November 4, 2020

Last Updated on March 16, 2023

Data forensics is one of those topics where hype can be easier to encounter than clarity.

When might an SMB need a data forensics partner? What do data forensics engagements typically look like—and what do they cost? 

For nontechnical conversation on key aspects of data forensics for SMBswe invited Brian Dykstra CISSP, CCFP and CEO of Atlantic Data Forensics to join a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the episode as always.  
Many of Brian’s customers are the clients of law firms that are involved in civil and (less commonly) criminal litigation. His company also frequently helps organizations of all sizes with incident response, data breach investigations and so on. His senior staff may routinely testify in state and federal court, in scenarios ranging from depositions to jury trials to military court-martial boards.
Regarding litigation, Brian explains: “We do eDiscovery, which is basically imagine doing forensics on 400 mailboxes at once; it’s large-scale [keyword] search and that sort of thing.”

In data breach scenarios: “We’re typically getting the logs from firewalls and SIEMs and whatever other devices they’ve got on their network… And quite often we’re also identifying the machines that we’d like to look at.” 

“We’re going out and acquiring those machines, whether they’re physical machines or VMs or cloud instance or whatever. And making good decisions about what to collect versus what we don’t need to collect,” notes Brian.
“There’s a real tendency in the industry to over collect—especially in data breach situations,” Brian cautions. “Companies that come in and [collect] all the instances or get into all the computers. We could do that, and you can do that pretty rapidly. And you can run up a large bill.”
It’s better to collect less noise and more signal. 
Brian clarifies: “But quite honestly, you can’t analyze all that in any kind of meaningful timeframe. Let’s say you had some form of malware and it was widespread through your network. And your endpoint logs or something told you about this. I don’t need 100 copies of that malware, right? I need one or two samples of it so I can… generate some biopsies and stuff like that.”
“So it could be a very nuanced sort of situation. You’ve got to make good, smart decisions as you’re going along,” stresses Brian. “What’s going to get me the biggest bang for the buck? Because there’s always a concern. How much does it cost?
John amplifies this critical point: “Most people don’t understand that you can spend an awful lot of money and not get the information that you’re hoping to have be there, just based on the nature of the beast. I do like your approach—start small and focus on where you’re going to get the most value.”
Sooner or later almost every business needs data forensics expertise. If you don’t currently have a data forensics provider, listen to this podcast to find out what to expect. 
To hear the podcast episode with Brian Dykstra, plus a wide range of other information security subjects, you can subscribe to The Virtual CISO Podcast here. 
If you don’t use Apple Podcasts, you’ll find all our episodes here.