Advanced Support for Digital Investigations

Few techniques in cyber security are as mature, but also as poorly understood, as the process of digital forensics. Generally viewed by many industry observers as a “black art,” forensic investigation involves experts focusing on providing full visibility and accurate intelligence in computing environments where data might have been corrupted, lost, or mishandled. It is a difficult task and requires considerable experience and expertise on the part of the forensic investigator. And yet, with the provision of world-class tools, digital forensic experts continue to exceed expectations, supporting a range of difficult needs including support for tough litigation cases, proactive threat intelligence gathering, and compliance program management. With so much attention on digital forensics in the news lately, I thought it would be helpful for us to hear from one of the great experts in the field, my friend Patrick Dennis, CEO of Guidance Software.

EA: Patrick, has the basic role of the digital forensic investigator changed much in the past decade?

PD: I guess the high-level goals associated with digital forensics, eDiscovery, and endpoint security have not changed dramatically in the past decade, but the specific investigative techniques, the underlying platform used to support investigations, and the consequences of most forensic cases we’ve seen, have all changed pretty significantly. In our support for the investigator at Guidance Software, we try hard to maintain focus on the fundamentals – namely, providing excellent visibility into target systems and endpoints, supporting accelerated needs to surface useful facts in a super-timely manner, and adding automation to the protection of endpoints. These goals have not changed as we’ve supported so many companies – almost 80% of the Fortune 100 at last count – in these important investigative and response tasks.

EA: To what degree is the investigator dependent on technology? Is the skill and instinct of the investigator a factor?

PD: That’s an interesting question. First of all, every investigator will point to instinct as being critical to a successful engagement, whether it be forensic investigation of a cyber intrusion or an eDiscovery task for some legal matter. In every case, the skills, experience, and intuition of the investigator will play important roles. That said, it is our mission at Guidance Software for the automation to enable data visibility to help discover malware – and this obviously requires advanced algorithms and automation, and to support the entire incident response task from start to finish, managed by workflow process automation. So while everyone agrees that human skill is needed, we believe our platform provides incredible value to the end-to-end process.

EA: Do you see more cyber security teams trying to do proactive forensic investigations, perhaps to find early indicators rather than just waiting to investigate after an attack?

PD: That certainly makes sense, because proactive forensics, which is sometimes referred to as cyber hunting, is really no different if the investigator is searching for early indicators than if the investigator is searching for evidence of a persistent attack. This also helps explain our more recent focus on Guidance Software’s tools as endpoint security solutions, rather than as purely investigative support. We realized that since our tools were so good at providing visibility into operating systems, devices, and infrastructure – as the many generations of EnCase users have long known – well, these are precisely the types of requirements associated with good endpoint security.

EA: Has modern litigation changed the nature of digital forensics? I would assume that most lawyers have gotten savvier in recent years about the power of the forensic expert.

PD: Yes, there is no question about it – the legal profession has come to recognize eDiscovery and also digital investigative forensics as essential to their work. We tend to see several primary business areas growing amongst our customer base. First, as you suggest, there is the litigation support that our world-class eDiscovery tools have long assisted. But in addition, we also see significant growth in the regulatory compliance area, breach detection and response in the enterprise, internal employee investigations of insider activity, and as you’d expect – law enforcement investigations, which have always been such a proud part of our business at Guidance Software.

EA: You mentioned regulatory growth. Does compliance have any impact on forensic planning? To what degree, for example, do frameworks like PCI DSS and HIPAA affect or influence the digital investigative process?

PD: They have a dramatic influence on forensics, simply because breaches today involve loss of sensitive personal and business data. These are real business problems and the compliance and regulatory community is determined to reduce the risk. So it should come as no surprise that our EnCase platform would be such an important solution to dealing with compliance problems in the payment card industry, the health field, and many other sectors. We are so proud of our massive reach, with many tens of thousands of trained users of our platform, located around the world.