Last Updated on May 26, 2020
The word forensics usually makes us think of homicide… but it applies to computers, too.
Understanding the need for computer forensics and occasions where it supports you during litigation is a must for anyone who wants to stay in business.
I recently got to sit down with Brian Dykstra, President and CEO of Atlantic Data Forensics, to talk about what it’s like to do forensics on 400 inboxes all at once.
Brian does computer forensics discovery for civil and criminal litigation for law firms. Discovery, in legal terms, is like a large-scale search for information. “We also testify on a regular basis in state and federal court,” he said.
What, exactly, does “computer forensics” mean?
Brian explains it this way: “A lot of the forensic stuff is about what happened, when did it happen, how did it happen? Tell me the story of what went on on this computer.”
The need for computer forensics
Not only does computer forensics tell the tale of who took the files on the device, it can also encompass a few systems or even a network. Network-size forensics tends to focus on security, as in malware or firewall and ID logs.
“Oftentimes we’re identifying the machines that we’d like to look at. We’re going out and acquiring those machines, whether they’re physical or VMs or cloud instances, and making good decisions about what to collect,” Brian said. “There’s a real tendency in the industry to over collect, especially in data breach situations.”
Why would a company want to collect this forensic data at all? Usually you have some search parameters and target goals in mind for discovery. Plus, if you have widespread malware, you don’t have to collect a hundred copies to run successful analysis on it.
“It could be a very nuanced situation. They’re very fluid,” Brian said. “You have to make good smart decisions as you’re going along. What’s going to give me the biggest bang for the buck?”
Atlantic Data Forensics does a lot of intellectual property theft cases and employment law cases.
IP Theft: Two engineers and a sales guy decided they could compete with their current employer… and took some files with them before they left.
Employment: This could include wrongful termination, sexual harassment, hostile workplace environment, and specious claims.
“In any state in the US, you have about three years after you’re terminated or left your employer, where you can go back and sue them,” Brian said. Employment attorneys usually wait about a year (long enough for a company to get rid of the computer and accounts of a former employee).
Takeaway #1: When somebody leaves a high value proposition position, especially if it ends in an unusual way, it’s not a bad idea to freeze those drives.
Data protection for future litigation
Brian has a process called Safe Departure(SM), inspired by a multinational with 300 employment law cases going on at once.
“We put together a program that we now use with HR directors all over the place where as soon as you know somebody’s going to be terminated, ideally before they’re terminated, we make a forensic image of their laptop,” Brian explained. This also includes mailbox, network shares, social media accounts—everything. “We have the entirety of the data that person works with, and we store it.”
One out of 20 times, the data of a director level or above role is needed again.
A large company should probably practice this preventative computer forensic program all the time… but when is it ideal for a small to midsize business (SMB) to do so?
Also all the time.
“Nowadays, 50% of the time it’s going to be litigation type stuff, but the other 50% it’s a data breach or a third party data breach that ends up affecting you,” Brian said. “It is good to know a computer forensics answer response provider ahead of time.”
Takeaway #2: Seek cyber liability insurance through your insurance carrier and put a trusted computer forensic company on speed dial.
CISO failings & pain points
It isn’t just doctors—50% of CISOs also graduate in the bottom half of their class.
“We just handled a large, large, large breach during the holidays,” Brian said. “It was a multibillion-dollar company, hundreds of thousands of employees, every product under the sun, none of them properly installed, none of them properly managed, and inadequate training on each of them. The IT staff was a fraction of what it should have been for a company that size, managed by frankly a CISO that thought he knew a lot more than what he actually did.”
What a nightmare—and it’s all too common.
Brian’s Top 3 Pet Peeves
- More companies talking about multi-factor authentication than actually implementing it
- Actually collect some logs, because having them is way better than not
- Block numerous intrusions by enabling rules in your firewall that refuse to accept unneeded data packets from other countries
“That just prevents a whole lot of things from being successful,” Brian said. “It’s just reducing the attack surface by so much, and it’s just the freest, easiest thing you can possibly do.”
Contact Brian at his website or at the ADF office number: (410) 540-9000.
This post is based on a Virtual CISO podcast with Brian Dykstra. To hear this episode, and many more like it, you can subscribe to Virtual CISO here.
If you don’t use Apple Podcasts, you can find all our episodes here.