The modern corporate landscape is a digital one; business floats on a sea of electronic information that allows for rapid communication and the storage of information on a scale that was incomprehensible just a few years ago. The data is often critical to the creator, user, or recipient, but sometimes events take a turn and data is stolen, misused, or improperly accessed. Legal action may become likely or necessary, or that data may become relevant in a related employee investigation. In these cases, data identification, collection, and preservation then become the highest priority.
Legal entanglements are rarely planned, but modern organizations can encounter them in any number of ways, including:
- Data breaches
- Pending litigation
- Intellectual property theft
- Employee misconduct
- Embezzlement/fraudulent activity
These scenarios will rely heavily (and sometimes, exclusively) on electronic evidence, properly analyzed by a digital forensic investigator. But the analysis of the evidence presupposes that there is relevant evidence to collect for examination; steps taken early on to preserve this data can make all the difference in later forensic efforts.
Modern computers can retain a wide variety of evidence, both direct and circumstantial, even if it has been “deleted”. The flip side is that the same data can be overwritten or scrambled, so timely and proper collection is very important.
When faced with a situation that may require forensic analysis, there are some important points to remember to ensure that the most relevant data is preserved for later analysis:
- Everything that is saved to a drive is potentially overwriting critical evidence. Deleted files are not always truly deleted and can often be recovered, but only as long as the space they occupied has not been reused.
- If it’s off, leave it off. Leaving it off preserves the data on disk for collection and retention.
- If it’s on, remove it from the network and leave it on. Information stored in active memory (RAM) can be recovered and retained, but it is lost the moment the power goes off.
- Mobile devices have different rules. If a mobile device is involved, engage a digital forensics professional as soon as possible to collect and retain the information.
- Don’t forget the cloud. Cloud solutions complicate data collection, but they often hold massive amounts of data that can be used in support of the investigation.
- Never work on the original evidence. Always take a forensically sound copy and do the analysis on the copy; the original data must be retained, unaltered, for the duration of the investigation.
- Documentation is critical. Document and maintain the “chain of custody” to avoid challenges to the integrity of the collected information.
- When in doubt, contact a forensic professional. Every situation is different; having a trained professional provide advice, respond to the scene, or walk you through the early steps can mean the difference between success and failure.
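The two points about working on a copy and keeping a chain of custody can be illustrated at the file level. The following is an added example, not code from RubinBrown: it copies a constructed evidence file without touching the original, proves the copy matches by hashing both, records the handoff in a chain-of-custody log, and later detects that the copy was altered. Real acquisitions use a write blocker and an imaging tool, but the verification and logging steps are the same.

```python
"""Verified evidence copy with a chain-of-custody log (illustrative example)."""
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so large images do not fill memory

def sha256_file(path):
    """Hash a file by streaming it; the file is only ever opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()

def make_verified_copy(original, copy_path, custodian, log_path):
    """Copy the evidence, prove the copy matches, and log the handoff.
    If the hashes differ the copy is discarded and an error raised."""
    shutil.copyfile(original, copy_path)
    src_hash, dst_hash = sha256_file(original), sha256_file(copy_path)
    if src_hash != dst_hash:
        os.remove(copy_path)
        raise RuntimeError("copy does not match original; acquisition failed")
    entry = {"timestamp_utc": datetime.now(timezone.utc).isoformat(),
             "custodian": custodian, "action": "acquired working copy",
             "original": original, "copy": copy_path, "sha256": src_hash}
    with open(log_path, "a") as log:          # append-only custody record
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_against_log(path, log_path):
    """Re-hash a file and compare with the hash recorded at acquisition."""
    with open(log_path) as log:
        entries = [json.loads(line) for line in log]
    recorded = {e[k]: e["sha256"] for e in entries for k in ("original", "copy")}
    return path in recorded and sha256_file(path) == recorded[path]

def demo():
    """Constructed walk-through on a temporary file standing in for evidence."""
    work = tempfile.mkdtemp()
    original, copy_path = os.path.join(work, "evidence.bin"), os.path.join(work, "copy.bin")
    log_path = os.path.join(work, "chain_of_custody.jsonl")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    entry = make_verified_copy(original, copy_path, "A. Examiner (hypothetical)", log_path)
    copy_ok_before = verify_against_log(copy_path, log_path)
    with open(copy_path, "r+b") as f:          # simulate a careless edit of the copy
        f.write(b"X")
    return {"sha256": entry["sha256"], "copy_ok_before": copy_ok_before,
            "copy_ok_after": verify_against_log(copy_path, log_path),
            "original_intact": verify_against_log(original, log_path)}
```

Running `demo()` shows the copy verifying cleanly at acquisition, failing verification after the edit, and the original still matching its logged hash.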
As always, if you need information or assistance with forensics or a digital investigation, please feel free to contact the RubinBrown Cyber Security team at any time.