
Right, good afternoon everyone, hope you're having a wonderful BSides. My name is Kieran Craigs, I'm a digital forensic and eDiscovery specialist. I currently work for one of the big four professional services organizations here in the UK. My day job essentially is project managing teams that work on large corporate investigations involving electronic data and digital forensics. Before I go into a bit more detail, just a bit of additional background about me: I'm a graduate of Leeds Beckett, so hopefully there's some wonderful Leeds Beckett folks in the room, I'll be looking to you for some support. My career before my current position was very much a mixture of digital forensic positions and cyber investigation positions across different organizations, dealing with government and law enforcement work and of course corporate investigations as well. As you will shortly tell, there is one slide in this presentation, which has very kindly been donated by James, because believe it or not I didn't turn up to BSides this morning with a laptop or the idea that I was going to do a presentation. So I have everything on one page, so if there's anything that I don't explain well, hopefully there'll be time for questions at the end or you can come and speak to me after.

OK, so I'm going to start with a question for the audience. Hopefully there is a willing volunteer, so just put your hands up: if you had to support a corporate investigation involving electronic data in your current job, do you think you would be able to do that successfully? Brave, brave, brave. Well hopefully, I say hopefully, maybe not hopefully for you, but hopefully by the end of this presentation I might be able to change your mind slightly. We'll see. But anybody else that is very confident in their organization's security and compliance posture, please do let me know afterwards if I've given you anything to think about, and I'll be asking the same question at the end as well, so if anybody additional wants to answer, that would be fab, I'm very eager to hear whether you've learned anything by the end.

So before I go into the main portion, there's one more thing that I will throw in, which is why should you actually care about this? Corporate investigations doesn't sound particularly sexy, does it? What's the motivation, what's the benefit behind it? Well, I'll give you this example. Say you are a reasonably sized business, and one day you have a knock on the door from a regulator, and that regulator has legal powers to come into your premises and take data relating to something that they suspect may have happened. If that was to happen to you, what would be your plan? And if you weren't able to deal with that in a good way, what do you think the repercussions might be? So let's think about things like financial penalties, for example; think about breaches in GDPR, massive potential monetary penalties there. And also reputation as well: reputational damage to organizations is a really massive issue.

So the way that, certainly in my experience, we tend to deal with one of these investigations is using eDiscovery. Not many of you in the room might have heard of eDiscovery or fully know what it is, but essentially eDiscovery is the process of identifying, collecting and producing electronic information in response to a legal matter or investigation. Very helpfully, particularly for my presentation, there is a model that underpins eDiscovery called the eDiscovery Reference Model, or EDRM, that has several stages in it which essentially guide you on how you would go from identifying data that might be relevant to producing it to somebody else on the other side. So I will go through the key bits of the model just to give you all a bit more of an understanding, perhaps give you some things to consider in your own organizations, and then at the end I'm going to give you a three-point framework on how you could potentially be better prepared for one of these types of situation.

So the first step in the EDRM then is identification. Before we even do anything technical, we need to identify the data. That can range from identifying physical bits of equipment to systems as well, so a very complex IT environment, or even a simple IT environment made up of multiple systems. It doesn't have to be hardware, it can be applications. So if you think, for example, you might have some file servers over here, you might have a financial application over here; all of those are potentially very, very relevant sources of data for somebody doing an investigation. In terms of identifying those, think about your environment as a whole. So if I was to ask you what are your key production systems, could you tell me? Do you have it written down? Do you have a network map? Do you have a systems list? If you don't, you're going to have a bit of a problem. And also it's about the personnel as well: who are the personnel in that organization that hold all of that knowledge? Do we readily have access to them? Do we know who they are?

The next step is preservation. So once we've got an idea of what the systems are, how do we actually protect that data? We might have identified some systems which we think are relevant to the matter, say a fraud investigation for example, but how do we span the gap between identifying those and actually taking receipt of that data? There needs to be a middle step, and that middle step is preservation, so it's how do we protect the data. There's a few different ways that you can do that. Commonly you'll hear phrases like legal hold or litigation hold. That's essentially a technical control in a system, say like an email system for example, which stops retention policies and things like that being applied, so that data will stay in state in the system until you lift that hold. That gives you the opportunity then to decide whether that data is going to be relevant to your matter or not.

The next step is collection. So we've identified the data, we've protected it, we now need to think about how we're actually going to extract that data from the systems that we're looking at. If we take email as hopefully an easy to understand example, let's say you run your email environment in Office 365 or Microsoft 365. Microsoft 365 has a very handy eDiscovery feature where you can collect data and then export it in a very handy format. But it's not as easy as you think it is. If you think about that as a whole within your environment, actually that's a feature that requires additional licensing. So does your organization have those licenses? Do you have agreements in place to get them if you need them? Do you have roles set up in the environment so that appropriate personnel can use those features? And also, are people even trained in how to use them?

And then also I'll briefly mention digital forensics, which sometimes is a bit of a dirty word in eDiscovery. Generally eDiscovery is kind of a best endeavours type exercise, where we're doing a reasonable amount of work to try and get the data that we're looking for. In theory you'd like to do that in a full digital forensics manner, full audit trail, belt and braces, tick and tie, etc., but you don't necessarily need to do that. The one thing that I will give you as a takeaway on that point is, regardless, record keeping is very important. Particularly, think about it, you might be dealing with something inside an organization like an HR matter, things like that; keeping documentation around the process that you followed, how you've got the data, how you went about identifying it, is really important when people come to ask questions about how you did something later.

The next two I will cover sort of briefly because I want to get on to the three-point framework. The next step I've kind of muddled together, which is processing, review and analysis. That is all about, once you've got that data, how do you get it into a structured format that other people can then look at. Commonly in eDiscovery you'll do that using tools such as Nuix and Relativity and things like that. They'll essentially grab all of your data and put it into a structured format where it can be put in a review environment. One of the common products on the market is Relativity; there are others like Reveal and Axcelerate and things like that. Essentially they are quite feature-rich document review environments, so that lets some other specialist look at the contents of the documents, of the data, to make a decision about whether the material is relevant to the matter or not.

And then the last point in the EDRM is production and presentation. So thinking to the end of that process, how do we report our findings? There's lots of things that go into that. You might have proprietary types of data in your own organization that don't necessarily translate very well into just a document format, so really have a think about how you would report that data to somebody else.

So on to the three-point framework then. Very simply, the first point is knowing your data. Like I said at the beginning: who are the key contacts, what are the key production systems, and having that readily available to compliance teams, legal teams, whoever may need that information.

The second point is about retention and backups. Retention doesn't mean backup necessarily; you should really treat them separately. But retention, we're talking about what technical and administrative controls do we apply to different types of data to make sure that we're keeping it in compliance with organizational policy and legislation. So for example, if you're a financial services business, the Financial Conduct Authority says that you have to keep certain types of data between three and 10 years. So do you have a plan in place for that? Have you tested it? Are the controls there? Do they work?

And then the final point that I'll leave you on is having a plan. Having a plan is massive. You'd have a plan for any other business continuity problem, a cyber incident, whatever it may be, but you should have a plan for an investigation as well. So think about an event where you might have a dawn raid or something like that, which essentially, like I said at the beginning, a regulator or law enforcement could come in, use their legal powers and take your data. What's your plan? What would you do? Who would you contact? Where's the data? What are the key technical and administrative problems that you're going to have if that event happens? And then also, thinking about having that plan visible in the business, very much like all the other types of plan you have to deal with an incidental problem in the business, it needs to be front of mind for the people that are going to be involved in the technical delivery and administration of that.

So going back to my point at the beginning: if you had to support a corporate investigation, would you be prepared? Perhaps not looking at James this time, but somebody else. Has your answer perhaps changed from what you were thinking initially? Yeah? So do you want to give me an example of a point that you've picked up?

Audience member: Yeah, I mean I think definitely kind of around having a plan for that type of investigation. So I think you do for cyber investigations, for internal investigations, for HR investigations, but not necessarily.

Kieran: Fantastic. Was there somebody else?

Audience member: So again, planning, but also the fact that there's a lot of tools in products we already use, like Office 365, that can make this easier. Get familiar with those now rather than when somebody turns up at your door and is demanding this information.

Kieran: Yeah, and that is an excellent point. I've worked with tons of organizations where they don't have plans around this, and you start asking them about their environment, and actually, say taking the Office 365 example like you say, the tools are already there, they just don't know about it. I think having good knowledge about the products that you've got in your environment is really important, because you'll lean on them when you have a problem like this. That is the end of my time, so thank you very much for listening. My LinkedIn is on the slide, so feel free to follow and give me a message. If anybody wants to come and have a chat after, please let me know. Thank you very much.
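The record-keeping point made in the talk (documenting what was collected, from where, by whom and when, so the process can be answered for later) is easy to put into practice. The following is an added example written for this page, not code from the talk, from the speaker or from any product mentioned: it builds a collection manifest with a SHA-256 hash per item and a timestamped audit log, then re-verifies the items and records the check. The case id, collector and reviewer names, source system and sample files are all constructed placeholders.

```python
"""Collection manifest with per-item hashes and an audit trail.

Added example, not from the talk. Demonstrates the kind of record keeping
described for an eDiscovery collection: what was taken, when, by whom, and
a hash that lets anyone re-verify the items later. All identifiers below
(case id, names, source system, file contents) are constructed placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path) -> str:
    """Stream the file in 1 MiB chunks so large evidence items need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id: str, collector: str, source: str) -> dict:
    """Hash every collected item and record the collection event in the audit log."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for p in paths:
        p = Path(p)
        items.append({"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)})
    return {
        "case_id": case_id,
        "source_system": source,
        "collected_by": collector,
        "collected_at_utc": now,
        "items": items,
        "audit_log": [{"ts": now, "actor": collector, "action": "collected", "count": len(items)}],
    }


def verify_manifest(manifest: dict, actor: str) -> list:
    """Re-hash each item; return the paths that no longer match, and log the check."""
    mismatches = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists() or sha256_file(p) != item["sha256"]:
            mismatches.append(item["path"])
    manifest["audit_log"].append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": "verified",
        "mismatches": list(mismatches),
    })
    return mismatches


def demo() -> tuple:
    """Build a manifest over constructed sample files, then detect a post-collection change."""
    tmp = Path(tempfile.mkdtemp())
    mailbox = tmp / "mailbox_export.pst"      # constructed sample, not a real PST
    ledger = tmp / "finance_ledger.csv"       # constructed sample
    mailbox.write_bytes(b"constructed sample export\n")
    ledger.write_bytes(b"date,amount\n2024-01-01,100\n")

    manifest = build_manifest(
        [mailbox, ledger],
        case_id="CASE-PLACEHOLDER-001",       # placeholder case reference
        collector="collector@example.test",   # placeholder identity
        source="constructed file server",
    )
    clean = verify_manifest(manifest, "reviewer@example.test")   # expect no mismatches

    ledger.write_bytes(b"date,amount\n2024-01-01,999\n")         # simulate alteration after collection
    dirty = verify_manifest(manifest, "reviewer@example.test")   # expect the ledger flagged
    return manifest, clean, dirty


if __name__ == "__main__":
    m, clean, dirty = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before change:", clean, "after change:", dirty)
```

The manifest is deliberately plain JSON so it can be attached to the matter file and read without any tooling; every later action against the collection (verification, hand-over, export) should append to `audit_log` rather than overwrite it, which is what lets you answer "how did you get this data" months afterwards.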