Digital Detectives Track Hacks

 
 
By Anne Chen  |  Posted 2001-04-23
 
 
 

If e-business had a modern-day Sherlock Holmes, his name would be David Dittrich. Dittrich, a security manager at the University of Washington, in Seattle, is one of a rare breed of security pros—the computer forensics expert—whose skills are getting ever more precious as the number of computer crimes spirals. These are the data detectives who search for digital clues remaining on computers after malicious—or black-hat—hackers have done their dirty deeds. Sleuths like Dittrich analyze e-mail, Web site records and hard drive data, looking for clues to the identity of criminals and crackers, much like gumshoes examine crime scenes for fingerprints and stray hairs.

Its not just the number of crimes thats fueling the need for these skills; its also the increasing sophistication of criminals. "The black-hat community is moving forward at a pace that outstrips the ability of the average system administrator or law enforcement agency," Dittrich said.

That means that both e-businesses and law enforcement agencies are paying plenty to find experts such as Dittrich to sift through evidence left behind at digital crime scenes, experts say. "The need for computer forensics is growing exponentially," said John Gunn, lab director of the San Diego Regional Computer Forensics Laboratory, the first multiagency, regional computer forensics lab in the United States.

The need is particularly acute at local, state, federal and military law enforcement agencies that host computer forensics divisions, which are looking for individuals adept at solving hacking and intellectual property cases. And an increasing number of corporations are using computer forensics to resolve internal matters such as fraud, violations of trade secrets and inappropriate use of company computers, according to Lee Kushner, CEO of information security recruiting company L.J. Kushner and Associates LLC, in Freehold, N.J.

Gunn said the job is intense and tedious and requires nerves of steel. Most specialists at the San Diego RCFL have years of programming or computer- related experience, strong analytical skills, and the patience to invest days taking apart a computer in search of evidence. And if things keep going the way they are, it probably wont hurt if these experts didnt mind overtime. Last year, the San Diego RCFL closed 400 computer-related cases. This year, Gunn expects the number of cases to double.

Other professional attributes needed to catch a thief, experts say, are strong computer science fundamentals, a broad understanding of security vulnerabilities and strong system administration skills. Dittrich, who has been analyzing compromised systems and reconstructing the events since the early 1990s, uses these skills to seek information to reconstruct how a system was hacked. "The number and complexity of intrusions has increased at an alarming rate. Ive been forced to find ways ... to try to keep up with intruder tools as they have progressed in sophistication," Dittrich said.

Experts gather this data and create an audit trail for criminal prosecutions. They search for information that may be encrypted or hidden, along with unallocated disk space. Most cunningly of all, they set traps using vulnerable computers to lure malicious hackers into giving away themselves and their techniques.

Dittrich stressed that computer forensics specialists must have strong analytic skills and excellent verbal and written communication skills. Thats because theyre required to document their findings in detail, and they often testify at criminal trials.

The demand is being answered by several educational facilities, including the University of Central Florida, in Orlando, which offers a graduate certificate degree in computer forensics. The International Association of Computer Investigative Specialists, based in Donahue, Iowa, offers certification for computer forensics examiners. Demand for such courses is so high that the associations fall classes are already full.

Such courses are helpful for those IT managers or individuals who lack computer programming experience but who want to make the leap into computer forensics. Gunn, who conducted general investigations for the FBI before joining the RCFL, got up to speed with training courses offered by the FBI.

Computer forensics specialists like Gunn caution that IT managers interested in pursuing computer forensics as a career shouldnt expect that just by taking a few courses in the subject, theyll be able to track some of the worlds slyest hackers. The specialty is a tough discipline in a fast-moving industry that requires highly trained professionals dedicated to continued learning, he said.

Thats because, as experts like Dittrich say, theres no way to stay ahead of the crooks. White-hat hackers at this point can only try to narrow the gap between themselves and the bad guys—and hope that the black-hat hackers dont get too fastidious when it comes to leaving behind digital footprints.

Rocket Fuel