From podcasts to tv shows to Netflix documentaries, everyone loves to see a mystery solved. SaskTel has its own product dedicated to true crime—and its own Gil Grissom. Rick Lee talks about his personal experience in the real world of cybercrime and how businesses benefit from digital forensics.
What is digital forensics?
Digital forensics refers to evidence found in computers and digital media. The goal is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital evidence. That means it’s something that’s designed to be used in the judicial system and at arbitration hearings.
How do people use digital forensics services?
At SaskTel, we offer a variety of services. We do human resource investigations: if you have terminated someone, you want to have all the evidence available to you in the event of a wrongful dismissal suit. We do personally identifiable information disclosure investigations, phishing attacks and ransomware, malware investigations, data theft or loss, and system compromises. We can investigate pretty much anything with zeros and ones.
Among our most common engagements are system breach investigations, where we're asked to respond instantly. Typically, what happens is somebody finds something that's unusual in their environment. They may have found some malware running and they'll call us in.
What kind of cybercrime should people be aware of?
A cybercriminal is looking for personally identifiable information that can be used for identity theft; things they can turn into cash or cash equivalents. Or maybe they’re looking to sell your files back to you by using ransomware where you can't access your files until you pay them and they give you the password that will let you unlock the files.
The initial compromise is usually a spear phishing attack—a carefully crafted email or message that attempts to gain information from a specific, well-researched person. The criminals pose as a trusted contact, establish a foothold and bring in custom malware. They do some internal exploration and start moving laterally around the network. They maintain their presence and use some kind of persistence mechanism so that when you turn off the computer and turn it back on again, they still have control of it.
What is the investigation process like?
One of the first things we do is meet with the customer, discuss the issue and determine a path for the investigation. One of the tools we use is called Cyber Triage, which is a live response on the system. Before you even unplug your computer or take it offline, we run this tool on it and it tells us who's connected to it, what files have been run, if there's any malware on the system, all the different things that are linked to give us a good picture of what the attacker may have done.
One of the main things our customers typically want to know is if anything was stolen from their environment. After running Cyber Triage, we’re able to determine which systems in the environment require further examination. We then do what’s referred to as a forensically sound image of that device. Every zero and one that's on the hard drive of the compromised system goes into an image that we can later examine using other tools.
We also take an image of the system's memory because there's a lot of valuable information in memory that’s gone as soon as you pull the plug. That includes who's connected to the computer at the time, what users are on it, and what software is running in memory. You can get things like partial chat messages, email, Internet history—things that might not be actively kept on a computer.
Do you use specialty software in your investigation?
We have a bunch of different tools that we use. Primarily, we use a tool called EnCase. It lets us take a look at the media even if it’s password protected. If you’re using Windows Explorer, for example, you can see the folder and you can see all the files that are in the folder. The way ours works is we have the folder view on one side, but we can actually look at everything in a spreadsheet format on the other side. We can see every file at the same time.
For a breach investigation, we're going to have a date and time when we believe the breach happened or at least when it was first found. We can sort by the file creation date and see all the files that were created around that time and then we start going back by hours or days to see what activity happened and try to find the origin of the breach that way. And then we’ll go the other way and see what activity was done after the breach was found.
There are a lot of different places you can look for information that the average user can't see. There are things called shellbags, for example, that will allow us to see every folder that's been opened by a user on the computer. We can even see if it was a USB key that was put into the computer. Our goal is to find the origin of the breach and the activity of the user—basically the who, what, where, how, when, and why, just like any criminal investigation.
Once we’ve found malware, we take the next step. We have another system we use called Joe Sandbox Desktop that we can put the piece of malware into. It will do a complete analysis on that malware including running it and watching for it to go to command and control servers, and watching for any lateral movement to other systems. It will give us an 80-page report on everything that piece of malware does. With that much information, we’re well equipped to help identify the cybercriminals, testify for the prosecution, and prevent further attacks.
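The breach-timeline walk described above (start at the time the breach was found, sort by file creation date, then step back by hours and days) can be sketched in a few functions. This is an added illustration, not SaskTel's or EnCase's code; the file records are constructed sample metadata standing in for what a forensic image's file table would yield, and the paths and timestamps are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime

# Constructed sample file metadata (hypothetical paths and times).
SAMPLE_FILES = [
    FileRecord("C:/Users/alice/Documents/budget.xlsx", datetime(2023, 3, 1, 9, 15)),
    FileRecord("C:/Users/alice/AppData/Local/Temp/invoice.pdf.exe", datetime(2023, 3, 6, 14, 2)),
    FileRecord("C:/Users/alice/AppData/Local/Temp/svc.dll", datetime(2023, 3, 6, 14, 3)),
    FileRecord("C:/Windows/Temp/readme.txt", datetime(2023, 3, 6, 14, 5)),
    FileRecord("C:/Users/alice/Downloads/quarterly.docx", datetime(2023, 3, 7, 8, 30)),
    FileRecord("C:/ProgramData/update/collect.zip", datetime(2023, 3, 9, 23, 40)),
    FileRecord("C:/Users/alice/Desktop/notes.txt", datetime(2023, 2, 10, 11, 0)),
]

def files_in_window(files, pivot, before, after=timedelta(0)):
    """Files created in [pivot - before, pivot + after], oldest first.
    `after` > 0 covers the 'what happened after the breach was found' pass."""
    lo, hi = pivot - before, pivot + after
    return sorted((f for f in files if lo <= f.created <= hi), key=lambda f: f.created)

def widening_timeline(files, pivot,
                      steps=(timedelta(hours=1), timedelta(days=1), timedelta(days=7))):
    """Step back from the pivot in widening windows. Each step reports only files
    not already seen in a narrower window, so the analyst reviews each file once."""
    seen, out = set(), []
    for step in steps:
        fresh = [f for f in files_in_window(files, pivot, before=step) if f.path not in seen]
        seen.update(f.path for f in fresh)
        out.append((step, fresh))
    return out

def creation_bursts(files, gap=timedelta(minutes=5), min_size=2):
    """Group files whose creation times fall within `gap` of the previous file.
    A cluster of new files landing together in a temp directory is the kind of
    artifact that points at the origin of a breach."""
    ordered = sorted(files, key=lambda f: f.created)
    bursts, current = [], []
    for f in ordered:
        if current and f.created - current[-1].created > gap:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(f)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts
```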
For more information on how to protect your business with SaskTel Digital Forensics, contact a consultant by confidential email DFIR@sasktel.com or voice mail (1.844.691.1646).