Common mistakes made during a computer forensics analysis

The first computer crimes were recognized in the 1978 Florida Computer Crimes Act, which included legislation against the unauthorized modification or deletion of data on a computer system. A few years later, in 1983, Canada became the first nation to pass such legislation.

Digital forensics science has its roots in the personal computing revolution of the late 1970s and early 1980s. It has evolved alongside increasingly advanced technologies and tools, and digital forensics services have now become a highly specialized field that follows industry-accepted practices.

In this series of blogs on digital forensics, we want to shine a spotlight on digital forensics as the procedure for investigating data theft or loss. The information gained during such an investigation can be used against the culprit in a court of law. Digital forensics services therefore need to be delivered by a highly skilled team with knowledge of digital forensics, cybercrime, computers, networks, and the legal aspects.

Common mistakes by organizations during a computer forensics analysis

  • Speculation: Sometimes the models and methods used by the digital forensics services team fail to make the evidence convincing because standardization is applied too mechanically. The case then rests on speculation, that is, forming a theory or conjecture without firm evidence, and the culprit will not be identified in a court of law.

  • Forensics imaging of the breach scene: Forensics imaging is the method of analysing the root of the problem. Capturing, isolating and preserving an exact image is of the utmost importance in this procedure because it preserves the state of the system at the time of the crime. Once the image exists, changes can be made to the live data and systems to protect them later on, since the initial scenario and related data have already been captured and stored for detailed analysis.

  • Inadequate prevention: Cyber investigators must assess the damage caused by the attack, find the compromised data, and analyse what is non-volatile for the investigation. The investigation can be jeopardized if any of the metadata, caches or temporary files are altered. No piece of data is too trivial when looking for the breadcrumbs that can lead to evidence in an investigation.
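The two points above, an exact image taken before anything changes and proof that the evidence was not altered afterwards, as an added example that is not from the original post: a Python routine that records the source's metadata before reading it, hashes the source while copying it block by block, hashes the finished image, writes a chain-of-custody record, and lets the image be re-verified against that record later. The file paths, examiner name and sample data are constructed placeholders, and on real media a hardware write blocker is assumed so that reading the source cannot modify it.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read and write in 1 MiB blocks


def sha256_of(path):
    """Hash a file in blocks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, examiner):
    """Copy `source` byte-for-byte into `image`, hashing the source as it is
    read and the image after it is written, and record both in a JSON
    chain-of-custody file next to the image."""
    st = os.stat(source)  # capture metadata before the source is read at all
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    record = {
        "source": source, "image": image, "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_size": st.st_size, "source_mtime": st.st_mtime,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),
    }
    # A mismatch here means the copy itself is not a faithful image.
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    with open(image + ".json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image):
    """Re-hash an image against its acquisition record; False means the
    image (or its record) was altered after acquisition."""
    with open(image + ".json") as f:
        record = json.load(f)
    return sha256_of(image) == record["image_sha256"]


def demo():
    """Constructed sample: image a small fake 'drive' file, verify it, then
    append a byte to the image and show that verification now fails."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "evidence_drive.bin")  # placeholder, not a real disk
    img = os.path.join(d, "evidence_drive.dd")
    with open(src, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE DATA " * 4096)
    rec = acquire_image(src, img, examiner="Examiner Placeholder")
    ok_before = verify_image(img)
    with open(img, "ab") as f:
        f.write(b"\x00")  # simulate the image being touched after acquisition
    return rec["verified"], ok_before, verify_image(img)
```

Running `demo()` returns `(True, True, False)`: the copy matched the source, the untouched image verified, and the altered image did not.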

  • Inadequate communication: During a standard criminal investigation, the police, detectives, forensics experts and coroner must cooperate to achieve their common goal of finding the root cause, how the crime was executed and who the culprit was. The same principle applies to cybersecurity and digital forensics services. Communication includes immediately informing those affected by the breach, including stakeholders and customers. In many cases, customer or business data may have been exposed or leaked, causing reputational damage. Any substantial progress made in the investigation, or any further damage done, should be conveyed to the authorities without fail and as-is, when it happens.

  • Rudimentary policies and rules: An incident can be managed far better if the organization has a well-defined set of rules and a strong cybersecurity policy. Without them, the digital forensics process will be delayed. An incident response plan is a set of policies and procedures to be followed when an event occurs, and it can serve as a guideline for digital forensics services.

  • Limiting the scope of forensics: Limiting the scope is a common mistake made by the digital forensics services team. It is hard to be certain about details such as which file system was affected the most or which node is infected with a particular virus, and in these circumstances time is usually limited, since the culprit's footprint must not be lost. The scope can also end up too narrow when the forensics services team does not fully understand the computer system.

  • Not choosing a well-qualified digital forensics services team: Hiring a qualified team or service provider is important to avoid mistakes like those mentioned above. The team needs to be well versed in networking, operating systems, law, cybersecurity and communication, with prior experience of such situations. An in-house team can be chosen to do the investigation, but can it be ensured that they are trustworthy? Insiders can very well tamper with the information in the inquiry.

  • Not prepping the client to preserve evidence: Failure to preserve evidence can be very problematic and can lead to a huge financial crisis. For example, a company was fined $1,000,000 and faced courtroom sanctions because, while it had instructed employees not to delete files, it neglected to stop the automatic overwriting of backup tapes. As a result, the employees were fired and a new team was hired to mitigate further damage to the evidence. It is also important to prepare your employees for worst-case scenarios through regular communications, training and awareness programs.

Conclusion 

Although digital forensics services have advanced greatly in recent years, the field is still shrouded in mystery to those outside it. Hiring an external digital forensics services team is not always considered, on the assumption that internal IT staff with some knowledge of computer forensics can successfully undertake the investigation, but relying on limited knowledge can be dangerous and costly.