Digital Forensics
Welcome
In the Welcome column, I write about jobs, careers, trends, and sometimes random but relevant topics. For this issue, I'm discussing a new direction in system administration that you might know as computer forensics, cyberforensics, or digital forensics.
Digital forensics is the discovery, recovery, investigation, and examination of data found in computer systems. Computer systems is a broad category that includes databases, network devices, and mobile devices. It may also include other devices (e.g., supervisory control and data acquisition (SCADA) instruments) that store, process, or use data. Although digital forensics isn't new, it can be a new direction for those who have traditionally held system administration jobs.
You might wonder why I'm discussing a security topic in a column that focuses on system administration. I've mentioned before that security is everyone's job, and that is certainly true for system administrators; digital forensics is an extension of that role. The reality of the system administrator's role is that our job description is "Other duties as assigned" and little else. We do everything, and security is often the least offensive task that we have the pleasure to perform.
To illustrate how the roles overlap, assume that you suspect a system has been compromised. You begin collecting and comparing logs to find out when the breach occurred. Next, you search for compromised or new accounts. You search for open ports and check network data to see if information is being exfiltrated. You isolate systems and run various vulnerability and rootkit scans. You might even enlist the assistance of other digital forensic specialists to help locate backdoors, trojans, scripts, and changed files. You probably also change all your root and administrator passwords. Performing these and similar tasks is digital forensics.
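The first two steps above (comparing logs to pin down when something happened, then looking for new or misused accounts) are routine enough to script. The following is an added illustration written for this column, not code from the magazine or from any tool it mentions: it reads syslog-style authentication lines, flags account creation, failed logins, and logins from outside a trusted range or by a freshly created account, and orders them into a timeline. The log lines, host name, user names, addresses, and the trusted network are all constructed for the example.

```python
"""Minimal auth-log triage: a timeline of account creation and login events.

Added illustration for the column above, not the magazine's own code. Every
log line, host, user, address and the trusted range below is constructed.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed syslog-style auth lines; nothing here comes from a real system.
SAMPLE_LOG = """\
Mar 03 01:12:07 web01 sshd[2110]: Accepted password for deploy from 10.0.5.20 port 51122 ssh2
Mar 03 01:12:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
Mar 03 01:12:40 web01 useradd[2140]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar 03 01:13:02 web01 sshd[2151]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar 03 01:13:05 web01 sshd[2151]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar 03 01:13:09 web01 sshd[2151]: Accepted password for svc_backup from 203.0.113.9 port 40013 ssh2
Mar 03 02:00:01 web01 CRON[2300]: (root) CMD (/usr/local/bin/sync_code.sh)
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the admin network
LOG_YEAR = 2024                                      # syslog lines carry no year

# "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
NEW_USER_RE = re.compile(r"new user: name=(\w+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    when = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return {"time": when, "host": host, "proc": proc, "msg": msg.strip()}


def is_trusted(addr):
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def triage(log_text):
    """Return findings sorted by time as (time, kind, detail) tuples."""
    findings = []
    created = set()  # accounts created within this log window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        new_user = NEW_USER_RE.search(msg)
        failed = FAILED_RE.search(msg)
        accepted = ACCEPTED_RE.search(msg)
        if new_user:
            created.add(new_user.group(1))
            findings.append((ev["time"], "NEW_ACCOUNT", new_user.group(1)))
        elif failed:
            findings.append((ev["time"], "FAILED_LOGIN", f"{failed.group(1)} from {failed.group(2)}"))
        elif accepted:
            user, src = accepted.groups()
            reasons = []
            if not is_trusted(src):
                reasons.append("untrusted source")
            if user in created:
                reasons.append("newly created account")
            if reasons:
                detail = f"{user} from {src} ({', '.join(reasons)})"
                findings.append((ev["time"], "SUSPICIOUS_LOGIN", detail))
    findings.sort(key=lambda f: f[0])
    return findings


def new_accounts(findings):
    """Names of accounts created in the window, in order of creation."""
    return [detail for _, kind, detail in findings if kind == "NEW_ACCOUNT"]


def failed_by_source(findings):
    """Count failed logins per source address."""
    return dict(Counter(detail.split(" from ")[1] for _, kind, detail in findings if kind == "FAILED_LOGIN"))


def first_suspicious(findings):
    """Earliest finding, which is the best first estimate of when the trouble began."""
    return findings[0][0] if findings else None


if __name__ == "__main__":
    for when, kind, detail in triage(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S}  {kind:<17} {detail}")
```

On the constructed sample the timeline shows a new account being created from an internal session, a short burst of failed root logins from an outside address, and then that new account logging in from the same outside address a few seconds later; the earliest finding gives you the starting point for the log comparison the column describes. The same parser applies unchanged to a real `/var/log/auth.log` after adjusting `TRUSTED_NETS` and `LOG_YEAR`.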
Some sys admins have a special talent for digital forensics, while others will have no interest at all. I was shocked when one of my former colleagues told me to "have fun" doing my investigative work on a suspected breach and to let him know when I'd "had enough." To his surprise, I solved the issue. I uncovered an internal breach and traced it to the offending person.
In this instance, a set of maintenance scripts used an insecure protocol to update code from a development system to multiple other staging and production systems. He couldn't be bothered to tunnel or otherwise secure the passwords and data traversing the network. It looked like an outside attack from a compromised system because the traffic traversed a firewall, a bastion host, and the DMZ. My colleague had to explain himself to our manager and the security team. He also had to provide extensive documentation and a plan to secure the data and its transfer.
Not all suspected breaches are quite this easy to unravel and resolve. Fortunately, the incident didn't require public disclosure because it only included data and information for our intranet, and no client data or information was involved. The problem required mitigation because the process was a prototype for client production data and information. It would have been much worse in six months when the process was moved to production.
This is what digital forensics is all about. If performing those tasks interests you, several online classes and university options can take your interests to the next level. All system administrators should be required to have digital forensics training. Even if you have not performed any forensics-related tasks, the training will help you protect your systems and assist investigators during the reconnaissance and recovery phases of an incident. If you love to solve puzzles, have an aptitude for detailed work, and enjoy devising strategies against an opponent, digital forensics might be what you're looking for in moving your sys admin career forward.
The job of system administration is fun, but expanding your horizons and exploring something new and different doesn't hurt. You might find yourself on a new path to a great and rewarding career as a full-time digital forensics professional.
Ken Hess * ADMIN Senior Editor