Your inbox notification dings. It’s an email from your department head. The wording is a little odd, but they’re asking you to review a document as soon as possible, so you open the attachment to check it out, and are immediately filled with a chilling regret. The attachment is clearly not from your department head. Have you been hacked?
When cybersecurity incidents such as the one in this scenario occur at Virginia Tech, the IT Security Office (ITSO) is ready to help. The ITSO, a unit of the Division of Information Technology, is home to several computer forensics specialists who are trained to investigate cybersecurity incidents at the university.
“Security is a back and forth between bad actors and defenders,” said Jeff Lang, director of cyber defense operations for the ITSO. “Attackers constantly change their tactics and techniques to bypass the protections we have in place. During our forensic investigations, our goal is not only to figure out how they performed the attack, but also how to identify and protect against it in the future.”
What is computer forensics?
Forensics is the scientific process used to collect and analyze evidence during a criminal investigation and provide evidence that can be used in prosecuting a case. Computer forensics involves extracting electronically stored data to determine if sensitive data has been accessed or stolen and, if so, by whom.
The methodology is similar to traditional forensics work, only the tools are different. Beth Lancaster, an IT security analyst for the ITSO, elaborated, “Computer forensics can be host-based or network-based. Host-based forensics looks at specific machines or files to find suspicious information, malware, or other digital artifacts.” She likens this to performing an autopsy to determine the exact cause of death (i.e., the “when and what” of the incident).
“Network forensics allows us to analyze traffic surrounding an incident,” said Lancaster. “We can collect evidence, such as websites that were visited, if and when remote access was granted, and whether any data was taken out of the network.” This part of the job is similar to taking pictures of a crime scene to establish a timeline and piece together the actions surrounding the incident.
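As an added illustration (not code from the article or from Virginia Tech's ITSO), the script below rebuilds the kind of timeline Lancaster describes from constructed connection records: which external sites a host visited, when remote access to it was granted from outside, and whether a large volume of data left the network. The campus address range, the remote-access ports, and the outbound-volume threshold are all assumptions chosen for the example.

```python
# Added example: build an incident timeline from constructed network flow records.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")          # assumed internal range (constructed)
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}  # assumed service map
EXFIL_BYTES_THRESHOLD = 50_000_000                # assumed: flag >= 50 MB out per flow

# Constructed sample flows: timestamp src dst dst_port bytes_sent_by_src hostname
SAMPLE_FLOWS = """\
2024-03-04T09:12:03 10.0.5.21 93.184.216.34 443 4120 docs-share.example
2024-03-04T09:12:40 10.0.5.21 203.0.113.77 443 1290 update-check.example
2024-03-04T09:15:10 198.51.100.9 10.0.5.21 3389 0 -
2024-03-04T09:41:55 10.0.5.21 198.51.100.9 443 81234567 -
"""

@dataclass
class Event:
    when: datetime
    kind: str      # "visit", "remote_access" or "exfil"
    detail: str

def parse_flows(text):
    """Parse whitespace-separated flow lines into typed tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes, host = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(port), int(nbytes), host))
    return flows

def build_timeline(flows, victim):
    """Return chronologically ordered events involving the victim host."""
    victim = ip_address(victim)
    events = []
    for when, src, dst, port, nbytes, host in flows:
        if src == victim and dst not in INTERNAL_NET:
            if host != "-":                       # outbound visit to a named site
                events.append(Event(when, "visit", f"{host} ({dst}:{port})"))
            if nbytes >= EXFIL_BYTES_THRESHOLD:   # unusually large outbound transfer
                events.append(Event(when, "exfil", f"{nbytes} bytes to {dst}:{port}"))
        elif dst == victim and src not in INTERNAL_NET and port in REMOTE_ACCESS_PORTS:
            events.append(Event(when, "remote_access",
                                f"{REMOTE_ACCESS_PORTS[port]} from {src}"))
    return sorted(events, key=lambda e: e.when)

if __name__ == "__main__":
    for e in build_timeline(parse_flows(SAMPLE_FLOWS), "10.0.5.21"):
        print(e.when.isoformat(), e.kind, e.detail)
```

In the constructed sample, the inbound RDP session and the later large outbound transfer share the same external address, which is the kind of correlation a timeline makes visible.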
Both types of forensics work require highly specialized skills — and plenty of patience, added Lang.
“It’s a common misconception that computer forensics work can be done very quickly — that we bang out a few keystrokes and we’ve solved the case, like what’s portrayed on TV. In reality, it’s a very time-consuming process. It can take many days to complete an investigative analysis, even with the most capable analysts on the case,” said Lang.
How does the computer forensics process work at Virginia Tech?
In most cases, the ITSO will begin forensics work at the request of a university official, a department, or the Virginia Tech Police Department following a confirmed or suspected incident. The ITSO cooperates with the involved parties to perform forensic analysis that can help identify where, when, and how a breach occurred, as well as what data was compromised.
“When dealing with a possible threat, our goal is to prevent further intrusions; limit the possible damage of an intrusion; and facilitate recovery of data, functionality, and security after an intrusion with minimal downtime,” explained Lang. “Along the way, we collect and analyze information into evidence that shows what happened, how it happened, and why it happened.”
Lang pointed out that many of the same skills used in forensics work are used to proactively analyze network traffic to determine if suspicious activity is taking place. “This process is called cyberthreat hunting and accounts for a significant amount of the work we do in the ITSO.”