A company’s most important assets aren’t always physical. Trade secrets can be worth millions of dollars and represent a significant part of a company’s value.
So when it looks like that information has been stolen, smart companies hire experts in digital forensics to investigate the theft and, if possible, help hold the responsible parties accountable.
The same way that a crime scene investigator might look for physical clues, a digital forensics team will examine a client’s network and devices for proof of what happened. If necessary, that work can be used to support eventual litigation.
Decades ago, attorneys and private investigators used paper documents to delve into the loss of trade secrets, said Dan Nelson, Co-Founder and General Counsel of Digital Silence, a boutique cybersecurity firm.
“As we moved into storing and using all that information on computers, people came along and developed the skills to say, OK, now that the medium is digital, what investigative techniques do we need to deploy to investigate that?” said Nelson, a retired trial lawyer.
Digital forensics in action
What if one of your current employees quietly sent sensitive information back to their previous employer, who just happens to be a major competitor?
This is the kind of case that Digital Silence often handles for clients, said Devin Hill, the firm’s Director of Digital Forensics and Incident Response.
When a client becomes concerned about possible unauthorized access to, or movement of, sensitive company data, the client or their counsel calls Digital Silence. Digital Silence deploys advanced forensic tools and techniques to determine the what, when, who, and how of the misappropriation of a client’s digital assets.
If the client decides to pursue legal action against those responsible, Digital Silence can also offer technical advisory assistance during the discovery phase as well as pre-trial and trial expert witness services.
Investigating multiple devices
As part of the investigation, the client will ideally provide investigators with the employee’s devices, such as their company-issued laptop and smartphone, which might show what files have been accessed, browser history and relevant passwords.
Even then, there’s always the risk that communication was conducted over a secure chat application. Or the person under investigation may have wiped the devices completely.
Experts in data forensics will also look at the logs generated by a client’s computer networks and applications, which will keep a history of who accessed which files and when. Those “breadcrumbs” can often be used to build a narrative of how a cybercrime occurred and who was responsible.
That kind of attribution is easier to do when the threat actor works internally, as opposed to an unknown third party living in another country.
Email breaches and digital forensics
Hill and his colleagues also frequently investigate email breaches for clients. Typically, an intruder has broken into a company’s email system and retrieved information that allows the intruder to defraud the victim’s business partners.
Imagine a real estate transaction where multiple parties are part of an email thread. If a threat actor gets access to just one party’s system, they could acquire enough information to send a spoofed email that tells a buyer to wire their payment to the wrong bank account.
Hundreds of thousands of dollars would suddenly disappear into the ether. “And they’re probably never going to see it again,” Hill said.
As a result, the wronged party will send a demand letter seeking action from the others who might have been involved — the other people who were part of the email exchange.
In those cases, digital forensics can examine a client’s system and put together a report detailing their security and activity, so the client can deny responsibility for the financial loss.
Preparing your defenses
Digital forensics experts can help build a case, but only if they have access to the necessary data. Smart companies will make sure their systems are set up to monitor and record important activity before a breach occurs.
Activate logging features for your computer system
Logging forms the basis for many digital forensic investigations, allowing investigators to see what was done, when and by whom. Unfortunately, if the logging function isn’t turned on, that entire avenue of investigation is closed off.
You probably don’t need to log every action, Hill said, but it’s wise to log all traffic coming into and leaving your network.
“With Office 365 and cloud environments, I would say log as much as possible in those environments,” Hill said. “Because they’re often targets, and they’re scammed constantly by bad guys.”
Make sure your logs are stored for a sufficient amount of time
It’s one thing to turn on logging. But if you’re only storing those logs for a limited amount of time, you probably won’t have enough information to complete an investigation.
Some companies have experienced a breach, only to discover that their computer logs go back just 90 days or, in some cases, just seven days. That is a problem because a security breach might not be discovered until months after it happened.
The solution could be as simple as upgrading your software subscription to the next tier of service. For a few more dollars per month, you may be able to increase your storage time significantly.
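A way to check both logging points above before an incident forces the question, as an added example that is not from the article or from Digital Silence: it reads log lines from several sources and reports, per source, how many days of a suspected incident window have no records at all, whether because retention ran out or because logging was off. The source names, dates and the `SOURCE TIMESTAMP message` line format are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

def days(start, end):
    """Every calendar date from start to end, inclusive."""
    return [start + timedelta(n) for n in range((end - start).days + 1)]

def parse(lines):
    """Map each source to the set of dates on which it has at least one record."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # blank or malformed line
        try:
            seen[parts[0]].add(datetime.fromisoformat(parts[1]).date())
        except ValueError:
            continue  # unparseable timestamp
    return seen

def coverage_report(lines, window_start, window_end):
    """Per source: earliest record and the days in the window with no records."""
    window = days(window_start, window_end)
    report = {}
    for source, dates in parse(lines).items():
        missing = [d for d in window if d not in dates]
        report[source] = {"earliest": min(dates), "missing_days": len(missing),
                          "first_missing": missing[0] if missing else None,
                          "covers_window": not missing}
    return report

# Constructed scenario: breach discovered months after it is suspected to have begun.
DISCOVERED = date(2024, 4, 20)
SUSPECTED_START = date(2024, 1, 10)

def sample_lines():
    """Constructed sample logs: one record per day, per hypothetical source."""
    retained = {"proxy": 180, "firewall": 365, "mail_audit": 90, "file_server": 7}
    outage = set(days(date(2024, 2, 10), date(2024, 2, 12)))  # logging was off
    out = []
    for source, keep in retained.items():
        for d in days(DISCOVERED - timedelta(keep - 1), DISCOVERED):
            if not (source == "firewall" and d in outage):
                out.append(f"{source} {d.isoformat()}T09:00:00 constructed-event")
    return out

if __name__ == "__main__":
    for src, r in coverage_report(sample_lines(), SUSPECTED_START, DISCOVERED).items():
        print(src, r)
```

A source with a non-zero `missing_days` cannot support a full reconstruction of the window; `first_missing` shows whether the hole is at the start (retention) or in the middle (an outage).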
It’s also important to institute security systems and policies to prevent cybercrime in the first place, though nothing is 100 percent foolproof. Taking the time to prepare for a potential investigation could give your digital forensics team the intel they need to respond effectively when it matters most.