FRED is here

By Cathy McVey, information technology services

FRED has taken up residence in Joe Bazeley’s office on the third floor of Hoyt Hall. So is FRED a new information security staff member? Has Bazeley, IT’s mild-mannered assistant vp for security, compliance, and risk management, joined Miami’s 4 Paws For Ability organization? No to both. FRED is a Forensic Recovery of Evidence Device.

FRED looks like a normal desktop tower-style computer, but in reality it is a dedicated, specialized tool that enables the collection of data from any media: hard drive, thumb drive, etc. When “digital bad behavior” is suspected, FRED may be called in to scan the media that might contain evidence of that behavior.

In the past, scans have taken lots of time and processor speed. Typical scans would often take hours or days to complete. Also, simply logging in and accessing the files located on the suspect media resets their modified and accessed dates. Those dates and times are key to identifying a timeline of activity. Without them the data does not tell the real story. FRED uses a “write blocker” to open the files without making any changes to them, thus preserving the chain of evidence.

When would FRED be called into service?

Someone reports that someone has logged in and done something bad – planted a virus or malware, deleted or made unauthorized changes to a file, or copied confidential data. By scanning the hard drive of the suspected computer, FRED can tell what files have been opened, when they were opened, and what was done. Depending on how the files were accessed, FRED may be able to tell who had accessed the files.

In another example, an Ethics Point complaint claims that an employee is spending too much time online doing personal business or just wasting time. FRED can scan the hard drive of the computer used by that employee to determine if there is any basis for the complaint.

Many people think that simply clearing their browser history will erase the evidence of “extracurricular” browsing. But Bazeley likes to use an analogy to describe what really happens. Your computer keeps an MFT (Master File Table) that is the equivalent of a table of contents. Each file is a chapter in the book. Current technology clears the MFT, but all of the other information, the chapters, is still on your computer’s hard drive until it is eventually overwritten. Until it is overwritten, FRED can recover that data.
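Bazeley’s table-of-contents analogy, as an added example that is not from the article or from any forensic product: a toy disk image (constructed here, not a real NTFS or MFT layout) where “deleting” a file only clears its table entry, so signature-based carving still recovers the data until a later write lands on the same space.

```python
import struct

# Constructed toy disk image: a 512-byte "file table" (stand-in for the MFT)
# followed by a data area. Each table entry is 16-byte name, u32 offset, u32 length.
IMAGE_SIZE, TABLE_SIZE, ENTRY = 4096, 512, struct.Struct(">16sII")
PDF_HEAD, PDF_TAIL = b"%PDF-", b"%%EOF"   # signatures the carver looks for


def list_files(img):
    """What the operating system shows: only files still listed in the table."""
    files = {}
    for pos in range(0, TABLE_SIZE, ENTRY.size):
        name, off, length = ENTRY.unpack_from(img, pos)
        if name[0] == 0:          # empty or cleared slot
            continue
        files[name.rstrip(b"\0").decode()] = (off, length)
    return files


def write_file(img, name, data):
    """Store data after the last live file (freed space gets reused) and record it."""
    ends = [off + length for off, length in list_files(img).values()]
    off = max(ends, default=TABLE_SIZE)
    img[off:off + len(data)] = data
    for pos in range(0, TABLE_SIZE, ENTRY.size):
        if img[pos] == 0:         # first free slot
            ENTRY.pack_into(img, pos, name.encode().ljust(16, b"\0"), off, len(data))
            return off
    raise OSError("file table full")


def delete_file(img, name):
    """'Delete' the way a normal OS does: clear the table entry, leave the data alone."""
    for pos in range(0, TABLE_SIZE, ENTRY.size):
        entry_name, _, _ = ENTRY.unpack_from(img, pos)
        if entry_name.rstrip(b"\0").decode() == name:
            img[pos:pos + ENTRY.size] = bytes(ENTRY.size)
            return True
    return False


def carve(img):
    """Forensic-style recovery: ignore the table and scan the data area for PDF signatures."""
    found, start = [], TABLE_SIZE
    while (head := img.find(PDF_HEAD, start)) != -1:
        tail = img.find(PDF_TAIL, head)
        if tail == -1:
            break
        found.append(bytes(img[head:tail + len(PDF_TAIL)]))
        start = tail + len(PDF_TAIL)
    return found


def demo():
    img = bytearray(IMAGE_SIZE)
    write_file(img, "report.pdf", b"%PDF-1.4 grade data %%EOF")
    delete_file(img, "report.pdf")
    after_delete = (list_files(img), carve(img))   # table empty, carving still finds the PDF
    write_file(img, "notes.txt", b"x" * 64)          # new file reuses the freed space
    return after_delete, carve(img)                  # now the old PDF is really gone
```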

How often is FRED active?

“Right now we are not asked to make use of FRED very often, but like so many things in the world of cybersecurity being prepared is key,” explains Bazeley. “Things are not important...until they are,” he quips.

The other, more common, job for FRED is supporting basic information gathering as part of managing litigation holds. Whenever there is a possibility that a person or situation will be part of a lawsuit, the office of the general counsel will place that person’s digital assets under hold. If a person under a litigation hold leaves Miami, Bazeley will use FRED to make a copy of that person’s files to store until the hold expires. “At any given time there are about 150 people under active holds,” according to Bazeley. “FRED gives us a solid, legally acceptable copy before the hard drive is wiped and passed on to another employee.”

Bringing FRED to Miami is part of Bazeley’s 3-year plan to improve cyber forensic abilities and knowledge. Concerns about intrusions and attacks are topping many of the “What Keeps CIOs Awake at Night” lists in many current publications, in higher education and across nearly all industries. Forensic Readiness is Bazeley’s goal – that and a good night of sleep for his boss!