
The Privacy Advisor | Computer Forensics: The Key to Effective Incident Response


When computer data breach incident response is discussed, very little, if any, mention is made of forensics. Oftentimes the discussion focuses on breach notification: who must be notified, what they must be told and when.

Without question, the potentially affected individuals will need to be contacted, as will the senior managers who decide who signs the notification letters sent to the affected parties. Your organization's legal staff and public affairs office should also be brought in to help craft those letters, particularly if they will deviate from your pre-approved notification template. Public affairs may additionally need to prepare a press release and a set of talking points so that, if senior leaders are approached about the breach by the media, the message they convey is consistent.

Most of the actions taken thus far in response to the breach are intended to limit the extent of the damage and to satisfy legal requirements to notify the potential victims, so that they can monitor their credit reports with the various credit reporting bureaus for evidence of identity theft. The same actions also serve to minimize the organization's legal liability.

However, at this point the exact extent of the damage is unknown, because it may not be readily apparent how much information was leaked or accessed as a result of the breach. This is where the computer forensics team comes into play. Forensics is defined by the National Institute of Standards and Technology (NIST) as "the application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data." Having a computer forensics capability within your organization, or at least accessible to it through a contract with a third-party provider, is crucial. It is best to contract with a provider experienced in the generally accepted practices for preserving evidence (documented collection, integrity verification of every copy, and an unbroken chain of custody), so that if your organization decides to take legal action against the individual(s) involved in the breach, the evidence has a better chance of standing up in court.

Take, for example, an organization that decides to terminate an employee in the equal opportunity/civil rights office who has access to sensitive data on various personnel. This individual may download sensitive files from internal websites and databases to a flash drive, print paper copies of the documents, and take them home without the organization's permission or knowledge. Upon being told of the termination, the individual then goes to sell the information. The sensitive information may include Social Security numbers and other data that could help a criminal assume the identity of any of the affected employees, including obtaining credit in their names. The terminated employee may have less sinister intentions, such as leaking the information to embarrass various individuals within the organization. In either case, whether the intent is to sell the information or simply to cause embarrassment, neither is without malice.

Yet another scenario, one that happens all too often, is the lost thumb drive. A lost thumb drive containing sensitive information is a significant liability for any organization. Whether the drive is later found or never recovered, a computer forensics expert can have a positive impact on the situation, because the forensics professional can review the logs to determine what information was downloaded to the drive or even printed. If individuals delete data in an effort to cover the tracks of their clandestine activities, the forensics professional can often recover it as well. The type and extent of the forensics response should depend on the situation at hand: minor incidents obviously do not warrant a significant number of hours in each of the four phases of the forensics process, which are data collection, examination, analysis and reporting.
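The two tasks described in the preceding paragraphs, reconstructing from logs what was copied to removable media or printed and preserving the integrity of the collected evidence, look roughly like the following. This is an added illustration, not code from the original article: the log format, host names, user names, file paths and device serial numbers are all invented, and the rule that a copy counts as going to removable media (a destination off the C: drive while a USB device is attached to that host) is an assumption about the environment.

```python
"""Scope a suspected insider leak from audit-log lines and record evidence
integrity. Added illustration, not code from the original article: the log
format, host names, user names, paths and device serials are all invented."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample of a file-activity log (the format is an assumption).
SAMPLE_LOG = r"""
2023-03-14T08:02:11Z host=EEO-WS01 user=jdoe event=USB_ATTACH serial=4C530001
2023-03-14T08:03:40Z host=EEO-WS01 user=jdoe event=FILE_COPY src=\\fileserver\eeo\complaints_2022.xlsx dst=E:\complaints_2022.xlsx bytes=2310144
2023-03-14T08:05:02Z host=EEO-WS01 user=jdoe event=FILE_COPY src=\\fileserver\eeo\personnel_ssn.csv dst=E:\personnel_ssn.csv bytes=884221
2023-03-14T08:09:55Z host=EEO-WS01 user=jdoe event=PRINT document=personnel_ssn.csv printer=HQ-3F-LASER pages=42
2023-03-14T08:15:30Z host=EEO-WS01 user=jdoe event=FILE_DELETE path=\\fileserver\eeo\personnel_ssn.csv
2023-03-14T09:00:00Z host=EEO-WS01 user=jdoe event=USB_DETACH serial=4C530001
2023-03-14T09:12:07Z host=HR-WS07 user=asmith event=FILE_COPY src=\\fileserver\hr\handbook.pdf dst=C:\Users\asmith\handbook.pdf bytes=102400
2023-03-14T10:20:00Z host=EEO-WS01 user=jdoe event=FILE_COPY src=\\fileserver\eeo\notes.txt dst=D:\notes.txt bytes=1024
"""

# Analysis window for the constructed scenario: the morning of the termination.
WINDOW = (datetime(2023, 3, 14, 8, 0, tzinfo=timezone.utc),
          datetime(2023, 3, 14, 9, 30, tzinfo=timezone.utc))

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def scope_leak(events, user, start, end):
    """Reconstruct what one user moved off the network inside a time window.

    A FILE_COPY is treated as going to removable media when its destination is
    not on the system drive (C:) and a USB device is attached to the same host
    at that moment (an assumed heuristic). Prints and deletions are reported so
    the reviewer sees paper copies and attempts to cover tracks; deleted paths
    are candidates for recovery from backups or the file server's own logs."""
    attached = {}  # host -> set of currently attached device serials
    report = {"copied_to_removable": [], "printed": [], "deleted": [], "devices": set()}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event"] == "USB_ATTACH":
            attached.setdefault(host, set()).add(ev["serial"])
        elif ev["event"] == "USB_DETACH":
            attached.get(host, set()).discard(ev["serial"])
        if ev["user"] != user or not (start <= ev["ts"] <= end):
            continue
        if ev["event"] == "FILE_COPY" and not ev["dst"].upper().startswith("C:") and attached.get(host):
            report["copied_to_removable"].append((ev["src"], ev["dst"], int(ev["bytes"])))
            report["devices"].update(attached[host])
        elif ev["event"] == "PRINT":
            report["printed"].append((ev["document"], ev["printer"], int(ev["pages"])))
        elif ev["event"] == "FILE_DELETE":
            report["deleted"].append(ev["path"])
    return report


def evidence_record(data, collector, collected_at=None):
    """Hash evidence at the moment of collection so later examination can show
    the bytes were not altered; together with a custody log this covers the
    integrity and chain-of-custody parts of the NIST definition quoted above."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data),
            "collector": collector, "collected_at": collected_at.isoformat()}


def verify_evidence(data, record):
    """Re-hash the evidence and compare with the record made at collection."""
    return hashlib.sha256(data).hexdigest() == record["sha256"] and len(data) == record["size"]


if __name__ == "__main__":
    rep = scope_leak(parse_log(SAMPLE_LOG), "jdoe", *WINDOW)
    for src, dst, size in rep["copied_to_removable"]:
        print(f"copied {src} -> {dst} ({size} bytes)")
    print("printed:", rep["printed"])
    print("deleted:", rep["deleted"], "devices:", sorted(rep["devices"]))
    raw = SAMPLE_LOG.encode()
    rec = evidence_record(raw, "analyst1")
    print("evidence sha256:", rec["sha256"], "verified:", verify_evidence(raw, rec))
```

Run against the constructed log, the report shows two files copied to the attached drive (the personnel file with Social Security numbers among them), one 42-page print job of that same file, and a deletion of the source shortly afterwards; the later copy to D: falls outside the window and after the device was detached, so it is not attributed to the incident. The evidence record is what a custody log entry should carry at every hand-off, and `verify_evidence` is the check an examiner repeats before analysis and again before reporting.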

Undoubtedly the forensics team should be part of your computer incident-response team, because it allows your organization to determine the exact extent of the breach by establishing what data was downloaded, saved and/or printed. Forensics professionals can also suggest how to prevent a recurrence, because they will have examined the equipment and determined just how the breach occurred. This insight belongs in the final step of the incident-handling process, the lessons-learned report, so that additional measures can be taken to prevent similar incidents. The lessons learned should also contain any recommendations the forensics team has for improving the organization's current processes and procedures. These may address user access as well as other preventive measures such as configuration changes, and may include steps that would improve the ability of forensics to analyze the next incident (for example, logging that records file copies to removable media and print jobs) as well as steps that would prevent it.

Including forensics in an incident-response plan is crucial to understanding the true extent of a data breach. A breach may look minor on the outside and actually be worse than it appears, or it may not be as bad as first thought. The latter was the case in May 2006, when a Department of Veterans Affairs employee's laptop containing the Social Security numbers and other sensitive information of more than 26 million veterans was stolen and then recovered just under two months later, according to The Washington Post. The good news in that situation was that computer forensics performed on the laptop confirmed that the data had not been accessed.

For more information on how to integrate computer forensics into your organization’s policies and practices, consult the NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response.
