedia page on the topic is actually pretty good.
The most common type of case we handle is a departed employee matter. In those cases, we’re looking for what the employee took, how long they’ve been planning it, and who they’re taking with them.
We’ll look at what USB devices were connected to a computer, Cloud activity (Google Drive, Dropbox, etc.), chat logs, webmail logs, what programs were run, and what files were opened. If the employee opened files they had no reason to open before leaving, it’s often indicative of them trying to take materials to their new job.
The largest case we’ve handled covered years and 300+ devices across and had 100+ Terabytes of material to review.
The big advice I give people is never even type something on your computer that you don’t want someone else to see it. Memory is written out to disk as part of the normal operation and if something’s been present on your computer, it could be on your disk.
Over the course of your work, have you ever attempted to recover the contents of a hard-drive that had been “securely” wiped (that is, had the entire drive written with 1’s or 0’s once or more)? If so, were you successful?
Simple answers to this one: Yes, we’ve attempted recovery (in as much as we’ve looked at the plenty of wiped drives). And, no, we were not successful. Generally speaking, a single pass overwrite destroys things beyond recognition.
That said, wiping tools that target individual files on a computer often leave evidence of their usage. Moreover, usage of those tools can be problematic for people depending on the context of their usage — destroying evidence relevant to a litigation is more than frowned upon by courts.
How did you get into the field? What training did you receive?
I started at Elysium Digital in 2000 after hearing about some of the work being done by the company for the government on the USDOJ v. Microsoft antitrust trial. Our founders, Christian Hicks & Peter Creath, removed Internet Explorer from Windows back when Microsoft said it couldn’t be done. That sounded like a lot more fun than working at a Dot-com company.
We’ve got a team of forensic analysts, most of whom have received training through various courses (most recently, we’ve been partial to the SANS courses). Basically, it comes down to properly handling evidence (that is, don’t change it during your review) and understanding the artefacts that Windows, MacOS, Linux, Android, iOS, etc. leave as part of their normal operation.
Of course, many cases wind up hinging on the operation of software for which there is no training available. Then it’s a matter of thinking like a computer scientist to understand the how the program likely works and conducting empirical tests to verify that the program’s operation leaves the artefacts you’re observing.
Has the rise of SSDs given rise to any new tools or thwarted any older techniques? For example, due to limited write cycles, my understanding is that an SSD drive can never truly be trusted to be wiped clean, since any sectors that have run out of write cycles would essentially just go read-only permanently. Do things like that ever come up?
With SSDs, you need to use the built-in tools to securely wipe them because wear-leveling means that the data is written differently than on a standard hard drive. We have yet to see a matter where data is permanently frozen as you describe. Getting access to memory that’s non-accessible to the end user would require customized firmware or chip-off analysis (removing the chip from the actual board and reading the raw bytes using specialised hardware).
How do you deal with encrypted data? I would think most of what you’d be looking at would be encrypted.
Encryption is definitely an increasing complication. For simple passwords, we use standalone tolls to extract potential passwords from non-encrypted data. Strong encryption is basically a deal-breaker, even for us, absent cooperation from the parties being investigated.
Anyone interested in some exciting encryption code-breaking should check out our expert Alex Halderman’s paper on cold-boot attacks extracting encryption codes from RAM after a reboot.
Are you ever called in when a security breach happens at a big organization to analyse what happened? How do you go about doing that?
Security breach investigations are certainly something we do on regular basis these days. The first step is for a forensic firm to interview people at the company, along with their counsel, and quickly preserve as much evidence as possible for analysis to determine the source and extent of the breach. The next most important task is to stop an attack that may still be in progress while ensuring continuity of business for the breached company.