Pratum Blog

Digital Forensics

Someone had drained $40,000 from the company bank account, and the IT team had traced the thief’s path to a compromised e-mail thread. But where was the breach? Nothing in the thread looked suspicious. Every participant appeared to have a legitimate company address—until a digital forensics expert took a look.

The consultant dove into the metadata behind the visible e-mails and revealed that someone had inserted themselves into the thread, then gone back into the thread to alter their e-mail address to look legitimate. To anyone but a digital forensics expert, the thief had successfully erased their digital footprints.

The right data makes a difference, and a digital forensics expert can often provide the insights that identify unknown breaches, keep cases out of court and more. These experts frequently discover information that resolves challenges such as:

  • Potential theft of trade secrets.
  • Suspicion of embezzlement.
  • Accusations of improper contact.
  • Security gaps that leave data vulnerable.

Digital forensics experts specialize in the recovery and investigation of artifacts found on digital devices, including e-mails, text messages, and even documents stored on flash drives. If something happened on an electronic device, a forensics expert can usually establish what happened, when it happened, and from which account or device. Tying that activity to a specific person generally takes corroborating evidence such as access logs, badge records or witness statements, so plan for that from the start.

Common Cases

These services typically apply to two overall categories of issues:

1. Security Breaches - Digital forensics most commonly focuses on attacks by outside intruders: how they got in, what they touched, and what they took.

2. Employee Issues - Digital forensics also frequently address matters such as data loss or theft, policy violations, and litigation that includes e-mail communication and document sharing. A digital forensics expert can retrieve information to discover who last used a file, what was saved, what was deleted, and more.

First Steps: Securing Devices

To make the most of an investigation, it’s important to understand the process and prepare your company for potential assistance. When you find yourself in a legal situation, the top priority is bringing in a digital forensics expert right away. It's critical to preserve volatile digital evidence immediately. Isolate the device quickly by disconnecting it from the network (unplug the cable or disable Wi-Fi) while keeping its power on: running memory holds process, network and encryption-key state that disappears at shutdown. Do not log in, run antivirus scans, open files or “clean up” in the meantime, since each of those actions overwrites evidence. If the device cannot be removed from the network for a business reason, work with a digital forensics expert to preserve the data as soon as possible.

As the investigation begins, a digital forensics expert casts a wide net for relevant pieces of evidence. For example, a case may first appear to revolve around a cell phone. But a forensics expert knows they also need to investigate the phone owner’s computer. It may contain backups of the phone, or documents created on the computer may be on the phone. Looking at all possible angles could produce new evidence.

Remember that even if a device appears broken or destroyed, there’s still hope. Digital forensics can retrieve a surprising amount of information from seemingly destroyed media.

Be very careful about how you store the physical device. At trial, you must be able to show and explain everything that happened to evidence while it was in your care. A weak chain of custody could mean evidence gets thrown out.

Use activity logs to track everything, including serial numbers, make and model, who has had access to the digital evidence, where it has been, and when each hand-off happened. Record a cryptographic hash (for example SHA-256) of every image taken so you can later demonstrate that the copy has not changed. When the device is not being examined, keep it locked up to make sure only authorized individuals have access. Improper handling could destroy key evidence, or trigger “spoliation of evidence,” which refers to the loss or alteration of evidence. Your attorney can advise you on each of these areas.

Diving Into the Data

Once key devices are in your possession, a forensics investigator can make an “image” of the information, which is much more than a simple copy. A forensic image is a bit-for-bit duplicate of the storage medium, normally taken through a write blocker so the original is never altered. It captures not only the visible files but deleted data, unallocated space and file-system metadata, and it is verified with a cryptographic hash so that any later change can be detected. Preserving the data in its exact state enables forensics teams to perform thorough investigations at any time after the imaging process, working on the image rather than the original. For example, along with reading an e-mail's text, it’s critical to know when it was sent, which servers handled it and whether it was later altered, information carried in the message headers and the mail client’s own metadata.
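The imaging and chain-of-custody steps above, as an added example that is not Pratum's code or tooling. It images a file path, which stands in for a block device such as /dev/sdb on Linux, hashes the bytes as they are read, re-hashes the finished image independently, and appends a custody entry. The evidence number, device description and examiner name are constructed; a real acquisition would also go through a hardware write blocker, which this script cannot provide.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so a multi-hundred-gigabyte source never fills RAM


def sha256_of(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source, image_path):
    """Copy source to image_path byte for byte, hashing both sides.

    The source hash is taken from the bytes as they are read during
    imaging; the finished image is then re-read and hashed independently.
    Returns (source_sha256, image_sha256, verified).  A mismatch means the
    image is not faithful and must not be relied on as evidence.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image has really reached the disk
    src_digest = src_hash.hexdigest()
    img_digest = sha256_of(image_path)
    return src_digest, img_digest, src_digest == img_digest


def custody_record(evidence_id, description, examiner, src_hash, img_hash, verified, log_path):
    """Append one chain-of-custody entry (who, what, when, which hashes) as JSON lines."""
    entry = {
        "evidence_id": evidence_id,
        "description": description,  # make, model and serial number of the device
        "examiner": examiner,
        "action": "imaged",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": verified,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Run the procedure on constructed sample bytes in a scratch directory.

    Returns a small report: the image verified against the source, the hash
    matches an independent computation, and a later one-byte change to the
    image is detected by re-hashing.
    """
    work = tempfile.mkdtemp(prefix="image-demo-")
    source = os.path.join(work, "source.bin")       # stands in for /dev/sdb
    image = os.path.join(work, "EV-2020-001.dd")    # evidence number is constructed
    log_path = os.path.join(work, "custody.jsonl")

    data = b"MBR" + bytes(range(256)) * 8192        # ~2 MiB, crosses a chunk boundary
    with open(source, "wb") as f:
        f.write(data)

    src_hash, img_hash, verified = image_and_verify(source, image)
    entry = custody_record(
        "EV-2020-001",
        "USB flash drive; vendor/model/serial constructed: SanDisk Cruzer 4C530001",
        "J. Examiner",
        src_hash, img_hash, verified, log_path,
    )

    with open(image, "r+b") as f:                   # simulate later tampering
        f.seek(0)
        f.write(b"X")
    tamper_detected = sha256_of(image) != entry["image_sha256"]

    shutil.rmtree(work)
    return {
        "verified": verified,
        "independent_hash_matches": src_hash == hashlib.sha256(data).hexdigest(),
        "tamper_detected": tamper_detected,
        "entry": entry,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only JSON lines so each later action (transfer, analysis, return) becomes another entry against the same evidence ID; keeping the hashes in that record is what lets you answer "is this still the same image?" at trial.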

A digital forensics expert may find other clues that show what the user did, even if it’s not stated in any text. For example, devices such as external hard drives can leave evidence about a user’s activity. A digital investigator can often create a list of every device plugged into a computer, including the make, model and serial number of each device attached over time. On a Windows machine, for instance, the registry’s USBSTOR keys and the setupapi.dev.log file record the vendor, product and serial number of each USB storage device ever connected, along with timestamps that help establish when it was first installed.
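Building that device list from a Windows USBSTOR registry export, as an added example that is not Pratum's code. The sample .reg text is constructed but follows the real key layout (class&Ven_&Prod_&Rev_ under USBSTOR, then one subkey per device instance); the parser pulls out vendor, product, revision and serial, and flags instance IDs that Windows generated itself because the device reported no serial number.

```python
import re

# One device instance under USBSTOR in a .reg export, e.g.
# [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230427120381&0]
INSTANCE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Enum\\USBSTOR\\"
    r"(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>[^\]\\]+)\]$"
)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_usbstor_export(reg_text):
    """Return one dict per USB storage device found in a .reg export of USBSTOR."""
    devices, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = INSTANCE_KEY.match(line)
            if not m:
                current = None  # a parent key, or a key outside USBSTOR
                continue
            instance = m.group("instance")
            # Windows makes up the instance ID when a device reports no serial
            # number; such IDs have '&' as their second character and cannot
            # tell two devices of the same model apart.
            generated = len(instance) > 1 and instance[1] == "&"
            current = {
                "class": m.group("cls"),
                "vendor": m.group("vendor").replace("_", " "),
                "product": m.group("product").replace("_", " "),
                "revision": m.group("rev"),
                "instance_id": instance,
                "serial": None if generated else instance.rsplit("&", 1)[0],
                "windows_generated_id": generated,
                "friendly_name": None,
            }
            devices.append(current)
        elif current is not None:
            v = VALUE_LINE.match(line)
            if v and v.group("name") == "FriendlyName":
                current["friendly_name"] = v.group("value")
    return devices


# Constructed sample export: one device with a real-looking serial, one whose
# ID Windows generated (second character is '&').
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230427120381&0]
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""


if __name__ == "__main__":
    for d in parse_usbstor_export(SAMPLE_EXPORT):
        print(f'{d["vendor"]:<10} {d["product"]:<14} rev {d["revision"]:<5} '
              f'serial={d["serial"] or "(windows-generated)"}  {d["friendly_name"]}')
```

A .reg export does not carry the registry key last-write times; for those, and for first-install timestamps, work from the SYSTEM hive and setupapi.dev.log taken from the forensic image rather than from an export made on the live machine.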

Building the Best Case

To get the most out of your forensics investigator, share as much information as possible with them. Important dates, names, documents and filing systems are all critical in helping an expert understand exactly what they’re working with and how it is being used in the proceedings. Creating an effective partnership with your digital forensics expert will make your case even stronger.

If you find yourself facing a legal issue or security breach and need a digital forensics expert to assist you in the investigation, Pratum has a team of experts with years of experience in this area. Feel free to reach out to our representatives today for more information on how we can help keep your business’ security strong!

Digital Forensics Acquisition

When I first began dabbling in digital forensics, the year was 1999. At the time it was little more than tepid curiosity for me. It wasn’t but a couple of months before I was thrust into my first “investigation”. The matter turned out to be a non-issue but it sure had us worried. Looking back on my procedure, I still had a lot to learn about digital investigations.

Here we are in 2020 and the practice of digital forensics continues to change with advances in technology. For example, we used to think that live analysis of a system was taboo. The first rule of thumb was: power it off, then put a write blocker in front of everything before you attempt any discovery. Changes in technology have forced a shift in thinking toward live acquisition during a forensic examination. Let’s look at a few scenarios that offer highly compelling arguments for live acquisition.

Standardization of Localized Encryption

Years ago it would have been rare to find a desktop with any sort of local drive or file encryption. Today, full-disk or volume encryption is commonplace on nearly any laptop or mobile device. The data is readable only while the decryption key is held in memory on a booted, unlocked system; reboot the machine (or, on some mobile devices, simply lock the screen) and the key is discarded, leaving nothing but ciphertext on the drive. Encryption is the bane of every digital investigator’s existence. Sure, you can get around some of it, but the time and frustration added to your investigation is a reality. Governments and law enforcement continue to lobby for restricted backdoor access to defeat encryption. While it would certainly make digital forensics simpler, it’s a bad idea for many reasons.

Use of Volatile Memory for Malware Applications

We used to tweak and tune our machines to scrape together an additional 2 or 3 megabytes in RAM to get an application to run. Attackers typically had to rely on placing some part of their payload on a physical disk to ensure a high rate of success. Today a PC comes with 8, 12 or even 16 gigabytes of RAM, and we have plenty to spare. Attackers have become adept at building small but powerful apps, which are completely memory resident. Shutting down a system may eliminate any evidence that once existed only in memory.

Advent of Flash Storage as System’s Primary Storage

Devices often use “blade” type solid state drives (SSD), such as M.2 modules, in place of conventional hard drives. These drives use a myriad of connectors, some of which are proprietary. In many cases, you can’t just pull a drive out and stick it in a duplicator. Some require controller firmware that lives on the motherboard, so the drive is only readable in the host it came from. Booting a forensic live environment from a USB stick may not load that controller firmware correctly, and the drive will not be recognized. Mobile devices solder their flash storage (eMMC or UFS) directly to the motherboard, making this process even more difficult. Sometimes a live acquisition is the only way to get the data.

As you can see, shutting a system down prior to acquisition could cause significant loss of evidence. Our first goal in digital forensics is to preserve evidence. It is equally important to prove what is present as it is to prove what is not present.

Rob Lee of SANS once gave a presentation to the ISSA chapter in Des Moines. He explained it well by saying when an EMT shows up at a shooting and the victim is still alive, they don’t worry about contaminating the crime scene when trying to save a life. Their footprints and residual evidence left behind can be identified and explained in the bigger picture. The traces left by our “prodding and poking” of a live system can be tracked and explained once the full forensic detail is laid out.

So, the next time you prepare for an investigation, think about this. Would you have a better overall picture of that system’s current state by doing a live analysis and explaining away your tracks, or by shutting it down and doing a more conventional acquisition? And so, my dear Watson… what’s your answer?
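The live-acquisition argument above, as an added example that is not Pratum's tooling: a small order-of-volatility collector that records every command the examiner runs, with start and end timestamps and a hash of what it captured, so the traces left on the running system can be accounted for afterwards. The Linux command list is an assumption about a typical host; the demo uses constructed commands so it runs anywhere. Memory capture itself needs a dedicated tool and is left out.

```python
import hashlib
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Order of volatility: process state first, network state next, then logged-in
# users and clock context.  An assumption about what a Linux host provides.
LINUX_VOLATILE = [
    ("clock", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("sockets", ["ss", "-tunap"]),
    ("neighbours", ["ip", "neigh"]),
    ("logged_in", ["who", "-a"]),
    ("uptime", ["uptime"]),
]


def run_and_record(name, argv, outdir):
    """Run one command, save its output, and return a record of the examiner's action."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120)
        rc, out = proc.returncode, proc.stdout
        note = proc.stderr.decode(errors="replace")[:200]
    except FileNotFoundError:
        rc, out, note = None, b"", "tool not present"
    except subprocess.TimeoutExpired:
        rc, out, note = None, b"", "timed out"
    finished = datetime.now(timezone.utc).isoformat()
    with open(os.path.join(outdir, f"{name}.txt"), "wb") as f:
        f.write(out)
    return {
        "name": name,
        "argv": argv,
        "started_utc": started,
        "finished_utc": finished,
        "returncode": rc,
        "bytes": len(out),
        "sha256": hashlib.sha256(out).hexdigest(),  # ties the saved file to this record
        "note": note,
    }


def collect(commands, outdir):
    """Run the commands in order and write the examiner action log beside the outputs."""
    os.makedirs(outdir, exist_ok=True)
    log = [run_and_record(name, argv, outdir) for name, argv in commands]
    with open(os.path.join(outdir, "examiner_actions.jsonl"), "w", encoding="utf-8") as f:
        for entry in log:
            f.write(json.dumps(entry) + "\n")
    return log


def demo():
    """Run against constructed commands so the flow can be checked on any host."""
    outdir = tempfile.mkdtemp(prefix="live-demo-")
    constructed = [
        ("hello", ["echo", "constructed output"]),     # a tool that exists
        ("missing", ["no-such-forensic-tool-xyz"]),    # a tool that does not
    ]
    return collect(constructed, outdir)


if __name__ == "__main__":
    for entry in collect(LINUX_VOLATILE, "./live-collection"):
        print(entry["name"], entry["returncode"], entry["bytes"],
              entry["sha256"][:12], entry["note"])
```

Point outdir at removable media or a network share, never at the suspect machine’s own disk, and note the collection start time against a trusted clock: the action log is exactly the "footprints" the EMT analogy says you must be able to explain later.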

For more information on our digital forensics services, reach out to a Pratum representative today!

As a business, you have access to a lot of customer and vendor information. While many companies take this responsibility very seriously, not everyone is doing all they can to ensure security. One way that some businesses fall short is by not encrypting emails on a regular basis, or at all. In this article we’ll explain the importance of encryption, and how you can start securing your emails now.

What is Email Encryption

Email encryption is a kind of disguise for your correspondence with clients and coworkers. Encryption software transforms your text, documents and other data into ciphertext that is unreadable to anyone who does not hold the key. Some describe the encryption process as creating another language. When a third party tries to open the message, all they will see is a jumble of letters, numbers and symbols. In practice there are two layers: transport encryption (TLS between mail servers) protects a message on the wire but leaves it readable on every server it passes through, while end-to-end encryption such as S/MIME or OpenPGP keeps the message readable only by the intended recipient.

Encrypting emails ensures that the only person who can read your message is the intended recipient, the one holding the key. To anyone else who intercepts the email it will look like nonsense. Hackers will often try to intercept emails from businesses because they know those can contain very sensitive and valuable information. Without encryption, even the smallest companies are targets for criminals looking to gain information through this method of communication.

Risks of Not Encrypting

The dangers of not encrypting emails are numerous. Not only do you put your clients’ information at a higher risk of being hacked, but you also put your own business at risk. If a criminal were to access private information on your client or your company, they may try to use that information for extortion. They could also utilize certain details found to try and access other areas of your company. With the right data, a threat actor can hack into systems you may believe are secured.

Business owners also need to implement encryption when it is required by an agreement with a customer or vendor. This is essential when the nature of the information requires a higher degree of security. Information such as personal information, bank data, and other private details about an individual can be used to attempt other scamming methods or hacks into private accounts. Even the smallest detail may be the information a criminal would need to figure out a username or password to a secured account.

It’s not just clients you should be considering. Encryption is also advised when handling private information of employees. Documents containing health insurance information or financial records need to be protected. It’s in the best interest of your entire firm to be cautious and secure when handling any private data.

Encrypting all email messages as a default, standard practice means nobody has to decide in the moment whether a given message is sensitive, and sensitive messages no longer stand out from the rest. An attacker who compromises a mailbox or intercepts traffic then finds nothing readable at all, rather than a long list of messages to sift through for the valuable ones.

Full Security

Creating a safe environment for your staff and customers means considering all aspects of security. Neglecting cybersecurity can be detrimental to your business. Taking the time to protect all data, especially that which is sent through emails, could be the layer of protection your organization is missing.

If you have any other questions about the cybersecurity of your company, feel free to reach out to the cybersecurity experts at Pratum.
