3. The Adversary of Cybersecurity: Hackers

post-exploit activities? This involves the analysis of evidence left behind on computer systems, including operating system and other types of log files. Forensics experts examine log files and other data artifacts to find evidence and to reconstruct events. Sometimes this is done after a person has deliberately tried to destroy evidence by deleting data, modifying logs, or damaging physical hardware. Some cyber forensics experts work in specialized labs to reconstruct damaged hardware to recover data (see Figure 3.4).

Individual hackers or hacker teams may develop a signature consisting of a certain sequence of steps and types of tools. These are called tactics, techniques, and procedures (TTPs). They can function almost like a fingerprint: if a group uses the same TTPs in different attacks, investigators may be able to attribute the attacks to the same group. Hackers may repeat the same steps out of habit, or because they trust TTPs that have been effective in the past. In general, as we saw in Chapter 1, the fundamental features of cyberspace make it difficult to determine who did what, and when. To make things even more difficult, a hacking group may deliberately plant subtle clues to try to pin the crime on somebody else. The difficulty of determining who is responsible for a cyber attack is called the attribution problem. Cyber forensics specialists, like detectives, study past attacks, look at all the evidence of a crime scene, and try to solve the crime by tracking cyber attacks to their source.

Figure 3.4 A cyber forensics lab.

Cyber forensics also includes hacking into computer systems to assist in criminal investigations. Unlike the hacking done by cyber warriors, this type of hacking can be performed against United States citizens, but, again, only with the proper authorization. For example, if an encrypted smartphone that might contain evidence is discovered in the course of a criminal investigation, and a judge issues a warrant, then law enforcement officials may hack the device to obtain access to its data. Chapter 10 provides more details on the rights of citizens. Law enforcement officials are motivated by the pursuit of justice.
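The following worked example, added here and not part of the book, shows in code how the TTP "fingerprint" idea from the discussion above can be applied. An investigator compares the ordered list of steps observed in a new incident against profiles of previously studied groups, scoring both how many steps overlap (set similarity) and how many appear in the same order (sequence similarity). The group names, the profiles, and the observed incident are all constructed for illustration and do not describe any real threat actor.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed TTP profiles for two hypothetical groups (illustrative only).
# In practice each step would be a technique identifier from a shared
# taxonomy rather than free text, so that different analysts label
# the same behaviour the same way.
KNOWN_PROFILES: Dict[str, List[str]] = {
    "GroupA": [
        "spearphishing attachment",
        "macro drops loader",
        "powershell stager",
        "credential dumping",
        "lateral movement via smb",
        "clear event logs",
    ],
    "GroupB": [
        "exposed rdp brute force",
        "valid account login",
        "scheduled task persistence",
        "credential dumping",
        "data staged to archive",
        "exfil over https",
    ],
}

# Constructed sequence of steps reconstructed from a new incident's logs.
OBSERVED_INCIDENT: List[str] = [
    "spearphishing attachment",
    "macro drops loader",
    "powershell stager",
    "credential dumping",
    "lateral movement via smb",
    "exfil over https",
]


def jaccard(a: Sequence[str], b: Sequence[str]) -> float:
    """Set similarity: shared steps divided by all distinct steps seen."""
    sa, sb = set(a), set(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def ordered_overlap(observed: Sequence[str], profile: Sequence[str]) -> int:
    """Longest common subsequence: shared steps that also occur in the
    same relative order, which captures the 'sequence of steps' part
    of a TTP signature rather than just the set of tools used."""
    m, n = len(observed), len(profile)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            if observed[i] == profile[j]:
                dp[i + 1][j + 1] = dp[i][j] + 1
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j])
    return dp[m][n]


def score_attribution(
    observed: Sequence[str], profiles: Dict[str, List[str]]
) -> List[Tuple[str, float, int]]:
    """Rank known groups by (set similarity, ordered overlap), best first.

    The result is supporting evidence, not proof: a group can copy another
    group's steps as a false flag, so the ranking only narrows the
    investigation and must be weighed with the other evidence.
    """
    results = [
        (name, round(jaccard(observed, profile), 3), ordered_overlap(observed, profile))
        for name, profile in profiles.items()
    ]
    results.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return results


if __name__ == "__main__":
    for name, set_sim, seq_sim in score_attribution(OBSERVED_INCIDENT, KNOWN_PROFILES):
        print(f"{name}: set similarity={set_sim}, ordered overlap={seq_sim}")
```

Running the block ranks GroupA first (five of its six steps appear, in order, in the incident) and GroupB well behind (two shared steps). A practitioner reading the output should note that the one step GroupA's profile lacks, "exfil over https", is exactly the kind of divergence that could mean a change in the group's habits, a different group reusing GroupA's playbook, or a deliberate false flag.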