Digital Forensics Guide — Steps to Investigate a Data Incident

You don’t have to be a cyber security expert to competently and thoroughly investigate a digital incident.

You do have to understand how such investigations work, however — in general terms, at least. And you need to have digital security experts on your side — if not on your internal team, then at least on call to come to your aid at a moment’s notice.

Such situational awareness and commitment to proactive response helped organizations like Asiaciti Trust manage the fallout of the Pandora Papers, a significant data intrusion disclosed in 2021. Other organizations have done the same in response to similar past incidents, and will no doubt do so for future incidents as well.

So, how should your approach to digital forensics look? Follow these steps to investigate and move on from an unwanted cyber event.

1. Confirm That the Event Actually Occurred

This might seem beside the point if you’re “sure” an intrusion occurred, but you still need to check this box. And the answer to this question — did this data event really occur — could surprise you.

That’s because sophisticated threat actors are adept at covering their tracks. They may leave few if any clues about their activities, even if they’ve spent weeks or months inside a computer network. Indeed, Asiaciti Trust and other companies affected by the Pandora Papers could find no clear evidence of system compromise, suggesting the information release occurred by other means.

The best party to definitively determine whether a data event has occurred is a professional data forensics team. 

2. Determine the Scope and Scale of the Event

Once it’s confirmed, a professional data forensics team is also the best party to determine the scope and scale of an adverse data event. You’ll want your team to investigate:

  • Which systems and networks were affected
  • Which corporate divisions or functions were involved
  • Whether any information was corrupted
  • Whether any information was copied
  • How many individuals were affected (and need to be notified), whether employees, customers, or others

3. Try to Reconstruct the Event

It’s not always possible to reconstruct a data event, blow for blow. But you and/or your data forensics team should do your best to fill in as much detail as possible, including:

  • The origin of the event
  • How the compromise occurred, if any
  • The means by which information was corrupted, copied, or removed
  • Any internal stakeholders involved in the event
  • How the event ended, or its current status if it remains in progress

4. Build a Theory of the Case

Your event reconstruction should help you build a working theory of what happened and who might be responsible. This second part is critical if you plan to involve law enforcement in the investigation, or if law enforcement is already involved at the request of other affected parties. You should expect that private and government-affiliated investigators will request interviews with people on your team, and you’ll want them to be prepared to share what they know (and what they believe) about what occurred.

5. Expel Any Intruders and Begin Repairing Damaged Systems

Often, data incidents are discovered while they’re still in progress. If you find yourself in this position, your digital forensics team will need to expel the intruders or take other measures to secure your systems from further harm. Depending on the team’s capabilities and the nature of the event, it’s possible you’ll need to retain a separate cyber defense unit. In any event, only after the threat has passed can you begin repairing damaged systems and restoring lost or corrupted data.

6. Notify Affected Parties

At some point, you’ll need to notify any individuals or entities affected by the data event. Retain legal counsel before doing so and wait to make nonrequired disclosures until all investigations have run their course. Otherwise, you could compromise said investigations.

7. Effect a Return to Normalcy

At some point, the data event will be over and the investigations into its origins will be far enough along that you’ll be ready to return to business as usual. This means winding down your crisis response efforts and refocusing resources on normal business activities. But it could represent something of a sea change for an organization accustomed to being on war footing, so you’ll need to plan for it carefully and move gradually.

Prevention Isn’t Always Possible

If we’ve learned anything from the data incidents that affected Asiaciti Trust, Home Depot, and other global firms, it’s that preventive measures offer no guarantees. Sophisticated, determined threat actors very often get what they want, one way or another.

That’s why digital forensics is so important. If we can’t prevent the next intrusion, at least we can make sense of it — and, hopefully, assign blame.