- Who needs Digital Data Breach Forensics?
Anyone, whether a small business, large business, city/state government, or even an individual, might fall victim to a cyber attack and require the assistance of a Computer Forensics, or digital forensics, specialist. Did you know that over 90% of new data produced is stored electronically and most of it is never printed out as a hard copy?
As people have become more reliant on computers, the involvement of computers in both cyber and regular crimes has also increased. In fact, it is estimated that digital footprints can be found in over 85% of all crimes today. Digital Forensics can be used as evidence or defense, whether a computer was directly used to commit a crime or not, and these trends do not appear to be slowing down any time soon, which means Computer Forensics will only become more important over time.
- Why Digital Forensics?
To understand why Digital Forensics is important, you must first understand what it is.
Similar to the forensics used by police departments and federal agencies, Computer Forensics is essentially collecting digital evidence. To do this, Computer Forensics experts will utilize special techniques to recover, authenticate, analyze and/or preserve any data they collect within computer services, which helps cyber security experts to piece together the who/what/when/why/how of an electronic crime.
There are generally three types of data cyber experts are looking for:
- Active Data - This tends to be the easiest evidence to find because it can be seen and found by typical users, such as when software has been installed or deleted.
- Archival Data - As the name suggests, this type of data has been backed up/stored and can be found on hard drives, CDs, USBs, and storage devices of that nature. It may not be quite as easy to find as Active Data, but it's generally just a matter of knowing where to look.
- Latent (or Ambient) Data - This is generally the type of data we are discussing in Computer Forensics. It is the information that can only be accessed with specialized tools and expert knowledge, such as files that have already been removed or erased from a computer.
Computer Forensics experts' objective is to piece together what happened by working through the following steps:
- STEP ONE: Determine the objective of the investigation
- STEP TWO: Recover all relevant data and files
- STEP THREE: Preserve and protect all the data discovered
- STEP FOUR: Provide a detailed report of their analysis
- What are eDiscovery and ESI?
- Digital Forensics costs
Sometimes, advances in technology can be a real headache and serve to make situations more complicated, even as the goal is to make things easier.
In Digital Forensics, however, technology has helped in a lot of ways, including being able to lower the price of an eDiscovery. Where it used to cost a person or business needing Computer Forensics tens of thousands of dollars to get ahold of their ESI, the cost has lowered considerably.
That being said, Computer Forensics examinations will vary in cost, depending on multiple variables, such as the size of your device, or what kind of media you are using. For example, did you know that examining just one hard drive can take almost 40 hours? However, an experienced Forensic examiner will ask you relevant questions during a fact-finding consultation, and will be able to give you an initial quote so you aren't surprised at the end of the investigation with an outlandish bill.
Just to get an idea of what you're looking at, a Digital Forensics investigator will generally charge around $250-$300/hour and will generally follow these steps:
- ESI Collection - Usually the least complicated of the steps, this is where the Computer Forensics investigator gathers any relevant ESI that is needed. This typically costs around $500 + expenses.
- ESI Examination - After the Digital Forensics investigator gathers the necessary ESI, they will then examine it for you, the hours of which, as you can imagine, will vary.
- Report of the Results - In this step, the Computer Forensics investigator types up the analysis of the findings.
In a normal investigation, examining the ESI and reporting on the findings will take less than 15 hours; as such, the total in any standard investigation will only be around $5,000.
Additionally, some business owners also worry about an investigation impeding normal business operations, and we respect that concern. As such, we are able to image your devices during non-traditional working hours (meaning evenings and/or weekends), generally in less than six hours.
- When do I need a Digital Forensics investigation?
- Are you involved in a lawsuit, criminal or civil, either as the defendant or the victim, in which a computer or electronic device was involved?
- Are you the victim of a hacker (ransomware, malware, etc.)?
- Is data on your device being held for ransom?
- Are you an attorney defending a client in a lawsuit in which a computer or electronic device was involved?
If so, there is a good chance you will need the services of a Computer Forensics investigator.
As with any lawsuit or crime, it is essential for all relevant facts and data to be brought to light in order to be best prepared for your day in court. Beyond just utilizing eDiscovery methods to gather ESI off of a computer or a device, the ultimate goal of a Computer Forensic specialist is to examine and analyze the data they find by:
- Obtaining all relevant information available
- Preserving the evidence that is found
- Determining the facts from the data that is gathered
- Analyzing the facts to determine if the computers/devices were used illegally
After the ESI is analyzed, your lawyer will use the information uncovered by the Digital Forensic specialist in your case. He or she might also use a "Request for Production of Documents" to make sure the other party hands over any computer or devices to search for files that could be used to help your case. For example, if you believe one of your business competitors sent you ransomware or a virus to try to hurt your business, your lawyer could request to have them turn over their devices for examination. Hiring a Computer Forensic specialist to search for any data in emails or files that may or may not be deleted could save you and your defense team a lot of time and money as it could produce evidence that the competitor tried to hide and/or delete.
Having a Digital Forensic specialist find and analyze hard-to-find files and emails could be a total game changer. They are there to extract, preserve and analyze any trace evidence left behind; conversely, using someone who is not an expert in this field could cause irreversible damage to precious evidence and could cause a case that would have been easily won to be dragged out or even lost altogether.
- Why not use staff in my IT Department instead of a Digital Forensics professional?
Technically, you could. We understand the appeal of using someone you work with because not only are you already paying them, but (hopefully!) you trust them, as well.
However, it is important to keep in mind that often, you only have one shot at eDiscovery, due to the delicate nature of electronic evidence. While your IT staff might be great at setting up networks and re-starting computers, it's not very likely that they have much experience in Computer Forensics and eDiscovery. Through inexperience, they may inadvertently lose or destroy your precious ESI.
On top of that, the tools that are needed for eDiscovery are pretty pricey themselves, and it's unlikely you will need them often enough to justify the cost of purchasing them.
Remember, you get what you pay for and eDiscovery should be performed by Digital Forensics experts.
Additionally, most court systems mandate that eDiscovery be conducted by OUTSIDE Computer Forensics specialists. Just like you see in crime dramas, when you have someone "too close" to the case, it can make it difficult to be objective, which can really foul up a case. Internal IT staff can inadvertently raise questions about not only the authenticity of evidence, but its validity, as well.
RULE OF THUMB: If there is even a smidgen of a chance that your case will eventually go to court, make sure you call in a Digital Forensics expert to analyze your data.
You don't want to run the risk of having important ESI being deemed inadmissible. Keep in mind that while your staff is trained to RECOVER data, that is completely different from harvesting and preserving traces of data that have been all but deleted:
- The ESI that Computer Forensics investigators uncover during their eDiscovery process is exceedingly fragile and can be damaged or destroyed if your computer's operating system fails to recognize it; highly specialized tools need to be used.
- Looking through your computer or device, or sometimes simply turning it on, can irrevocably damage and/or destroy the data you're seeking.
- Evidence tainting is not uncommon when in-house IT staff is involved, as dates and data can be altered and overwritten.
Put simply, you want to avoid issues like this from the get-go, and the best way to do that is to hire a professional outside Digital Forensics specialist, like Petronella Technology Group (PTG). Due to the fact that we are a neutral third party, the evidence you submit from us will be much more credible and authentic when presented in court. We also have the equipment and expertise necessary to produce reliable and trustworthy ESI necessary to win your case.
- Is a Digital Forensic expert worth the cost?
In a nutshell? Yes.
Using someone who is untrained in eDiscovery and Computer Forensics, or trying to do it yourself, can be a bigger headache, and put more of a dent in your pocketbook, than doing it right the first time.
As opposed to looking at the bottom dollar of a Digital Forensic specialist, you must also consider potential opportunity costs, such as lost or damaged ESI that is irretrievable. In fact, evidence that is lost, not preserved correctly and/or tainted can cost you your entire case!
But even putting the evidence aside, let's look at the cost of having an employee untrained in Computer Forensics do the work.
- When is your IT employee going to perform the work?
- During regular business hours? So then who is performing the tasks that they normally perform?
- After hours or on the weekends? Then you might want to consider how much overtime is going to cost you. Also, is your employee available to do the work then?
- How much time is your IT employee going to spend not just gathering all the data (without the tools that make recovery efficient and safe) but also analyzing it and writing up the reports?
- Is this person going to be able to accurately apply laws to the analysis?
- Will s/he be able to present the evidence in court, if necessary?
If your case is important, you want to leave it in the hands of a professional. Trying to cut corners will most likely end up costing you much more in the end.
- Does a Digital Forensics specialist REALLY reduce our costs and risks?
It may come as little surprise to you to learn that billions of dollars are lost from businesses due to fraud, theft and even sabotage... by employees!
Did you consider the impact of negative publicity, lost credibility and decreased employee morale associated with theft?
And let's not even get started talking about the billions more that are wasted in litigation costs, such as investigations, productivity and intellectual property loss!
Your company can potentially go through all of that, be the victim in the situation, and STILL be highly scrutinized by industry watch dogs, who could even potentially slap you with fines and penalties, just adding insult to injury!
When you really stop to consider all the opportunity and peripheral costs you can incur, doesn't it make sense to hire a professional who is adept at navigating through those kinds of waters? The costs associated with hiring a Computer Forensics specialist pale in comparison to the costs you can incur if you don't get everything right.
- Who pays for the Digital Forensics services?
Generally speaking, the party seeking eDiscovery is responsible for the costs. However, depending on court costs and legal responsibilities, the guilty party may be required to recover any costs that have fallen to the victim. But even if that doesn't happen, there is a good chance that the costs you incur by seeking the services of a Computer Forensics expert will be less than trying to do it on your own.
- Can evidence be extracted from smartphones or other devices by a Digital Forensics expert?
- Can I send my equipment to a Digital Forensics expert to analyze?
It may be possible, but we need to speak with you at length before we can make that decision.
When you contact us, we will get as much information from you as possible, and then provide you with detailed instructions. However, if it is decided that sending us your hard drive is a viable option for you, we recommend that you follow these steps:
- DO NOT SHIP ANYTHING TO US UNTIL WE HAVE SPOKEN WITH YOU AND COME UP WITH A GAME PLAN. We will provide you with a tracking code to place on the shipping label, so that none of your hardware is lost.
- Do not remove the drive yourself. Hire an experienced technical professional to perform the extraction for you.
- The disk drives contained in your computer are very sensitive to static.
- Seal your drive inside an anti-static bag and wrap it completely with thick bubble wrap and/or foam. Otherwise, you will risk damaging the contents.
- Avoid static-producing Styrofoam peanuts and/or materials. The less potential for static electricity, the safer your equipment.
Shipping us your equipment may be the best option for you, but it comes with risks. Be sure to take all necessary precautions to avoid evidence loss and/or damage.
- When should I contact a Digital Forensics expert?
- When do we start the eDiscovery process with a Digital Forensics professional?
If you found you have been victimized electronically, by an employee or an unknown hacker, or anyone in between, what you need to do is...
STOP! TURN OFF YOUR COMPUTER AND DO NOT USE IT!!
Be sure to secure it tightly so nobody else is able to use it either.
Using a computer that was used in the crime can cause irreversible damage to any precious digital evidence you may have.
Whew! Now that we have that out of the way in BIG BOLD LETTERING, here are the steps to take:
- Just to reiterate, the first thing to do is NOT use your computer.
- If the computer is off, leave it off!
- If the computer is on, don't touch it. Turning it off can harm the evidence!
- Call PTG right away, and we will instruct you on how to proceed in the eDiscovery process.
- Keep the compromised computer/device out of the hands of your staff, including your IT staff. It's unlikely they are certified in Computer Forensics, and they may (either accidentally or purposefully) destroy or damage ESI.
- If you do allow anyone besides a Computer Forensics expert to look at or touch your computer, be sure you keep an extremely detailed log of who/what/when/where/why/how. It is very important and we will need to review the logs after we receive your computer.
Now, it's possible you did not read this section, and your IT staff decided to take a stab at it... It's not ideal, but not all hope is lost. It may make retrieving relevant data more difficult and expensive, but an experienced Computer Forensics specialist should still be able to help. Give us a call and we can perform a mini-Analysis to see if recovery is possible.
Here at PTG, we understand that being the victim of a crime, electronically or not, isn't easy, and you don't always know what to do. If you aren't sure whether you need a Computer Forensics expert or not, feel free to schedule a free consultation with Craig by calling us directly at 919-276-4446.