The State of Corporate Digital Forensics in Cybersecurity 2021 Report


MAGNET FORENSICS

Extracting experiences, unearthing insights, and pulling predictions from DFIR experts

CONTENTS

Corporate digital forensics is a relatively new and rapidly emerging domain that applies forensic science processes and an array of digital tools to use cases within corporations—from small businesses up to enormous enterprises. By surveying corporate digital forensics professionals and analyzing the results, we have created a uniquely illustrative snapshot of the state of this ever-changing domain at the end of 2020.

EXECUTIVE SUMMARY
INTRODUCTION
THE EMERGENCE OF CORPORATE DIGITAL FORENSICS
LEARNING FROM THE EXPERTS THEMSELVES
GETTING TO KNOW CORPORATE DIGITAL FORENSICS PROFESSIONALS
IN-HOUSE DIGITAL FORENSICS PROFESSIONALS
DIGITAL FORENSICS CONSULTANTS
BRINGING IN A THIRD PARTY
FORCES SHAPING DIGITAL FORENSICS
THE IMPACT OF COVID-19
CONDUCTING INVESTIGATIONS
CASES
DATA SOURCES
DAY-TO-DAY CHALLENGES IN DIGITAL FORENSICS
LOOKING AHEAD—HOW WILL DIGITAL FORENSICS CHANGE IN FIVE YEARS?
FORCES SHAPING THE FUTURE
THE ROLE OF THE CLOUD
CONCLUSIONS

EXECUTIVE SUMMARY

PEOPLE

Digital forensics professionals perform a wide range of functions and tend to be very hands on—no doubt it helps that almost two-thirds of them have experience in information technology, with many also bringing security operations and law enforcement expertise.

On average, digital forensics professionals have worked in the field for just over seven years, with consultants having slightly more experience than in-house resources.

Based on our findings, between 20% and 30% of organizations regularly bring in digital forensics consultants, most frequently to access a specialized skill or tool.

CHALLENGES

A number of forces shape the field and make it more challenging. In a year characterized by unexpected change, evolving cyberattack techniques and the extension of the official IT environment topped the list of challenges reported by DFIR professionals.

Phishing and ransomware have plagued organizations for years, but increased specialization and operationalization have made attacks easier to execute. Plus, the rapid roll-out of new IT infrastructure has created new opportunities for remote exploits.

Unsurprisingly, the COVID-19 pandemic has made digital forensics more challenging, most notably by increasing the need to perform remote acquisition from endpoints not on the corporate network—a task that is already problematic with many legacy solutions.

The biggest day-to-day challenges faced by digital forensics professionals are inaccessible data sources and budgetary constraints that limit the ability to acquire new tools.

In-house professionals felt that there are too many point solutions, pointing to a need for a forensics platform that can support the expanding IT environment and ever-growing list of evidence and artifact types.

While no doubt unforeseen barriers will arise, digital forensics professionals believe that automation and artificial intelligence both have the potential to help practitioners cope with tomorrow’s challenges.

CASES AND DATA SOURCES

In practice, DFIR professionals work a range of cases, with phishing and malware investigations being the most common, ahead of fraud, policy violations and HR-related investigations.

Gone are the days when PCs were the primary source of evidence. Organizations now have a multitude of data sources including Macs, mobile devices, cloud services and even IoT devices. Mobile devices and tablets, dead box forensic images and remote computer evidence acquired by the forensic examiner are the most frequently used types of evidence.

This variety of devices and data is creating a need for a more consolidated forensics platform that can acquire from several different sources and analyze the data in a single case file.

THE FUTURE

Looking ahead to 2025, evolving cyberattack techniques remain the largest cause of future concern, just ahead of growing data volumes.

The cloud’s impact goes beyond being a new data source: more than 90% of survey respondents believe the cloud will also have a significant impact on how digital forensics is performed in general, with forensics-as-a-service offerings seen as the most likely result.

INTRODUCTION

Digital forensics is a rapidly growing and continually evolving branch of forensic science that focuses on acquiring, analyzing and reporting on evidence from digital systems.

Although the field has existed since at least the late 1970s, it was only in the early 2000s that international standards and training programs emerged. Digital forensics has its roots in criminal law and has been embraced by law enforcement agencies as a vital investigative toolset for traditional criminal activity as well as white-collar and cybercrime.

THE EMERGENCE OF CORPORATE DIGITAL FORENSICS

In recent years, digital forensics has gained significant traction in corporate environments and, again, its applications are not limited to cybercrime. Within a corporate setting, the techniques and tools of digital forensics are applied to a wide range of case types, from incident response (IR) pertaining to high-profile cyberthreats (e.g. phishing and ransomware), to resolving personnel disputes and harassment complaints, to investigating asset misuse, data exfiltration and intellectual property theft—and much more.

As companies grow, so do their digital footprints, leading to soaring data volumes spread across wider geographies. While this growth unlocks new efficiencies and opportunities, it also introduces new complexities for digital forensics. This complexity is exacerbated by new evidence types and digital artifacts from an ever-growing collection of devices (e.g. Macs, mobile devices, the Internet of Things), applications and—increasingly—cloud services.

As the technology footprint of corporations expands, so too does the complexity of digital forensics, with new evidence types and digital

Performing digital forensics effectively requires a varied skillset that draws upon an understanding of information technology (IT), cybercrime, investigative techniques and human psychology—and remaining effective in the face of rapid technological changes demands constant evolution on the part of digital forensics practitioners.

LEARNING FROM THE EXPERTS THEMSELVES

For an occupation and field that is all about extracting insights and discovering the truth, relatively little is known about the state of digital forensics in today’s corporations. No doubt this absence of information is partly due to the practical need for secrecy around the tools and techniques of investigators—but it’s also at least partly due to a combination of a frequently changing digital forensics landscape and the simple fact that seemingly few attempts have been made to acquire, analyze and report on the field and its practitioners.

Until now, that is.

With this report, our intention is to replace assumptions and opinions with facts and data. Our goal is to provide insight to digital forensics and incident response (DFIR) professionals, the organizations that employ them and anyone else interested in this fascinating and growing domain—so they can better understand the landscape in which they operate and help drive positive change.

And who better to provide insights into the field than the practitioners themselves?

To power this report, we surveyed hundreds of DFIR professionals who work in, or provide services to, the corporate realm. To these experts, we offer our sincere gratitude for sharing their experiences, insights and predictions. We have aspired to represent their input faithfully, letting the data collectively speak for itself and providing analysis or interpretation primarily as a way to guide the reader through the findings.