Data Breach Remediation and Recovery: Privacy Technical Investigators Local and Ready To Serve 24/7
Has your organization had its network breached? Is it possible that “someone” has downloaded credit card information, accessed employee files, extracted social security numbers, or accessed unique digital intellectual property such as drawings, formulations, or other critical data? In some cases, the unauthorized access to a network is designed simply to destroy. Examples include an ex-employee who illegally accesses your network and destroys a client database, or a CFO who, while trying to cover up an accounting fraud, deletes hundreds of records and attempts to destroy backups.
The news is filled with state-sponsored attacks, such as the recent attacks that have come out of Iran. Our investigative experience tells us that equally impactful and more common are attacks from existing and former employees or simply greedy competitors that may have an IT background.
The Incident and Data Breach response team includes experienced digital forensic investigators so that you can properly preserve, collect, and document the incident. At the same time, the team can begin to develop a measured response and recovery plan.
Working with the McCann data breach response team, you will be able to answer the tough questions being asked of you.
- What was the root cause of the attack? Was it internal or external?
- Is the attack still occurring or has it ended?
- What data was exposed or lost? What is compromised?
Once the crisis has been addressed and we have worked with your IT team to address the holes, we can begin to move on to recovery. McCann data breach investigators can help you review your entire IT security software, hardware, policies and procedures. McCann can also schedule regular reviews of systems and lead IT audits and vulnerability testing such as simulated phishing attacks or social engineering. Remember, you can feel comfortable that McCann is going to provide licensed techs who have undergone extensive background checks.
The Data Collection Process
The computer or digital forensics process is a recognized forensic process used in computer forensic, mobile forensic, network forensic and cloud forensic investigations. In essence, it covers everything from the time the original evidence is obtained, through processing, until a finding is reached. The process used to obtain the results needs to be defensible and repeatable so that the scientific method can be demonstrated. Digital media obtained for investigation is typically described as an “exhibit” in legal terminology. McCann digital forensic investigators employ the scientific method to acquire digital evidence to affirm or negate a hypothesis, either for a court of law or in civil proceedings.
What is the problem that the digital forensic examiner faces? Does the case involve multiple laptops, smart phones, drives located on a server, or data stored off site at a remote facility? How will the digital forensic examiner approach the case? Can a clear chain of custody be made on the digital media to be acquired and imaged? Can the steps taken be recorded and recreated in a defensible manner in a court of law?
Acquisition and Imaging
Once the scope of the case is established, the digital media has been secured, and a chain of custody is established, the imaging and acquisition process can begin. This is typically done using a write-blocking device, in a process known in digital forensics as imaging. The typical tools used for the duplication process are EnCase or FTK Imager. The acquired image is verified by the digital forensic technician using the SHA-1 or MD5 hash functions. The digital forensic examiner ensures that the “hashing” can be verified so that the acquired and imaged data can be shown not to have been altered.
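The verification step described above, as an added example (not McCann's tooling and not code from the original page): it streams an image once, computes both MD5 and SHA-1, and compares them with the digests recorded at acquisition. The file name and the random-byte stand-in "image" are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1")  # the two hash functions the text names


def hash_image(path, chunk_size=1 << 20):
    """Stream the image once and return {'md5': hex, 'sha1': hex}."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Compare current digests with those recorded at acquisition.

    Returns (all_match, per-algorithm detail); a digest missing from the
    record counts as a failure rather than being silently skipped.
    """
    current = hash_image(path)
    detail = {}
    for name in ALGORITHMS:
        expected = recorded.get(name, "").strip().lower()
        detail[name] = bool(expected) and hmac.compare_digest(current[name], expected)
    return all(detail.values()), detail


def demo():
    """Constructed sample: a 3 MiB stand-in image, verified, then altered by one bit."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "exhibit01.img")   # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * 1024 * 1024))
        recorded = hash_image(image)                 # digests noted at acquisition
        ok_before, _ = verify_image(image, recorded)
        with open(image, "r+b") as fh:               # simulate a one-bit alteration
            fh.seek(1_500_000)
            byte = fh.read(1)
            fh.seek(1_500_000)
            fh.write(bytes([byte[0] ^ 0x01]))
        ok_after, detail = verify_image(image, recorded)
        return ok_before, ok_after, detail


if __name__ == "__main__":
    print(demo())
```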
Once the proper image has been acquired, the digital forensic technician can begin the process of reviewing the acquired data and attempting to create reviewable files. This is done so that the client can see what types of files have been recovered, in general, and what information existed on the digital media. Data may be recovered from accessible disk space, deleted or unallocated space or from within operating system cache files. The ability to segment the reviewable data into understandable file types is a hallmark of McCann digital forensics materials. The review of emails, documents, web history, recovered web mail, images, etc., can be designed with the reviewer in mind. In some cases the client wants only the recovered emails that someone attempted to delete. In other cases they simply want to see all photos recovered from the laptop hard drive.
During analysis a digital forensic investigator attempts to recover evidence via various tools and methods; this typically begins with the recovery of deleted digital material. Digital forensics examiners use a variety of tools that include industry standards such as EnCase and FTK. The type of digital data recovered can include such items as email, chat, Word documents, Excel sheets, internet history or other types of digital documents. The digital forensic examiner will typically try to recover the digital data from accessible disk space, deleted (unallocated) space or from within operating system cache files.
Reporting and Expert Testimony
When a digital forensic investigation is completed the data is often reported in a form designed to be digestible by the lay reader. The details of the case, the methods used, the analysis and the final facts are detailed in an understandable format.
The digital forensic examiner will then be prepared to testify in court or in some other type of judicial proceeding. Typical questions asked during these proceedings relate to chain of custody, method of acquisition of the data, the analysis process and a defense of the conclusions. McCann digital investigators are licensed and prepared to answer the questions.
Database forensics is digital forensic work performed on a specific database. Database forensics cases may relate to financial programs such as QuickBooks, SAP, Sage, and scores of others. Database forensics may also relate to the use of such programs as ACT or other CRM-related products. Oftentimes, the digital forensic investigator is asked to see if material has been downloaded, removed or deleted. This type of investigation is common in non-compete enforcement cases, IP theft, data breach cases, or intentional sabotage.