A forensic approach to data

Despite increasing challenges facing forensics investigation, VMForensics has been growing steadily and is focused on continued development, writes Quinton O’Reilly

In the three years that VMForensics has been in business, the challenges facing forensics investigation have increased, but its founder is still as focused as ever.

“We don’t want to be a jack of all trades, we want to be an expert in what we do and we want to stay the best in what we do.”

When it comes down to the direction VMForensics is heading in, its founder Dr Vivienne Mee is keeping things concise. Founded in 2014, the company has grown steadily and over the last 12 months it has branched out to include risk assessment and security audits in its portfolio of forensics, data recovery and electronic discovery services.

Forensics is still the core of the business, yet with the developments in the security industry and GDPR coming into effect in May, the focus is on expanding deliberately, not introducing something because that is what the trends are pointing towards. Supporting data breach investigations for GDPR is becoming a huge area for IT, in addition to helping organisations become investigation ready.

“Cyber is the new buzzword and with all the new legislation coming in with GDPR, a lot of organisations are being formed offering services to coincide with the new regulation,” said Dr Mee.

“I don’t want VMForensics to be focusing on services that are seasonal or topical. We’ve always provided investigation services, even for the current data protection laws, therefore we are ensuring that we are continuing to improve the current services in line with any new changes in law, and to focus on quality services to our clients.”

For the larger companies out there, this has been on their radar for quite a while, but for SMEs that may be solely focused on developing a business, security is likely an afterthought, as they don’t have the resources.

The problem is that GDPR, while not introducing any major changes in the security field, will affect any business that deals with personal data, and the countdown, as well as much of the talk around fines and the consequences of not following through, is leading to much fear and confusion.

“I’ve some clients coming to me asking: ‘Why do we have to put this in? Is there a cooling-off period so we can get it in place?’ and I say ‘No, it should be in place now’,” said Dr Mee. “It’s just making people become more aware. There’s a lot of scaremongering now, a lot of providers are saying ‘If you’re not ready, you’re going to get fined some of your turnover and if you don’t have a strategy, you’re going to get fined.’ Because of the unknown of what’s going to happen in May with breaches, they don’t know if they’re going to get fined or not and people are starting to worry.

“Organisations can only be as ready as they can be with policies and procedures in place that they can rely upon for the managing and storing of personal data, along with incident response and investigatory steps in the event of a breach.”

Challenges in the cloud

While cyber has become one buzzword that has been overused, the same can be said about the cloud. Over the last few years, practically every collaboration, storage and productivity product aimed at businesses mentions it as a major feature. While the term has been overused, the use of cloud services has brought a number of challenges in the forensics space, some of which can end up halting an investigation.

Dr Mee mentions that more of her clients are moving towards scalable cloud-type offerings such as Office365 instead of having servers located in their office. While this brings added convenience for workers, it also adds complications.

Dr Vivienne Mee, founder of VMForensics

“I’m seeing a lot of investigations where you might seize the desktop or laptop and the information may not actually be on the device any more,” she said. “[When] we’re looking for the root of an attack, we need to work closely with the admin teams to get onto the cloud environments to make sure we get any supporting logs that may exist to piece together the investigation or incident. It’s proving a bit difficult in that we’re seeing a lot of organisations have their cloud environment implemented and it’s working well for day-to-day tasks. But when an investigation comes around and they need to delve deeper into the system, they realise that they have nothing to investigate.

“In some cases, some organisations didn’t implement any logging or enable full auditing on the system and therefore it is not possible to determine what happened. So if no controls are put in place, it’s often not possible to obtain an outcome of an investigation.”

The other issue with the cloud is that it adds another party to the mix: the service provider. Gaining access to physical machines in an office environment is one thing, but doing the same with a major cloud company like Amazon, Microsoft or Google can end up being an insurmountable challenge.

“It means you will probably never get to a physical box and the chances of you getting to a physical box in a cloud environment are very slim,” said Dr Mee. “[We primarily deal with] corporate investigations but for criminal investigations, it’s causing major havoc because for them, as you have to have a chain of evidence there, you have to have the original, you have to be able to stand over it, [and for it, cloud] is causing major issues.

“We can see the problems already when it comes to investigations . . . [back then] we were given a hard drive and access to servers and off we went. Now we’re asking ‘Can we get logs from the IT or service provider and can you give us access to log in here?’ We rely on them to provide us with information as well for us to piece it together which gives [away some of] the control or certainty of a forensics report . . . we’re not as much in control as we used to be.”

To add to the issue, there aren’t any major guidelines for cloud forensics, meaning companies like VMForensics have to interpret each situation to the best of their ability.

To help deal with this, one of Dr Mee’s team is pursuing a masters in the area to help improve the team’s knowledge, but for the most part, cloud forensics is an area that’s open to interpretation.

“It’s an area that hasn’t been developed for forensics as such. We have all the ACPO (Association of Chief Police Officers) guidelines, which are the guidelines sent out from all law enforcement . . . but there haven’t been any guidelines for cloud forensics or if there really is any best practice,” she said.

“We try and keep all our evidential and forensic best practices principles in place, but there’s nothing really in place for the cloud,” she said.

“We’re dealing with all of these providers and it is really difficult for our industry so this is why I have encouraged one of our team to embark on this area of research on cloud environments and forensics in the different jurisdictions as well. What we would love to see come from it is the next best practice principles for cloud forensics, but we’ll see how we get on.”

Keeping it impersonal

When you look away from the issues of the cloud, the obstacles that forensics investigators have to deal with become a little more familiar. Someone trying to cover their tracks through the use of anti-forensics software is one concern, and the cloud continues to complicate things.

“If we’re doing an investigation where it involves a virtual machine up on Amazon or Azure and they’ve decided to delete that entire thing, the chances of getting that back are very slim,” said Dr Mee.

“It’s even hampering investigations now, but looking at it legally, we have to be able to stand over it. We know that whatever the issue, we have to be able to go into court, stand over it, get cross-examined and know they’re going to ask this: have they done it, have they not, is it possible that it could be malware, is it possible that it could be someone else, that the person didn’t actually do it at all. We always go in with the mindset that the person is innocent until proven guilty and you have to keep that impartiality until you get enough evidence against an individual.”

To ensure that the investigation is as fair and as thorough as possible, hearsay and gossip are avoided. Part of the reason a company would bring in the likes of VMForensics is that they have no connection to the matter. It’s harder to do an investigation if you know the parties involved, be it personally, professionally or both. Organisations often have the capability in-house to perform the investigation, but they would usually prefer a third party to perform it, as that party is impartial to those involved.

“If we do go meet clients, we have our opening meeting, they give us background information, we do not take on board the hearsay information, we only take the facts,” said Dr Mee. “If there is a person of grievance, while we do take on board what the grievance is, at the end of the day we are only interested in the facts of the investigation presented to us . . . then we can find out the rest from our analysis to determine the complete picture. We have to remain impartial.”

So what about those companies that want to make sure they have all their bases covered on the off-chance that a forensic investigation is needed?

Dr Mee recommends that before implementing anything, they should think of it as if they were going to investigate something that has already happened.

“If their data is all in the cloud, how can they get access to it, who has access to it, what logging in is enabled in the background, can they switch logging on or can they not and what exactly is in the logs,” she said.

“They’re the key principles, to make sure that logging, auditing and access are there to aid any investigation. Another thing with a third-party provider or cloud provider is whether they will actually give you access. Sometimes it’s written in the contract in small writing that they won’t, we did come across a few of these in the past, so it’s reading the fine print in the contract to make sure they will let you have access to it and let you do a security audit yourself.”

While the logs and audit reports are important, having a plan of action is crucial too. Dealing with cloud and similar environments isn’t the easiest thing to get to grips with, but thinking about the processes needed and breaking them down into more manageable chunks can help.

“[If an organisation has] a breach, they have to tell the Data Protection Commissioner (DPC), but the DPC will expect a report from them telling them what happened,” she said.

“We are already doing this with companies where we are performing a full investigation and producing a full forensics report, detailing what led to a data loss and why it happened. This forensic report can then be used for submission to the DPC. Organisations should have an incident response plan ready even if they are going to the cloud. This should include simple steps like what do they do, who do they ring, will the service provider provide a contact number they can ring, do they have the steps written in a policy and a plan in place.

“These are really important aspects of cloud investigations. It’s not just about your logs and auditing, it’s also about how to interpret them and get them into the report to detail findings of the breach, they’re the key things.”

VMForensics will be training organisations and helping them prepare for an investigation or breach in relation to GDPR. From there, it’s a matter of growing the main areas the company focuses on: forensic investigations, security, auditing and risk assessment. The latter is becoming a particularly busy area for it.

“As part of the risk assessment services, we provide ISO 27001-type work getting organisations ready for ISO 27001,” said Dr Mee.

“We help perform the gap analysis, we get them ready for certification, we also help them with the internal audit piece of it as well . . . that’s a pretty busy area as well as it ties in with GDPR as well. What we find with most organisations is if they have a strong ISO 27001 framework in place, they tick most if not all the boxes with GDPR. That’s where we see a lot of our work in the next 12 months going and that’s where we’re going to stay focused on over another couple of years.

“Rest assured, no matter how little organisations are prepared or lacking in procedure, there is still time to get something in place in advance of the May deadline. Putting solutions in place now will save money, anxiety and possible fines in the short, medium and long term.”