What Enterprise Digital Investigators Are Facing in 2017

BrandPost By Jessica Carter
May 23, 2017
Investigation and Forensics, Technology Industry

Internal investigations, e-discovery, and cyber breach incident response approaches continue to evolve as new sources of data emerge, and the way we conduct business in a digital world also evolves and changes. As a result, corporate IT professionals have had to take on new roles and responsibilities as well, requiring new skills and the proficient use of tools to help adapt to the continually changing digital environment.

Three key factors are driving the need for this change:

1. The Sheer Size of Data

In an investigation, finding the relevant data and quickly getting it to legal, human resources, compliance, or audit teams to make decisions on the situation is everything. The sheer size of data organizations are grappling with today makes this increasingly challenging. Mobile device and computer storage capacity has become ginormous, leaving vast amounts of information for investigators to mine. Last fall, AccessData consulted with several industry veterans on the topic of evolving digital investigations and the impact on IT’s role.

“The data is 20x what it used to be,” said John Wilson of eDiscovery Squared. IT must be able to use technology to identify sources across the network and collect the data while preserving vital system and item metadata for forensic analysis and evidence integrity. Investigators must also be able to filter at the time of collection and during analysis to focus precious time and resources on core facts hidden in the mass of data volumes.

Imagine what digital investigators face when you consider:

  • Smartphones can hold 64GB to 500GB of data.
  • Average laptop hard drive has 500GB to 1TB of data.
  • Average desktop hard drive houses 1TB of data.
  • Users typically receive 43,000 emails per year.
  • Text message data can involve 30,000 texts per year, per user.

2. Data Sources Get Complicated

Gone are the days when IT could simply take an image of a hard drive and be done. Today’s investigations require “live box” forensics to ensure critical evidence such as passwords, encryption keys, and chat sessions found in the computer’s volatile memory is preserved and collected.

A computer’s memory can be a treasure trove of information about a subject’s digital activity. Where data is stored is also changing, with more corporations leveraging cloud apps and content-management systems. IT and investigators need to become proficient in using the necessary tools to collect in this live environment. They must know how to collect from multiple device types and multiple operating systems. Identifying malware in a data set or in an incident response investigation is also part of the role now, as is collecting from remote locations with today’s increasingly mobile workforce. And all of this needs to be done in a minimally invasive way, to ensure the data is preserved and admissible in court.

3. Needing Critical Communication and Collaboration

Today’s digital investigations are no longer siloed. Departments from all over the organization are involved and need access to key files and information. It’s not just legal anymore. Human resources, compliance, audit teams, and corporate communications frequently request information and data collection for investigations.

Jason Britton, IT Technical Engineer at iHeartMedia, shared his perspective on this, noting that “communicating has been a problem for a lot of groups because there’s a lack of experience in this shift from dead box to live box investigations.” Investigators need to know what is expected from the investigative work of each different group.

For example, if evaluating a suspect’s instant messages is critical to an investigation, IT must be made aware of the requirement to collect that data, which is not typically stored on a computer hard drive, so they can be sure they have the necessary tools available up front to enable the collection. Groups need to communicate with the investigator throughout the collection, and get an early look at the data. Communicating and collaborating with vendors that house data you need, or that come in to help with the investigation, is also key.

Ten years ago, sharing the investigative findings was much simpler. Printing out an investigative report on paper worked. Today, investigators struggle to figure out how to push an entire report and timeline to their stakeholders’ review platform. Increasingly, teams such as HR and compliance are starting to use e-discovery technology to slice and dice the data. The volume is simply too big to go without analytics that surface information about the data set, such as social interaction in email patterns; these are tools commonly found in e-discovery technology. Tools that help to unify cross-functional investigative teams on a single platform and minimize data movement can facilitate improved collaboration, and help get evidence into the right hands for expedited analysis.


The proliferation of digital data, in both volume and type, will continue to challenge IT and investigative teams. In an increasingly changing digital environment, it is useless to try to thwart employee adoption of modern technology. Instead, IT teams and investigators must begin to adapt their skills and the tools they use to facilitate thorough investigations and meet those challenges head on. As these challenges are no longer a problem facing IT alone, identifying and collaborating with key stakeholders early and throughout an investigation becomes increasingly important, to ensure critical data is shared in a timely manner and improve investigation efficiency.