What is ‘DFIR’? And how do ‘Digital Forensics’ roles vary?

I had a discussion today with a particular charming infosec pop star about what differentiates ‘DFIR‘ from other infosec job roles and how it relates to them. This is a question I get asked a lot by ladies and gents interested in making a jump into information security careers, so let’s have a brief discussion on what these forensicator jobs tend to do in your average working environment.

Now, you may be generally familiar with digital forensics – the exciting science of taking all manner of digital ^stuff^, and finding out what it’s done, when it was done, and who did it. Seen weekly on your average episode of CSI or NCIS… it is nothing like CSI or NCIS.

It’s usually not too much like what’s taught in ye olde average Forensics degree program. Not judging.

So first, what is this ‘digital stuff’ that we can do forensics on? Well, the obvious use case is a hard drive. Take it out of a computer. and find out everything that’s happened on that computer. When was the computer turned on, and who logged in? What programs did they start, and what did they do in those programs? Did they do any internet browsing? In the 1990’s and early 2000’s, proving those things in court were a large portion of the field. Modern digital forensics goes way beyond that. We’re not just concerned with PC hard drives. We’re concerned with anything that runs on 1’s and 0’s, from cars, to hospital equipment, to USB drives, to cameras. That’s the ‘internet of things’, friends. It can all contain digital evidence. A car GPS can tell us where it’s navigated to for weeks. A camera can tell us where every photo was taken. A hospital lab machine can tell us which USB drive connected contained malware, and from where.

“But Lesley, who wants that evidence? Abby from NCIS, and her beautiful beautiful pigtails, no?” Yes, and no. As appreciative as I am of Ms. Sciuto’s fashion sense, law enforcement is only one small measure of modern forensics professions. We can generally break down forensics on all these devices into two fields – e-discovery, and Digital Forensics and Incident Response (DFIR). E-Discovery is the legal side of forensics – in a broad sense the person being investigated is the case, and digital forensics tools and procedures are being used to support a case involving them. DFIR is more the infosec side of forensics- the digital system is the case, meaning instead of our main objective being investigating a external case, the digital device is being investigated. Examples of this are all types of security incidents, from data breaches to malware. Some forensics professionals do both types of cases, and others just do one or the other.

E-Discovery professionals tend to interface the most with legal and law enforcement agencies. Many e-discovery professionals have a legal background, but that is certainly not all inclusive. These are the guys and girls who are reading the emails you deleted. DFIR professionals tend to work as part of the blue team, working as parts of SOCs or CSIRTs or with malware analysts. They often have security operations center backgrounds – again, not all inclusive by any means.

Both of these jobs involve similar tools. Both types of investigators need tools to sift through deleted files on hard drives, browser caches, memory, and Windows registries (for similar and different reasons). The commercial products used by both overlap, although memory forensics is still often a DFIR specific field, and preserving a court admissible chain of custody oft remains the realm of e-discovery.. We see a lot of Guidance, FTK, and Oxygen tools heavy in the market. Obviously, both require quite specialized tools as well. Malware hides differently than human beings do.

“So, Lesley, what is the biggest myth about digital forensics?” Well, first of all, it is not Abby’s pigtails, because I rock fishnet. I would have to say that the biggest exaggeration is steganography. Its become a running gag that every time I find a person who wants to study or is studying forensics, their first case study will be some sort of steganography. If you don’t know what that is, you should read an article or two, as it is quite intellectually interesting. Unfortunately, it is a rare case that actually involves the hiding of data in this manner. The truth is, networks tend to be so insecure that such drastic methods are not usually necessary outside of certain uncouth communities. I spend a great deal more time recovering wholly undeleted data from memory and slack space on hard drives. I do wish that forensics degree programs spent a lot more time on memory forensics with products such as Volatility and Mandiant Redline, as it is frequently critical.

The second biggest myth is that ‘porn mode’ has any impact at all on me being able to see what you’ve browsed in the last several weeks. It rarely does. Not judging, again.

So there we have it. Foreniscs, and it’s variations in a nutshell. If you would like to know more, please feel free to tweet or message me. I am as always, happy to respond.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s