Digital Forensics: Managing an Online Crime Scene - Brit

We’ve all seen the crime scene investigation TV programmes in which a team of police detectives clad in white forensic suits meticulously analyse a taped-off scene, collecting evidence to try to find their culprit. While the means are different, cyber crime isn’t that different from a physical heist. You have a person or group of people who are attempting a break-in. They have researched vulnerabilities, understand what they could potentially take, and have a specific plan to evade detection or capture.

Cyber criminals operate in comparable ways to offline criminals. The forensic teams brought in to unpick how crimes unfold also have their digital counterparts. To help understand how digital forensics fits into the world of cyber security, alongside our Breach Counsel and Ransom Negotiators, we have spoken to someone who deals in cyber crime every day. The digital forensics specialist we caught up with is an expert in incident response with Kroll, one of our cyber security partners. Their insight is invaluable in helping us understand how cyber attacks are executed, and how vulnerabilities are addressed.

What is digital forensics?

To fully appreciate the role of digital forensics in the insurance process, it’s important to understand some basic definitions. Our expert from Kroll gives their summary of the principles:

“Digital forensics is the science involved in analysing digital information and presenting or interpreting that data to arrive at a factual conclusion. The arrival of a factual conclusion can then typically be used for presentation in a court of law. There's a scientific discipline to the review and the meaning of data, just like in traditional forensics.”

Kroll

Where does digital forensics fit into the incident response timeline?

Initial Contact and Assessment

A well-defined incident response process is critical to cyber security measures. Our digital forensics specialist explains that things can move quickly, but there are necessary steps that happen within the first few minutes of an insured reporting a cyber attack. 

“When an insured suffers an attack, and Breach Counsel instructs us, our digital forensics team would conduct a scoping call to collect the facts of the incident and ensure we can support them with the right fit for their business. Following an initial discussion, we take the facts away, create a statement of work, a budget and methodology for how we will respond to their incident.”


Initial Scoping Call

The first step involves an initial scoping call to gather all necessary facts about the incident. This call is crucial as it forms the blueprint for the entire response process. The critical actions during this phase include:

Collecting Technical Data

Understanding the nature of the attack and the extent of the compromise.

Contracting and Engagement

Reviewing and finalising contracts, ensuring alignment with the insurance provider's terms, and obtaining the green light to proceed.


Kick-off and Immediate Actions

Once the engagement is confirmed, the response team moves into the kick-off phase, typically initiated with another phone call. During this call, the forensics team establishes a schedule for daily touchpoints over the first five to seven days. This period is characterised by several parallel actions, such as:

Forensic Evidence Preservation

Ensuring that all necessary data is preserved for both the client and for legal purposes, including determining if there are any legal notification obligations under state, provincial, or federal laws.

Technical and Operational Measures

Implementing immediate technical measures to mitigate the impact of a ransomware attack and start the recovery process.

Augmenting Internal IT Capabilities

One of the critical services provided by digital forensic experts like Kroll is staff augmentation. Ransomware attacks often involve data destruction or encryption, rendering servers and data unusable. Threat actors might also delete backups, further complicating recovery efforts. To address this, Kroll can deploy additional IT personnel to support the company's internal team. These experts assist with the following:

Rebuilding Data and Operating Systems

Restoring lost or compromised data and reloading necessary software to get systems back online.

Accelerated Recovery

Ensuring a quicker return to normal operations than the company could achieve on its own, all typically covered by the insurance policy.

Continuous Support and Coordination

Throughout the initial response and recovery phase, the digital forensics response team maintains continuous communication with the client. This includes daily updates and coordination to manage the various moving pieces of the recovery effort efficiently.

The importance of swift support from digital forensics in incident response

During a cyber incident, digital forensics must be involved as soon as possible to help work towards a speedy resolution. The digital forensics specialist shares their view on the turnaround time:

“Sometimes we will deal with a straightforward case like a business email compromise. This can take between 7 to 10 days from initial scoping in triage calls to the point we’re offering additional services. However, some cases require additional investigation and can take much longer to reach a point of resolution. Regardless of the timescale, the fundamentals of our incident response at this stage are still the same.”

Kroll

Urgency and Prioritisation

From the outset, the digital forensics response team prioritises urgent actions. Critical national assets like hospitals or infrastructure facilities require immediate attention. Given the high stakes involved, the emphasis is on rapid action rather than a prolonged forensic investigation.

Data Preservation and Analysis

A vital part of the initial response involves preserving forensic evidence. This ensures that the data remains intact for later analysis and potential legal requirements, which is crucial for understanding the breach and meeting regulatory obligations.
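One concrete way the "data remains intact for later analysis" requirement is met in practice is an integrity manifest: a SHA-256 digest of every preserved file is recorded at collection time, and the same digests are recomputed before analysis so that any later change, deletion or addition is detectable. The script below is an added illustration, not code from the article or from Kroll; the file names, log contents and collector name are constructed sample data, and the manifest layout is my own assumption rather than any tool's format.

```python
"""Added example (not from the Brit/Kroll article): a minimal evidence-integrity
manifest for preserved files.

Assumptions (mine, not the page's): evidence is a directory of files; integrity is
established by recording a SHA-256 digest per file at collection time and
re-verifying before analysis. Sample files and the collector name are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record one entry per file (relative path, size, SHA-256) plus who collected it and when."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(full, evidence_dir),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    entries.sort(key=lambda e: e["path"])
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return the discrepancies: files missing, files whose digest changed, files not listed."""
    problems = {"missing": [], "modified": [], "unlisted": []}
    listed = {e["path"]: e for e in manifest["files"]}
    for rel, entry in listed.items():
        full = os.path.join(evidence_dir, rel)
        if not os.path.exists(full):
            problems["missing"].append(rel)
        elif sha256_file(full) != entry["sha256"]:
            problems["modified"].append(rel)
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in listed:
                problems["unlisted"].append(rel)
    return problems


def demo():
    """Build a constructed evidence set, write its manifest, then alter one file and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample evidence: two small log files (not real data).
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("2024-01-01T10:00:00Z sshd: Accepted password for admin\n")
        with open(os.path.join(d, "web.log"), "w") as f:
            f.write("2024-01-01T10:05:00Z GET /login 200\n")
        manifest = build_manifest(d, collector="examiner-1 (hypothetical)")
        clean = verify_manifest(d, manifest)
        # Simulate a post-collection change to one preserved file.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("line added after collection\n")
        tampered = verify_manifest(d, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    m, clean, tampered = demo()
    print(json.dumps(m, indent=2))
    print("verification at collection time:", clean)
    print("verification after change:", tampered)
```

The manifest should be stored (and ideally signed or hashed itself) outside the evidence directory, so that whoever alters the evidence cannot also rewrite the record of what it looked like; the timestamp and collector fields are what a reviewer later cross-checks against the chain-of-custody log.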

Containment and Expulsion

Once the immediate data triage is underway, the response shifts to containment. This involves identifying and isolating the threat actor within the network. The goal is to "put out the fire" metaphorically, removing any malicious software and tools the attackers may have left behind. This containment step is akin to ejecting intruders from a house, securing all entry points to prevent re-entry.

Incident notification timelines and reporting across jurisdictions

When a cyber incident occurs, the Breach Counsel manages the communication strategy. Digital forensic specialists support this process by providing the necessary data and advice, but they act within the Breach Counsel’s guidance rather than communicating independently.

Ongoing Updates and Analysis

The notification process is not a one-time event but evolves as the investigation progresses. Initial responses might be required within days, with subsequent updates as more information becomes available. This step-by-step communication strategy is crucial, particularly in jurisdictions with stringent notification requirements.

Regulatory Timelines

Different countries have varying notification timelines for cyber incidents. For instance:

India and the United Arab Emirates

Both India and the UAE have very short notification timelines. In India, the window is just 6 hours, requiring rapid responses.

Brazil

A country like Brazil has an evolving legal framework with tight notification requirements.

USA

In the United States, each state has its own notification laws, many of which are similar but with slight variations. California, for example, requires notification within 72 hours, whereas Idaho has a 24-hour timeline.

UK

The UK has a longer notification timeframe, similar to many US states. Attacks need to be reported to the Information Commissioner’s Office within 72 hours.

These differing requirements necessitate constant communication between the digital forensic team and the law firm to ensure timely and compliant notifications across various incidents.

Understanding the Incident

Not all ransomware discoveries immediately qualify as notifiable events. The digital forensics team must conduct a thorough investigation to determine the nature and extent of the breach. This process can take several weeks, while the legal team assesses whether the event meets the criteria for mandatory disclosure.

What are the most common types of incidents that require digital forensics?

Generally, digital forensics experts deal with four different types of threat actor, and there are several ways to categorise their attacks.

1. Organised Crime Groups

These financially motivated groups are often behind ransomware attacks. Their objective is to extort money through cyber crime. These criminal organisations are well known for their structured approach and financial goals.

2. Nation-State Actors

Also known as Advanced Persistent Threat (APT) actors, these groups are typically funded and supported by government agencies. Their focus is on intelligence collection and espionage rather than financial gain. These actors conduct sophisticated cyber operations to gather information about other governments, fulfilling national intelligence requirements.

3. Insider Threats

Insider threats can be categorised as negligent, accidental, or malicious. Negligent or accidental incidents are caused by individuals who unintentionally expose sensitive information through a lack of knowledge or through mistakes. Malicious attacks come from business insiders who have access to sensitive information and intentionally steal or leak data for personal gain or to benefit another organisation.

4. Initial Access Brokers (IABs)

These actors specialise in gaining unauthorised access to networks and then selling that access to other cyber criminal groups. They act as intermediaries, planting the initial "flag" in a system which can then be exploited by organised crime groups or nation-state actors mentioned above.

Incident Types

By the time a digital forensics team is called in, the initial breach has often already occurred. The experts are then tasked with investigating various incident types, such as:

Ransomware Attacks

Business Email Compromises

Insider Threats

Financially Motivated Crimes

Trade Secret and Intellectual Property Theft

The Role of Digital Forensics

Regardless of the type of incident, digital forensics experts focus on properly interpreting digital evidence. They aim to understand how data was accessed, manipulated, or moved and provide clear insights that help organisations respond effectively to the breach. This process involves meticulous analysis and often requires a global perspective due to the international nature of cyber threats.

What is your background, and how do candidates get into digital forensics?

“Kroll has a lot of people that come from the private sector, learning digital forensics out of college or other higher education, but we are definitely a blended team. A lot of them are former law enforcement. We're trained investigators, myself included. I spent about a decade with the Federal Bureau of Investigation (FBI) as a counterintelligence and cyber-focused special agent, so my whole career was focused on understanding the clues left behind by nation-state threat actors following cyber attacks. 

Before that, I owned an IT company. I had a tech background, but the FBI honed my skills in investigative work. Kroll has a real blend of expertise across tech and law enforcement. We have some incidents that end up in court, so it’s important to have people with a legal background who can effectively communicate our findings in that setting. It’s important to not be an expert in only tech or law enforcement – it’s that blend of skills that’s essential.”

What are the latest trends and what’s surprised you about digital forensics?

"In my role as a digital forensics expert, I’ve been struck by the evolving tactics of cyber criminals over the years. Twenty years ago, the focus was on defacing websites and stealing data to sell on the dark web. There was no ransomware then, just straightforward data theft. Over the past decade, we’ve seen a shift towards ransomware attacks, where criminals encrypt a company’s data and demand payment directly from the victims. 

Recently, we’ve noticed a hybrid approach emerging. While ransomware remains prevalent, there’s been a return to stealing information to sell it again. This is partly due to increased security measures and stricter insurance requirements pushing companies to improve their defences. Cyber criminals now have to adapt by refining their methods.

One surprising trend is the resurgence of social engineering tactics and ‘living off the land’ techniques. Instead of relying on malware that triggers security alerts, attackers impersonate employees to get passwords reset and gain access. For example, recent high-profile attacks involved threat actors calling security centres, posing as employees, and using basic personal information to reset passwords. This method bypasses technical defences and exploits human vulnerabilities.

It’s fascinating, albeit concerning, to see this cyclical nature of cyber crime. What we’re witnessing now is a blend of insider threats and organised crime using social engineering, reminiscent of tactics from two decades ago, but adapted to bypass modern security measures. This cycle of criminality highlights the constant need for vigilance and adaptation in our defensive strategies."

Why should businesses avoid trying digital forensics themselves?

"Kroll operates as an independent verifier of facts, aiming to help clients understand issues they may not encounter daily. As a digital forensic provider, this is our everyday work, our background, education, and training. We usually recommend that clients don’t handle these issues themselves because, eventually, they will need to answer to regulators, investors, and third parties. It’s not ideal for the team managing the network and investigating the incident to be the same. An independent third-party verifier can objectively state what happened and how it happened without any vested interest. They don't risk losing their job due to mistakes like unpatched vulnerabilities. This independence adds strength and defensibility to the findings.

Thus, clients should avoid conducting investigations themselves. If they do, they should still consider having an external third party review their work to identify overlooked aspects. This external perspective is crucial because it is our daily expertise.”

Kroll

Learn more about cyber protection

Learn more about what cyber protection we can offer your clients to ensure they have a support system in place if they are hit by a cyber incident - speak to Brit's Cyber Team today.