Has an employee stolen data? How could a hacker encrypt our data? Whenever evidence in the digital realm needs to be used in court, IT forensic experts are regularly called in. In this interview, Aaron Hartel, Commercial Director of Trufflepig Forensics, explains what business owners need to know about this topic.
Crime and law enforcement have long since ceased to take place only in the analog world – to convict criminals or collect evidence, computers, smartphones and IoT devices such as smartwatches, fitness trackers, etc. must increasingly be secured and evaluated. This is where digital forensics comes into play: “It originally comes from the law enforcement sector, where it is still highly relevant for the preservation of evidence in criminal proceedings,” explains Hartel.
Meanwhile, however, IT forensics also plays an important role for companies. “After a hacker attack, digital forensic experts are able to determine where the hacker was able to penetrate the company's IT structures, how they spread, how they infiltrated the company step by step and, in the end, if it was a ransomware attack, how they encrypted the company,” says Hartel.
The second major field of application is internal company investigations. Here, IT forensics is used, for example, when employees or managers have displayed criminal behavior or embezzled money – think of the Wirecard scandal. Often, in the run-up to such incidents, employees are poached, frustrated or part of a personal conflict within the company. “They therefore want to harm the company, secure data on a data carrier and take it to the competition.” The IT forensic experts at Trufflepig Forensics have been called in on many occasions in this context: “We have had several cases in which we were able to prove the evidence, which was ultimately interpreted to the disadvantage of the defendant in court proceedings.” It makes sense to initiate IT forensic investigations in the following cases:
As revealing and helpful as IT forensic investigations can be, the events that trigger them can be unpleasant. To avoid getting to that point, preventive measures should be taken at an early stage. To protect against hacker attacks, a comprehensive IT security strategy should be in place, and the current state of IT security should be checked regularly through pentests and simulated threats.
To avoid internal investigations and the loss of sensitive data to competitors, a good working atmosphere is important. In addition, access should only be granted when actually needed and not given out freely, and access data and rights should be blocked when an employee leaves the company. “The clearer you are, the better thought out the strategy is, and the better the IT security is in the company, the fewer reasons there are for an IT forensic investigation and the fewer opportunities there are for employees to steal data.”
After the IT forensic investigations have been completed, the results are evaluated by the experts at Trufflepig Forensics and presented to the company in a detailed report. In the case of investigations that extend over a longer period of time, interim reports are also provided. “This way, the company can see the results of the investigations to date, can use them to derive further questions if necessary, can assess whether the evidence secured so far is sufficient or is not enough and can no longer be found and the investigation should be discontinued,” summarizes Hartel.