To understand what makes a successful digital forensics investigation, imagine assembling a jigsaw puzzle—without the box to show you the image you’re trying to create. Pratum Founder and CEO Dave Nelson compares an investigator’s first steps to dumping all the pieces of a mystery puzzle onto a table.
“Sometimes you don’t know what picture you’re trying to assemble,” Dave says. “Sometimes you get a few pieces together and realize that the pieces aren’t even from the same puzzle. The more we know about what the puzzle should look like, the easier it gets to know we have the right pieces.”
To a top-notch investigator, the pieces on the table start revealing a picture based largely on what isn’t in a data log. And they can quickly zero in on what’s missing if a company followed digital forensics best practices before the breach. In a typical case, our clients call us with an idea of what happened and ask us to confirm whether it really occurred. But a good digital forensics investigator knows to look in the gaps.
“It would be great if we could do an investigation and see when it started, who was involved and what was impacted,” Dave says. “But that never happens. There’s always something missing. We have to ask why. Was the data never created in the first place? Or did someone delete it?”
Reading missing tea leaves becomes especially critical in legal proceedings stemming from a data breach. In a civil court case, you could be held liable for something that probably happened, even if no one can prove that it definitely happened.* As you write your company’s security policy, consider the following tips from digital forensics investigators to get your data house in order before your next breach happens.
“There’s a reason why digital forensics in a poorly prepared organization can get so expensive,” Dave says. “It’s like pulling a string on a sweater.” If your data policies leave an investigator blindly searching for clues, the hours quickly pile up. But, Dave warns, “You don’t want to look like you stopped too soon. That’s worse than going deep and finding something worse.”
Why Missing Data Worries Digital Forensics Investigators
Good investigators see red flags when steps go missing in an expected chain of actions. “Sometimes we never see the user log in, but we see them log out,” Dave says. “That makes us question what happened. Was there a malfunction? Has the user been logged in for a very long time, meaning the attack may have happened outside of the short window we’re looking at?”
Clues like missing logins/logouts lead to more questions: Did the hacker wipe out other critical information? Are normal day-to-day activities missing? To an alert investigator, that feels like a jungle where the birds have gone silent, meaning a panther could be skulking around somewhere down there.
The lack of data can be more concerning than when you see a specific act.Dave Nelson CEO- Pratum
Potential Legal Problems
Along with costing you operational time, breaches can trigger potential fines and lawsuits. In breach situations, the key legal concept is “burden of proof.” Most people know the phrase “beyond a reasonable doubt” from courtroom dramas, but that’s a criminal case standard. Data breaches are typically civil cases, where the burden of proof is much lower: a “preponderance of evidence.”
“All someone has to prove is that there’s more than a 50/50 chance that something happened,” Dave says. “If you have no logs to prove it didn’t happen, there can be problems.”
Let’s say you’re certain that a hacker got into your system, but there’s no sign that they exfiltrated data. Time to relax, right? Not quite. Can you prove that they didn’t steal information? If your data logs have big gaps, a plaintiff may convince a jury that something could have happened in that fog.
Your defense could get even more difficult if a regulatory agency gets involved. “In those situations,” Dave says, “you could face the very subjective opinion of the regulator deciding whether they think you did what you should to protect the data.”
Even without a smoking gun, you need enough evidence to show that it’s more likely that nothing was stolen than that something was stolen.
Due Diligence Matters
Your actions before and after the breach also can help your civil case involving a breach. Your defense gets stronger if you can demonstrate that you showed due diligence both in preparing for breaches and in dealing with those that actually happen.
Before a breach occurs, you need written information security policies and proof that you actually enforce them throughout your organization. Make sure you’re following your industry’s best practices for information security.
Once a breach occurs, make every reasonable effort to fully investigate what happened. Acting quickly when a breach happens is a great way to show that you’re taking it seriously. So is following up on suspicious activity. Maybe your forensics investigator looks at a compromised server and finds no evidence that data was tampered with. Don’t stop there. Did the hacker jump to another server? Did they exfiltrate data to other files, workstations, etc.?
How to Prepare in Advance
Talk with a digital forensics team like Pratum’s in advance about the kind of data and audit logs they would want to see in an investigation. Windows and Linux enable many useful tracking settings by default, but that still won’t capture the whole story. On the flip side, tracking everything on your network would create an unusable flood of data (and a big data storage bill). So it’s critical to make smart choices about what to track.
By building a profile in advance, you know what should show up in an audit log. If elements are missing, you know that either your system failed or that someone intentionally tampered with the log to hide their actions.
For help with creating your overall information security policy and deciding how to create accurate data logs, contact Pratum.* Pratum’s consultants are not attorneys, and the information in this article should not be construed as legal advice. Consult your attorney for specific legal guidance.