Digital Forensics as Part of a Risk Management Policy

A proactive risk management policy incorporating digital forensics could assist companies in dealing with internal and external threats.

Bad Leavers

It is well-publicised that companies are now having to tackle threats to their confidential information. Not only externally, but also internally. Departing employees with malicious intent (also known as ‘bad leavers’) and those considering starting up their own rival businesses, at all levels of seniority, are costing organisations large sums of money. In recent news, electric vehicle maker Canoo claimed data theft when former executives joined the business just so they could steal intellectual property with the intent of starting a rival company. Often there is no proactive legislation in place to combat or deter these actions. A proactive risk management policy that incorporates digital forensic expertise could assist a business in dealing with these threats.

Digital Forensic Investigations

Instructing a digital forensic provider is often seen as a reactive measure, following suspected or observed unauthorised activity within an organisation. It is often seen as a covert action, and for the uninitiated, can come across as intrusive and speculative. In reality, the skillset of a digital forensic investigator can uncover a hidden audit trail of actions on a digital device, whether it be a mobile phone or computer. Skilled investigators can piece information together to understand what digital evidence may be available.

• Internet search history – Internet browser history can assist in determining activity prior to an employee leaving the company. Internet history analysis has the capacity to list websites that were visited and when.
• File-sharing websites – Employees may use online file-sharing applications and websites such as WeTransfer, Dropbox, and Google Drive to steal company data. A review of the web browser history, including deleted records, may show access to these file-sharing websites as well as possible file uploads.
• USB device activity – This analysis can determine what USB devices (removable storage devices) were plugged into the system by the user. Reviewing the USB device activity in addition to file access records, may determine whether file transfers to external devices occurred.
• Sent and received emails – Reviewing work email accounts can assist in locating file transfers via email to personal accounts, messages that have been deleted and who they were communicating with prior to their departure.
• Device activity – The analysis of the devices used by the employee prior to their departure can help determine their activity on the said device prior to leaving the company. This can include file deletion, uninstalled software, and other similar activities.
• Deleted file recovery – If a former employee has deleted files prior to their departure, a digital forensic analysis has the potential to restore this data.

Forensic Imaging

The critical step to any forensically-sound investigation is the ‘forensic image’. This is essentially the creation of a digital copy of all the information held by a digital device, such as a computer or mobile phone. Devices are powered-off to preserve all metadata (such as time and file creation date) and the forensic image is then created. This ‘image’ is then uploaded onto a dedicated computer and booted up through specialist forensic software for all analysis and investigation to be undertaken.

Why a proactive not reactive risk management policy?

Often, companies will seek to pursue a digital forensic investigation, months after the unauthorised access has occurred whether it’s an employee announcing their new position at a rival company, or clients calling to voice their confusion over being approached by an ex-Director, who has started his own company in the same line of business. Companies are predominantly reactive in their nature. During this time span, computers are likely to be reallocated and used daily by other employees, and any deleted evidence that was once retrievable is no longer retained by the device.

What if, as part of a risk management policy, there was a proactive mandate in employment contracts or data protection/preservation policies? This could specify that upon being made aware of an employee exiting the company, any work-designated digital device is to be collected by a digital forensics expert and a digital forensic image created. The device is then returned to the office and can be re-purposed for a new user – all in under 48 hours.

This essentially creates a holistic overview of the device at the earliest possible opportunity, and allows a greater level of control, while minimising business disruption. The forensic image can then be stored in a secure evidence room on a physical storage device, freely available for continued investigation, at any point in the future, at immediate notice.

Conclusive points

• Digital forensics is a key aspect of internal investigations and can piece together a ‘hidden’ audit trail that can provide crucial evidence.
  
• A forensic image preserves all data (including retained history and deleted files) within a computer at the time it is taken.
  
• The quicker you forensically image a digital device, the more chance you have of capturing the data required for an investigator to piece together the evidence for you.
• Digital forensics can be implemented into a proactive risk management policy. Stating this in legislation that is visible company-wide, can act as a large deterrent to those considering unauthorised activity.
• Having these provisions in place can satisfy a number of compliance requirements contained within standards and accreditations – ‘compliance by design’.
• There is huge scope for digital forensics to form the cornerstone of any prudent employment contract, data protection policy or risk management policy.

Protect your company data from internal and external threats

CYFOR’s Corporate Forensic Retainers are designed to identify business threats with intelligent cyber security solutions and apply remediation with court-approved digital forensic expertise.