Remote Investigations Are Here to Stay
By Tim Rollins
Despite well-publicized demands from CEOs and other executives, the modern workforce will almost certainly never be fully onsite again. While some surveys show remote work almost back to pre-pandemic levels, other surveys find that four to five times as many workers work remotely as did just four years ago.
Even if workers are frequently onsite, corporate network infrastructure has also evolved. Hard perimeters are largely a thing of the past, and workers frequently use their smartphones, laptops, and other devices off-network and off-VPN. Organizations must account for cybersecurity risks both inside and outside their network perimeters–and be able to investigate and remediate them immediately, wherever they occur. Whether you're concerned about malware and ransomware, data breaches, or employee malfeasance, there's a way to conduct those investigations remotely using technology like FTK Enterprise and modern investigatory processes.
Why You Need to Conduct Remote Investigations
Older IT policies, such as shipping or physically bringing devices into an office for updates, patches, and repairs, aren’t viable in modern remote workplaces. The costs of shipping or bringing a device into an office are invariably high, especially considering the lost productivity when a worker has to wait for repairs to a critical device. These policies are completely impractical to address potential insider threats, who may wipe the device, destroying valuable evidence of wrongdoing.
One of the truisms of cybersecurity is that organizations need to protect all their devices all the time, but bad actors only have to break through once to compromise the entire network’s security. To effectively conduct remote investigations and protect your organization’s assets, you need a complete, accurate device inventory and the ability to investigate and remediate any device upon detection of intrusion with a technology known as a remote digital forensics agent.
What Is a Remote Digital Forensics Agent?
Remote digital forensics agents are programs that can be installed on all of an organizations “endpoints,” such as employees’ computers, whether Macs or PCs, servers, and any other device that connects to the company network. The remote agent sits dormant in the background on each endpoint, and waits until it is called upon to gather data from the endpoint.
When cybersecurity software detects an intrusion or other indicators of malfeasance, the agent is activated. Then it transmits data back to a central installation of enterprise digital forensics software, where an IT analyst or digital forensic investigator can review, analyze, and remediate cybersecurity risks.
Types of Remote Digital Forensic Investigations
Here are three types of digital forensic investigations and some types of cases where you'd want to consider using them.
- System Activity Logs: System and activity logs are relatively small and easy to collect text data files that track user activity on a remote device over a period of time, usually three to six months. On Windows and Mac computers, system logs capture a timeline of the user’s actions, allowing an investigator to see every application the user opened, any external devices they connected to their computer, what Internet activity the user performed, which network the user was connected to, and at exactly what time this activity occurred. Smartphones and wearable devices like the Apple Watch or FitBit capture user activity levels and locations throughout the day in their native health data logs, as well. These investigations can be useful for time theft, data exfiltration, and cyber attack cases.
- Volatile Memory: Volatile memory is any data storage that only lasts as long as a device is powered on. If the device powers down, the data is lost. Volatile memory may include things like computers’ RAM and the data stored in printers, routers, and local LCD displays. Make sure to preserve volatile memory data for data breach or incident response investigations and then conduct network scans for other indicators of compromise (IoCs).
- Full Disk and Partition Scans: Since these types of investigations require large amounts of data to be transmitted remotely, evaluate whether you need them before embarking on this type of investigation. You'll want to scan a full hard drive or a complete logical partition of a drive to preserve a comprehensive body of evidence if you’re not able or not certain what you need to look for, such as in routine investigations of dismissed employees, possible intellectual property infringements, or for legal preservation for potential litigation.
To learn more about other types of investigations, as well as tips, tricks, and technical overviews for all these types of investigations, download our new Exterro quick guide, Conducting Remote Digital Forensic Investigations!