5 min read

Preventing an Effective Forensics Investigation

Featured Image

This article was original content on the ACEDS Blog and written by Gavin W. Manes.


As eDiscovery and digital forensics experts, there are some frequently occurring actions we’ve seen that can hamper our ability to perform thorough and effective forensics investigations. This blog is designed to give a basic outline of some things to watch for when handling devices that may be subject to digital forensics investigations. Of course, it can be hard to determine if an issue will arise later, but many of these are good information technology “hygiene” as well.


The Basics

We often see computers that have been re-issued to new employees, which are then needed to investigate the actions of the former user and employee. Therefore, the new user’s activity overwrites key information from the former user. If there is any thought that a computer or other digital device might be needed for an investigation, it’s a good idea to make a forensics image or simply retire that device until there’s certainty it’s no longer needed. Also note that allowing a computer to idle while powered on can overwrite some logging, which can erase user activity traces. Indeed, it is critical to preserve as soon as possible from a logging perspective.

Another common occurrence is a “pre-investigation” being performed on a device before it has been forensically collected. This can damage important metadata, like changing the modified or created dates of files. Again, if there is any thought as to the future forensic value of the information in the device, it is best to either forensically image it or set it aside, unpowered, until it can be forensically imaged.

Office 365

Logging is an issue that rears its head in the collection of data from Office 365 information: the most common issue is not having the appropriate logging turned on for a specific cloud environment. Most versions of O365 - including Business, Enterprise, and Education - support standard audit logging for 90 days. E5, F5, and A5 licenses support premium logging, which retain logging for 1 year, up to 10 years for additional cost. So it’s important to consider how long logs should be kept based on investigations or other incidents in the past when answering the question of which license to purchase.

Another feature that should be enabled is auditing. Since January 2019 this has been enabled by default, but auditing status should always be checked to make sure it is turned on (via PowerShell or Microsoft Purview.)

Google

Logging is another principal issue in Google, and you can use this link to show what’s logged and what isn’t in Google. We recommend administrator audit logs always be enabled. Data access logs are disabled by default, and they require a fee to enable, so that’s a consideration based on the types of investigations that are occurring in your situation.

Third Party Apps

Other third-party apps like Zoom, Slack, and GitHub have similar logging that can be turned on and off and expanded. When Slack first arrived on the scene, attachments weren’t linked, edited messages weren’t tracked, and their original content was not available. More modern Slack exports come in the form of a JSON, which is data rich but may not be useful to a non-technical user. Here is how to download a company’s conversation from Slack. Public channels can be downloaded by an admin or owner level account for all plans.

  1. Make sure your company is using the right plan. Only the top two paid plans grant the option to download all private channels: "Business+" or "Enterprise Grid." The free "Basic" and paid "Pro" plans do not have this feature
  2. The account needs to be either a "Workspace Owner" and "Org Owner" level. Normal admin level accounts do not have the ability to request the download conversations from private channels. 
  3. With the right plan and account setup, the next step is to request access to the export of all conversations feature from Slack. If approved, export can proceed.

This is a good example of the general progression when a new tool comes out – at first, it’s unlikely that an export or investigative workflow was considered since that is not the primary task for the developer. Getting useful exports from an eDiscovery perspective generally comes after the first generation of investigations, which historically is laid at the hands of law enforcement, where they see the evidence first and then a solution is crafted that works for them but may not work for civil litigation.

Encryption and Authentication

If a drive is encrypted with no password and if investigators don’t have administrative credentials or a recovery key, we can’t access the machine. If a drive is encrypted from the factory, it is usually in a suspended state. If BitLocker is suspended, the drive data is still encrypted but it puts the key in a clear state that can be read by Windows and some tools. The drive can be put on another computer box via a write-blocker and the contents of the drive may be seen but a forensics image can’t be taken. Further, investigators can’t see the content when loading the forensics image because the clear key can’t be read. Most of the time, the imaging software will prompt for the BitLocker Recovery key when processing is attempted.

We have found it more successful to obtain a full disk image first before decrypting. This is because decryption makes changes to the drive and since the computer is on and logged in, the nature of performing that activity also potentially overwrites registry entries, log entries, etc. Even if nothing is overwritten, it will certainly write new entries to those logs and to the registry depending on the activity performed while logged into the machine.

We frequently encounter issues with BitLocker being suspended so users don’t realize it’s encrypted in the first place. Therefore, they don’t know the key. In that case, it’s necessary to use a tool that can read the clear key in order to be able to process the image after it’s taken. The process for this is decrypting and then imaging, or imaging, then mounting the image with a tool that can read the clear key and reimaging after decrypting the mounted image. Fortunately, more tools are now able to read the clear key. There are more tools now that read the clear key, but that is a change that has evolved over the last decade, as not all tools could do this in the past.

The presence of two-factor authentication, which is quite common, can also be a challenge to forensics. It’s not an unsolvable problem, but it does require the cooperation of attorney, client, and sometimes opposing parties. Being unable to perform two factor authentication on a device doesn’t allow access to the account and therefore our inability to perform an effective forensics investigation.

Conclusion

The target of an investigation may no longer principally be the end device like it was five years ago. Logging in the cloud and hosted software may be another source of data, but it’s important to quickly understand how much information is being preserved and for how long. Checking a few settings can go a long way towards ensuring that data needed for forensics investigations will be available.


What did you think? Any good takeaways? Let us know here.