Security Staff Acquisition & Development, Leadership, Threat Management

Are You Kidding Me? Digital Forensics Tips for Real-World Enterprises

By Bill Dean, Director of Computer Forensics and Security Assessments, Sword & Shield Enterprise Security

Most everyone has some familiarity with digital forensics. After all, we've seen CSI Cyber, right? For the record, that isn't really how it works. For starters, we do not complete investigations in less than sixty minutes. In addition, we aren't that attractive and we prefer to work in well-lit rooms. Regardless, what is true is the significant part digital forensics can play in myriad situations. For today's enterprises, digital forensics is extremely valuable, if not essential, in situations involving intellectual property and trade secret theft, insider threat activities, employee "misbehavior," intrusions, and system compromises. Without an extensive forensic analysis, you are likely blind to these essential details. The technologies analyzed in these investigations can involve laptops, desktops, servers, network equipment, and GPS devices, and we can no longer discard the value of mobile devices, even when they are employee- (perpetrator-) owned.

With the continued increase in the value of intellectual property and business secrets, which now regularly surpasses the value of physical corporate assets, information is the most prized asset to many companies. Confidential processes, financial information, customer lists, business plans, vendor lists, marketing strategies, research data, trade secrets, etc. are vital to the ongoing success of a business. An employee who steals this information to take to the competitor for which he will soon be working, or uses it to start his own competing business, could cause devastating effects on our future success. Yet stealing digitally stored, business-critical information has never been easier (and most of it is stored digitally these days).

Even though computers have made information theft easier, most people don't realize that the digital trail also provides the ability for forensic investigators to more easily determine and prove the theft.

There was a point in time when the amount of information that could be stolen was limited to how much could be carried out of a building without being caught. This is no longer the case. Portable media such as USB thumb drives and mobile devices have the capacity to store enormous amounts of information. Prior to these technologies, it would have looked a bit suspicious if an employee who was leaving the company to work for a competing company walked out the door holding boxes of company files. However, today we might not, on the surface, even know company files are leaving the premises if an employee is using a USB drive in their computer.

All of these convenient ways to steal digital information leave enormous amounts of traceable evidence from a computer forensics perspective, much to the forensic investigator's delight. For example, each time a portable hard drive of any type is plugged into a computer, information such as drive manufacturer, model, and a serial number of the device used remains. What's more, a time and date stamp for usage of the portable storage is recorded. When a forensic analyst combines this information with system file access times, creation dates, and file deletion dates, it is possible to correlation information that was moved to the media. If the storage media in question can be obtained, with the files more than likely "deleted," computer forensic tools can be used to recover the information to prove both the theft and intent of concealment.

In other instances of data theft, some prefer to steal trade secrets slowly rather than all at once. Many times the individual will take the desired information and email him or herself at a personal account. Plans to steal intellectual property in this manner are premeditated and the perpetrator uses webmail (Gmail, Hotmail, Yahoo mail, etc.) to avoid traces left on the company email server. Unfortunately for them, the chronicling of this activity is available in the computer's Internet history and cached Web pages. Even when this information is deleted, and the individual likely will try to delete the history, the information may still be recovered using sophisticated forensics software. Other methods of intellectual property theft using computers that can be proven are remote access to company systems from home, "burning" the information to CDs, and the growing popularity of personal cloud storage technologies.

The truth is, it's very hard to determine an insider's intentions just by looking at him or even after spending time in a business setting with that person. All kinds of employees survive reference, drug, and background checks despite nefarious past behavior. Fortunately for the organization, illicit activities can be detected and proven thanks to digital forensics (unfortunately, though, it's usually after the fact). Unwelcome text messages and inappropriate Internet activity and behaviors not conducive to the culture of the organization can be confirmed. The valuable secret is that the delete key is merely entertainment; a skilled forensics analyst can recover this deleted activity to demonstrate the inappropriate behaviors for a dismissal that can sustain recourse litigation.

Last but not least, the same forensics capabilities and tools that demonstrate the theft of trade secrets and inappropriate employee behavior can be leveraged to investigate intrusions and a potential data breach. While the source of behavior may differ (insider vs. external attacker), the activities do not. The who, what, when, and how are still important aspects of an investigation when unsanctioned activities are being conducted on a system for which you are responsible. What actions did they perform? What data did they access? Were they successful in exfiltrating this data outside of your perimeter? Digital forensics is your only opportunity to answer these questions.

Many organizations feel they do not need and cannot afford to have skilled digital forensics personnel and tools available. This is understandable. However, please understand the value and how necessary these resources will become in situations involving employee data theft, internal misbehavior, and intrusions. In these instances, forensic capability will be essential, whether staffed internally or sourced to a third party. Not knowing what or how data theft occurred can prove significantly more devastating than the time and resources it takes to build a competent digital forensics capability.

The lesson here is this: Much more can be lost if the digital information stolen can't be recovered and the guilty party not apprehended. Be sure your organization can accommodate the need for forensic analysis when needed (and it will be needed).

About the author: Bill Dean is the Director of Computer Forensics and Security Assessments for Sword & Shield Enterprise Security. Bill has more than 17 years of experience in the technical field in roles such as programmer, systems support, enterprise systems design and engineering, virtualization, digital forensics, and information security. His talk, "Darwinism via Forensics" was presented at InfoSec World 2016.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.