Digital forensics: The truth of the matter
Digital forensics is the process of interrogating computer systems to see what they know. A good digital forensics investigation can tell you who did what, and when they did it, with good accuracy. We at Pulse Security specialise in gathering computer and device-based evidence to help paint an accurate picture of events, normally related to employment issues or cyber-attacks. Digital forensics can play a critical role in getting closer to the truth of the matter and making sure good decisions can be made.
One recent case we investigated involved an employee who felt their employer was not acting fairly, which had resulted in a history of employment issues. The employer contracted Pulse Security to investigate the employee’s corporate laptop, looking for evidence of misconduct, as suspicions had been raised that the employee was stealing sensitive company data.
The typical process for a digital forensic investigator involves three major phases: acquisition, analysis, and reporting. The main goal of the acquisition phase is to quickly and quietly make a forensically sound copy of the data on the computer system or device. Key tenets of digital forensics are that the process can be repeated, that there is no question where the data came from, and that the data has not been tampered with. We utilise industry standard acquisition techniques for everything from laptops, to corporate servers, to iPhones and cloud email accounts.
The second stage is analysis of the acquired data. This generally involves using various tools and techniques to build a timeline of events based on the data captured. You can think of this as a giant list of everything that the computer knows happened, including when files were created and deleted, websites accessed, images viewed, and emails sent.
Given the huge amount of data available, a good investigator must pick out the events which are relevant while discarding those that aren’t. This takes a good level of skill, practice and time to achieve. The whole exercise becomes easier with clear direction on what questions we’re trying to answer, along with detailed background information. Investigators are trained to organise large data sets and discover key information, and having a strong starting and ending point helps.
The third stage is the reporting stage. This is where the investigator compiles the relevant evidence, gives guidance on what it means, and provides a copy of the data so the findings can be replicated by a third party if needed. Things can get very technical very fast when it comes to digital forensics, and a good investigator will be able to explain what the evidence means without falling into the trap of drawing concrete conclusions from incomplete evidence.
To return to our earlier case of the employee suspected of stealing sensitive company data, the employer had suspicions and asked us to see if we could prove or disprove them. The acquisition of the company laptop needed to be performed with the highest level of discretion. We decided to send our investigator into the premises at night after everyone had gone home. The laptop was left at the employee’s desk and the investigator was able to move it to a secure room, dismantle the laptop and make a low-level and verifiable copy of the laptop’s hard drive. This took a few hours, but the laptop was replaced safely on the employee’s desk ready for work the following day.
Strict protocols for how everything is managed, from the time of acquisition right through the analysis phase, are critical. In many cases this includes documenting a solid chain of custody for any assets related to the investigation to help ensure the analysis is accurate and repeatable.
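In practice, the acquisition tenets above (repeatable, known provenance, not tampered with) and the chain of custody described here rest on recording a cryptographic hash of the image at acquisition time and re-checking it later. The Python below is an added illustration and not Pulse Security's tooling; the examiner and locker names are placeholders and the "image" is a constructed file standing in for a real drive copy.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a full-disk image never has to fit in memory

def hash_image(path):
    """SHA-256 of an acquired image, read in chunks; run at acquisition and again at verification."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(image_path, examiner, source, record_path):
    """Write the custody record: who imaged what, when, and the hash a third party checks against."""
    record = {"source": source, "examiner": examiner, "image": os.path.basename(image_path),
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "sha256": hash_image(image_path), "custody": []}
    with open(record_path, "w") as f:
        json.dump(record, f)

def log_transfer(record_path, from_person, to_person):
    """Append a hand-over to the chain of custody; the recorded hash itself is never modified."""
    with open(record_path) as f:
        record = json.load(f)
    record["custody"].append({"from": from_person, "to": to_person,
                              "at_utc": datetime.now(timezone.utc).isoformat()})
    with open(record_path, "w") as f:
        json.dump(record, f)

def verify_image(image_path, record_path):
    """Re-hash the image and compare with the acquisition hash. Returns (matches, expected, actual)."""
    with open(record_path) as f:
        expected = json.load(f)["sha256"]
    actual = hash_image(image_path)
    return actual == expected, expected, actual

def demo():
    d = tempfile.mkdtemp()
    img, rec = os.path.join(d, "laptop-hdd.raw"), os.path.join(d, "laptop-hdd.custody.json")
    with open(img, "wb") as f:
        f.write(b"\x00" * (CHUNK + 17))  # constructed stand-in for a drive image; crosses a chunk boundary
    record_acquisition(img, "examiner (placeholder)", "employee laptop HDD (constructed)", rec)
    log_transfer(rec, "examiner (placeholder)", "evidence locker (placeholder)")
    untouched = verify_image(img, rec)[0]
    with open(img, "r+b") as f:  # simulate a single byte of the copy being altered afterwards
        f.seek(CHUNK); f.write(b"\x01")
    tampered = verify_image(img, rec)[0]
    return untouched, tampered
```

A third party given the image and the custody record can run `verify_image` themselves, which is what makes the copy "verifiable" rather than merely asserted to be intact.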
Moving on from the acquisition phase to the analysis phase, we were quickly able to determine that the employee had accidentally been given access to some internal file shares and had been quietly downloading files containing very sensitive internal information. The employer confirmed the employee should not have had access to this information. The laptop showed evidence of these files being downloaded, opened, and then new files being created by the employee summarising their contents. This strongly indicated the employee was more than casually accessing information they shouldn’t be, so we moved on to following the trail of where that information went.
Further analysis showed the employee had been sending the information and their summaries to a personal file transfer service. Interestingly, the organisation’s network security system was attempting to block these outgoing transfers. Unfortunately, the security system was configured to let the employee manually approve the transfers without meaningful oversight, which they proceeded to take advantage of.
At this stage we had proven comprehensively that the employee had accessed information they were not authorised to, and then transferred it outside the organisation, which concluded our investigation. One of the limitations of digital forensics is that we can only follow the trail of evidence as far as the systems we have full permission to access. The file transfer service was not included in the scope of this investigation, and we could not determine what happened to the information from there.
The results of the investigation were critical in helping the organisation make clear and well-reasoned decisions regarding the employee’s conduct. We were able to turn a suspicion of misconduct into a clear-cut scenario. Digital forensics can be applied in many cases: if there’s a laptop, server, or mobile phone, we can often gain answers from it to help people and organisations get closer to the truth and make better, well-informed decisions.
We publish information in LawTalk which will be of interest to members of the legal profession in the provision of legal services. We have a strict policy against advertorial and only publish articles which provide useful and practical information. The Law Society does not endorse any of the products or services which may be mentioned.
Last updated on the 2nd August 2019