‘Forensics Without Blood’

A new MSIT course will train some of the next generation of leaders in the fight against hackers and other cyber criminals.

On a night with an ominous feel, a forensics team arrived at the scene of a crime to investigate and help develop suspects to bring to justice.  

But there was no murder. The crime scene was not a dark and dingy back alley.  

Rather, it was the server room of one of the country’s largest casino groups, and the forensics team was dealing with computers and phones, not gory biological material.   

That’s the life of a digital forensics expert, and a new course in Northwestern Engineering's Master of Science in Information Technology (MSIT) program aims to train students to battle cyber criminals. 

“Digital forensics is basically forensics without blood,” said Jibran Ilyas (MSIT ’09), managing director at Mandiant (now part of Google Cloud) and adjunct professor for the new course called Cyber Forensics for Data Breaches. “It's similar to the forensic investigations that you see in the crime shows for murder investigations, except it's done on digital devices.”

It’s also a high-stakes battle. Just ask the executives at casino operator Caesars.  

The company recently paid out a ransom of $15 million to a cybercrime group that infiltrated and disrupted its systems. That same group – known as UNC3944 or Scattered Spider – is suspected in a similar attack on fellow casino operator MGM.  

Ilyas said one of the main goals of the course — which is part of the program's new cybersecurity leadership minor — is to help students understand the geopolitical and criminal landscape in which digital forensic experts work. Some of the bad actors are criminal groups such as Scattered Spider; others are individuals funded by nations looking to digitally attack their enemies.  

All are a threat to businesses and national security.  

“There used to be a ‘what,’ as in a virus that was a threat,” Ilyas said. “Now it’s a ‘who,’ as in attackers with hands on a keyboard behind the attacks who adjust their tactics based on the defense posture and response of victim organizations.”  

Understanding the “who” and having good understanding and visibility of a network are a big part of the digital forensics game. Staying current on the bad guys’ latest tactics is another piece of the puzzle. That’s why, to teach the new course, the MSIT program turned to someone whose day-to-day work life with Google is all about battling cyber criminals in the trenches.

Ilyas is a regular speaker at the world's biggest cyber security conferences. His session at the RSA Conference this year was awarded “Top Rated Session,” a recognition only given to 20 speakers out of roughly 500 at the conference.

Ilyas said students will receive insights about common deficiencies in most organizations’ networks to teach them how attackers gain access to environments and stay under the radar. The forensics process taught in the class will educate the current and future IT leaders on potential outcomes and timelines of forensic investigations.  

“I believe it's important to share the failures and pitfalls rather than the success stories. The stories that students hear via case studies will be enlightening both from the context of organizations’ security posture and to understand the mind of relentless cyber criminals,” he said. “The technical demos will also help, as most people are visual learners, and seeing the attacks being simulated will help with greater understanding of the threat landscape.”  

That landscape is staggering. The average data breach in the United States cost $9.48 million in 2022, according to IBM's Cost of a Data Breach Report 2023. But sometimes the damage is more than just financial.   

The government of Costa Rica had to declare a state of emergency in November 2022 because of ongoing ransomware attacks on its critical systems. That attack left the government unable to pay its workers, disrupted tax and customs systems, and caused the country’s import/export logistics infrastructure to collapse.  

Ilyas said there is no magic bullet to eliminate cyber criminals and stressed the importance for businesses to prepare to be attacked. It’s not a matter of if but rather when a cyber attack will happen, he said.   

“First and foremost is getting the right stakeholders in a room so that all departments are represented and the organization's collective business priorities and limits are addressed,” he said. “Response preparation and planning is critical so that no one is inventing a plane in the air at the eleventh hour.”   

Ilyas credited Northwestern and the MSIT program with creating a class to address what is projected to be a growing issue in the technology landscape. Indeed, cyber crime cost the global economy around $7 trillion in 2022, a number expected to rise to $10.5 trillion by 2025, according to a report from AAG.

“For MSIT to have this course in its curriculum shows how the program leadership is constantly innovating and looking out for the students,” he said. “I am hoping that students find it the best class they have ever taken.” 
