After the Breach: When cybersecurity fails, forensics specialists come in to investigate the theft

Saturday, April 15, 2017 - 07:14

All the attention cybersecurity has garnered recently makes it easy to forget that computer forensics goes back long before the days of Dropbox, thumb drives, BYOD and the cloud. The contrast is not lost on RVM’s Greg Cancilla, who got his start during a time that now feels like a bygone era. He sat down with MCC to deliver what turned out to be (among other things) a history lesson. The interview has been edited for length and style.

MCC: How did you get started in computer forensics?

Cancilla: I was a developer when I first started, about 15 years ago. We were getting tons of calls at the company I was working for about investigating theft when employees left companies. It intrigued me, so I went and took some classes offered by New Technologies, Inc. and Guidance Software – the makers of EnCase Forensic Software.

MCC: What was the field of computer forensics like 15 years ago?

Cancilla: You had one computer you would analyze. There weren’t the mobile devices and all the cloud computing that we have nowadays. It was just basic computers. One person had a laptop, maybe some email at that point in time.

MCC: Tell me some of the milestones you’ve seen since then – the technological developments that have caused changes in your job over the years.

Cancilla: Back in the day, you would have a single corporate email account that people would typically use. Now we’ve seen it evolve into people having multiple email accounts: Gmail accounts, Office 365 accounts, Yahoo accounts – whatever they may be. It’s evolved from just a corporate email landscape to one where they have personal email accounts. We’ve gone from laptops and desktop computers to mobile tablets and mobile devices, cloud storage systems, all those types of things.

MCC: And each new development has, of course, led to new problems, new challenges for people in your field.

Cancilla: Exactly. The advances in, and adoption of, new technologies steadily and consistently outpace the old policies and procedures organizations had used to govern the spread of sensitive data. Identification of the various, and often very different, endpoints can change the scope of an investigation dramatically.

MCC: Who hires you typically?

Cancilla: It would either be the lawyer for the law firm in the case, or we’re hired by the legal folks at the corporation.

MCC: When it’s an in-house legal department, who do you typically work with?

Cancilla: We would typically work with the general counsel and his team.

MCC: What are some typical circumstances when the general counsel calls you in?

Cancilla: There’s suspected employee theft. Someone has left and gone to a competitor. They believe they may have taken privileged and confidential information with them, such as pricing or whatever it may be. They call us to come in and investigate, take a look at their computers and their devices, see what may have gone outside the corporation and who walked out the door with it.

MCC: How do you work with the lawyers? Can you describe the kind of working relationships you develop?

Cancilla: The lawyer is the one who will facilitate getting us the devices, getting access to what the employee used during his employment at the business. He would also be the one that we’d work with to come up with certain keyword terms that they may want to search his devices for, and date ranges if they want to limit the search to a specific time period.

MCC: What kinds of keywords are you asking for?

Cancilla: A lot of times it has to do with client names. They come up with things that may be of relevant importance, so if it did leave the corporation it would be of some serious impact. A lot of times, it would be client lists, pricing sheets, email addresses that they’d want searched, those types of things.

MCC: What are some common misconceptions and misunderstandings you find when you work with law departments?

Cancilla: A lot of times the law departments – and it’s evolved again over the years – don’t have a full understanding of what we can do from a forensic recovery perspective. When we go in and image a computer, they don’t typically know that we’re able to pull deleted information from the computer. That’s evolved a little bit, but they don’t know that when we get a mobile device, we can recover deleted text messages. I think it’s just the extent of information that’s available from a forensic investigation and what we can pull information from.

Another thing: The corporations aren’t necessarily aware of the various areas where employees can now store information. Back in the day, they would store it on their computer, maybe email it to themselves. Nowadays they have Dropbox available to them, all of these various cloud storages available where they can potentially copy information prior to leaving.

MCC: And what kind of work don’t you do?

Cancilla: We don’t do cybersecurity work. We’re not cybersecurity experts by any means, where we’re going to investigate intrusion detection, who hacked into someone’s network. There’s a specialized type of company that would do that.

MCC: It’s interesting that all of these specializations have developed. Can you spell out the different specialties in this work these days?

Cancilla: There are a lot of different specialties within the forensic aspect of it. Like I said, when we started out back in the day, we were just looking at computers. Now there are various software products and skill sets that are needed to look at mobile devices, to look at email accounts, to figure out how people would disseminate information outside the organization.

MCC: What have you had the most success doing?

Cancilla: Most of what we get is theft of intellectual property. I would say we’re most successful in being able to prove what information may have left the company, if in fact any information did.

MCC: What are the hardest things to do?

Cancilla: People encrypt hard drives. It’s very difficult to pull information from encrypted hard drives; sometimes it’s almost impossible. With mobile devices, it’s also difficult to be able to get into devices that are locked when we don’t have the passwords.

MCC: Are you seeing more and more encryption and more and more locked devices?

Cancilla: We are. Typically, back in the day, encryption would’ve been limited to a company computer. Now we’re even seeing it on a personal level. People are very aware of their devices and information that they store on those devices, so they password-protect them; they encrypt those devices, which makes it very challenging from the examiner’s perspective.

MCC: How have the people you’re investigating changed, as far as their level of knowledge and the tools they’re using?

Cancilla: They’re significantly smarter nowadays with all the information that’s available just by going online to Google and looking to see how to counter a forensic investigation. A lot of times, they’re able to remotely wipe their devices. If we get our hands on an iPhone, a user could be sitting thousands of miles away and remotely wipe that device if we don’t take the proper precautions. They’ve evolved and gotten smarter so that they know what to do and how to take information so that they’ve covered their tracks.

MCC: What about your side? What are your most potent tools to counter with these days?

Cancilla: The industry-standard tools that we use would be EnCase and AccessData’s Forensic Toolkit. There are a lot of tools, and the tools are evolving with the technology.

MCC: What do those tools do?

Cancilla: A lot of times they’re able to break some of the encryption that we see. They’re able to allow us access to the data on the devices so that we can perform our investigations. One program called Cellebrite is able to get into the mobile devices from a file system level, so that we can do an analysis on those devices to see what happened and what may have occurred.

MCC: Who is winning the technology war, the good guys or the bad guys?

Cancilla: That’s a tough one. I’d like to think that the good guys are, but the bad guys always seem to be one step ahead in what they do. If someone really wants to get away with something, they’re going to find a way to get away with it.

MCC: What are the biggest dangers to companies today?

Cancilla: One of the biggest dangers that we see is the “bring your own device” policy – corporations allow the employees to bring their own mobile devices. Then when employees leave the corporation, those devices go with them – and a lot of times so does intellectual property. That’s one of the biggest challenges we see. The other challenge is the integration of cloud storage systems – Dropbox, Google Drive, whatever it may be – where employees have information that can easily, with one click, go right out the door.

MCC: Just from a security standpoint, if you were the CEO of a company that was worried about these potential vulnerabilities, would you ban Dropbox and Google Drive? Would you ban “bring your own devices” from company policy?

Cancilla: A lot of corporations do that. It’s a good policy, not to the extent that you don’t use those things as a corporation where you need to have access to them. Bring your own device – by banning that, you’re saving a lot of headache when an employee leaves. Dropbox, Google Drive – if there’s no reason to be using them in the ordinary course of business, there’s no reason that you shouldn’t have those banned.

MCC: Have you been in touch with companies that have banned those technologies and heard back about how things were going?

Cancilla: We have. Even here at RVM, we do, to some extent, restrict the use of Dropbox and cloud storage systems. We restrict the use internally of accessing personal email accounts. We also restrict the use of thumb drives being plugged into a computer. We block the common ways for people to copy information and take it with them.

MCC: How have employees responded?

Cancilla: There really hasn’t been much pushback on that. As far as the employee’s perspective goes, if they don’t need the access to that information for the ordinary course of business, there’s really no reason to have it.

MCC: What’s the best advice you can offer in-house lawyers whose responsibilities include cybersecurity and an overview of this area?

Cancilla: Stay on top of your data retention policies. When we go into corporations, a lot of times we do data collection work for large-scale litigations. Corporations seem to have massive amounts of data that’s still available. Stay on top of those retention policies so that when litigation does come down, and we come in to collect, we’re not pulling tons and tons of data that may not be relevant, that may be outside of the time period that’s relevant. It can save you a ton in costs when that litigation does come down.

Greg Cancilla is the director of forensics at RVM Enterprises, Inc. He is responsible for the preservation, identification, extraction, documentation and interpretation of digital data. As a certified forensic engineer, he has performed countless digital forensics investigations since entering the field in 2003. He can be reached at: gcancilla@rvminc.com.