Data forensics: time is of the essence

Wednesday, July 3, 2019

AUSTIN, Texas—Huge volumes — think terabytes, petabytes, exabytes, zettabytes, yottabytes and up into the quintillion bytes — of complex digital data are constantly being generated and scattered across different physical and virtual locations such as online social networks, the cloud and personal network-attached storage units. Data never sleeps; it’s a real vampire that can negatively affect all physical and virtual environments. All of this combined makes it hard for forensic engineers to archive data in a timely manner and preserve the evidence needed for an investigation, and it delays feedback to clients. 

The security industry is responding to these challenges by creating tools to assist digital forensic professionals, making the niche more commoditized. However, as Cyber Criminologist Dr. Peter Stephenson told SSN, “The need is growing exponentially and for organizations with their own in-house forensics shops, costs are becoming prohibitive, especially personnel costs,” reasoning that an automated tool is the answer.  

Near the turn of the year, Infocyte, a company helping security teams proactively hunt, detect and respond to unknown cyber threats, announced they enhanced their threat detection and incident response platform, Infocyte HUNT, with “Activity Trace,” a feature to assist with root cause analysis, triage and threat remediation. Stephenson, who was doing computer security forensics manually, which often took weeks, implemented Activity Trace, reducing the time to minutes. 

“Before, it would take weeks just to analyze one single disk,” Stephenson said. “With one client in particular, manually, it took three months to solve their security problem,” explaining that Activity Trace allowed him to carry the bare-bones automated analysis a step further with some human intervention. 

When performing computer forensics manually, Stephenson uses the following three-step method: 

  1. Image the disk under test, which takes one to eight hours depending on its size. 
  2. Ingest the image into the computer forensics tool, which takes three to 12 hours, depending on image size.
  3. Analyze the image, which can take hours to days.
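The first step above, imaging the disk, is where the evidence is either preserved correctly or lost. The script below is an added example (not code from the article, from Stephenson, or from Infocyte) of what that step looks like in practice: it reads the source device block by block, writes a bit-for-bit image, hashes both sides so the image can later be shown to match the original, records how long each stage took, and writes a small manifest for the case file. The source device is a constructed temporary file standing in for a block device such as `/dev/sdb` (an assumption); the file names, the `verify_image` and `tamper_check` helpers, and the sample disk contents are all constructed for the example.

```python
"""Forensic disk acquisition with integrity verification and stage timing.

Added example; not the article's or any vendor's code. The "disk" is a
constructed temporary file standing in for a real block device.
"""
import hashlib
import json
import os
import tempfile
import time
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB per read, like dd bs=1M


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy source_path to image_path bit for bit; return an acquisition record."""
    src_hash = hashlib.sha256()
    started = time.monotonic()
    bytes_copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            src_hash.update(chunk)   # hash the source as it is read, once
            dst.write(chunk)
            bytes_copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())       # make sure the image really hit storage
    return {
        "source": source_path,
        "image": image_path,
        "bytes": bytes_copied,
        "sha256_source": src_hash.hexdigest(),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "acquire_seconds": round(time.monotonic() - started, 3),
    }


def sha256_file(path, block_size=BLOCK_SIZE):
    """Stream a file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(record):
    """Re-hash the written image and confirm it matches the source hash."""
    started = time.monotonic()
    record["sha256_image"] = sha256_file(record["image"])
    record["verified"] = record["sha256_image"] == record["sha256_source"]
    record["verify_seconds"] = round(time.monotonic() - started, 3)
    return record["verified"]


def write_manifest(record, manifest_path):
    """Persist the acquisition record next to the image for the case file."""
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)


def _make_fake_disk(path):
    # Constructed sample content: a tiny fake boot sector plus 1 MiB of filler.
    with open(path, "wb") as f:
        f.write(b"MBR" + bytes(range(256)) * 4096)


def demo():
    """Acquire and verify a constructed 'disk'; return the finished record."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "fake_disk.bin")
        _make_fake_disk(disk)
        record = acquire_image(disk, os.path.join(tmp, "evidence.dd"))
        verify_image(record)
        write_manifest(record, os.path.join(tmp, "evidence.json"))
        return record


def tamper_check():
    """Flip one byte in the image after acquisition; verification must fail."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "fake_disk.bin")
        _make_fake_disk(disk)
        record = acquire_image(disk, os.path.join(tmp, "evidence.dd"))
        with open(record["image"], "r+b") as f:
            f.seek(512)
            f.write(b"\xff")
        return verify_image(record)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered image verifies:", tamper_check())
```

On a real acquisition the source would be opened read-only through a write blocker, and the manifest (hashes, byte count, timestamps, durations) is what lets the later analysis steps, and anyone reviewing the case, show that the image examined is the one that was taken.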

The time frames in Stephenson’s three-step manual method add up to at the very least approximately six hours, and in practice span days that quickly turn into weeks and months. Using Infocyte’s Activity Trace instead of the manual process, Stephenson said that he can analyze hundreds, and in some cases thousands, of devices in minutes. “For the client mentioned above, I could have completely solved their problem in less than an hour, instead of the three months it ended up taking manually,” he said. 

Monetizing digital forensics is unique in that it has less to do with dollars and more to do with improving efficiency by saving time while at the same time getting better results. Stephenson said that the tendency is to save time by cutting corners when costs get high, but that doesn’t help anyone. “Sloppy work is sloppy work,” he said, “whether caused by lack of skills or cost-cutting. However, in the case of a digital forensic incident response (DFIR), cutting corners to save money may actually cost money if the analyst misses something that results in significant losses to an organization.” 

While machine automation can in fact save money, improve the efficiency and accuracy of an analysis, and produce actionable findings, “machines will never, in my view, replace humans completely, but they can perform tedious tasks and leverage human skills, observation and intelligence,” Stephenson concluded.