
Remote Investigations Are Here to Stay

Remote investigations will be part of corporate digital forensic workflows for the foreseeable future, so make sure you understand why and how to conduct them.

Despite well-publicized demands from CEOs and other executives, the modern workforce will almost certainly never be fully onsite again. While some surveys show remote work almost back to pre-pandemic levels, other surveys find that four to five times as many workers work remotely as did just four years ago.

Even if workers are frequently onsite, corporate network infrastructure has also evolved. Hard perimeters are largely a thing of the past, and workers frequently use their smartphones, laptops, and other devices off-network and off-VPN. Organizations must account for cybersecurity risks both inside and outside their network perimeters—and be able to investigate and remediate them immediately, wherever they occur. Whether you're concerned about malware and ransomware, data breaches, or employee malfeasance, there's a way to conduct those investigations remotely using technology like FTK Enterprise.

Why You Need to Conduct Remote Investigations

Older IT policies, such as shipping or physically bringing devices into an office for updates, patches, and repairs, aren’t viable in modern remote workplaces. The costs are high, and productivity suffers when employees must wait for critical devices to be fixed. These approaches are also impractical when dealing with insider threats, where a device could be wiped before it is ever collected.

To effectively conduct remote investigations and protect your organization’s assets, you need a complete, accurate device inventory and the ability to investigate and remediate any device upon detection of intrusion. This is enabled through a technology known as a remote digital forensics agent.

What Is a Remote Digital Forensics Agent?

Remote digital forensics agents are programs installed on organizational endpoints—such as employee computers (Mac or PC), servers, and other connected devices. These agents remain dormant in the background until needed.

When a potential threat is detected, the agent activates and collects relevant data from the endpoint. It then transmits that data back to a central forensic platform, where investigators can review, analyze, and respond to potential cybersecurity incidents.

Types of Remote Digital Forensic Investigations

Here are three common types of remote digital forensic investigations and when to use them:

  1. System Activity Logs
    System and activity logs are relatively small text files that track user activity over time—typically three to six months. On Windows and Mac systems, logs can show application usage, connected devices, internet activity, network connections, and timestamps. Mobile and wearable devices can also provide activity and location data. These are useful for investigating time theft, data exfiltration, and cyberattacks.
  2. Volatile Memory
    Volatile memory refers to data that exists only while a device is powered on, such as RAM. If the device shuts down, this data is lost. It may also include temporary data in printers, routers, or displays. Preserving volatile memory is critical in data breach and incident response investigations, followed by scanning for indicators of compromise.
  3. Full Disk and Partition Scans
    These investigations involve collecting large amounts of data, so they should be used selectively. Full disk or partition scans are useful when a comprehensive dataset is required, such as in employee exit investigations, intellectual property theft cases, or legal preservation for litigation.
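As an added illustration of the first category (this is example code, not code from the post or from FTK Enterprise): a small Python triage over constructed activity-log lines that builds a timeline, applies the retention window, and totals the bytes a user copied to a drive while a USB device was mounted there, the kind of data-exfiltration signal the post says such logs can surface. The log layout, field names and byte threshold are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines; the key=value layout is an assumption, not a real product format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice event=usb_connect serial=4C53 mount=E:
2024-05-01T09:14:40Z user=alice event=file_copy dest=E: bytes=52428800 path=roadmap.pptx
2024-05-01T09:15:02Z user=alice event=file_copy dest=E: bytes=734003200 path=customers.xlsx
2024-05-01T09:20:11Z user=alice event=usb_disconnect serial=4C53 mount=E:
2024-05-02T11:01:00Z user=bob event=net_connect dst=10.0.0.5:445 app=explorer.exe
2024-05-02T11:03:30Z user=bob event=file_copy dest=S: bytes=1048576 path=notes.txt
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_ts(s):
    """Parse a UTC 'Z' timestamp into a timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Turn each line into a dict of its key=value fields plus a parsed 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole timeline
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        ev["ts"] = parse_ts(m.group("ts"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def within_retention(events, now_iso, days=90):
    """Keep events inside the retention window (the post cites three to six months)."""
    cutoff = parse_ts(now_iso) - timedelta(days=days)
    return [e for e in events if e["ts"] >= cutoff]

def flag_removable_copies(events, threshold_bytes=100 * 1024 * 1024):
    """Return (user, mount, total_bytes) where bytes copied while a USB device was mounted exceed the threshold."""
    mounted = set()  # (user, mount) pairs with a USB device currently attached
    totals = {}      # (user, mount) -> bytes copied while attached
    for e in events:
        key = (e.get("user"), e.get("mount") or e.get("dest"))
        kind = e.get("event")
        if kind == "usb_connect":
            mounted.add(key)
            totals.setdefault(key, 0)
        elif kind == "usb_disconnect":
            mounted.discard(key)
        elif kind == "file_copy" and key in mounted:
            totals[key] += int(e.get("bytes", 0))
    return [(u, m, b) for (u, m), b in totals.items() if b > threshold_bytes]
```

Copies to a network share without a mounted USB device (bob's line) are deliberately not flagged here; extending the same pass to other destinations is a matter of adding branches.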

To learn more about remote investigations, download the Comprehensive Guide to Remote Investigation.