In IT, forensic experts are among the most sought-after specialists, both by investigative authorities and companies. They are responsible for securing evidence in the event of a cyberattack. We asked our forensic expert Julian Krautwald about his work. In the first part of our interview, we find out what an IT forensic expert actually does.
Julian, you are an IT forensic expert.
How does your work differ from that of an IT expert?
The IT expert is your first point of contact for all technical matters. They ensure that your IT equipment is working properly and that you have all the tools you need to do your daily work on your work computer. They should also be the first point of contact for technical problems and malfunctions at your workplace.
More specifically, they take care of the installation, configuration, operation and maintenance of infrastructure/network components, systems and services, both hardware and software. They are responsible for technical fault diagnosis and take care of system and data recovery. They also maintain documentation of technical processes, instructions and configurations.
Then there is the IT security expert. What exactly do they do – and how do they differ from you?
You won’t notice much of the IT security expert’s work in your day-to-day activities. This is mainly because IT security experts work very closely with IT experts to implement IT security measures, but they are not the first point of contact for employees. You are more likely to notice the measures implemented by the IT security expert subconsciously. For example, when your work computer’s operating system suddenly asks you (again) to change your login password. Many of these measures initially appear to most employees as a restriction on the user-friendliness of the systems they use. Only when an IT security expert gives employees an insight into why certain measures are extremely important and what can happen if they are not implemented does this usually lead to greater acceptance of their work within the company.
And where does your work as an IT forensic expert come in?
Only when your company has already fallen victim to a cyberattack – or you at least suspect that this is the case – and the colleagues described above are unable to clearly determine how the incident occurred and/or what the best strategy is to contain the damage and return operations to ‘normal’. An IT forensic expert supports and advises these colleagues in the diagnosis, analysis and investigation of causes, but also in prioritising immediate measures in response to information security incidents.
This involves analysing large amounts of data, technical logs and entire system images. The aim of the analysis is to identify signs and causes of an information security incident, evaluate the level of compromise and, if necessary, prepare the evidence found in a form that can be used in court. In addition, they are responsible for developing defence strategies and initiating the necessary measures to mitigate damage. They also define the countermeasures. And last but not least, they document the facts and the activities carried out.
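One concrete part of "preparing evidence in a form that can be used in court" is proving that a secured artefact (a log export, a memory dump, a disk image) is still the same bytes that were collected. The following is an added example, not code from the interview or from the interviewee's organisation; it records a SHA-256 digest in a chain-of-custody entry at collection time and re-checks it later. The item ids, descriptions and log lines are constructed for the demonstration.

```python
"""Added example (not from the interview): recording and later verifying the
integrity of a secured evidence artefact with a cryptographic hash, so the
analyst can show that what is handed over is exactly what was collected."""
import hashlib
import json
from datetime import datetime, timezone
from typing import BinaryIO, Optional


def hash_evidence(data: bytes) -> str:
    """Return the SHA-256 digest of an in-memory artefact as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def hash_stream(stream: BinaryIO, chunk_size: int = 1024 * 1024) -> str:
    """Digest a large artefact (e.g. a full system image) without loading it
    into memory at once; chunked reads give the same digest as hash_evidence."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def make_custody_record(item_id: str, description: str, data: bytes,
                        collected_by: str,
                        collected_at: Optional[datetime] = None) -> dict:
    """Build one chain-of-custody entry for a collected artefact.

    The entry ties a human-readable description to the digest and size of
    the bytes actually secured. It is written once and never edited;
    later handling steps append new entries rather than changing this one.
    """
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    return {
        "item_id": item_id,
        "description": description,
        "sha256": hash_evidence(data),
        "size_bytes": len(data),
        "collected_by": collected_by,
        "collected_at_utc": ts,
    }


def verify_evidence(record: dict, data: bytes) -> bool:
    """True only if the bytes still match the digest and size recorded at
    collection time; any modification, however small, makes this False."""
    return (len(data) == record["size_bytes"]
            and hash_evidence(data) == record["sha256"])


if __name__ == "__main__":
    # Constructed sample: a small log export secured during an incident.
    log_export = (
        b"2024-01-01T03:12:07Z sshd[1042]: Accepted password for admin from 203.0.113.5\n"
        b"2024-01-01T03:12:09Z sudo: admin : COMMAND=/bin/bash\n"
    )
    record = make_custody_record(
        item_id="ITEM-0001",  # constructed identifier
        description="auth log export from host 'constructed-host'",
        data=log_export,
        collected_by="analyst (constructed name)",
    )
    # The custody log is kept as append-only JSON lines alongside the evidence.
    print(json.dumps(record))

    # Later verification before analysis or hand-over to court.
    print("unchanged copy verifies:", verify_evidence(record, log_export))
    tampered = log_export.replace(b"admin", b"guest")
    print("altered copy verifies:  ", verify_evidence(record, tampered))
```

The size check is deliberately recorded alongside the digest: it is cheap, human-readable, and catches the common mistake of hashing a truncated copy. For images too large to hold in memory, `hash_stream` is used with an open file object and yields the same digest that `hash_evidence` would for the full contents.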
What questions should victims ideally be able to answer so that you can quickly clarify and deal with the cyber emergency?
To clarify what happened, it should at least be possible to answer the classic W questions:
Questionnaire in an emergency
In general, however, the more detailed the incident can be described, the better it is for diagnosing and solving the problem. If a smartphone with a camera function is available, it can also be helpful to document the incident with photos.
(End of Part 1)