As a special feature of our blog – special guest postings by experts, clients, and other professionals – please enjoy the second part of a three-part blog series by digital forensics expert Jim Vaughn, a Managing Director of Intelligent Discovery Solutions.

By Jim Vaughn

This post is designed to build on Part 1 of this three-part series on digital forensics. Part 1 addressed the subject of BYODs ("Bring Your Own Devices") in the workplace.

Staying on the subject of BYODs, what are the company policies and rules for these hybrid devices? Does your company have well-written policies, such as whether the employer can remotely “wipe” the entire device (business and personal data) if the device is lost, or if the employee and the company part ways? Have you considered how to deal with that issue before it happens?

IT departments originally focused on managing infrastructure (tier 1 support), but this causes new challenges as employees use a greater variety of devices to access data both in the employer’s network (or cloud) and from their own personal sources.

From a digital forensic perspective, this may have implications that counsel should address. If a company does not ban BYOD outright, they should try to manage the risk of security breaches, prepare for the worst, and manage employee expectations.

In addition to implementing and reinforcing a culture of security, and reserving the ability to "wipe" devices if they are lost or stolen, companies should also consider ongoing training, annual acknowledgements, and otherwise set and manage employee expectations about the privacy they will have to surrender in exchange for the convenience of using their personal devices for work.

Privacy? Aren’t employees already mixing personal and business information? Yes, they are. But in a non-BYOD environment, this is typically an employee putting personal information on a portable work device. This does not trouble privacy experts and judges as much as an employee putting work information on a portable personal device.

Should the need to examine portable devices arise, what are some of the artifacts one could look for to ensure confidential company data has not been taken, or no longer resides on a departed employee’s device? In my Part 1 post I mentioned backup jobs created by portable computing devices, such as BlackBerrys, iPhones/iPads or Android devices.

Let’s assume you have reason to inspect a portable computing device (e.g. your forensic examiner found applicable backup jobs on the departed employee’s work computer). 

Examples of artifacts to look for may include: attachments that have been broken apart from an email and saved to the device, installed software that allows a direct connection to a company computer that may bypass a particular security protocol, names of file attachments that may exist within personal email accounts on the device, pictures that may have been taken of a trade secret document in lieu of the actual file being taken, Internet history and/or text messages, just to name a few. The data on the actual device may differ from the last backup, especially if the device is used more frequently and more recently than the last backup.

Similar to an official BYOD policy – what about the usage of personal or home computers for work? It is not uncommon for employers to allow employees to utilize home computers for work, whether they realize they are allowing it or not. Some of the ways this occurs are by enabling web access to company email; by allowing a personal computer to connect to a company network through a virtual private network connection (aka VPN connection); by allowing access to personal email accounts while at work; by allowing access to personal cloud storage areas while at work; or by allowing uncontrolled portable devices to be used on work computers with no controls in place.

Many of these access rights can be monitored, limited or excluded, according to your needs and situation. For example, USB ports can be configured as read-only, essentially preventing the exportation of data.

What if the user is actually someone who is granted certain administrative rights within the company because it is part of their job responsibility, but they have then allegedly abused those rights post-employment or prior to departure?   

In a recent case, an employee is actually accused of setting up Dropbox™ on the company server before leaving the company and having the software automatically back up (export) the company data on a near-real-time basis.

In my experience as a forensic expert (I am not an attorney), there has always been a delicate balance of interest by courts regarding the importance of preserving potentially relevant data from home computers while maintaining individual privacy concerns. This is sometimes referred to as proportionality, and sometimes as the balance between relevancy and prejudice.

In United Factory Furniture Corp. v. Alterwitz, 2012 U.S. Dist. LEXIS 48795 (D. Nev. Apr. 6, 2012), the court approved of a mirror imaging protocol of the defendants’ computers. The case generally involved an employee’s alleged misuse of company information and improper access to a server. The court concluded that the appointment of a third-party neutral expert to image and collect hard drives was the appropriate way to satisfy the competing interests at stake. In some cases, the mere usage of a home computer may, whether intentional or not, destroy potentially relevant data. Some data is more transitory than other data, and in this case an important fact may be to show how this alleged improper access was occurring from the computer(s).

I will share some thoughts on what a forensic examiner may look for in this matter, but would like to note the following: I have no facts about this case other than reading the summary of the court’s order. I am merely providing thoughts on what may be looked at without knowing the facts, and therefore the analysis I refer to may or may not be relevant for this particular matter. Part of the allegation is that one of the defendants had IT expertise, and had used that expertise to access the plaintiff’s server using a "back door" he created, and that he had "manipulated, copied, transferred, deleted and/or used" data, files, and other information.

The term “back door” as used here simply refers to a way for someone to access a particular computer while circumventing normal security protocols. In this case it sounds like the IT person has been accused of creating an unauthorized account. One of the recommendations made to companies is to perform an audit every so often for potentially rogue network accounts, especially if you have an IT person leave the company. Certain logs, if available, may be used to show access dates and times, as well as where the access was made from. The varying methods of tracking such access may be through a user name and password and/or by capturing an IP address, which is essentially the equivalent of a street address.
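The account audit recommended above can be sketched as follows. This is an added example, not code from the original post or from the case: the roster, account inventory, log format, field names and departure date are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumed formats, not from the case discussed).
AUTHORIZED = {"asmith", "bjones", "svc_backup"}      # roster approved by HR/IT
DEPARTURE = datetime(2012, 1, 31)                    # date the IT employee left
DIRECTORY = [                                        # accounts found on the server
    {"user": "asmith", "created": "2011-03-02T09:15:00"},
    {"user": "bjones", "created": "2011-06-20T14:02:00"},
    {"user": "svc_backup", "created": "2010-01-11T08:00:00"},
    {"user": "svc_maint2", "created": "2012-01-27T23:41:00"},
]
AUTH_LOG = """\
2012-01-30T08:01:12 LOGIN user=asmith src=10.0.4.21 result=success
2012-02-03T02:14:55 LOGIN user=svc_maint2 src=203.0.113.45 result=success
2012-02-03T02:40:10 LOGIN user=svc_maint2 src=203.0.113.45 result=success
2012-02-04T09:12:00 LOGIN user=bjones src=10.0.4.33 result=failure
"""

def parse_auth_log(text):
    """Yield (timestamp, user, source_ip, result) from key=value log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "LOGIN":
            continue  # skip blank or unrelated lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield (datetime.fromisoformat(parts[0]), fields.get("user"),
               fields.get("src"), fields.get("result"))

def audit_accounts(directory, authorized, log_text, departure):
    """Report accounts missing from the roster, with their logged access."""
    events = list(parse_auth_log(log_text))
    findings = []
    for acct in directory:
        if acct["user"] in authorized:
            continue
        hits = [(ts, ip) for ts, user, ip, res in events
                if user == acct["user"] and res == "success"]
        findings.append({
            "user": acct["user"],
            "created": acct["created"],
            "source_ips": sorted({ip for _, ip in hits}),
            "logins_after_departure": sum(ts > departure for ts, _ in hits),
            "last_seen": max((ts for ts, _ in hits), default=None),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(DIRECTORY, AUTHORIZED, AUTH_LOG, DEPARTURE):
        print(finding)
```
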

The logs (or records) may be available from the firewall, VPN router, server(s) and/or the person’s computer used to perform the access to the server. All of these sources are dependent on configuration, length of time, whether they were being stored to begin with, etc. Manipulation, copying or transferring of data can be examined from different angles. Aside from content analysis between an original document and an alleged manipulated document, an examiner can look at metadata. Generally, when a document gets manipulated (altered), the operating system metadata will reflect the date and time for such activity. When a document is deleted, you may be able to reference when, or at least within what window of time, the deletion occurred. If a document was opened on a computer that was connected to the server, you may find text fragments on the computer in the area known as unallocated, or slack space.

The transferring of files is not always easy to detect. As mentioned in Part 1, there is no record that tells you the names of files that were, for example, copied to a connected USB device. However, the evidence may show that on a certain date and time a USB device was connected, and then the last access dates of hundreds of files were triggered. Assuming the triggering of these last access dates was not from some automated process such as a virus scan, could you infer those files were copied to the connected device? These are but a few suggestions of things to look for. In my next post, Part 3, I will delve into protocols with greater detail.
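The USB correlation described above can be sketched like this. It is an added example, not part of the original post: the timestamps, file paths, scan window, 30-minute window and 100-file threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: USB connection times, a scheduled virus-scan
# window, and (path, last-access) pairs as a forensic tool might export them.
USB_CONNECTS = [datetime(2012, 2, 3, 1, 5, 0), datetime(2012, 2, 3, 18, 5, 0)]
SCAN_WINDOWS = [(datetime(2012, 2, 3, 1, 0, 0), datetime(2012, 2, 3, 2, 30, 0))]
FILES = (
    [(f"/share/designs/part{i:03}.dwg",
      datetime(2012, 2, 3, 18, 6, 0) + timedelta(seconds=2 * i))
     for i in range(300)]
    + [(f"/share/hr/form{i}.pdf",
        datetime(2012, 2, 3, 1, 10, 0) + timedelta(seconds=i))
       for i in range(500)]
    + [("/share/readme.txt", datetime(2012, 1, 15, 9, 0, 0))]
)

def in_scan_window(ts, windows):
    """True if the access time is explained by a known automated scan."""
    return any(start <= ts <= end for start, end in windows)

def access_bursts(usb_connects, files, scan_windows,
                  window=timedelta(minutes=30), threshold=100):
    """For each USB connection, count files whose last-access time falls
    within `window` after it and outside every scan window."""
    results = []
    for connect in usb_connects:
        hits = sorted((ts, path) for path, ts in files
                      if connect <= ts <= connect + window
                      and not in_scan_window(ts, scan_windows))
        results.append({
            "connected": connect,
            "file_count": len(hits),
            "flagged": len(hits) >= threshold,
            "first": hits[0][0] if hits else None,
            "last": hits[-1][0] if hits else None,
        })
    return results

if __name__ == "__main__":
    for burst in access_bursts(USB_CONNECTS, FILES, SCAN_WINDOWS):
        print(burst)
```

A flagged burst is consistent with copying but does not establish it, and on many Windows versions last-access updates are disabled by default, so the absence of a burst does not show that nothing was copied.
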

Mr. Vaughn is a digital forensics expert who has given testimony in nearly 65 cases involving topics such as evidence preservation, documentation of events, and computer forensic methodologies. In addition to being an EnCase Certified Examiner (EnCE), Mr. Vaughn is certified by the International Association of Computer Investigative Specialists (IACIS) as a Certified Forensic Computer Examiner (CFCE). Mr. Vaughn has extensive experience working on litigation and consulting matters involving computer forensics, e-discovery and other high technology issues. He serves his clients through the litigation or consulting lifecycle by assisting them with important issues like data scoping, preserving, gathering, processing, hosting, review and production, as well as deeper diving issues uncovered through the use of computer forensics. Mr. Vaughn can be contacted at

Please note that each case may be unique and this single blog post is not intended to fully cover everything related to trade secret investigations or constitute advice, legal or otherwise. It is always best to consult a qualified person to assist with any investigation.