The Future of Work: Catching criminal hackers, probing malware attacks all in a day’s work for digital forensics investigators

Late last year, a study by consulting firm McKinsey estimated that almost a quarter of work activities in Singapore could be displaced by 2030. At the same time, however, a vast amount of jobs will be created, with new technologies spawning many more jobs than they destroyed, the study pointed out. The introduction of the personal computer, for example, has enabled the creation of 15.8 million net new jobs in the United States in the last few decades, even after accounting for jobs displaced.

In a new weekly series, TODAY looks at The Future of Work — the emerging jobs fuelled by technological advancements which may not even have existed a few years back, but are set to proliferate within the next decade or so. In this fourth instalment, we feature the growing pool of digital forensics specialists who hunt down the perpetrators behind cyber-attacks and breaches.

SINGAPORE — The million-dollar deal had been sealed, funds wired to its supplier, and the goods were about to follow. Or so the company thought.

After it channelled 650,000 euros (S$1.02 million) into its supplier's bank account, it waited, but the goods did not arrive.

Alarmed, the company rang its supplier and learned that the latter had been told to "stop the deal". Only then did it dawn on the company that it had fallen victim to a highly choreographed scam.

Thus began a drawn-out investigation that eventually traced the misdeed to an inside job.

This is the world that digital forensics specialist Ali Fazeli, 37, operates in. Like crime scene investigation (CSI) workers scouring a crime scene for clues, these professionals sift through computer files and systems with a fine-tooth comb to pick out anomalies or suspicious activity.

Recounting the incident that happened to his client — a small- and medium-sized enterprise — a year ago, Mr Fazeli, director of security consultancy and advisory at cyber-security firm Infinity Risk Control, said the scam began innocuously over email.

A Hong Kong-based hacker group, working in cahoots with a staff member who fed it information on the deal, had launched an email phishing attack on the company.

Using his access to the client's financial documents and invoices, the staff member generated a PDF (portable document format) file bearing the firm's letterhead, which the hackers attached to an email message.

The hackers set up email domain names that were nearly identical to those belonging to the client and its supplier, said Mr Fazeli.

Masquerading as the supplier, the cyber gang began communicating with his client by email, telling the company that the deal had gone through and to transfer funds to a bank account.

At the same time, the hackers, passing off as his client, told the supplier a different story: The deal had been put on hold.

The hackers vanished as soon as the money was transferred.

CATCHING THE CULPRIT

Entrusted with the case, Mr Fazeli's team was initially confronted with a black hole. "There was nothing. He used a Virtual Private Network and all the IP (Internet Protocol) addresses were wrong. Everything was basically destroyed."

However, his team was not about to be outdone. After analysing a PDF file attached to an email message, they discovered that the file was created at exactly the same date and time of the hacking.

The file's metadata — data that gives information about other data — such as its dates of modification and last access also pointed to it being created in Singapore.

The software used to create the file was also the same one used by Mr Fazeli's client, furthering suspicions an insider could be behind it.

With his client's co-operation, Mr Fazeli and his team went through the firm's nearly 70 computers. He said: "The guess was right. One of their guys was involved and that PDF file was created on his computer. Even though it was deleted, we managed to retrieve it."

The staff member was eventually taken to court, and the company recovered a partial sum of its lost money.

Stressing the importance of training employees to heed the telltale signs, Mr Fazeli said some companies do not give this adequate attention.

For example, the email address, language and formatting used by hackers could be different and should raise red flags. Most importantly, a company "doesn't change its bank account in one day", he said.

"It's very weird if they, (for example), change from DBS Bank suddenly to HSBC Hong Kong. Unfortunately, nowadays people don't check and just trust the email."

It was a special interest in digital forensics that led Mr Fazeli into this field about 14 years ago, when the Iranian was pursuing a master's degree in internet security and management from Australia's Curtin University via distance learning.

Calling computer forensics a "very niche" area, Mr Fazeli said picking up knowledge in the field is not something "you can attend class for".

"You have to practise, learn by yourself, always update yourself, and you have to be very creative. It's not always straightforward and you can't treat every case the same way."

A module on the topic during his studies had piqued his interest, and he began reading up on the field. Owing to the lack of forensics tools to practise on at the time, he even created his own cases on his computer by deleting and concealing pieces of information, and "worked on an imaginary 'real' case".

Helping clients resolve problems and incidents is what drives Mr Fazeli. "When you can solve a problem, when you can solve a case, to me it's the biggest satisfaction."

SOLVING CRIME THE 'END GAME'

Mr Kenneth Lee, 29, a security consultant with homegrown IT security firm Quann, is driven by the same motivation.

Mr Lee, who read cyber forensics and information security at Murdoch University via private education provider Kaplan, cut his teeth for almost three years at cyber-security firm ST Electronics (Info-Security) before moving to Quann in January. He conducts forensics work for incidents, such as malware attacks.

Investigations typically last between three and five days, the two specialists said. Depending on the nature of the cases, reports are sometimes submitted to court, and forensics experts could be called as expert witnesses.

Investigations usually begin with a trip to their clients' premises to collect evidence, which could be equipment such as hard drives. Back at their offices or on site, they "clone" the data with image-capturing tools via write-blockers — devices that allow the transfer of information to a drive without damaging its contents.

To get to the root of an incident, they use diagnostic tools that reveal, among other things, time stamps, the activities undertaken by users on the system, and the users' Internet browsing activity.

Digital forensics work allows specialists to sniff out indicators that systems have been compromised, such as temporary files that have been infected by malware, said Mr Lee. Some tools can even help trace which USB (universal serial bus) devices have been plugged into a system, including their serial numbers and product names.

It was with the aid of these tools that Mr Lee managed to pinpoint an infected USB device as the cause behind a malware found on the server of one of his clients. This was after nailing down traces of the malware among the more than 100,000 raw activity logs.

Still, Mr Lee said software can only do so much, and it still boils down to analysing the data for anomalies. "Solving the crime and the case is the most important end-game in this," he said.

GROWING DEMAND

Industry players expect the demand for digital forensics specialists to rise, particularly with cyber breaches increasing year-on-year, and with the bulk of information worldwide now in a digital format.

At Infinity Risk Control, the spike in demand is reflected in the widening pool of cases it is receiving.

The company currently works on up to 120 new cases a year. This is about twice the number from 2014, when it received 60 to 65 cases, said Mr Fazeli.

Mr Foo Siang-tse, Quann's managing director, added: "As the number of threats and breaches increases each year, the demand for cyber forensics specialists can only grow.

He added that learning how attacks occurred, even if they were not successful, was instrumental in identifying previously unknown vulnerabilities.

Digital forensics also identifies and preserves digital evidence of a cyber attack and pieces together how a breach happened.

The role calls for very specific skills, including understanding an attacker's perspective, deep technical skills especially in how systems work with one another, and a sharp and analytical mind, said Mr Foo.

But beyond an IT background, Mr Fazeli said honesty and trustworthiness are key because of the nature of client information, which can be sensitive and "extremely private".

He added: "Technical knowledge is great, but you can find many people with good technical knowledge. But loyal, honest and trusted people are hard to find."