If you’re a fan of police procedurals and murder mysteries, or you watched the short-lived television series CSI: Cyber, you might imagine that every cybercriminal incident or data breach results in an intense, suspense-filled detective investigation. In reality, this usually isn’t the case.
Although digital forensics can in fact be exciting, the FBI and law enforcement are involved in only a tiny fraction of cyber incidents. And while having access to forensic capabilities is part of a full-scale incident response program, most small and midsized organizations will rarely, if ever, need them.
What is Digital Forensics?
Also sometimes called computer forensics, the field of digital forensics involves the identification, preservation, and documentation of evidence from digital devices in ways that make it usable within a court of law. Considered a branch of forensic science, digital forensics encompasses tools and techniques developed specifically to handle digital evidence for legal purposes.
Digital forensics is a highly specialized discipline. Most cyber forensics examiners today follow highly detailed process models during investigations. Depending on the nature and scale of the criminal charges involved, digital assets — such as computers, laptops and mobile devices — are often seized and kept in the same state they were in at the start of the investigation.
When Might My Company Need to Collect Digital Evidence or Undertake a Digital Forensic Investigation?
Returning to our definition of digital forensics, it’s critical to keep in mind that the entire field exists solely to provide evidence for use in legal proceedings. In general, if you’re not planning to prosecute the cybercriminal that attacked your organization, you don’t need digital forensics.
Deciding whether or not to pursue legal recourse when you’re the victim of a breach or major cyberattack can be tricky. You’ll need to balance the risks and drawbacks against your priorities and the probability that your case can be brought successfully. If you’re truly uncertain, it’s often possible to take forensically sound images of the machines in question and save them, just in case you do decide you need the evidence at some later point.
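What "forensically sound" means in practice is that the copy is bit-for-bit, the original is shown not to have changed during acquisition, and every hash and timestamp is recorded so the image can be proven unaltered later. The Python script below is an added illustration written for this page, not BTB Security's code or tooling; the function names (acquire_image, verify_image), the manifest layout, and the constructed "fake disk" file are all assumptions. A real acquisition would point `source` at a raw block device behind a hardware write blocker and use a purpose-built imaging tool, but the hashing and custody steps are the same.

```python
"""Forensically sound disk acquisition with chain-of-custody manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB blocks so large images do not exhaust memory


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, case_id):
    """Copy `source` byte-for-byte into `image_path`, hashing before and after.

    Assumption: `source` is any readable file here; in a real case it is a raw
    block device (e.g. a seized drive) mounted read-only or behind a write blocker.
    Returns the manifest dict that is also written next to the image.
    """
    pre_hash = sha256_of(source)                     # state of the evidence before we touch it
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    image_hash = sha256_of(image_path)               # hash of what we actually captured
    post_hash = sha256_of(source)                    # proves the source did not change during imaging
    os.chmod(image_path, 0o444)                      # the image is read-only from this point on
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "sha256_source_before": pre_hash,
        "sha256_source_after": post_hash,
        "sha256_image": image_hash,
        # all three must agree for the image to count as a faithful copy
        "verified": pre_hash == post_hash == image_hash,
    }
    with open(image_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path):
    """Re-hash a stored image against its manifest; False means the evidence was altered."""
    with open(image_path + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_of(image_path) == manifest["sha256_image"]


def demo():
    """Constructed scenario: a random file stands in for a seized drive.

    Returns (acquisition verified, image intact afterwards, image still intact after tampering).
    """
    workdir = tempfile.mkdtemp()
    disk = os.path.join(workdir, "fake_disk.bin")
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))      # constructed contents, not real evidence
    image = os.path.join(workdir, "evidence.dd")
    manifest = acquire_image(disk, image,
                             examiner="EXAMINER-PLACEHOLDER",
                             case_id="CASE-ID-PLACEHOLDER")
    intact = verify_image(image)
    # Simulate someone modifying the stored image: flip one byte so the hash must change.
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    still_intact = verify_image(image)
    shutil.rmtree(workdir)
    return manifest["verified"], intact, still_intact


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The manifest is what travels with the image: anyone who later receives the evidence can re-run verify_image and show the court that the copy matches what the examiner hashed on acquisition day, which is the whole reason to take the image early even if you have not yet decided to prosecute.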
If you are losing revenue every second or minute that your systems are down and a forensic investigation will increase your downtime — or require you to replace expensive hardware devices that you otherwise could keep — conducting one may not be worthwhile.
Keep in mind, too, that the vast majority of cybercrime goes unpunished. In 2020, for instance, a record number of internet crime complaints were made to the FBI: 791,790. The total financial losses involved were approximately $4.2 billion. Annually, however, the FBI usually prepares fewer than 2,000 criminal cases, which typically result in only a handful of convictions.
Because the vast majority of ransomware operators and sophisticated cybercriminal groups are overseas, it’s usually extremely hard — if not impossible — to find the perpetrators, and even if you’re able to do so, legal action taken across international borders is almost never successful.
Here at BTB Security, we talk far more of our clients out of doing digital forensics than we talk them into it.
With that said, there are certain circumstances when collecting digital evidence and conducting a thorough forensic investigation is a good idea. These include cases of intellectual property theft, suspicious or potentially illicit employee activity, or an insider threat. If the perpetrator is known to you, perhaps because they’re a former employee or a business partner or vendor, gathering as much evidence as possible to strengthen your case against this individual in court can be a good idea.
Naturally, if you’re involved in an FBI investigation that’s trying to catch a nation-state-level threat actor stealing intellectual property or business intelligence, you’ll need to conduct forensics. Popular Hollywood storylines aside, these kinds of cybercriminal activity are mercifully rare.
In some cases, your cybersecurity insurer may require you to have digital forensics capabilities on hand, either by having a service provider with these capabilities on retainer or by developing them internally. Often, however, the insurer will have selected its own digital forensic services vendor for clients to work with.
What Capabilities Do I Need to Have to Ensure that I Can Conduct Digital Forensic Investigations If I Need To?
Though digital forensic investigations are rarely needed, the domain of digital forensics has significant overlap with incident response (IR). In case of a breach, being able to identify what happened, figure out how it happened, and quickly recover any compromised data or systems is absolutely essential. Gathering facts, making sense of them, and determining whether or not there’s evidence of criminal activity are essential parts of the incident response process.
If you haven’t built out the right logging capabilities in your environment, you’ll neither be able to respond to incidents rapidly and effectively nor conduct accurate digital forensic investigations. Collecting enough log data to give you visibility into what’s taking place inside your systems is something that needs to be set up beforehand so that you’re ready for whatever might occur.
High-quality managed detection and response (MDR) services will ensure that you have the right logging and monitoring capabilities in place — which lessens the chance that you’ll ever need them. If you’re interested in learning more about how MDR can help, check out Rapid Advanced Detection and Response (RADAR), our industry-leading service offering.