• How digital forensics can help your business

    So you think your business is secure? You’ve got a high-tech alarm system connected to a reputable armed response company. Your access control is in line with global best practices. You routinely monitor your security camera footage using a nifty smartphone app. Time to relax, right?

    Not so fast. Your biggest security threat may already be inside your security cordon, sitting anonymously in plain sight waiting to leak sensitive data like banking information and customer contact details to your competitors or crime syndicates.

    If you haven’t guessed by now, I’m talking about your humble office PC, although it could also be a laptop, tablet computer or smartphone. As businesses come to rely more and more on data, they become more vulnerable to cybersecurity lapses and attacks. Having a computer forensic investigator carry out a detailed analysis of the contents of your office PCs can be extremely useful.

    One such expert is Durban-based Rick Crouch, who works to help business owners identify internal issues such as who is accessing data or using systems for personal tasks. He identifies where leaks have taken place and advises on how to improve the security of sensitive data.

    “Data is a valuable commodity for most businesses today and its loss may have serious consequences, causing financial and other problems,” says Crouch.

    “Many people think of hacking as being a problem from outside the organisation, but it’s far more likely that the threat will come from within. This might involve misuse of data such as passing information on to a competitor or breaching company policy by copying files to an insecure personal device.”

    “Data leakage in the worst cases can involve the personal and financial details of staff or clients but it can also concern intellectual property. No type of business is immune from the possible consequences of data loss. But even apparently innocuous activities can have dire consequences,” warns Crouch.

    “On a different level, threats may involve abuse of email, such as forwarding inappropriate jokes to other staff. This is an activity which may seem harmless but it can open the way to issues of harassment. Use of work email for sending personal messages can also cause problems.”

    A computer forensic investigator can use specialist tools and detection methods to uncover these activities, even if the original emails or files have been deleted from the system.

    Even if you haven’t experienced a problem, forensics can be used to target the areas where there’s potential for data to leak. For example, the use of default security settings can allow some employees more access than they really need. Identifying and closing these security gaps early can prevent problems from occurring in future.

    Crouch says the weakest link in any security system is usually the person sitting in front of the keyboard. “In the event of a problem it can be useful to know exactly what the staff involved have been up to. Although companies usually have a policy in place to govern employees’ use of computers and the Internet, it can be difficult to ensure that this is effective.

    “Fortunately it’s hard to do anything on a computer without some trace being left behind. So the use of a computer forensic investigator can be a handy tool for the HR department when it comes to ensuring compliance with policy or providing evidence of misconduct.”

    The existence of unauthorised applications can be detected too. This can show if software has been used to communicate with external systems, transmit files or crack passwords. On a slightly simpler level, computer forensic investigators can perform keyword searches to uncover information contained in documents, spreadsheets and so on.

    “Analysing systems in this way can be useful even if no security breach has occurred. As part of an audit process, for example, it can help reveal potential weaknesses in procedures or systems, allowing them to be addressed before a serious problem occurs.”

    It isn’t always necessary to take special measures to record computer information. In many cases a good deal of the data needed for investigation is logged anyway. Many organisations will, for example, have centralised printing systems that log all of the print jobs performed for billing purposes.

    Increasing use of the cloud to run software as a service (SaaS) applications means that often the time spent working in a particular application is recorded too. All of this can be useful to a computer forensic investigator. Emails sent and received are often logged on the mail server even if their actual content isn’t retained.

    “Some employers choose to go further, especially if sensitive information is being handled. This may involve installing monitoring software that logs website activity, instant messenger conversations, social network usage and more. In many ways this is similar to the parental control software often used on family computers.”

    Crouch advises that any logging process needs to be balanced against the company’s usage policy and staff culture. “Employers may permit some usage of work computers for personal functions – checking personal emails or online shopping for example – at certain times of day. Whilst this can be enforced by software, it’s often taken on trust.

    “There needs to be a balance between monitoring and permitted activity; logging all activity at all times may not be conducive to a good working environment. It may be, therefore, that monitoring is used only in circumstances where concerns about employee activity already exist,” says Crouch.

    If it seems that information from a computer may be needed as part of some sort of investigation, then it’s important that it’s properly handled, he advises.

    “For example, if an employee has been dismissed or is leaving the company it’s useful to keep an image of the hard disk before the computer is given to someone else.”

    This can be done using backup software or by removing the disk and replacing it with a new one; either way, it prevents any potentially useful information being lost. Since disk storage is relatively cheap, it can be good practice to retain the disks of departing employees for a period as a matter of course, even if there’s no suspicion of wrongdoing.

    Preserving the information is one thing; extracting it, however, is something else. “It’s all too easy for someone without the correct experience to cause changes to data in the process of accessing it. This is where the specialist skills of a computer forensic investigator come into play.

    “An investigator will be able to ensure that time stamps on files aren’t altered and that deleted information isn’t overwritten and lost.”

    Part of the expertise required is in presenting the extracted data. A computer forensic investigator will be able to report the information in a way that’s accessible to non-technical people, whether this is in court, at an employment tribunal or just to an internal committee or management team.

    Computer forensics is often associated with presenting data in legal cases. But there are many other areas where it can be of use. It’s a valuable tool for HR departments in monitoring usage policies.

    Crucially, it isn’t just valuable after the event: computer forensic investigators can reveal potential areas of concern or gaps in security that can then be plugged before serious loss occurs.

    This article first appeared in the Sunday Tribune’s Business KZN supplement on 22 March 2015
    Written By: Allen Cooper