By Level Legal
Level Legal Vice President of Digital Forensics David Greetham recently shared the history of his field and the rise of intellectual property theft. Now we’re moving more into the present tense: today’s 20 billion Internet of Things devices, proven ways legal professionals can protect their personal information, tips on dealing with work collaboration tools, countermeasures to outsmart generative AI deepfakes, and a rubric for choosing a trusted digital forensics partner.
Q: What’s the case for paying more attention to data today?
A: These days, we rely on technology for nearly everything. Reflecting back to the late ’80s, when forensics was just emerging, experts grappled with the intricate task of creating a forensic image of computers, desktops, or laptops. Fast forward to now, we’ve witnessed an influx of devices, especially mobile ones, and the rise of the Internet of Things. It’s estimated that there are currently 20 billion IoT devices. These connected devices exist not only in our homes but also in commercial settings.
Q: Twenty billion? Where are these devices?
A: In cities like Seattle, they’ve implemented connected trash cans equipped with sensors. When these cans are about 75 percent full, they send a notification to the recycling plant and initiate a message that indicates they are nearly full. This process then generates a collection route for the next day, optimizing where crews should go to empty the bins. Beyond merely alerting the waste collection crew, these systems notify various departments, including health and safety, about upcoming collections and the expected volume.
This concept of connected devices is not exclusive to urban management; it’s prevalent in industries like energy and healthcare. I recall a personal experience a few years ago when my eldest daughter was in labor. In the ward, there was an apparent absence of medical staff, which naturally concerned me. Upon inquiring at the nursing station, I was directed to a set of screens. These screens displayed real-time vital data: the unborn baby’s heartbeat, various health rhythms, and the mother’s vitals. All of this information came from connected devices, creating a comprehensive dashboard of the patient’s status. As new grandparents, it was fascinating to witness such technological integration in various sectors.
Q: What’s an ally in your work that many people don’t know about?
A: In your computer’s registry, there’s a feature called “shellbags.” This feature is designed to enhance user experience. For instance, if you’re on your desktop and you adjust the size or position of a folder or change the arrangement of icons, shellbags ensure that the next time you access your desktop, everything is positioned exactly as you left it. This is achieved by recording your preferences in the registry.
From a forensic viewpoint, this is particularly interesting. Even if you’ve deleted that folder, a record of it, along with your specific settings preferences, remains. Moreover, this record can also retain a list detailing the contents of that folder.
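To make the point concrete, here is an added example (not code from the interview or from Level Legal) that walks a BagMRU-style tree and shows why a deleted folder still turns up. Real shellbag data lives under `HKCU\Software\Microsoft\Windows\Shell\BagMRU` (NTUSER.DAT) and the matching key in UsrClass.dat; the tree below is a constructed stand-in with the same shape, and the shell-item layout used is the documented one for file/folder items (class type 0x3x). Paths are shortened for the sample: a real tree begins with root and volume items before any folder.

```python
import struct
from datetime import datetime
from typing import List, Optional

# Layout of a file/folder shell item (class type 0x3x), as documented for the
# Windows Shell Item format: size(2) type(1) unused(1) file size(4)
# FAT mtime date(2) time(2) attributes(2) NUL-terminated ASCII primary name.
# Long names sit in a trailing 0xBEEF0004 extension block, not decoded here.

def fat_datetime(raw: bytes) -> Optional[datetime]:
    """Decode a 4-byte FAT timestamp (16-bit date followed by 16-bit time)."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def mru_order(raw: bytes) -> List[int]:
    """MRUListEx: little-endian uint32 slot numbers, most recently used first,
    terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def parse_item(raw: bytes) -> dict:
    size, ctype = struct.unpack_from("<HB", raw, 0)
    if ctype & 0x70 != 0x30:
        return {"kind": f"other-0x{ctype:02x}", "name": "?", "mtime": None}
    attrs, = struct.unpack_from("<H", raw, 12)
    end = raw.index(b"\x00", 14)
    return {"kind": "folder" if attrs & 0x10 else "file",
            "name": raw[14:end].decode("ascii", "replace"),
            "mtime": fat_datetime(raw[8:12])}

def walk_bagmru(node: dict, parent: str, out: list) -> list:
    """Depth-first walk in MRU order. Each node mirrors one registry key:
    numbered values holding shell items, MRUListEx, NodeSlot, child keys."""
    for rank, idx in enumerate(mru_order(node.get("MRUListEx", b"\xff" * 4))):
        item = parse_item(node["items"][str(idx)])
        path = f"{parent}\\{item['name']}" if parent else item["name"]
        child = node.get("children", {}).get(str(idx))
        out.append({"path": path, "kind": item["kind"], "mtime": item["mtime"],
                    "mru_rank": rank,
                    "nodeslot": child.get("NodeSlot") if child else None})
        if child:
            walk_bagmru(child, path, out)
    return out

# --- constructed sample tree (not real registry data) ---------------------
def _folder_item(name: str, mtime: datetime) -> bytes:
    """Build a 0x31 folder item with the layout above; sample use only."""
    date = ((mtime.year - 1980) << 9) | (mtime.month << 5) | mtime.day
    time = (mtime.hour << 11) | (mtime.minute << 5) | (mtime.second // 2)
    body = struct.pack("<BBIHHH", 0x31, 0, 0, date, time, 0x10)
    body += name.encode("ascii") + b"\x00"
    body += b"\x00" * (len(body) % 2)          # 2-byte alignment
    return struct.pack("<H", len(body) + 2) + body

def _mru(*slots: int) -> bytes:
    return struct.pack(f"<{len(slots) + 1}I", *slots, 0xFFFFFFFF)

SAMPLE_BAGMRU = {
    "MRUListEx": _mru(0),
    "items": {"0": _folder_item("Projects", datetime(2023, 3, 2, 8, 0, 0))},
    "children": {"0": {
        "NodeSlot": 7,
        "MRUListEx": _mru(1, 0),   # slot 1 was opened more recently than slot 0
        "items": {"0": _folder_item("Client_Deal_2023", datetime(2023, 4, 1, 10, 12, 0)),
                  "1": _folder_item("Secrets", datetime(2023, 5, 14, 9, 30, 44))},
        "children": {"1": {"NodeSlot": 9, "MRUListEx": _mru(), "items": {}}},
    }},
}

# Constructed picture of the current file system: "Projects\Secrets" was deleted.
ON_DISK = {"Projects", "Projects\\Client_Deal_2023"}

def shellbag_entries() -> list:
    return walk_bagmru(SAMPLE_BAGMRU, "", [])

def deleted_but_recorded(entries: list, on_disk: set) -> List[str]:
    """Folders the registry still remembers although they no longer exist."""
    return [e["path"] for e in entries if e["path"] not in on_disk]

if __name__ == "__main__":
    for e in shellbag_entries():
        print(f"rank={e['mru_rank']} {e['path']:28} {e['mtime']} NodeSlot={e['nodeslot']}")
    print("deleted but still recorded:", deleted_but_recorded(shellbag_entries(), ON_DISK))
```

The NodeSlot value is the pointer into the sibling `Bags` key where the view settings (icon size, sort column, window position) for that folder are kept; on a live system both keys are read from the hive rather than from a dict as here.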
Q: We’ve talked about how companies can protect themselves from theft. What about individuals?
A: Currently, we’re witnessing increasing instances where individuals’ online communications or data are compromised. Often, cyber attackers utilize deceptive attachments or methods that might be unfamiliar to the user. This typically involves social engineering tactics.
In the past, to hack someone’s email, attackers needed direct access to their computer. Now, they just need access to the email account, often hosted on cloud servers. I’ve observed several instances this year where attackers intercepted emails, silently monitored the communications, and strategically intervened at critical moments.
A prime example involves title companies. When a property closing approaches and email exchanges contain sensitive data, an attacker might intercept an email, alter its content, and then let it proceed to its intended recipient. Visually, the manipulated email appears legitimate. There’s a case I’m aware of where individuals mistakenly wired a significant amount of money based on fraudulent instructions in such an email.
How can one safeguard against these threats? Using two-factor authentication (2FA) is now standard. It’s also advisable to frequently change passwords and even the 2FA method. Various platforms offer multi-factor authentication, text message verifications with response-time limits (mine is set to 20 seconds), or use of authenticator apps on mobile devices. Employing a combination of these measures can bolster security. I reset my passwords every two weeks.
Q: Back to companies and forensics. Did the shift to remote work post-COVID make a difference?
A: The transition to remote work hasn’t significantly altered the fundamental need to grant individuals access only to the information they require, though collaboration tools like Slack can amplify the challenge. When employees handle highly sensitive data from home, it’s crucial to enforce stringent security measures regarding data transfer and local storage. If litigation arises, retrieving data from an individual’s personal device poses a hurdle for legal teams. Hence, it’s imperative to have clear protocols in place.
One of our customers, for instance, allows employees to view sensitive information on their screens but restricts any attempts to screenshot or print. Any effort to take a screenshot results in an automatic blur. This strategy ensures data protection while still enabling team members to access the necessary information for their tasks.
Q: Since you mentioned Slack, how have work collaboration tools shown up in forensics?
A: Certainly, while earlier discussions on IP theft often portrayed it as an individual act, we’ve observed groups engaging in such activities. They frequently use collaborative tools, including ephemeral messaging, under the impression it offers them complete protection. This can lead to a misplaced sense of security. Some might rely heavily on end-to-end encryption, mistakenly believing it’s impenetrable. However, if someone has access to the device, the encryption can be bypassed.
In more extensive investigations, we’ve noticed entire business sections collaborating, potentially motivated by dissatisfaction with bonuses or the allure of better opportunities elsewhere. When it comes to collaborative platforms like Teams and Slack, data collection methods remain largely consistent. The main challenge is determining what data is relevant for review and presenting it coherently to the customer.
Q: What else should organizations do to protect themselves?
A: Urgent software updates, often termed “zero-day patches,” indicate immediate threats. However, I’ve noticed that many users tend to procrastinate when prompted to install these patches. They often delay by thinking they’ll handle it “tomorrow,” which isn’t advisable. These updates exist for a reason. Software inherently has imperfections and will never be flawless. Continuous updates are part of managing these imperfections.
There’s a prevalent concern that installing one patch might disrupt another software function. Hence, some users delay updates to see if others report issues online. But in most cases, it’s crucial to apply these patches promptly as they’re designed to guard against threats, especially when malicious actors are keenly trying to breach systems.
Q: There’s a lot of buzz about how generative AI deepfakes will make digital forensics more difficult, if not impossible. What’s your take?
A: Over the years, one constant challenge has been validating evidence authenticity. In many ways, deepfakes present a familiar challenge. Whether it’s a video where someone’s face has been manipulated or an audio recording that’s been altered, these deceptive practices aren’t entirely new. In fact, for the past 10 to 15 years, there have been attempts to alter voice recordings. For example, in the context of a recorded stock trade, someone might claim he didn’t authorize a particular transaction. By examining data patterns, one can often detect alterations.
Recently, this issue has surfaced with law enforcement body cams. The methodology to identify manipulations in such recordings is similar to that used for detecting deepfakes. Given the volume of data, especially with devices that might hold tens of thousands of images or thousands of videos, manual inspection isn’t feasible. As a result, we’re developing semi-automated technology to flag potential manipulations based on the binary data of the file, not its visual content. The challenge is that the quality of some deepfakes is so high, distinguishing them from genuine content is increasingly difficult.
Q: So, few worries about generative AI and forensics?
A: Not really. For instance, when given prompts like a scenic image of a log cabin, mountains with snow, rivers, and streams, it produces impressive results. However, there are anomalies; like when I tried to generate an image of a sports person playing soccer and the result was a figure with three legs. While not conventional, it could hypothetically be an advantage in soccer.
That said, AI technology has potential in forensics. The ability to detect irregularities or patterns in data is invaluable. Data is typically written and stored in a specific sequence, so any deviation, whether in deepfakes or other data manipulation, can indicate deception.
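The "specific sequence" idea in the two answers above can be shown on a file format without looking at a single pixel. The following is an added example, not the semi-automated tooling described in the interview: it walks the marker structure of a JPEG (SOI, APPn, DQT, SOF, DHT, SOS, entropy-coded data, EOI) and flags structural deviations that an encoder does not produce on its own, such as bytes appended after the end-of-image marker or a metadata segment inserted after the codec tables. The three inputs are constructed byte strings that are structurally valid JPEGs but do not decode to a real picture; the ordering rule used for the APPn check is a heuristic, since encoders write application segments immediately after SOI.

```python
import struct

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))   # markers with no length field
CODEC_TABLES = {0xDB, 0xC0, 0xC2, 0xC4}                     # DQT, SOF0, SOF2, DHT

def jpeg_segments(data: bytes) -> list:
    """Walk the marker structure: [(marker, offset, total_length)] in file
    order, plus a final ("TRAILING", offset, nbytes) entry for bytes after EOI."""
    segs, pos, saw_eoi = [], 0, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte, legal before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segs.append((marker, pos, 2))
            pos += 2
            if marker == 0xD9:
                saw_eoi = True
                break
            continue
        length = struct.unpack_from(">H", data, pos + 2)[0]   # includes itself
        segs.append((marker, pos, length + 2))
        pos += 2 + length
        if marker == 0xDA:                  # SOS: entropy-coded data follows
            # Inside the scan FF 00 is a stuffed byte and FF D0-D7 a restart
            # marker; any other byte after FF starts the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    if saw_eoi and pos < len(data):
        segs.append(("TRAILING", pos, len(data) - pos))
    return segs

def analyse(data: bytes) -> dict:
    """Structural findings only; nothing here looks at image content."""
    segs = jpeg_segments(data)
    markers = [m for m, _, _ in segs]
    findings = []
    if markers[0] != 0xD8:
        findings.append("does not start with SOI")
    if 0xD9 not in markers:
        findings.append("no EOI marker (truncated or not a complete JPEG)")
    if markers.count(0xD8) > 1:
        findings.append("more than one SOI (embedded or concatenated image)")
    trailing = [s for s in segs if s[0] == "TRAILING"]
    if trailing:
        findings.append(f"{trailing[0][2]} bytes after EOI")
    first_table = next((i for i, m in enumerate(markers) if m in CODEC_TABLES), None)
    if first_table is not None and any(isinstance(m, int) and 0xE0 <= m <= 0xEF
                                       for m in markers[first_table:]):
        findings.append("APPn segment after codec tables (out of usual writer order)")
    app_ids = []                            # which writers/editors left metadata
    for m, off, ln in segs:
        if isinstance(m, int) and 0xE0 <= m <= 0xEF:
            ident = data[off + 4:off + 4 + min(ln - 4, 16)].split(b"\x00")[0]
            app_ids.append(f"APP{m - 0xE0}:{ident.decode('latin-1')}")
    return {"markers": [m if isinstance(m, str) else f"FF{m:02X}" for m in markers],
            "app_ids": app_ids, "findings": findings}

# --- constructed samples (structurally valid, not decodable pictures) ------
def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
APP1 = _seg(0xE1, b"Exif\x00\x00" + b"\x00" * 8)
DQT = _seg(0xDB, b"\x00" + bytes([1] * 64))
SOF0 = _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
DHT = _seg(0xC4, b"\x00" + b"\x01" + b"\x00" * 15 + b"\x00")
SOS = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
SCAN = b"\x12\xff\x00\x34"                  # contains a stuffed FF 00, not a marker

ORIGINAL = SOI + APP0 + DQT + SOF0 + DHT + SOS + SCAN + EOI
APPENDED = ORIGINAL + b"hidden payload after EOI"
REORDERED = SOI + APP0 + DQT + APP1 + SOF0 + DHT + SOS + SCAN + EOI

if __name__ == "__main__":
    for name, blob in [("original", ORIGINAL), ("appended", APPENDED), ("reordered", REORDERED)]:
        r = analyse(blob)
        print(name, r["markers"], r["app_ids"], r["findings"] or "no structural findings")
```

A clean file yields no findings; the other two are flagged from the byte layout alone. In practice this kind of check is a triage filter run across thousands of files, with the flagged ones handed to a human for the closer look that high-quality deepfakes still require.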
Q: Should organizations outsource forensics work?
A: Some organizations like to handle the work on their own. I’d suggest they watch out for what some refer to as “push-button forensics.” Here, individuals – sometimes even those with a basic understanding of computers or those transitioning from other careers – might buy a forensics tool, undergo minimal training, and assume they’re equipped for digital forensics consulting. However, simply running a tool and presenting an overwhelming amount of data to a customer isn’t sufficient.
Digital forensics goes beyond just using technology. While the latest tools can expedite our search for relevant facts, the true value lies in the interaction with the customer. This involves understanding their specific needs and being able to explain findings in layman’s terms, ensuring they’re comprehensible to customers, judges, juries, or in arbitrations. After all, discussions about binary code and intricate encryption methods might not be universally understood or appreciated.
Interested in learning more about our award-winning digital forensics? Contact us today.