Digital Forensics in the COVID-19 Era


According to LogikCull’s “2021 Corporate In-Housing Survey”, encompassing feedback from 60+ organizations on COVID-19’s impact on the legal industry, only 11% of respondents expect work to return to normal shortly after a vaccine is widely available, while 89% see changes extending for the near future (39%) or becoming permanent (50%).

As a result of the pandemic, the past year has presented unique challenges across most industries worldwide. With directives to quickly — and in many cases permanently — relocate on-premises laptop workstations to employees' homes, or to have employees remotely access desktop workstations from home, IT security personnel have found themselves having to safeguard these systems across many different networks.

Like traditional Road Warrior employees, users in the Work from Home (WFH) model are neither in the presence of co-workers nor in locations where surveillance systems are traditionally in place, which further exposes companies to theft of intellectual property and trade secrets. As if the threat from inside were not enough, the US coronavirus relief and SBA programs are being spoofed by organized crime networks in phishing scam campaigns targeting small business owners. These incidents, and the additional risk that comes with working remotely, are best responded to with digital forensics.

WFH Devices Security Best Practices

Before jumping into a brief definition of digital forensics, and the role it plays in investigating cybercrimes and the theft or destruction of information assets by employees, I would like to point out some of the common security policies enforced on WFH employees and their computers through operating system security settings. In Windows operating systems, these settings are typically applied using Windows Group Policy whenever a user logs into the computer or into the company's network directory services.

The goal is not only to prevent the WFH employees from accidentally introducing malicious programs, but among other controls, to:

a) Encrypt sensitive data;

b) Block ability to copy content to removable media;

c) Restrict use to authorized applications, and disable installation of new programs;

d) Restrict elevated permissions; and

e) Track account logins.

About Digital Forensics

In a nutshell, digital forensics is a discipline of both science and art designed to identify, preserve, authenticate, analyze, and report on incidents involving electronically stored information (ESI) evidence, mainly from computing systems.

As an example of the analysis workflow, an investigation in which an employee is suspected of uploading company intellectual property to a personal cloud storage account would focus on a review of web visits. Activities performed by WFH employees on computer workstations, smartphones and even cloud environments leave digital breadcrumbs, or artifacts, which are the target of forensic tools during the analysis phase of an investigation. Once the tools have parsed out the artifacts, the examiner reviews the relevant ones, and a best practice is to validate the results by examining the artifact source. In the stated example, the forensic tool may report on a user's Chrome browser web visits in a nicely formatted view, but that view should be verified by examining the underlying SQLite database containing the raw data.
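The validation step described above, as an added illustration that is not part of the original post: rather than trusting a tool's formatted view, the examiner queries the browser's SQLite history directly. Chrome's History file stores visit times as microseconds since the WebKit epoch (1601-01-01 UTC); the tables and rows below are a constructed in-memory stand-in modelling only the columns queried, and the `.example` domains are placeholders.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome's History database records visit_time as microseconds since
# 1601-01-01 00:00:00 UTC (the WebKit epoch), not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Convert a raw Chrome visit_time value to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def utc_to_webkit(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))

def build_sample_history():
    """Constructed stand-in for a Chrome History file (columns used only)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls   (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    utc = timezone.utc  # all rows below are constructed sample data
    rows = [
        (1, "https://intranet.corp.example/wiki", "Wiki", datetime(2021, 3, 15, 9, 2, tzinfo=utc)),
        (2, "https://www.personal-cloud.example/home", "Home", datetime(2021, 3, 15, 17, 48, tzinfo=utc)),
        (3, "https://www.personal-cloud.example/upload", "Upload", datetime(2021, 3, 15, 17, 51, tzinfo=utc)),
    ]
    for uid, url, title, ts in rows:
        con.execute("INSERT INTO urls VALUES (?,?,?)", (uid, url, title))
        con.execute("INSERT INTO visits (url, visit_time, transition) VALUES (?,?,?)",
                    (uid, utc_to_webkit(ts), 0))
    con.commit()
    return con

def raw_visits(con, watch_domains):
    """Return (UTC timestamp, url, title) for visits to the watched domains,
    read straight from the urls/visits join so a tool's report can be checked."""
    sql = """SELECT v.visit_time, u.url, u.title
             FROM visits v JOIN urls u ON v.url = u.id
             ORDER BY v.visit_time"""
    hits = []
    for visit_time, url, title in con.execute(sql):
        host = urlparse(url).hostname or ""
        if any(host == d or host.endswith("." + d) for d in watch_domains):
            hits.append((webkit_to_utc(visit_time).isoformat(), url, title))
    return hits
```

Running `raw_visits(build_sample_history(), ["personal-cloud.example"])` returns the two cloud-storage visits with their converted timestamps; on a real case the connection would be opened read-only against a copy of the History file.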

Role of Digital Forensics

Company stakeholders and department managers should be aware of the role of digital forensics: it can affirm or refute allegations of employee misconduct while following strict protocols and even regulatory guidelines, such as proper chain of custody documentation. The objective is to prepare a final report with accurate supporting evidence and to protect the firm against legal challenges, such as disputes over the admissibility of evidence due to improper collection and/or handling.

Forensic Readiness Plan

Many companies tend not to be proactive and suffer the consequences of having to gather evidence only after an incident, which leads to business disruptions and exposure to costly litigation and reputational damage.

The success of any forensic investigation is contingent on the examiner's access to quality and timely data sources, which can be in the form of e-mails, event logs, laptops, firewall logs, backup sources, etc. Thus, as part of the information security program, there should be a forensic readiness plan to ensure digital forensics investigations can be conducted effectively when an incident occurs. The two main objectives of any forensic readiness plan are a) the ability to acquire digital evidence legally, and b) the ability to respond to incidents cost-effectively. Once the plan is in place, assessing it on a recurring schedule is important.