A case for not letting your client’s “IT Guy” do forensics…

We are now learning that the initial attempts to recover critical evidence from the San Bernardino County terrorist, Syed Rizwan Farook’s iPhone may have been hampered by the ill-advised response of the individuals that initially took custody of the now famous iPhone.  You may recall that the terrorist’s phone was owned by his employer, San Bernardino County.  Apparently, his employer, either in an attempt to recover data from the phone in the critical hours after the attack, or at the direction of the FBI, reset the iCloud account on the device and then tried to collect evidence from the phone.  This action, a well known “rookie mistake” in the forensics world, had the effect of eliminating the possibility of an “auto backup,” which would have allowed the recovery of data from the phone…the same data that the FBI is now unable to recover.  The evidence obtained in this backup could have yielded important phone call log files and contacts, the very evidence that the FBI is attempting to uncover via an Apple-assisted hack of the phone.  It is still unclear if or when Farook had disabled his iCloud backup feature, but now we may never know.

Yes, that is correct.  The real heartbreak backstory here is that the first responders to this horrible incident, with the Apple iPhone in hand, may have been able to recover critical data from the phone if they had done things right.  How?  By taking the phone to Farook’s home or workplace, (where it would have automatically performed a WiFi auto iCloud backup). The result?  If backups are still active, they typically produce call logs and other recent user activity that can provide important digital evidence.

The FBI may have ordered the phone’s owner, San Bernardino County, to reset the iPhone password in a hasty attempt to try to collect immediate information without the hassle of a subpoena, but these early actions may have had unintended consequences

Stressed business man at the office.This is not unusual.  We are often brought into engagements in which a well-intended IT person, in his initial efforts to preserve or recover critical electronic data after an incident, has inadvertently destroyed, or rendered inadmissible, the very evidence he was trying to obtain.  Perhaps he tried to install a software “patch” after a data breach attack on a server which effectively erased critical log files, or maybe he made “copies” of data on a computer’s hard drive to try to preserve it, only to learn that this “copy” was NOT a forensics image that could be authenticated in the subsequent legal proceeding.

In other examples we have encountered, IT staff members have been asked by company management to “investigate” the computer behavior of employees involved in internal investigations, only to accidentally destroy the “metadata” related to employee’s computer activity that would have helped prove management’s investigative theories.  Ouch.

These are common errors that occur in the heat of battle in all too many computer incidents.  Unfortunately, these IT  missteps can have case-destroying ramifications that can not be undone.  While it remains unclear if San Bernardino IT staff members were working on their own or at the direction of the FBI, at this point it really does not matter.

It’s About Training
We have the pleasure of working with some very fine IT folks in the course of our engagements. Most IT professionals, however, simply do not have the training, experience, or skills to do forensic work.  They have not received instruction on evidence preservation, forensics analysis, the chain of custody documentation, or electronic data authentication.  As a result, some of their good intentions cause more harm than good.  In other situations, a company’s internal IT person has a conflict of interest, (in cases, for example, in which they are being called upon to offer an opinion on how a breach may have occurred… on the very IT system they failed to secure.)

iStock_000061102178_SmallAnd Now a Word About MDM
There are also reports that San Bernardino County is getting heat for not having a Mobile Device Management (MDM) system and policy in place.  MDM software enables organizations with multiple employee-used phones to essentially register those phones within the organization’s IT systems.  This enables a centralized administrator to manage the data on the devices, secure them, and access data on them when necessary. MDM is being increasingly used by companies to manage the ever-growing amounts of company data that is often contained on mobile devices and tablets. In hindsight, MDM software would have enabled San Bernardino to pull the data from the phone with a centrally-controlled password after the incident.  It costs around $4 per phone.

The Take-Away
Bad News during vacationWhen the stakes are high, instruct your clients to “Step Away From the Computer!”  After an incident, caution them to avoid the almost irresistible temptation of “poking around” on IT systems or devices to see what electronic evidence can be recovered.  Doing so can destroy fragile digital evidence that can sometimes have a very short shelf life.

In a suspected data loss-event, for example, determining that an incident did NOT result in a reportable data breach can save a company, or their insurance company, millions of dollars in avoided remediation, customer notifications, reputational harm, and litigation.  Arriving at this conclusion requires an independent investigation conducted by a qualified forensics firm.  Call in the professionals.  I recognize, of course, that this advice may be considered self-serving…coming from a guy who owns a forensics firm.  But who wants to explain to a board of directors, law enforcement, or a grieving victim that the evidence that could have brought justice to a case was destroyed in error?