Cybersecurity and Forensics Update From iDiscovery Solutions

CCBJ recently co-hosted a webinar with iDiscovery Solutions (iDS), which included insights from team members Jonathan Karchmer and Bobby Williams. The discussion covered developments in cybersecurity and forensics as well as best practices.

In today’s world of high-profile cybercrime, it’s more important than ever that companies understand and maintain system and network security. Doing so will help minimize data breaches, fraud and other kinds of illicit activity, as well as help ensure that crimes and corporate malfeasance can be properly investigated if they do occur. With that in mind, Corporate Counsel Business Journal recently co-hosted a webinar with iDiscovery Solutions (iDS), “2019 Forensics Update and System Tuning for Investigations,” that tapped the expertise of Jonathan Karchmer, senior managing consultant with iDS, and Bobby Williams, managing consultant with iDS.

The wide-ranging discussion touched on recent developments in the cybersecurity and forensics industry, as well as best practices, tips and tricks that companies can follow to ensure that their systems and networks are generating (and retaining) the kind of information that’s critical to investigative work. As Karchmer points out: “Nothing stops an investigation dead in its tracks like not having any data to work with.”

Fortunately for investigators – and the companies that use their services – the world of forensics is brimming with exciting new technology. One such product that iDS uses in its investigative work is the Kroll Artifact Parser and Extractor (KAPE), a completely scriptable tool, created by a former FBI special agent, that can do both “live response” and “dead box” forensics. Another powerful tool, which Williams says he recommends to companies that need to do email collections and searches, is Forensic Email Collector (FEC).

“We have to remember, we’re in the internet of things environment now,” Williams says. “So the metadata of email messages in the context of all of that other data is highly, highly important and can help you dig out the narrative of your case.”

And in situations where the client wants to remediate specific sensitive emails from mailboxes, FEC’s companion tool, Obliterator, can create a “hit list,” as Karchmer puts it, of emails to be isolated and removed.

Beyond keeping up with the cutting-edge technology used on the investigative side of their work, Karchmer and Williams stress that the most important thing companies can do right now is optimize their own systems and networks – which essentially amounts to proper planning.

“Workplace investigations are a fact of life,” Karchmer says. “Intrusions happen. Data breaches happen. Employees are going to misuse their computer, maybe take or copy some confidential information. Your ability to respond to these events and recover really depends on your level of preparedness and planning.”

To get a data-security baseline, Karchmer and Williams suggest bringing up several basic points with your IT and cybersecurity teams. First: Group Policy. This feature is part of the Microsoft Windows NT family of operating systems, and it is used to allow or deny certain permissions in the company’s network environment, as well as to force certain behaviors on all of the devices in that environment. It can help generate data that’s relevant to investigations, as well as maintain that data. For example, it can be used to do things like restrict the ability of users to delete their internet history.

Taking a comprehensive inventory of the company’s various computers, mobile devices and other pieces of technology (like USB flash drives) is critical, Karchmer says. He also recommends that companies take a thorough look at their user accounts. Are there rogue accounts in the environment, or accounts that should have been shut down a long time ago? Good conversation starters to have with your IT and cybersecurity teams are questions like: How often are user accounts reviewed? How current is the company’s device inventory? How do we update our device inventory?

Knowing what data you have is important, but so is knowing how long you’re going to retain access to it. According to Karchmer, it is common for companies to redeploy devices without preserving the data on them, only to wish they had access to it later on down the road, perhaps for an unforeseen investigation. “It’s a good idea to have those conversations now about how you’re going to deal with things like employee exits,” Karchmer says. “Set devices aside. Get them forensically preserved right away, even if it’s just for a rainy day.”

Along those same lines, Karchmer also recommends a tool called Volume Shadows, which will take periodic snapshots of all of your files, including system files and other configuration files, and save them in the event that you need to “go back in time,” as he puts it. This allows you to do things like use previous versions of specific files, or even reset your entire system to an earlier point in time.

So now you know what data you have, how long it will be retained, and how to access previous versions of it – but it’s also vital that all of that information is protected by encryption. Williams recommends a product called BitLocker. And while he says that companies should always keep their data encrypted, he also stresses the importance of knowing how to swiftly decrypt that data as well. “Encryption means being able to line the right keys up with the right locks,” he says, “so that you don’t put a burden on your organization when the time comes to do an investigation.”

Along with encryption, Williams points to mobile device management (MDM) as a key aspect of data security. MDM is usually implemented via a third-party product that has management features for particular vendors of mobile devices. It can help companies monitor their network and the devices accessing the network without manual oversight from the IT and cybersecurity teams. Williams points out that there are various corporate policies around employee usage of mobile devices – including BYOD (bring your own device), COPE (corporate owned, personally enabled) and CYOD (choose your own device) – so it’s important to choose an MDM tool that’s versatile enough to include as many devices as possible.

Making sure that your rights and permissions are configured correctly is also a crucial aspect of data security, as it will help prevent outside intrusions and breaches to the network, including ransomware attacks. And making sure that local firewalls are turned on is essential for limiting the spread of nefarious activity if a breach does occur.
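As an added example (not from the webinar or iDS), the following read-only PowerShell check audits the baseline items above on a single Windows host: the Group Policy control on browsing-history deletion, Volume Shadow Copy snapshots (the Windows feature Karchmer calls “Volume Shadows”), BitLocker protection and the presence of a recovery password protector that can be escrowed, local firewall profiles, and enabled local accounts that nobody has used in a long time. It assumes Windows 10/11 with the BitLocker module, the Edge/Chrome AllowDeletingBrowserHistory policy values as the history-deletion control, a 7-day snapshot age limit and a 90-day stale-account threshold.

```powershell
# Added example (not from the webinar or iDS): read-only readiness check for the
# baseline items in the article. Run in an elevated PowerShell on Windows 10/11.
# Assumptions: Edge/Chrome "AllowDeletingBrowserHistory" as the history-deletion
# control, a 7-day snapshot age limit and a 90-day stale-account threshold.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Group Policy: value 0 means users may not delete their browsing history
$historyPolicies = @{
    'Edge'   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Chrome' = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
}
foreach ($browser in $historyPolicies.Keys) {
    $policy = Get-ItemProperty -Path $historyPolicies[$browser] -ErrorAction SilentlyContinue
    if ($policy.AllowDeletingBrowserHistory -ne 0) {
        $findings.Add("Group Policy: $browser users can still delete browsing history")
    }
}

# 2. Volume Shadow Copies: is there a recent snapshot to "go back in time" with?
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    $findings.Add('Volume Shadow Copies: no snapshots exist on this host')
} else {
    $newest = ($shadows | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    if ($newest -lt (Get-Date).AddDays(-7)) { $findings.Add("Volume Shadow Copies: newest snapshot is from $newest") }
}

# 3. BitLocker: volume encrypted, and a recovery password protector exists to escrow
foreach ($vol in Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker: protection is off on $($vol.MountPoint)")
    } elseif ('RecoveryPassword' -notin $vol.KeyProtector.KeyProtectorType) {
        $findings.Add("BitLocker: $($vol.MountPoint) has no recovery password protector to escrow")
    }
}

# 4. Local firewall: every profile enabled, to limit spread after a breach
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') { $findings.Add("Firewall: $($fwProfile.Name) profile is disabled") }
}

# 5. Accounts: enabled local accounts idle for 90+ days (or never used) need review
$cutoff = (Get-Date).AddDays(-90)
foreach ($user in Get-LocalUser | Where-Object { $_.Enabled -and $_.LastLogon -lt $cutoff }) {
    $last = if ($user.LastLogon) { $user.LastLogon } else { 'never' }
    $findings.Add("Accounts: '$($user.Name)' is enabled but last signed in: $last")
}

if ($findings.Count -eq 0) { 'All baseline checks passed' } else { $findings }
```

Domain-joined environments should run the equivalent account review against the directory rather than local accounts; the script only inspects the host it runs on.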

The entire hour-long webinar, “2019 Forensics Update and System Tuning for Investigations,” can be viewed at bit.ly/347rhGi.
