
Subverting the system

06 June 2016


Digital forensics is as fundamental to corporate interests as cyber security

In matters affecting corporate finances and reputation, the role of cyber security in the prevention, detection and investigation of malfeasance is generally well understood. However, the ability of determined hackers and criminals to subvert the systems of a business is continually evolving and therefore the hand-in-glove capabilities of digital forensics demand greater attention.

Digital forensics is a branch of forensic science, which involves recovering and investigating material found on devices such as computers, tablets and mobile phones. The object is to preserve the evidence in its most original form, while collecting, identifying and validating all relevant information that has been stored or transmitted in binary form.

Cyber offences can be divided into four basic motives – money, kudos, facilitation and vengeance. Although it has become something of a media cliché, it is true that in darkened rooms across the globe, there are people who are driven by the ability to outwit IT defences – and generally the bigger the target, the better they like it.

Then there are the self-appointed crusaders with the corporate world in their sights, seeking to change the way the world works. Finally, there are the out-and-out criminals, intent on cheating, defrauding and stealing from commercial operations of all types and sizes.

The route of attack

Hackers and criminals are methodical. Starting from something as simple as a domain name or URL, they map the organisation's external footprint: DNS records, IP ranges, the mail server, the web server, perhaps even a forgotten FTP server. Once those boundaries are known, they begin probing each exposed service for weaknesses.

Cyber security offers protection against and detection of such probing and, to a certain extent, investigation of it. Digital forensics should nevertheless be called upon at the earliest possible stage after an incident to pick apart the attack and establish exactly what was done.

It can help to create new protocols to shore up the weaknesses and pinpoint the source and identity of the attacker. Digital forensics will enable you to rapidly see the extent of the damage and whether attacks are continuing.

Let's examine a typical 'route' of attack. Someone in the organisation receives an email, purporting to be from the chairman, with a PDF attached. The PDF carries malicious content, for example embedded script or an exploit for the reader software, and when it is opened it installs what is called a 'back door' or a 'listener' and calls back to a server the attacker controls, reporting the compromised machine's address.

At that point the attacker can explore that PC and, using credentials and network information found on it, 'swivel' (pivot) sideways to other devices and resources within the network. Potentially all sales, marketing, finance, technical, procurement, logistics and other data are now exposed.

As soon as an alarm is raised, probably at the router or server, digital forensics takes over to pinpoint the source of the attack and what data has been divulged. Evidence on the device or devices in question is preserved before anything else is changed: volatile memory is captured while the machine is still running, storage is imaged through a write blocker and the image is hashed so that later analysis can be shown to have worked on an unaltered copy. Only then is further spread contained and a fix made, perhaps by applying patches to the vulnerabilities in the operating system or reader software that the attacker exploited.

Act to prevent

Whatever the motivation of an attack, the effect on corporate wellbeing can be devastating. Once breached, cyber defences will not repair themselves. Then it becomes necessary to detect, recover and, wherever possible, act to prevent reoccurrence. The crime must be subject to investigation and prosecution wherever possible.

Rapid identification of activity source is the quickest route to remedial action and potential recovery of funds and reputation. Smart forensic techniques will do this and allow you to analyse, report on and apply the evidence that has been found.

The tools, training and techniques now exist to support governance and compliance officers in many aspects of this work, including payment stream analysis, travel and entertainment expenses, payroll, financial mis-management, bribery and corruption and capital projects.

Digital triage systems now allow non-technical investigators to produce results to evidential standards based on the recovery of live and deleted files, volatile memory and comprehensive file information from Windows, Apple or Linux-based machines, as well as mobile phones and tablets.

There are training courses which, in a couple of days, will give non-technical staff a sound working knowledge of digital forensics and the power of digital triage. This is an important, low-cost first step, because when a cyber attack happens the best-intentioned responses can cause massive damage to evidence at source: pulling the plug discards the volatile memory that held the attacker's running process, running an antivirus scan or 'tidying up' files rewrites timestamps, and rebuilding the machine destroys the trail altogether. Each of these impedes your ability to stop the problem and can make it impossible to deal with those responsible.

Smart use of digital forensics will make corporate response more efficient, less damaging to evidence data and more likely to achieve satisfactory redress.

Digital forensics enables organisations to fight back. In India, a business was bemused by the fraudulent loss of a million dollars worth of sales to a competitor. Spotting the mobile number of one of their own junior employees on the rival’s website, they used digital triage tools to examine his manager’s computer, finding and dealing with the source of the problem. The fraud was stopped in its tracks.

To give some context to the size of the problem, a recent report published by the Center for Strategic and International Studies put the cost of cyber crime to the global economy at around $445 billion every year, with damage to business from hacking-related theft of intellectual property exceeding $160 billion.

An Ernst & Young report in 2014 said that 80% of an enterprise’s digitised information resides in individual hard drives and personal files, which consequently increases risk.

The protocols

There are, however, simple protocols that can be adopted to minimise the danger. One such is to always retrieve the company’s laptops and mobile devices used by key staff who leave rather than merely handing them over to their replacements.

Prior to reissuing the computer, remove the hard drive and store it in a secure place 'just in case' it is needed as evidence of wrongdoing at a later date. Label the drive with its serial number, the user and the date of removal, seal it, and log who has handled it since; if the drive is imaged rather than kept, record the image's hash at acquisition so the copy can later be shown to be unchanged. Without that record a court, or the other side's expert, can argue the evidence was altered after the fact.
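The integrity record described above (and the evidence-preservation step in the 'route of attack' section) comes down to hashing the image at acquisition and re-hashing it before every examination. The following is an added example written for this page, not code from the article or from Evidence Talks; the 'disk image' is a few constructed bytes written to a temporary directory, and the case number, examiner and serial number are placeholders.

```python
"""Hash-based integrity check and chain-of-custody manifest for a disk image.

Added example (not code from the original article). The image bytes are
constructed in a temporary directory; case, examiner and serial values are
placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-terabyte images fit in memory


def hash_file(path):
    """Return MD5 and SHA-256 of a file, read once in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data):
    """Same digests for an in-memory buffer (handy for cross-checking a tool's output)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def make_manifest(image_path, case_id, examiner, device_serial):
    """Record acquisition hashes and chain-of-custody fields for an image."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "device_serial": device_serial,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(image_path),
    }


def verify_image(image_path, manifest):
    """Re-hash the image and list every recorded field that no longer matches."""
    problems = []
    if os.path.getsize(image_path) != manifest["size_bytes"]:
        problems.append("size")
    current = hash_file(image_path)
    for algo, expected in manifest["hashes"].items():
        if current[algo] != expected:
            problems.append(algo)
    return problems  # an empty list means the image is intact


def demo():
    """Image a constructed 'disk', verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "laptop-sda.dd")
        # Constructed sample data standing in for a raw (dd) disk image.
        data = bytes(range(256)) * 4096 + b"budget_2016.xlsx\x00"
        with open(image, "wb") as fh:
            fh.write(data)
        manifest = make_manifest(image, "CASE-0001", "examiner-placeholder", "SN-PLACEHOLDER")
        with open(image + ".json", "w") as fh:
            json.dump(manifest, fh, indent=2)  # keep beside the image and in the case file
        intact = verify_image(image, manifest)
        # Simulate an accidental write, e.g. the image mounted read-write and one byte touched.
        with open(image, "r+b") as fh:
            fh.seek(512)
            fh.write(b"\xff")
        tampered = verify_image(image, manifest)
        return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("intact before alteration:", before == [])
    print("mismatching fields after alteration:", after)
```

Two digests are recorded because MD5 on its own is no longer collision resistant; a matching SHA-256 is what actually carries the argument that the copy is unchanged, while the MD5 remains useful for comparing against older tool output. A single flipped byte at offset 512 is enough to invalidate both hashes while leaving the size unchanged, which is why the size check alone is not sufficient.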

A report by Overill, Silomon and Roscoe, published by Elsevier in 2013, pointed out that the London Metropolitan Police Digital and Electronics Forensics Service was receiving more than 38,000 digital devices to be examined per annum. ‘Not untypically’ the report said ‘these devices will have a storage capacity of gigabytes or terabytes’. The sheer volume and power of digital capability available to fraudsters is immense, and companies must be in a position to fight back.

In the UK, many police forces and government organisations, such as the DWP, are turning to digital forensics as a first line of response. For private organisations this is both a signpost and a reassurance: digital forensic evidence is relied upon by law enforcement and is admissible in criminal prosecutions, provided it has been acquired and handled to recognised standards such as the ACPO Good Practice Guide for Digital Evidence, with the chain of custody documented throughout.

A further step forward in the ability of organisations to deal with unwanted cyber activity has been taken with the recent emergence of highly portable forensic triage tools. They enable staff, even with low technical skills, to carry out sophisticated investigation and analytical work.

Such devices temporarily turn a standard PC or Apple Mac into a powerful forensic intelligence appliance and, being portable, enable investigation work in the office or at any remote site. Crucially this reduces the need to outsource specialist forensic services, which can be expensive, although complex or contested cases may still call for an accredited laboratory.

A recent Home Office report published in March 2016 called for a national approach to forensic science delivery in the criminal justice system. The report says ‘the rapid growth and development of digital technology creates unique challenges; from the sheer quantity of digital data, to new forms of encryption and the increasing use of cloud storage.’ It also points out that ‘the average British household now owns 7.4 digitally enabled devices.’

Faced with this burgeoning volume of digital activity, it is not surprising that the criminal and the disaffected have become relentless in their practice. The good news, however, is that a suitably trained and equipped corporate team using digital triage techniques has the power to investigate, identify, analyse and respond to breaches of the security wall and protect the long-term interests of the business.

Andrew Sheldon is Chief Technical Officer at Evidence Talks LTD
