When hearing the words “forensics”, many people may think of the investigators portrayed on TV shows, such as CSI or Bones, looking for physical evidence. Today, digital forensics, a previously lesser-known discipline, is gaining attention in response to growing cyber crime, fuelled by an increasingly digital society.
According to Glen Kenny, senior technical consultant for Envista Forensics in Singapore, digital forensics is the gathering, preserving, analysis and presentation of digital evidence.
“This expertise requires specialised training and equipment, and every process follows the same general rules as other forensic disciplines,” Kenny said. “All findings must be repeatable and verifiable by a third-party expert.”
However, the nature of electronics and cyberspace means there are also differences between digital forensics and other disciplines.
“The state of the evidence can change radically moment to moment, because digital devices today perform numerous functions at once, including both user-driven processes and system-based processes,” said Jason Conley, digital forensic examiner at Envista. “A sense of urgency and special care is required to capture the evidence without altering it, or minimising any alterations as far as possible. In addition to the volatility of data, there is constant change in the operating systems, programs, and applications on different devices. For example, the Macintosh brand of computers and iPhones undergo very frequent changes in the form of upgrades – which can completely alter (and sometimes, limit) the examiner’s ability to preserve and analyse the evidence in a timely fashion.”
According to Conley, one of the most essential functions of digital forensics is validating that a cyber loss event actually occurred, and assessing the extent of the attack.
“This may sound strange, because most people imagine that something as potentially catastrophic as a ransomware attack would be very easy to identify – the threat actors infiltrate an organisation’s network and deploy a vicious ransomware variant that locks down all their servers, and possibly the employee workstations too,” Conley said. “But there are countless instances where insured organisations are so rushed to get their business back up and running, that they often wipe and reload all their systems if their backups survived, failing to realise that they needed to set aside the appropriate samples to allow a digital forensic examiner to validate that an attack actually occurred, as well as assist an adjuster in measuring the damage.”
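The principles Kenny and Conley describe (capture evidence without altering it, set samples aside before rebuilding, and produce findings a third party can verify) come down in practice to hashing at acquisition time and keeping a custody record that an independent examiner can re-check. The following is an added example, not code from the article or from Envista Forensics; the sample artefact, the case ID, the examiner name and the custody-log format are assumptions for illustration.

```python
"""Evidence preservation with hash verification (added example, not the article's code).

A constructed sample artefact is written to a temporary directory so the script
runs offline. The acquisition hashes the source before copying and the copy
afterwards; a mismatch rejects the acquisition. The custody log lets a third
party recompute every digest later and detect any alteration.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: Path, evidence_dir: Path, examiner: str, case_id: str) -> dict:
    """Copy an artefact into the evidence store and append a custody entry.

    Returns the custody entry (a dict) that was written to custody.jsonl.
    """
    source_hash = sha256_file(source)
    dest = evidence_dir / f"{case_id}_{source.name}"
    shutil.copy2(source, dest)      # copy2 keeps timestamps; metadata is evidence too
    os.chmod(dest, 0o444)           # read-only copy: analysis happens on further copies
    dest_hash = sha256_file(dest)
    if dest_hash != source_hash:
        dest.unlink()
        raise RuntimeError("acquisition failed: copy does not match source")
    entry = {
        "case_id": case_id,                       # hypothetical case identifier
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source": str(source),
        "evidence": str(dest),
        "sha256": dest_hash,
        "size": dest.stat().st_size,
    }
    with (evidence_dir / "custody.jsonl").open("a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify(evidence_dir: Path) -> list:
    """Recompute every recorded digest. A third-party expert runs this independently.

    Returns a list of (evidence_path, ok) tuples.
    """
    results = []
    with (evidence_dir / "custody.jsonl").open() as log:
        for line in log:
            entry = json.loads(line)
            path = Path(entry["evidence"])
            ok = path.exists() and sha256_file(path) == entry["sha256"]
            results.append((entry["evidence"], ok))
    return results


def demo() -> tuple:
    """Acquire a constructed artefact, verify it, alter the copy, verify again."""
    work = Path(tempfile.mkdtemp())
    src = work / "ransom_note.txt"                 # constructed sample artefact
    src.write_bytes(b"Your files are encrypted. Pay to recover them.\n")
    store = work / "evidence"
    store.mkdir()
    entry = acquire(src, store, examiner="J. Examiner", case_id="CASE-0001")
    before = verify(store)
    # Simulate an alteration after acquisition (e.g. someone "cleaning up" the box).
    ev = Path(entry["evidence"])
    os.chmod(ev, 0o644)
    with ev.open("ab") as f:
        f.write(b"tampered\n")
    after = verify(store)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after acquisition:", before)
    print("after alteration: ", after)
```

The point of recording the digest at acquisition is that the later check does not depend on trusting the examiner: anyone holding the custody log and the evidence copy can recompute the hash and reach the same answer, which is what makes the finding repeatable and verifiable. The same pattern applies to full disk or memory images; only the input to `sha256_file` changes.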
Following a cyber attack, digital forensics plays a critical role in reconstructing the chain of events. Specialised subdisciplines, such as cyber investigations, memory forensics, network forensics and malware analysis, each provide insights such as the attack vector and the techniques the threat actors used to penetrate the network and compromise its security controls.
“This critical insight lends itself to understanding what security controls need to be added or altered to protect an organisation – or numerous organisations when a new threat or vulnerability has been discovered,” Kenny said. “For example, zero-day attacks (undocumented, previously unseen ‘new’ threats, such as a modification of a particular malware variant) can be quickly dissected, and information about them can be quickly disseminated to the IT security community at large. Other discoveries can include a vulnerability in a network hardware device, such as a firewall or router, that had been exploited during an attack – which had not been made public knowledge. The proceeds of these investigations form the critical datasets required to observe trends and patterns in the directions of cybercrime.”
Another major use for cyber forensics in insurance is detecting fraud. Insurance fraud schemes have been on the rise, with the number of reports tripling between 2018 and 2020, according to the General Insurance Association of Singapore.
“As digital records have replaced almost all physical documents, most frauds of a white-collar nature occur directly on a computer, or with the use of another computer,” Conley said. “Sophisticated frauds may involve large databases, whether internally in an organisation, or accessed remotely across the internet with compromised credentials.”
According to Kenny, identity theft is also largely a result of compromised data, and it can in turn lead to fraud and other crimes that digital forensics examiners investigate.
Moving forward, Kenny predicts that the insurance industry will become more aware of, and more intertwined with, digital forensics as cyber risks continue to grow. This could also lead to increased employment opportunities in the field.
“I think requirements for cyber insurance coverage will become more stringent, and that insurance companies will begin hiring those with IT security experience, particularly with cyber investigation experience, in their underwriting departments,” he said.