By: Issam Zaghloul

Edited by: James Tebbs


Digital Forensics

In today’s business world the use of information technology has enabled new opportunities and efficiencies. However, this same technology has also opened new doors to crime and abuse. Whether it’s violating company policy or breaking the law, individuals from both inside and outside an organization may use digital means as tools to perpetrate crimes and create serious business disruption.

Digital forensics is the practice of scientifically derived and proven technical methods and tools towards the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of after-the-fact digital information derived from digital sources for the purpose of facilitating or furthering the reconstruction of the events as forensic evidence [2]. The use of digital forensic methods ensures the ability to review greater volumes of information, to bring greater structure and wider access to an investigation and to produce evidence in a legally admissible form where needed. Without digital forensics, organizations may be unable to prove misconduct, determine the full degree of damage, or identify the root cause of incidents in order to prevent their reoccurrence.

Digital forensic investigations have typically been conducted by law enforcement agencies, the military, or specialized companies. While it is still the case that digital forensics readiness is a rarity in today’s corporate world [1], reliance on information technology and its pervasiveness in business is creating a need and supporting the case for building digital forensics capabilities in the corporate world. Indeed, it is becoming increasingly common for any organization which operates a specialist corporate investigations team to consider boosting their capabilities with specialist digital forensic tools.

Drivers for Digital Forensics Capability

The drivers for establishing digital forensics readiness in organizations are typically internal and include the needs of various stakeholders within the organization for digital forensics such as:

  • Legal departments which may require digital forensic support for litigious cases;
  • Human resources departments which may require digital forensic support to provide evidence of misconduct and support the initiation of disciplinary actions;
  • Information technology departments which may require digital forensics to deal with cases of cyber attacks as part of their information security incident management;
  • Any corporate investigations team within the organization which may require digital forensics support when dealing with cases of fraud or misconduct.

Practical Approaches for Digital Forensics Capability Building

A practical approach should be sought for building digital forensic capability depending on the drivers in each specific organization along with the potential frequency and impact of incidents, balanced with the cost of acquiring the required tools. A three-level digital forensics readiness framework may be adopted as follows:

Level 1: Basic

Train relevant teams on the basic principles of digital forensics to prevent loss or contamination of digital evidence (e.g. the need to forensically image data from laptops or desktops, rather than working on the original, to avoid data loss or alteration). Provide basic tools for digital forensic acquisition. Many such acquisition tools, such as EnCase Forensic Imager or FTK Imager, are freely available from providers of digital forensics solutions. If the organization considers this basic level to be appropriate, it is advisable to establish relationships with specialized digital forensics service providers so that they can be called upon at short notice when required.

Level 2: Advanced

Implement a set of specialized tools which enable the acquisition and analysis of forensic evidence. The responsibility to conduct digital forensic investigations will be assigned to an established and experienced function as an additional task (normally the IT team or a corporate investigations specialist like internal audit). At this level careful training is needed, and those responsible should build strong relationships with the providers of the forensic tools who should provide ongoing support.

Level 3: Specialized

Establish a full-time specialized digital forensic team and implement all the necessary tools in a sophisticated lab. This function would typically sit under a corporate investigations body within the organization. The team should be highly trained and fully responsible for conducting specialized digital forensic investigations of varying complexity.

Regardless of which digital forensics readiness level suits the organization's needs, the following preliminary requirements should be in place for all levels:

  • A digital forensic investigations policy should be established which defines the roles, responsibilities, authority, and principles for conducting the digital investigative work;
  • Digital forensics readiness should be incorporated in the design of the IT infrastructure and applications as a standard component. This can be achieved through developing, configuring, retaining, and protecting logs and audit trails within any system introduced to the IT environment;
  • Continuous training and awareness should be provided to the team responsible for digital forensic investigations.

It is important to realize that even after building an in-house digital forensics capability, there may be some complex cases where the digital forensic investigation needs to be done by specialized external providers such as law enforcement or specialist investigations and digital forensics firms, particularly where issues around chain of custody or legal admissibility in future litigation are of paramount importance. Such cases should be covered and supported in the digital forensic investigations policy. In any case it is essential to ensure that digital forensic tools are used properly by trained staff, as their misuse can equally hamper the progress of an investigation, or the integrity of evidence when subject to legal scrutiny.

Digital Forensic Tools

Having the right tool for the acquisition and analysis of digital evidence is a key enabler for establishing digital forensics readiness in a corporate setup. While there are multiple digital forensics tools on the market which provide many features and capabilities, such as EnCase, FTK, Oxygen Forensics Suite, and Belkasoft Evidence Center, the following set of features is of key relevance to the corporate world when choosing the right tool:

  • Evidence acquired through the tool must be tamper proof, verifiable, and admissible in the relevant jurisdictions;
  • The tools should be able to support acquisition from a wide spectrum of operating environments including servers, laptops, mobile phones and external storage devices;
  • Remote acquisition features should be supported which allow the forensic acquisition of evidence over a network without the need for physical access to machines. This is of special importance in a corporate setup as it enables digital forensic investigations to be conducted without disrupting the business or affecting employees' morale;
  • Logs or audit trails of the actions conducted by the investigators should be recorded and retained for review and verification;
  • The forensic tool should be able to analyze huge amounts of data if required, given the vast data volumes prevalent in today’s businesses. These tools would typically need to run on high-performance machines;
  • Round-the-clock support should be available from the vendor to provide the necessary assistance to the digital forensics team when needed.
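The first and fourth features above (verifiable evidence and a retained audit trail) rest on the same mechanism: hashing the acquired image at acquisition time, recording the digests alongside who acquired what and when, and re-hashing before analysis or presentation. The following is an added illustration written for this article, not code from the author or from any of the tools named; the disk image, case identifier, examiner name and log file are constructed stand-ins.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, chunk_size=1024 * 1024):
    """Return (md5, sha256) hex digests, streamed so multi-GB images fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def record_acquisition(image_path, case_id, examiner, log_path):
    """Hash a freshly acquired image and append the record to a JSON-lines audit log."""
    md5, sha256 = hash_file(image_path)
    entry = {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "md5": md5,
        "sha256": sha256,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_image(image_path, entry):
    """Re-hash the image and compare with the recorded digests; any change fails."""
    md5, sha256 = hash_file(image_path)
    return md5 == entry["md5"] and sha256 == entry["sha256"]

def demo():
    """Constructed run: record a sample image, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop.dd")  # constructed stand-in for a disk image
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed content
        entry = record_acquisition(image, "CASE-0001", "examiner-1", os.path.join(workdir, "log.jsonl"))
        intact = verify_image(image, entry)
        with open(image, "r+b") as f:  # simulate a single-byte alteration (offset 512 holds 0x00)
            f.seek(512)
            f.write(b"\xff")
        return intact, verify_image(image, entry)
```

The log line written by `record_acquisition` is the kind of entry a tool's audit trail should retain; in practice the digests are also recorded on the chain-of-custody form so that the image can be re-verified by a second examiner or in court.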

The total cost of ownership of digital forensic tools must be carefully considered and weighed against the frequency with which they are likely to be used, and against the cost of hiring external parties to conduct this work. However, the basic cost need not be prohibitive and is usually within the reach of most organizations. For example, a decent digital forensics tool can be implemented for under $25,000, including both the required hardware and software.

It should be noted that digital forensic tools are naturally powerful and invasive and therefore need to be carefully deployed and controlled. Access to these tools should be restricted to authorized investigators. The responsibility for authorizing forensic investigation (e.g. for a specific machine) should be segregated from the role of the investigator in order to limit opportunities for misuse. In addition, the digital evidence acquired through the forensic tools should be adequately protected and access should be restricted, including by keeping evidence in a secure environment such as a safe.

Conclusion

There is an ever increasing need for establishing digital forensics readiness in the corporate world. Organizational needs for digital forensic capabilities differ and therefore each organization should consider a practical readiness level that caters for their needs. The implementation of a digital forensics tool is a key enabler for supporting digital forensic capabilities and therefore should be chosen following an appropriate needs assessment. Nonetheless, the use of digital forensics is a powerful and efficient methodology for improving corporate investigations capabilities.

References

[1] Sommer, P. (2012). Digital Evidence, Digital Investigation and E-Disclosure: A Guide to Forensic Readiness, The Information Assurance Advisory Council (IAAC).

[2] Willassen, S. Y. and S. F. Mjølsnes (2005). “Digital forensics research.” Telektronikk 1: 92-97.


ISSAM ZAGHLOUL, MSc, CISA, CISSP, CGEIT is a senior IT audit manager at a private holding company in Abu Dhabi.