Data Breach Forensics
Thanks to popular shows such as Law & Order: SVU, CSI, Bones and Criminal Minds, most of us have heard about "forensics." But did you know that law enforcement AND cyber security specialists use Computer Forensics, as well? Below you will find answers to questions about Computer Forensics, also known as digital forensics, that you never even knew you had! And if you still need more answers (about Computer Forensics, digital forensics or any other cyber security concern), feel free to schedule a free consultation with Craig, who will be happy to answer any other questions you might have!
Who needs Digital Data Breach Forensics?
Anyone, whether a small business, large business, city/state government, or even an individual, might fall victim to a cyber attack and require the assistance of a Computer Forensics, or digital forensics, specialist. Did you know that over 90% of new data produced is stored electronically and most of it is never printed out as a hard copy?
With people becoming more reliant on computers, the involvement of computers in both cyber and regular crimes has also increased. In fact, it is estimated that digital footprints can be found in over 85% of all crimes today. Digital Forensics can be used as evidence or defense, whether a computer was directly used to commit a crime or not, and these trends do not appear to be slowing down any time soon, which means Computer Forensics will only become more important over time.
Why Digital Forensics?
To understand why Digital Forensics is important, you must first understand what it is.
Similar to the forensics used by police departments and federal agencies, Computer Forensics is essentially collecting digital evidence. To do this, Computer Forensics experts will utilize special techniques to recover, authenticate, analyze and/or preserve any data they collect within computer services, which helps cyber security experts to piece together the who/what/when/why/how of an electronic crime.
There are generally three types of data cyber experts are looking for:
- Active Data - This tends to be the easiest evidence to find because it can be seen and found by typical users, such as when software has been installed or deleted.
- Archival Data - As the name suggests, this type of data has been backed up/stored and can be found on hard drives, CDs, USBs, and storage devices of that nature. It may not be quite as easy to find as Active Data, but it's generally just a matter of knowing where to look.
- Latent (or Ambient) Data - This is generally the type of data we are discussing in Computer Forensics. It is the information that can only be accessed with specialized tools and expert knowledge, such as files that have already been removed or erased from a computer.
The objective of Computer Forensics experts is to piece together what happened by following these steps:
- STEP ONE: Determine the objective of the investigation
- STEP TWO: Recover all relevant data and files
- STEP THREE: Preserve and protect all the data discovered
- STEP FOUR: Provide a detailed report of their analysis
What are eDiscovery and ESI in Digital Forensics?
Electronic discovery (eDiscovery) is the process the Computer Forensics specialist goes through to identify, collect and/or produce electronically stored information (ESI). The most common kinds of ESI include:
- Texts and Voicemails
- Audio and Video Files
- Social Media
Digital Forensics costs
Sometimes, advances in technology can be a real headache and serve to make situations more complicated, even as the goal is to make things easier.
In Digital Forensics, however, technology has helped in a lot of ways, including being able to lower the price of an eDiscovery. Where it used to cost a person or business needing Computer Forensics tens of thousands of dollars to get ahold of their ESI, the cost has lowered considerably.
That being said, Computer Forensics examinations will vary in cost, depending on multiple variables, such as the size of your device, or what kind of media you are using. For example, did you know that examining just one hard drive can take almost 40 hours? However, an experienced Forensic examiner will ask you relevant questions during a fact-finding consultation, and will be able to give you an initial quote so you aren't surprised at the end of the investigation with an outlandish bill.
Just to get an idea of what you're looking at, a Digital Forensics investigator will generally charge around $250-$300/hour and will generally follow these steps:
- ESI Collection - Usually the least complicated of the steps, this is where the Computer Forensics investigator gathers any relevant ESI that is needed. This typically costs around $500 + expenses.
- ESI Examination - After the Digital Forensics investigator gathers the necessary ESI, they will then examine it for you, the hours of which, as you can imagine, will vary.
- Report of the Results - In this step, the Computer Forensics investigator types up the analysis of the findings.
In a normal investigation, examining the ESI and reporting on the findings will take less than 15 hours; as such, the total in any standard investigation will only be around $5,000.
Additionally, some business owners also worry about an investigation impeding normal business operations, and we respect that concern. As such, we are able to image your devices during non-traditional working hours (meaning evenings and/or weekends), generally in less than six hours.
When do I need a Digital Forensics investigation?
- Are you involved in a lawsuit, criminal or civil, either as the defendant or the victim, in which a computer or electronic device was involved?
- Are you the victim of a hacker (ransomware, malware, etc.)?
- Is data on your device being held for ransom?
- Are you an attorney defending a client in a lawsuit in which a computer or electronic device was involved?
If so, there is a good chance you will need the services of a Computer Forensics investigator.
As with any lawsuit or crime, it is essential for all relevant facts and data to be brought to light in order to be best prepared for your day in court. Beyond just utilizing eDiscovery methods to gather ESI off of a computer or a device, the ultimate goal of a Computer Forensic specialist is to examine and analyze the data they find by:
- Obtaining all relevant information available
- Preserving the evidence that is found
- Determining the facts from the data that is gathered
- Analyzing the facts to determine if the computers/devices were used illegally
After the ESI is analyzed, your lawyer will use the information uncovered by the Digital Forensic specialist in your case. He or she might also use a "Request for Production of Documents" to make sure the other party hands over any computers or devices to search for files that could be used to help your case. For example, if you believe one of your business competitors sent you ransomware or a virus to try to hurt your business, your lawyer could request to have them turn over their devices for examination. Hiring a Computer Forensic specialist to search for any data in emails or files that may or may not be deleted could save you and your defense team a lot of time and money as it could produce evidence that the competitor tried to hide and/or delete.
Having a Digital Forensic specialist find and analyze hard-to-find files and emails could be a total game changer. They are there to extract, preserve and analyze any trace evidence left behind; conversely, using someone who is not an expert in this field could cause irreversible damage to precious evidence and could cause a case that would have been easily won to be dragged out or even lost altogether.
Why wouldn't I just use staff in my IT Department instead of a Digital Forensics professional?
Technically, you could. We understand the appeal of using someone you work with because not only are you already paying them, but (hopefully!) you trust them, as well.
However, it is important to keep in mind that often, you only have one shot at eDiscovery, due to the delicate nature of electronic evidence. While your IT staff might be great at setting up networks and re-starting computers, it's not very likely that they have much experience in Computer Forensics and eDiscovery. Through inexperience, they may inadvertently lose or destroy your precious ESI.
On top of that, the tools that are needed for eDiscovery are pretty pricey themselves, and it's unlikely you will need them often enough to justify the cost of purchasing them.
Remember, you get what you pay for and eDiscovery should be performed by Digital Forensics experts.
Additionally, most court systems mandate that eDiscovery be conducted by OUTSIDE Computer Forensics specialists. Just like you see in crime dramas, when you have someone "too close" to the case, it can make it difficult to be objective, which can really foul up a case. Internal IT staff can inadvertently raise questions about not only the authenticity of evidence, but its validity, as well.
RULE OF THUMB: If there is even a smidgen of a chance that your case will eventually go to court? Make sure you call in a Digital Forensics expert to analyze your data.
You don't want to run the risk of having important ESI being deemed inadmissible. Keep in mind that while your staff is trained to RECOVER data, that is completely different from harvesting and preserving traces of data that have been all but deleted:
- The ESI that Computer Forensics investigators uncover during their eDiscovery process is exceedingly fragile and can be damaged or destroyed if your computer's operating system fails to recognize it; highly specialized tools need to be used.
- Looking through your computer or device, or sometimes simply turning it on, can irrevocably damage and/or destroy the data you're seeking.
- Evidence tainting is not uncommon when in-house IT staff is involved, as dates and data can be altered and overwritten.
Put simply, you want to avoid issues like this from the get-go, and the best way to do that is to hire a professional outside Digital Forensics specialist, like Petronella Technology Group (PTG). Due to the fact that we are a neutral third party, the evidence you submit from us will be much more credible and authentic when presented in court. We also have the equipment and expertise necessary to produce the reliable and trustworthy ESI needed to win your case.
Is a Digital Forensic expert worth the cost?
In a nutshell? Yes.
Using someone who is untrained in eDiscovery and Computer Forensics, or trying to do it yourself, can be a bigger headache, and put more of a dent in your pocketbook, than doing it right the first time.
As opposed to looking at the bottom dollar of a Digital Forensic specialist, you must also consider potential opportunity costs, such as lost or damaged ESI that is irretrievable. In fact, evidence that is lost, not preserved correctly and/or tainted can cost you your entire case!
But even putting the evidence aside, let's look at the cost of having an employee untrained in Computer Forensics do the work.
- When is your IT employee going to perform the work?
- During regular business hours? So then who is performing the tasks that they normally perform?
- After hours or on the weekends? Then you might want to consider how much overtime is going to cost you. Also, is your employee available to do the work then?
- How much time is your IT employee going to spend not just gathering all the data (without the tools that make recovery efficient and safe) but also analyzing it and writing up the reports?
- Is this person going to be able to accurately apply laws to the analysis?
- Will s/he be able to present the evidence in court, if necessary?
If your case is important, you want to leave it in the hands of a professional. Trying to cut corners will most likely end up costing you much more in the end.
Does a Digital Forensics specialist REALLY reduce our costs and risks?
It may come as little surprise to you to learn that billions of dollars are lost from businesses due to fraud, theft and even sabotage... by employees!
Did you consider the impact of negative publicity, lost credibility and decreased employee morale associated with theft?
And let's not even get started talking about the billions more that are wasted in litigation costs, such as investigations, productivity and intellectual property loss!
Your company can potentially go through all of that, be the victim in the situation, and STILL be highly scrutinized by industry watch dogs, who could even potentially slap you with fines and penalties, just adding insult to injury!
When you really stop to consider all the opportunity and peripheral costs you can incur, doesn't it make sense to hire a professional, who is adept at navigating through those kinds of waters? The costs associated with hiring a Computer Forensics specialist pale in comparison to the costs you can incur if you don't get everything right.
Who pays for the Digital Forensics services?
Generally speaking, the party seeking eDiscovery is responsible for the costs. However, depending on court costs and legal responsibilities, the guilty party may be required to recover any costs that have fallen to the victim. But even if that doesn't happen, there is a good chance that the costs you incur by seeking the services of a Computer Forensics expert will be less than trying to do it on your own.
Can evidence be extracted from smartphones or other devices by a Digital Forensics expert?
Absolutely! An experienced Computer Forensics specialist can extract ESI during eDiscovery from many different types of devices, including (but not limited to):
- Cell phones
- Personal computers (desktops and laptops)
- Hard drives (external and internal)
- DVDs & CDs
- USB drives
- SD cards
- Digital cameras
Can I send my equipment to a Digital Forensics expert to analyze?
It may be possible, but we need to speak with you at length before we can make that decision.
When you contact us, we will get as much information from you as possible, and then provide you with detailed instructions. However, if it is decided that sending us your hard drive is a viable option for you, we recommend that you follow these steps:
- DO NOT SHIP ANYTHING TO US UNTIL WE HAVE SPOKEN WITH YOU AND COME UP WITH A GAME PLAN. We will provide you with a tracking code to place on the shipping label, so that none of your hardware is lost.
- Do not remove the drive yourself. Hire an experienced technical professional to perform the extraction for you.
- The disk drives contained in your computer are very sensitive to static.
- Seal your drive inside an anti-static bag and wrap it completely with thick bubble wrap and/or foam. Otherwise, you will risk damaging the contents.
- Avoid static-producing Styrofoam peanuts and/or materials. The less potential for static electricity, the safer your equipment.
Shipping us your equipment may be the best option for you, but it comes with risks. Be sure to take all necessary precautions to avoid evidence loss and/or damage.
When should I call a Digital Forensics expert?
Let me help answer a question with another question... When do most people call the police after a crime? Immediately.
And there are many reasons for this, one of the most important being that it is important to not lose or contaminate any potential evidence. When police get to a crime scene, if they are worth their weight in salt, they will immediately secure the crime scene and start sifting through the evidence.
The same is true for a Computer Forensics expert.
As a Digital Forensics specialist, it is so difficult when we see potential evidence lost. As we mentioned above, sometimes data can be irrevocably lost just by turning on the computer. Did you also know that sometimes data on the hard drive is randomly overwritten by the operating system? There are so many ways to inadvertently destroy or damage data that we strongly advise victims to contact a Computer Forensics specialist as soon as they can after they realize a crime has been committed. The longer a device is used, the more likely it is for data to be compromised.
That being said, even if you think there's a chance that evidence important to your case has been lost or contaminated, you will want to contact a Digital Forensics expert right away because often if information is lost in one place, there is a strong chance the Computer Forensics specialist can find it hidden somewhere that you didn't even know about. Operating Systems will often create duplicate records of files, but they aren't easy to find.
Still, even with multiple records being written, the longer a computer is in use, the more likely the data will be compromised, so your safest bet is to call a Digital Forensics specialist sooner rather than later.
When do we start the eDiscovery process with a Digital Forensics professional?
If you found you have been victimized electronically, by an employee or an unknown hacker, or anyone in between, what you need to do is...
STOP! TURN OFF YOUR COMPUTER AND DO NOT USE IT!! Be sure to secure it tightly so nobody else is able to use it either.
Using a computer that was used in the crime can cause irreversible damage to any precious digital evidence you may have.
Whew! Now that we have that out of the way in BIG BOLD LETTERING, here are the steps to take:
- Just to reiterate, the first thing to do is NOT use your computer.
- If the computer is off, leave it off!
- If the computer is on, don't touch it. Turning it off can harm the evidence!
- Call PTG right away, and we will instruct you on how to proceed in the eDiscovery process.
- Keep the compromised computer/device out of the hands of your staff, including your IT staff. It's unlikely they are certified in Computer Forensics, and they may (either accidentally or purposefully) destroy or damage ESI.
- If you do allow anyone besides a Computer Forensics expert to look at or touch your computer, be sure you keep an extremely detailed log of who/what/when/where/why/how. It is very important and we will need to review the logs after we receive your computer.
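The who/what/when/where/why/how log from the last step can be kept in a form that shows later edits. The sketch below is an added example, not PTG's tooling: the hash-chained record layout, the function names and the sample entries are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime

# The six questions the page asks the log to answer for every contact with the device.
FIELDS = ("who", "what", "when", "where", "why", "how")
GENESIS = "0" * 64  # "previous hash" used for the first entry


def _digest(prev_hash, entry):
    # Canonical JSON so the same entry always hashes to the same value.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def _parse_when(value):
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        raise ValueError("'when' must carry a UTC offset, e.g. +00:00")
    return when


def append_entry(log, **fields):
    """Validate one custody entry and chain it to the previous record."""
    unknown = set(fields) - set(FIELDS)
    missing = [f for f in FIELDS if not str(fields.get(f, "")).strip()]
    if unknown or missing:
        raise ValueError(f"missing={missing} unknown={sorted(unknown)}")
    entry = {f: str(fields[f]).strip() for f in FIELDS}
    _parse_when(entry["when"])
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return log[-1]["hash"]


def verify_log(log):
    """Return the index of the first record that fails a check, or None."""
    prev, last_when = GENESIS, None
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return i  # entry edited, removed or reordered after logging
        when = _parse_when(rec["entry"]["when"])
        if last_when is not None and when < last_when:
            return i  # timestamps must not run backwards
        prev, last_when = rec["hash"], when
    return None


def build_sample_log():
    # Constructed sample entries; names, places and times are invented.
    log = []
    append_entry(log, who="J. Doe (office manager)", what="Found laptop powered on; did not touch it",
                 when="2024-03-04T08:50:00+00:00", where="Accounting office",
                 why="Ransom note on screen", how="Visual check only, no input")
    append_entry(log, who="A. Smith (IT)", what="Moved laptop to locked cabinet",
                 when="2024-03-04T09:20:00+00:00", where="Server room cabinet 2",
                 why="Keep staff away from device", how="Carried by hand, lid left open")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_log(sample))
    sample[1]["entry"]["when"] = "2024-03-04T08:55:00+00:00"  # after-the-fact edit
    print("first bad record:", verify_log(sample))
```

The chain only exposes edits if the most recent hash is also recorded somewhere the log keeper cannot change, for example written on the handover paperwork given to the examiner. Anyone able to rewrite the whole log can otherwise recompute every hash.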
Now, it's possible you did not read this section, and your IT staff decided to take a stab at it... It's not ideal, but not all hope is lost. It may make retrieving relevant data more difficult and expensive, but an experienced Computer Forensics specialist should still be able to help. Give us a call and we can perform a mini-Analysis to see if recovery is possible.
Here at PTG, we understand that being the victim of a crime, electronically or not, isn't easy, and you don't always know what to do. If you aren't sure whether you need a Computer Forensics expert or not, feel free to schedule a free consultation with Craig or call us directly at 919-422-2607.