Lawyers Ask Forensics Investigators for Help Outside Cybersecurity

Attorneys are increasingly realizing that forensics investigators have skills analyzing documents and uncovering digital clues that could help them in non-cybersecurity cases.

Digital forensics investigators are meticulous sleuths, and their skills are increasingly being sought after outside of cybersecurity to help corporate and outside counsels with tasks such as document authentication. With the growing number of data breaches and intellectual property thefts, cybersecurity experts getting involved in e-discovery, fraud cases, and other legal disputes is not as unusual as it used to be.

Attorneys and traditional investigators may not be as skilled in understanding risk and personally identifiable information, says Aravind Swaminathan, a partner at Orrick, Herrington & Sutcliffe LLP. It is the ability to see things as being something other than how they appear that sets apart a cybersecurity investigator from traditional private investigators.

For example, a simple e-discovery analysis turned into something far more when a lawyer questioned the authenticity of a document, says J-Michael Roberts, a forensics expert for Law and Forensics, a legal engineering firm. In that instance, the data on the document seemed off; a deep dive into the document metadata and a full analysis of the computer on which it was created revealed the document had been doctored. Artifacts uncovered in a forensic search of the system proved the document and much of its content were added at different times and brought together to make the composite document.

"[It] went from a simple contract dispute essentially into a very large and significant matter where one side was actively working to defraud the other," Roberts says.

Bringing a Different Perspective

According to Steven Hailey, an instructor on digital forensics at Edmonds College in Lynnwood, Wash., forensics investigators can uncover evidence that turns simple cases into serious crimes. A dispute over a family business following the death of the patriarch and owner centered on the authenticity of contemporaneous notes of discussions about the future of the business. The resulting forensics investigation discovered that the documents were not created at the time they appeared to have been made, and artifacts in the documents and computers showed the documents had been manipulated.

"To the average person, it would look foolproof – all these documents in chronological order," Hailey says. "We have an expert understanding of the evidence left behind when data is created, manipulated, stored, and moved throughout an organization. This expertise often uncovers important but disparate data sets in an investigation that would have otherwise gone unnoticed or considered unimportant to the matter at hand."

Helping Boards Understand Incidents

Unlike a major incident, such as an airplane crash, where the event occurs and then is done, cyberattacks are ongoing, and it takes a while to even pinpoint what the event actually is. Even after the defenders manage to remove the adversaries, there is still the possibility of a follow-up attack or that the attackers were not completely removed in the first place. Forensics experts must make decisions on imperfect information, which is why CISOs run tabletop exercises to prepare boards for incident responses.

Boards fail to understand that organizations are judged on their responses to a breach, not the breach itself. Having the right team in place for incident response, including the forensic teams working with the attorneys, is crucial to responding appropriately.

"The notion that there's answers, that we will find out what happened, and we'll find out quickly, is a challenge that boards have because sometimes there are no answers, and we sometimes don't find out quickly," says Swaminathan.

About the Author

Stephen Lawton, Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC.
