Digital Forensics: Technological Challenges Need Technological Solutions

 Ching Liu

Ching Liu,
Director, Control Risks.

The TERRIFYING news that robot dogs can moonwalk to the latest tunes and robot skeletons can Parkour, coupled with the trendy word-salad that is machine-learning and artificial intelligence, has left me thinking that we are all going to be slaves to Skynet and Terminators in the very near future. It’s a good job then that the core digital forensics world still needs human experts.

At Control Risks, the investigations we undertake require technical expertise of all kinds; sure, we have data scientists, eDiscovery consultants and forensic accountants to name but a few subject matter experts, but it is often the digital forensic team that brings these skills and expertise together. We act as a hub for everything from cyber incident response and defensible data collections to in-depth forensic user analysis supplementing fraud and corruption investigations. If deletion analysis needs to be performed or if you need to determine what data has been stolen from your systems, then you have come to the right place – well, usually, but more on that in a separate article next week where the forensics team talks about the top considerations for determining “where is your data??”.

Defensible data collections

Our clients call us when they have a critical issue, such as identifying a black hole in their balance sheet or have had a whistle-blower alleging that management in an overseas subsidiary has been paying bribes to win business. It follows that any one of our investigations could end up in court, whether civil or criminal or in the hands of one of the plethora of regulators that takes an interest in corruption, fraud or any other form of misconduct.

It is therefore vital that every step of the investigation is undertaken with that in mind. This means that, regardless of the type of investigation, data involved, or the timescales, we are preserving and collecting data defensibly. Sure, collections are assessed on a case-by-case basis, but regardless of a minor misdemeanour or a massive FCPA investigation, a forensically sound data collection will ensure the start to any investigation, litigious or otherwise, has rigor.

Anyone can copy a file, but to perform that action in a way that maintains integrity and precludes it from being challenged at a later stage is crucial. It is still often the case that the most effective way to collect data is therefore to have boots-on-the-ground with an experienced digital forensics practitioner directing proceedings by deploying to the client site, whether in the UK or the numerous other countries which forensics professionals become accustomed to operating in.

There are many questions to answer in the lead up to deployment and immediately thereafter. Some of these seem to be blindingly obvious: Are the people whose data you want actually based in the location you are travelling to? Will they be there? Do they work away and are they on holiday? How many devices do they have? Do they “bring their own” (leading to further challenges)? Will the devices contain personal data? Does company policy allow you to access the devices? What time frame is the relevant data for? Where are the backups? Can you legally obtain and move that data across borders post-collection? And so it goes on (as Jon Brown also touched upon when he emerged from the proverbial haystack clutching the prized needle in this article).

The human input in scenario planning is central to this effort. The proliferation of data sources, from a wide array of devices, including laptops, smart phones and tablets, and the multitude of internet-based data and messaging data, requires someone with experience in mapping data within an organisation. You need a human to physically image devices and ensure that a robust chain of evidence is maintained - then to fly home with a big bag of hard drives.

Although we are steadily seeing the use of machine-learning in many industries, the process for performing in-the-field forensics has been relatively static; as the volumes, the types, and security of data has increased, the pace of development in forensic collection tools has tried its best to keep up. It is a good thing that there are many compliance and security functions bought into organisations such as email journaling, legal hold, DLP and EDR systems that can complement forensic collections and investigations and reduce the impact of end user file deletion.

Can collections be more discreet?

Although performing a full forensic image of a hard disk is still a gold standard with regards to defensibility, when it comes to looking at cloud, on-premises server data and even structured data such as accounting extracts or other databases, proportionality and risk assessments will influence how that data is collected, verified and preserved in a forensically-sound manner.

Self-collection by the client has its place, but only if the integrity of that collection can be verified as forensically sound and this requires consultation, not least to ensure the right haystacks are being harvested and that the methodology used stands up to scrutiny. We have performed numerous remote-collections using network-enabling sharing technologies and popular remote access programs, coupled with sophisticated data collection tools; which allow us to work with our clients and securely access the relevant company data.

It is possible (though not always straightforward) to take an image of a laptop or endpoint device remotely, if it is plugged in to a corporate network. However, when devices or data sit in some of the challenging and hostile environments we operate in, remote access technology does have its limitations whether it is lack of bandwidth or traversing network security. On occasions the most viable solution has been a phone call to the best placed person onsite ensuring we have remote hands running through a forensic crib-sheet.

In other circumstances, a pre-deployment triage of material that has been acquired through collecting server or cloud-based material has meant that some intelligence gathering has been performed without notice to the subject of an investigation. This is of huge value to our investigators, as it enables high level reviews of email and other electronic documents before deploying to site. This can enable allegations to be sense checked and tested, the population of suspects to be narrowed and when the potential nuclear option of boots-on-the-ground is executed, will make the data collection exercise far more targeted. I can hear GDPR calling at this point

What about data privacy and GDPR?

We can’t just suck up everyone’s data without having gained the requisite permission to do so. Often, employment contracts provide the company with the right to access data held on company devices, but this is an increasingly complicated area and requires legal advice prior to capturing data. In countries such as Russia, France, Switzerland and Germany for example, mistakes at the data collection stage can leave the client (and the individuals collecting the data) in conflict with local legislation and render the data unusable.

Data privacy and trust, although consistently an issue has been amplified due to GDPR and its ramifications in investigations, but it must be tempered with what GDPR is all about: it is giving back control of personal data belonging to EU citizens. It is a compliance consideration and previous best practice in cross-border data collection needs a little adjustment in ensuring we don’t fall foul of regulation. Preparation before a data collection or processing must be performed such as providing fair processing notices to employees and being satisfied as to the legitimate interest.

From a technology viewpoint, it is still commonplace for the individual whose device and data are being targeted to assist in the picking and choosing of what is relevant to the matter and to avoid collecting personal information. Whilst this is still a method that works, it can be time consuming and potentially flawed. Technology can streamline this targeted collection and with the help of corporate compliance and governance tools working in conjunction with a defensible and repeatable forensic collection methodology. If the matter allows for planning in advance, we can work with the client to help deploy data-finder agents across company systems to isolate and locate specific and potentially relevant data. In addition, the organisations own systems may have compartmentalised and classified the necessary data easing the collection process.

Forensic analysis

Gone are the days when the IT Forensic expert had carte blanche responsibility in examining and reviewing collected data. Today, it is all chopped-up and ingested into different systems for different purposes and audiences for different types of analysis. ESI (electronically stored information) is reviewed by investigators or clients on eDiscovery platforms, and structured data such as accounting information is processed into data analytics platforms, to look for trends and anomalies.

To corroborate (or otherwise) the findings that ESI reveals or to interrogate accounting anomalies, digital forensics is used to look at behavioural attributes found within the data. Essentially this means finding the answer to pertinent questions: Why is there evidence of a USB flash drive being plugged in when his diary says he is on annual leave? Why does the file system journal show a huge number of files accessed at a particular time? Why has she accessed this cloud-storage web site? Why are these expense receipt scans exhibiting the same metadata dates? These questions are becoming of greater importance as the rise of ‘conduct’ related investigations continues to soar and threat of social engineering is now a boardroom concern, thanks mainly to cyber-related crime.

These questions reflect a desire to see the full picture, not just in finding an isolated answer. People are so exposed to and familiar with tech these days it is easy to obtain sophisticated data deletion software, access data sharing mechanisms, not to mention taking advantage of encryption technology found in most messaging systems; therefore a technology-led investigation solution is required on nearly every case. We are grateful for the tools and technology available to us to help focus on the huge amount of data that needs to be investigated, however it still needs the expert to support, substantiate, and provide the detailed insight from the results.

When will the machines take over?

So machine-learning and artificial intelligence aren’t ready to replace the digital forensic expert just yet but are there to be an integral part of our armoury in providing effective and defensible results in forensic investigations. Unlike many areas of investigations where AI (and technology in general) is helping actively shape outcomes, practices and to some extent the involvement of a human element, outright replacement by machines (even with regards to the rest of the EDRM model) is not something to add alongside Brexit and GDPR on the list of things to worry about, not utilising machine learning or AI perhaps, should be.

Our head of Forensic Technology for Europe and Africa, Neil Meikle, will be looking at the rise of AI and why it should be the default in a growing number of investigations and review projects, in our next article.

Subscribe to Industry Era