As a computer forensics investigator, FTI Consulting’s Bryan Lee examines evidence of corporate employees stealing data, embezzling company funds, committing fraud, and performing a wide range of other nefarious activities. In many of the cases Bryan has investigated, the employee attempts to cover their tracks using various methods such as deleting their internet history. Recently, there has been an upward trend in users altering their computer prior to performing their intended actions.
There are a vast number of techniques users can use to conceal their actions that are well documented on the Internet. While some techniques are quite simple, there are others that can be highly technical, generally written by members of the “blackhat” community. This group of tools and techniques, when employed by a user in a deliberate fashion in order to thwart investigation, is known as anti-forensics.
Anti-forensics methods can include using software to securely delete files, making changes to time stamps on a computer through software or systems built into an operating system, deleting or altering logs, using file, folder, or volume encryption on a drive, and using tools built into bootable flash drives or CDs to alter data.
If an employee uses anti-forensics techniques in an effort to cover up illegal activities before their data is collected in an investigation, the time and cost of the investigation can increase drastically. Bryan and his colleagues have identified a handful of proactive and reactive steps to mitigate anti-forensics efforts and reduce costs stemming from internal investigations.
- Implement Effective IT Policies. IT policies that limit what applications can be used, what external devices can be accessed, and whether employees have administrative rights on the computer all help. It is important to balance security needs with usability needs and understand that employees require a certain level of accessibility and flexibility to be effective in their jobs.
- Enable Detection. There are numerous tools for monitoring employee actions that prevent and detect security incidents. For many companies, these tools provide timely notifications of significant threats.
- Collect ASAP. It is of the utmost importance in a forensic investigation for pertinent digital media to be collected as soon as possible. The investigation team (typically comprised of a group of internal stakeholders from legal, IT, and security departments, along with trusted external providers and outside counsel) should make every effort to ensure that any data that could be relevant to the matter be forensically preserved immediately.
- Leverage Expertise. In the cases where a corporation has suffered from anti-forensics activities, bringing in digital forensics experts to help is critical. Skilled forensic investigators have the knowledge and ability to discover and work around many anti-forensics techniques.
Read more about anti-forensics, and Bryan’s recommendations on how to address these techniques in his recent Corporate Counsel Magazine article here.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.