In American series they call the CSI, in the UK they call in the socos (scene of crime officers). Whatever you call them, crime series just wouldn’t be the same without forensics teams. In IT, they are some of the most-in-demand specialists both in investigative authorities and enterprises. Because for one, the economy is hugely threatened by cybercrime, on the other hand, nowadays, in almost every crime the smartphone is useful for forensics and evidence collection. There are also numerous cases in which companies suffer losses because workers are reckless or negligent with company data.
So it doesn’t need to be a case of criminal activity for Christoph Boser or Steffen Steitz to be called in. In Bechtle’s growing IT forensics team, they are the most experienced, working in all investigation environments and as expert witnesses in court. Unfortunately, both of them estimate that nine out of every ten companies are not in a position to follow up on the causes and origins of data loss or other digital damage. What is needed is a strictly methodical approach, even if only to make investigative measures unassailable for court proceedings. Secure, analyse, present—S-A-P—is the process required. The first step is creating a forensic duplicate of relevant data that can be proven to agree with the original. What are known as “write blockers” therefore prevent manipulation during data transfer. This process, like many other steps, is photographed and logged. Comprehensive documentation is important to ensure that the chain of evidence is not broken if the results ever need to be presented in court for example Prosecutors, judges, and attorneys need a traceable and watertight facts—not every judge is lucky enough to be an IT expert. Forensics analyses can also take hours, days, or even weeks, depending on the complexity of the investigation—and meanwhile, Article 33 of the GDPR requires data protection incidents to be reported within 72 hours. A comprehensive arsenal of forensic software makes it possible to reconstruct the course of events—and, in many cases, restore data believed to have been lost. The exact equipment needed is, not least, a question of experience and expert knowledge.
But some of the investigation does take place as on TV. If an employee is suspected or even if it’s just their computer that’s affected, the crime scene is first sealed off, their office closed, or even the workplace shut down. It’s important in many cases that the computer is kept running, because key traces of malware are often irreversibly lost upon shutdown.
There still isn't an emergency number for digital crises but even so, all data security incidents have to be reported to the authorities in Germany within 72 hours. Failure to do so will incur hefty penalties.
If data media is still physically intact, Bechtle’s IT forensics team are able to recover data thought lost in some 90% of cases.
The hunt for clues might need to be expanded to other components of the IT infrastructure. Particularly sophisticated attack tools such as the latest generation of Emotet can extensively infect the network—largely under the radar—and penetrate deep into many applications, especially when Emotet downloads more modular malware as a “Dropper”. E-mails and address books can be tracked in this way and subsequent attacks used or phished files sold on. This type of attack can also create large ripples and requires a forensic end-to-end analysis. For this integrated overall view, there are suitable software tools such as X-Ways or Nuix—when competing against attackers, the key is to always be more powerful than they are. Standardisation and automation are being intensively developed, including with artificial intelligence. In comparison to the classic SIEM (Security Information and Event Management) systems, self-learning solutions analyse network traffic and even detect previously unknown attack methods and sound the alarm proactively. Creative cybercriminals continue to find possible attack points—and ever more accomplices. The digital crime sphere has always been highly lucrative, and is an important hub for organised crime.
IT forensics can shine a light on this and also bring the perpetrators to justice. Previously, many companies invested only in preventative measures. As a special field, forensics has to complement a sustainable prevention, detection, response security concept. But there’s a lot more to it than that—the development of resilience, a sensitivity for social engineering such as descriptions on splash pages and an overall far deeper occupation with IT security.
Christoph Boser is a senior consultant at Bechtle Offenburg and certified in triplicate: as a data protection officer, an IT expert in forensics, and an IT data protection auditor. Steffen Steitz is an IT Solutions Architect at Bechtle Chemnitz and, like his colleague, advises and supports companies and public bodies on IT security in general, but especially in forensics. Moreover, he is also responsible for crisis management for affected companies. Both are part of the rapidly growing Bechtle Cybercrime & Defence Competence Centre.
Forensic intelligence often goes hand in hand with a sharp shock for affected organisations. It often shows them how badly protected and prepared they really are. Christoph Boser or Steffen Steitz stepping in is often a wakeup call. It's at this point at the latest that the company starts thinking about a security concept. Having and also consequently implementing one is a requirement when taking out cybercrime insurance to cover losses that could still arise despite all protective measures. Because there is no such thing as one hundred per cent security. You can only protect yourself as best you can. IT forensic teams could write a book on the subject.