Properly investigating incidents takes training, so don't be fooled by the snake oil salesmen touting themselves as "experts" in this field. Many people attend courses without actually having taken part in significant investigations. Being a network detective boils down to one thing only: your level of expertise.
Essentially the era of computers ushered in a new type of criminal that pervades exclusive office echelons as easily as mid-western internet cafes. As technology progresses, so shall digital crime and the unwavering devotion of its miscreants to find newer and more complex routes to follow. The danger for the world's corporations is that e-predators reside within the walls of their own organizations. These internal criminals are busy perpetrating crimes that range from identity theft to the disbursement of illegal internet images. Moving away from illegal activity on the standard operating system, more savvy criminals have utilized UNIX and Linux as their tools of choice. Seemingly more difficult to investigate, these alternative operating systems are a less explored area in the science of computer forensics.
The Evolution of Computer Forensics
Recently I had the opportunity to discuss alternative OS forensics with "Dave", an agent with years of expertise who has asked that I do not identify his last name or office due to the secretive nature of his job.
In discussing the rise of computer forensics, I asked how technology has changed the face of corporate investigations for Dave and his colleagues.
"Like everything else, when people started to use computers on a daily basis, people soon figured out methods for doing illegal things. Fraud, threats, insider trading, and pornography, just to name a few things. All of this was present before the dawn of computers, but the internet just makes it easier and faster to perpetrate crime."
I was interested in some case examples of things that would have been impossible without today's available computer investigative tools. Dave answers, "Some of the tools that stand out are Firewire, faster machines and Gig E. In 1999, the common practice to image a single drive machine was to turn off the computer, boot from a controlled floppy disk and send the image to a 2GB Jaz drive. In practice, an 8 GB HDD would have taken about 8-10 hours. Using Firewire, I can image the same drive in 15-20 minutes. The major choke point of imaging single drive machines is the speed of the hard drive being imaged.
"The problem still remains that you need to examine what you imaged. This is where high-end machines come into play. I can run numerous grep statements and finish within a few hours. Five years ago that would have taken all night."
The Alternative OS
Security threats are prevalent in every computer network, but what about those networks employing a less standard OS such as Linux or UNIX? How much crime is occurring and how can the IT administrator investigate successfully?
Dave answers, "People are people. If they want to steal or do something illegal, then they will find a way. The security threats are present in any OS/network. The problem becomes worse the more people know about the network. Generally, everyone knows Windows and how to make things happen with it. If a particular criminal isn't fluent in *nix then they'll most likely move on to a different target."
What are the major differences in investigating UNIX OS as opposed to MS OS?