For many, the thought of being a part of a digital forensics examination can be stressful and intimidating. But determining if you or your organization needs to initiate a digital forensics exam can be equally difficult. While some situations will naturally lend themselves towards a digital forensics exam, there are some instances where the answer may not be so clear. For the purposes of this article, a digital forensics exam includes any examination of digital devices that could be involved with a legal matter at some point in time. Let’s walk through a few examples...
An employee is suspected of creating false vendor accounts and paying those vendors for services that were not performed.
In this scenario, the employee is actively committing fraud against the organization. Depending on when the employee’s actions are identified and the laws in your jurisdiction, your organization may decide not to immediately involve law enforcement. However, this does not mean that digital forensics actions should not be taken. The employee’s actions would touch multiple organizational systems, some of which may be hosted in a cloud environment. In this case, it is highly important to preserve, through digital forensics acquisition techniques, any evidence that would be used to identify the fraudulent activity. This makes it possible for a full investigation to be done later, if necessary. For this scenario, it is also recommended that a digital forensics exam be done on the systems the employee had access to. This exam could determine whether any additional fraudulent activities were conducted against the organization.
A long-time employee is leaving your organization on good terms to pursue another opportunity.
In this scenario, there is no known malicious activity by the employee against the organization; however, a digital forensics exam may still be warranted. With the growth in the number of organizations that allow employees to bring their own device(s), it is becoming more and more common for people to use personal accounts for business activities. Unfortunately, this can lead to unintentional exfiltration of sensitive data, such as personal email communication with clients that includes sensitive files, or data being stored in unauthorized cloud storage services. Even though these acts are likely not intentional, the negative impact on the organization can be the same as that of a malicious attack. A digital forensics exam allows the organization to know whether any of these activities have occurred, intentional or not, and to request that any sensitive information be removed from the device(s) in question.
A possible data breach or attack has been detected.
Any possible data breach or attack against an organization can be frightening. In many cases, the primary response objective is to identify the attack, remove the threat, remediate the vulnerability, and recover the system(s) to a normal state. From an operations standpoint, it makes sense to focus on business continuity. Having an incident response team that can get through the process efficiently and effectively is extremely important; however, a more in-depth digital forensics exam can provide more intelligence about the attack and the attacker and help determine additional impact on the organization. In this scenario, a digital forensics exam could occur either during incident response or after the incident response efforts are completed.
Overall, the need for a digital forensics exam often comes down to the possible impact of the scenario on the organization and the potential for escalation to a legal matter. For any digital forensics exam, one of the initial, and critical, steps is data preservation. Even if you aren’t sure if a full digital forensics exam is necessary, it is important to think about the preservation of the data surrounding the events.
It is better to have preserved the data in preparation for a full digital forensics exam and not need it, than to determine that an exam is needed but the data is no longer available.
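The preservation step described above is the one that most often gets skipped while the decision about a full exam is still open. As an added example (not code from the original article), the Python script below shows the minimum a practitioner would want in place: walk a collected directory, record each file's size, modification time and SHA-256 hash in a signed-off manifest, and later re-verify the collection against that manifest so any change to the preserved data, or to the manifest itself, is detected. The case identifier, collector name and sample files are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_digest(entries):
    """Hash of the canonical JSON of the file list, so the manifest itself is tamper-evident."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(root, collected_by, case_id):
    """Record every file under `root` with size, mtime (UTC) and SHA-256, plus collection metadata."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            entries.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(full),
            })
    entries.sort(key=lambda e: e["path"])  # deterministic order regardless of filesystem
    return {
        "case_id": case_id,                      # placeholder; real value comes from the case file
        "collected_by": collected_by,            # placeholder; the person performing the acquisition
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "source_root": os.path.abspath(root),
        "file_count": len(entries),
        "files": entries,
        "manifest_sha256": _files_digest(entries),
    }


def write_manifest(manifest, path):
    """Persist the manifest as JSON; keep a copy outside the evidence tree."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def verify_manifest(root, manifest):
    """Return a list of problems; an empty list means the collection matches the manifest."""
    problems = []
    if _files_digest(manifest["files"]) != manifest["manifest_sha256"]:
        problems.append("manifest altered")
    for entry in manifest["files"]:
        full = os.path.join(root, *entry["path"].split("/"))
        if not os.path.exists(full):
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(full) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    return problems


def demo():
    """Constructed sample: preserve two files, verify, then detect a later modification."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence")
        os.makedirs(os.path.join(src, "mail"))
        with open(os.path.join(src, "mail", "vendor_invoice.eml"), "w") as f:
            f.write("From: vendor@example.test\nSubject: Invoice 1042\n")  # constructed sample
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample note\n")

        manifest = build_manifest(src, collected_by="analyst-placeholder", case_id="CASE-PLACEHOLDER")
        manifest_path = os.path.join(tmp, "manifest.json")
        write_manifest(manifest, manifest_path)
        clean = verify_manifest(src, load_manifest(manifest_path))

        with open(os.path.join(src, "notes.txt"), "a") as f:
            f.write("edited after collection\n")  # simulate post-collection change
        tampered = verify_manifest(src, load_manifest(manifest_path))
        return manifest["file_count"], clean, tampered


if __name__ == "__main__":
    print(demo())  # (2, [], ['hash mismatch: notes.txt'])
```

The manifest is written outside the evidence tree and its own file list is hashed, so a later edit to either the data or the manifest surfaces during verification rather than during a legal proceeding. In practice the manifest and the collection would also be copied to write-once or access-controlled storage and the collector's identity tied to the organization's chain-of-custody record.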