Someone had drained $40,000 from the company bank account, and the IT team had traced the thief’s path to a compromised e-mail thread. But where was the breach? Nothing in the thread looked suspicious. Every participant appeared to have a legitimate company address—until a digital forensics expert took a look.
The consultant dove into the metadata behind the visible e-mails and revealed that someone had inserted themselves into the thread, then gone back into the thread to alter their e-mail address to look legitimate. To anyone but a digital forensics expert, the thief had successfully erased their digital footprints.
The right data makes a difference, and a digital forensics expert can often provide the insights that identify unknown breaches, keep cases out of court and more. These experts frequently discover information that resolves challenges such as:
- Potential theft of trade secrets.
- Suspicion of embezzlement.
- Accusations of improper contact.
- Security gaps that leave data vulnerable.
Digital forensics experts specialize in the recovery and investigation of artifacts found on digital devices, including e-mails, text messages, and even documents stored on flash drives. If something happened on an electronic device, a forensics expert can probably identify what happened, when it happened and who did it.
These services typically apply to two overall categories of issues:
1. Security Breaches - Digital forensics most commonly focuses on hacker attacks.
2. Employee Issues - Digital forensics also frequently addresses matters such as data loss or theft, policy violations, and litigation that includes e-mail communication and document sharing. A digital forensics expert can retrieve information to discover who last used a file, what was saved, what was deleted, and more.
First Steps: Securing Devices
To make the most of an investigation, it’s important to understand the process and prepare your company for potential assistance. When you find yourself in a legal situation, the top priority is bringing in a digital forensics expert right away. It's critical to preserve volatile digital evidence immediately. Segregate the device quickly by removing it from the network while keeping the device’s power on. If the device cannot be removed from the network for a business reason, work with a digital forensics expert to preserve the data as soon as possible.
As the investigation begins, a digital forensics expert casts a wide net for relevant pieces of evidence. For example, a case may first appear to revolve around a cell phone. But a forensics expert knows they also need to investigate the phone owner’s computer. It may contain backups of the phone, or documents created on the computer may be on the phone. Looking at all possible angles could produce new evidence.
Remember that even if a device appears broken or destroyed, there’s still hope. Digital forensics can retrieve a surprising amount of information from seemingly destroyed media.
Be very careful about how you store the physical device. At trial, you must be able to show and explain everything that happened to evidence while it was in your care. A weak chain of custody could mean evidence gets thrown out.
Use activity logs to track everything, including serial numbers, make and model, who has had access to the digital evidence, and where it has been. When the device is not being examined, keep it locked up to make sure only authorized individuals have access. Improper handling could destroy key evidence, or trigger “spoliation of evidence,” which refers to the loss or alteration of evidence. Your attorney can advise you on each of these areas.
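One way to keep such an activity log so that later edits to it are detectable, shown as an added example rather than a procedure from this article: each entry records the fields listed above and also commits to the previous entry with a SHA-256 hash. The hash chaining, the field names and the sample device and handlers are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry

def _digest(entry):
    """SHA-256 over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, when, handler, action, location, device):
    """Add a custody event that commits to the entry before it."""
    entry = {"when": when, "handler": handler, "action": action,
             "location": location, "device": dict(device),
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def first_broken_entry(log):
    """Index of the first entry whose content or link to its predecessor fails, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["entry_hash"] != _digest(entry):
            return i
        prev = entry["entry_hash"]
    return None

def sample_log():
    """Constructed custody history for one made-up laptop."""
    device = {"make": "ExampleCo", "model": "LT-100", "serial": "CONSTRUCTED-0001"}
    log = []
    append_entry(log, "2024-03-04T09:10Z", "R. Ortiz",
                 "isolated from network, left powered on", "Finance office", device)
    append_entry(log, "2024-03-04T11:45Z", "K. Patel",
                 "received for imaging", "Forensics lab", device)
    append_entry(log, "2024-03-04T16:30Z", "K. Patel",
                 "returned to locked storage", "Evidence locker 2", device)
    return log
```

The chain only shows edits and mid-log deletions; someone who can rewrite the whole file can recompute it or drop the last entries, so the latest `entry_hash` should also be recorded somewhere the log keeper cannot change.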
Diving Into the Data
Once key devices are in your possession, a forensics investigator can make an “image” of the information, which is much more than a simple copy. Preserving as much data as possible in its exact state, including metadata, enables forensics teams to perform thorough investigations at any time after the imaging process. For example, along with reading an e-mail's text, it’s critical to know when it was sent and how many times it was modified—all information contained in metadata.
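The kind of e-mail metadata check described above, as an added example that is not from the original article or the investigation it recounts: for each preserved message, compare the domain shown in the visible From line with the domains recorded in the transport headers. The thread, names and domains are constructed, and the three headers compared are an assumed minimal set.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed two-message thread; all names and domains are made up.
THREAD = [
    """\
Return-Path: <alice@corp.example>
Authentication-Results: mx.corp.example; dkim=pass header.d=corp.example
From: Alice Ng <alice@corp.example>
Message-ID: <m1@corp.example>
Subject: Wire details

Please confirm the account number.
""",
    """\
Return-Path: <alice@c0rp.example>
Authentication-Results: mx.corp.example; dkim=pass header.d=c0rp.example
From: Alice Ng <alice@corp.example>
Reply-To: alice@c0rp.example
Message-ID: <m2@c0rp.example>
Subject: Re: Wire details

Use this new account instead.
""",
]

def domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def dkim_domain(msg):
    """Signing domain (header.d=) reported by the receiving server, if any."""
    for value in msg.get_all("Authentication-Results", []):
        for token in value.replace(";", " ").split():
            if token.startswith("header.d="):
                return token.split("=", 1)[1].lower()
    return ""

def audit(raw):
    """Compare the visible From domain with the transport metadata."""
    msg = message_from_string(raw)
    shown = domain(msg["From"])
    seen = {"Return-Path": domain(msg["Return-Path"]),
            "Reply-To": domain(msg["Reply-To"]),
            "DKIM header.d": dkim_domain(msg)}
    return msg["Message-ID"], [f"{k} domain {v} differs from From domain {shown}"
                               for k, v in seen.items() if v and v != shown]

def audit_thread(thread):  # Message-ID -> findings, mismatches only
    return {mid: hits for mid, hits in map(audit, thread) if hits}
```

A mismatch is a lead for the examiner, not proof: mailing services and forwarding can legitimately produce a Return-Path or signing domain that differs from the From domain.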
A digital forensics expert may find other clues that show what the user did, even if it’s not stated in any text. For example, devices such as external hard drives can leave evidence about a user’s activity. A digital investigator can often create a list of every device plugged into a computer, including the make, model and serial number of each device attached over time.
Building the Best Case
To get the most out of your forensics investigator, share as much information as possible with them. Important dates, names, documents and filing systems are all critical in helping an expert understand exactly what they’re working with and how it is being used in the proceedings. Creating an effective partnership with your digital forensics expert will make your case even stronger.
If you find yourself facing a legal issue or security breach and need a digital forensics expert to assist you in the investigation, Pratum has a team of experts with years of experience in this area. Feel free to reach out to our representatives today for more information on how we can help keep your business's security strong!