Image © armmypicca, 123RF Free Images

Digital Forensics

Welcome

Article from ADMIN 78/2023
By Ken Hess
Consider a new direction in system administration.

In the Welcome column, I write about jobs, careers, trends, and sometimes random but relevant topics. For this issue, I'm discussing a new direction in system administration that you might know as computer forensics, cyberforensics, or digital forensics.

Digital forensics is the discovery, recovery, investigation, and examination of data found in computer systems. "Computer systems" is a broad category that includes databases, network devices, and mobile devices. It may also include other devices (e.g., supervisory control and data acquisition (SCADA) instruments) that store, process, or use data. Although digital forensics isn't new, it can be a new direction for those who have traditionally held system administration jobs.

You might wonder why I'm discussing a security topic for a column focusing on system administration. I've mentioned before that security is everyone's job, and it's certainly true for system administrators, and digital forensics is an extension of that role. The reality of the system administrator's role is that our job description is "Other duties as assigned" and little else. We do everything, and security is often the least offensive task that we have the pleasure to perform.

To illustrate how the roles overlap, assume that you suspect a system has been compromised. You begin collecting and comparing logs to find out when the breach occurred. Next, you search for compromised or new accounts. You search for open ports and check network data to see if information is being exfiltrated. You isolate systems and run various vulnerability and rootkit scans. You might even enlist the assistance of other digital forensic specialists to help locate backdoors, trojans, scripts, and changed files. You probably also change all your root and administrator passwords. Performing these and similar tasks is digital forensics.
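Two of the checks in that walkthrough, comparing the current state against a known-good baseline for new or privileged accounts and for unexpected listening ports, can be scripted. The following is an added example, not code from the column: it assumes snapshots in `/etc/passwd` and `ss -ltn` format, and the snapshot contents are constructed for illustration.

```python
# Added triage example (not from the column): diff a known-good baseline of
# accounts and listening TCP ports against the current state of a suspect host.
# Inputs are assumed to be /etc/passwd lines and `ss -ltn` output; constructed.
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
PASSWD_CURRENT = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:1001::/var/tmp:/bin/sh
"""
SS_BASELINE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:443              *:*
"""
SS_CURRENT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    *:443              *:*
LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*
"""

def parse_passwd(text):
    """Map user name -> numeric UID from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _rest = line.split(":", 3)
        users[name] = int(uid)
    return users

def account_anomalies(baseline_text, current_text):
    """Accounts absent from the baseline, and non-root accounts with UID 0."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        "new": sorted(n for n in cur if n not in base),
        "uid0": sorted(n for n, uid in cur.items() if uid == 0 and n != "root"),
    }

def parse_listening_ports(ss_text):
    """Collect listening TCP ports from `ss -ltn` output (header skipped)."""
    ports = set()
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))  # works for *:443 and [::]:22
    return ports

def new_listening_ports(baseline_text, current_text):
    """Ports listening now that were not listening in the baseline."""
    return sorted(parse_listening_ports(current_text) - parse_listening_ports(baseline_text))
```

On a real host, replace the constructed strings with a baseline captured at build time and the output of `cat /etc/passwd` and `ss -ltn` from the suspect system; a new UID-0 account or an unexplained port is a lead to investigate, not proof of compromise by itself.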

Some sys admins have a special talent for digital forensics, while others will have no interest at all. I was shocked when one of my former colleagues told me to "have fun" doing my investigative work on a suspected breach and let him know when I've "had enough." To his surprise, I solved the issue. I uncovered an internal breach and traced it to the offending person.

In this instance, a set of maintenance scripts used a non-secure protocol to update code from a development system to multiple other staging and production systems. He couldn't be bothered to tunnel or otherwise secure passwords and data traversing the network. It looked like an outside attack from a compromised system because it traversed a firewall, a bastion host, and the DMZ. My colleague had to explain himself to our manager and the security team. He also had to provide extensive documentation and a plan to secure the data and its transfer.

Not all suspected breaches are quite this easy to unravel and resolve. Fortunately, the incident didn't require public disclosure because it only included data and information for our intranet, and no client data or information was involved. The problem required mitigation because the process was a prototype for client production data and information. It would have been much worse in six months when the process was moved to production.

This is what digital forensics is all about. If performing those tasks interests you, several online classes and university options can take your interests to the next level. All system administrators should be required to have digital forensics training. Even if you have not performed any forensics-related tasks, the training will help you protect your systems and assist investigators during the reconnaissance and recovery phases of an incident. If you love to solve puzzles, have an aptitude for detailed work, and enjoy devising strategies against an opponent, digital forensics might be what you're looking for in moving your sys admin career forward.

The job of system administration is fun, but expanding your horizons and exploring something new and different doesn't hurt. You might find yourself on a new path to a great and rewarding career as a full-time digital forensics professional.

Ken Hess * ADMIN Senior Editor
