In today’s ever-expanding world of big data, organizations are not only taking on considerably more responsibility for protecting information assets, but are also facing the likelihood of a continued rise in potential data incidents.
According to Dov Yoran, CEO at New York City-based cyber security company ThreatGRID, security threats have evolved so extensively in recent years that it is inevitable that incidents will occur even at mid-sized businesses. “It’s imperative to have a solid incident response process, which should include data forensics capabilities and recovery methods after the breach,” Yoran says. “Additionally, it is always paramount to have a disaster recovery plan, which normally includes recovery processes, procedures and solutions.”
All tools are not created equal
Fortunately, an array of forensic and recovery tools exists, including data integrity tools provided with the operating system, automated data recovery tools, and specialized forensic data recovery tools. The most advanced tools allow experts to recover significantly corrupted data or structural damage, partially deleted files, and forensically reassemble short fragments of files into their original form. The tools even allow an expert to document the chain of events that led to the data destruction. This all depends on the expert using the tool having an intimate knowledge of how media data structures operate, and good working knowledge of the tool itself.
However, as Yoran explains, not all data recovery tools are created equal. “Some tools are strictly for data recovery, while others have other incident response practical features such as case management,” he says. “The requirements for recovering your data set should be carefully considered. It is often essential to budget for not just data recovery tools but data extraction and analysis tools. These tools can aid the investigator in determining the root cause of breaches. Technologies such as sandboxing [a security tool for separating running programs] and other malware analysis tools, which can reveal compromises, should be considered as crucial as the physical disk recovery.”
Some tools also fail to function in a forensically sound manner, which is necessary for producing defensible electronically stored information (ESI) in legal matters or regulatory investigations, explains Jeff Fehrman, vice president of forensics and consulting for global IT service provider, Integreon. “Defensible collection demonstrates that the appropriate procedures and chain of custody are maintained throughout the process, in order for the ESI to be admissible in court,” he says. “Even the best forensic tools in the hands of untrained users can still present some serious issues for the defensibility.”
Fehrman recommends looking for tools with a track record of successful use in legal and compliance matters and that have respected certification training for users. “There are also expert consultants in the field that have entire toolkits of software available for their use, and the experience to know which ones are best suited for specific types of storage media or environments,” he says. “Some services also allow IT personnel to essentially perform the work under an expert’s remote guidance as a cost-effective approach to ensuring defensibility without the risk of data spoliation.”
There are also legal concerns of key consideration as organizations embark on a data forensics project, explains Peter Laberee of Laberee Law Pc. “When confidential information is kept on the cloud, it is crucial to know, where are the servers? This matters because the laws of the locality where the servers are located may control your right to access the data, even to recover lost information,” he says. Laberee notes that people ask where their data is partly because of the inherent diffuseness of the cloud, plus the fact that legal and marketplace remedies vary from country to country. “Despite the global feel of the cloud, some countries’ laws will be involved when it’s time to sue to get back data or to demonstrate compliance with privacy rules.”
The obligation to provide secure data goes beyond just good business. “enterprises have express legal duties relating to data security financial information and protected health information under HIPaa [the Health Insurance Portability and accountability act of 1996], for example. and, we hear much about Sarbanes-Oxley [the Sarbanes-Oxley Act of 2002, or SoX] in the corporate finance world,” Laberee says. “Under Section 404 [of SoX], reporting companies are required to assess their internal process and controls, and data security and recovery are part of this. Privacy laws are also implicated in data security concerns including Gramm-Leach-Bliley [The Financial Services Modernization Act of 1999, or GlB], the Fair and Accurate Credit Transactions Act [facta], and EU [European Union] rules.”
If the primary goal is to use the results in court, Yoran stresses the significance of forensically sound data recovery software, including sandboxing solutions. “Understanding the fundamentals of the attack and how it affected one’s system is at the core of every investigation,” he says. “Having the right tools on hand to do a deep analysis can not only aid in this effort, but it’s also a requirement when considering the myriad of potential attacks and large volumes of data each organization owns. clearly these tools are most effective when used by a skilled resource on the project, so in the end a successful investigation is really the marriage between people and technology.”
Seeking professional help
In some instances, it makes more sense for organizations to turn to specialized partners capable of providing an array of professional services including litigation consulting, compliance and risk management, e-discovery, forensic data collection as well as forensic examination and recovery exist to assist with ESI.
One reason to do so is that for digital evidence to be valid—and defensible in court—it must be preserved in either its original form or a forensically defensible representation thereof, explains Gerard Boisclair, senior manager at Providence, RI (u.S.)-based forensic risk alliance. “In accordance with the National Institute of Justice, examination is best conducted on a copy of the original evidence,” he says. “Proper forensic collection involves highly trained and certified professionals using specialized tools such as hardware and software write blockers and forensic imaging tools. They also provide documentation to prove data integrity and security via chain of custody, media acquisition and access control, and a series of detailed collection logs.”
According to Fehrman, data forensic and recovery services often vary based on the type of media or environment involved, including hard drives, backup tapes, uSB pen drives, network file shares, e-mail servers, mobile phones, Web sites, social media networks, and cloud-based environments.“Related services include recovery of password protected, encrypted, corrupted, or deleted information,” he says. “Expert analysis or witness services are also available to ensure the defensibility of the methods used, should they ever be challenged during legal proceedings. This is why training and certification through reputable providers is so important, and when there is doubt, there is always the option to utilize forensic experts that can provide strategic advice and provide recommended best practices and methods.”
Regardless of the preferred route, it’s crucial to select a reputable company that practices and promotes industry standards, explains Boisclair. “Whether recovering data at a logical or physical level, it is likely that the data may be private, sensitive or confidential and may even be subject to jurisdictional requirements governing data protection,” he says. “Using a reputable tool or provider may prevent the media from further, irreparable damage, and may also prevent the data from being exposed to identity theft, unauthorized download or use of confidential files as well as improper storage or disposal of media.”
Is the Data Gone?
Is the data really gone? In most instances, the answer is a resounding no. When a user drags and drops a file or directory into the recycle bin, or right-clicks and selects “Move to Trash” or “Delete,” that data is usually recoverable, explains Forensic Risk Alliance’s Boisclair. “Even if the user empties the trash, it may still be possible to access and view that deleted data.
However, data can be securely deleted without having to physically destroy the device or media so as to render it unusable,” he says. “There are a number of software-based solutions that feature the ability to sanitize or wipe media by erasing the data based on recognized government and industry standards.”
Many data-wiping software applications developed in the U.S. adhere to the standard outlined in Department of Defense (DoD) 5220.22-M. At a high level, secure erasure involves overwriting the location on the disk where the data resided a number of times by filling the media with zeros, random bytes, or a known overwrite pattern. It is then possible to verify that the data has been permanently erased by viewing the data location on the media in an application that enables the user to access and view the ones and zeros on the physical disk—ensuring that the overwrite pattern exists and the original data does not. A primary factor in meeting industry standards is the number of times the data is overwritten.
It’s important to note when using data wiping tools, care must also be taken that any such actions are performed in accordance with a company’s documented data retention/destruction policies and schedule, explains Integreon’s Fehrman. “Failure to do so could pose issues during litigation, even if performed prior to a lawsuit being filed. Enforcing data destruction policies is particularly important if a legal hold has been put in place at the start of an investigation or lawsuit,” he says. “The deliberate destruction of potential evidence can lead to serious legal sanctions.”