
I stood watching birds dive into the ocean surf for fish recently. A safe Central American beach where my only risk feels like a beer that warms too quickly from the formidable heat. As the sun crested behind the wave, I could see the teeming schools of fish racing along the white-capped surf. The pipeline of fish attempting to avoid nature's threats and safely navigate their endless saltwater ecology. It reminded me of how data packets move thanks to our TCP/IP standards, or in other words, the internet. The internet is a seemingly immeasurable space like the ocean, combining fluid motion with an almost endless volume of traffic. Now if we consider the simple action of the fish moving, the threat actor in this situation is the bird diving in to create havoc in the natural movement of the fish. I don't think it takes too much imagination to recognize and acknowledge that there are other threats to the school of 'data' fish: larger fish, nets, hooks, or environmental changes, but as I stand on the shore, it's the waves that fascinate me. Sure, the internet feels silent, but like the waves it's constant and unyielding. If you've ever investigated a malicious cyber event, you've waded into the digital forensic surf. Recognizing that certain user impacts that affect operations may not always be from malicious activity, well, that's included in building experience! You may even begin to notice that many issues are corrected with basic app and OS updates.

Almost too simple, but spending any time with a client will teach you that cyberthreats are real and constant. Your awareness of essential basic principles of system management is the lifejacket most people forget to wear. I can't count how often I hear from clients that my knowledge of recommending 'patchpatchpatch, updateupdateupdate' has kept their boat afloat in the harbour. I may have paraphrased that last statement for this blog article in keeping with my new nautical theme lifestyle. The 'DF' and the 'IR' (Digital Forensics & Incident Response) are often intertwined, but I'm here to express, with a resounding container ship horn blast, that they are very different, each with challenging responsibilities.


More information about the FOR308: Digital Forensics Essentials course is available here.

If your actions lead to steps such as mitigating damage, protecting against data loss, or re-establishing operations... welcome to incident response. I can pass along several courses that will fill that knowledge gap. The digital forensic sleuth in you may lead you down a path where, when you kick off the investigation role, you are able to find the one bird that disrupted the wave. A little tip: remember there can be more than one bird... and more than one wave. Also, as the waves roll towards you, consider that an ocean wave may have travelled halfway around the world. Hard to imagine what impacts it's made along the way to end up right at your feet. I can't remember when, but I think there was a time that even I put a note in a bottle and tossed it out to sea. Not a malicious action, but that bottle likely pops up every now and then on a radar somewhere. A priority in digital forensics is to know each wave's activity, and understand the impacts to and from that wave. The deliveries may appear the same (phishing attacks, spear-phishing, or brute force attacks), but the impacts can be varied and punishing. In the end, the more you know after investigation, the more you can control to come up with the best solutions and mitigations.

In the case of digital forensics, it is certainly about getting your feet wet. In today's day and age, everything about computers is about getting started. It's easy to become overwhelmed. That's why no one suggests you must jump into the ocean off a ship in the middle of the Atlantic. Perhaps wading in is the best approach, but don't stop until it scares you a little. Stay vigilant and aware that when one wave has passed, there's another one coming. 'Dive' into the experience. Keep thinking DFIRently.