Norm Rooney, Senior Digital Forensics Consulting Manager – SaskTel
What is digital forensics exactly?
Digital forensics is the acquisition of investigational digital data, the analysis of that data, and presenting the findings of that analysis in a report. Investigational data can be found in digital devices such as computers, smartphones, mobile devices, tablets; removable media such as USB devices; and non-conventional devices such as gaming consoles. Digital forensics follows a structured and standard investigational process: Identify the data, preserve the data, analyze the data, document the findings, and present the findings in a formal report.
In what situations would a business benefit from SaskTel digital forensic services?
We can complete a threat assessment if your company has experienced a data or security breach, or if you suspect your company’s network has been compromised by malware. If you suspect intellectual property or personal identifiable information has been exported, digital forensics can help identify what data was exported and how it was exported. On a policy level, if you suspect employee misconduct and want to confirm the inappropriate use of company computers, we can analyse the computers and detail what has taken place. If you would like to baseline your computer systems, we can conduct a computer audit. SaskTel Digital Forensics is here to provide support to your investigation or incident. We can provide consulting to help you understand what has occurred and how to move forward.
How important is it for businesses to bring in professionals when these types of incidents occur?
Professionals like our group have the knowledge, experience, and tools available to assist your company. The most important factor is to not panic, but to seek advice. More harm can be done trying to fix the problem with internal resources without understanding the full scope of the situation.
What typically happens when a business engages the SaskTel digital forensic team?
Our group can be contacted directly (email DFIR@sasktel.com or call 1.844.691.1646) or through a sales consultant. However, once we get involved, we work directly with the client and ensure that privacy and security are maintained. Any information about the agreement, including a signed NDA, is kept between our group and our client. No one else at SaskTel has access to the information. In addition, any data we collect is kept on a secured server. Only our group has access to the data. The server is not connected to the internet, and it is not connected to internal SaskTel networks.
After a discussion about the problem, a statement of work is prepared that details the work to be performed and the cost of the engagement. Depending on the incident, we can obtain the relevant data overtly, or we can attend after-hours and obtain the data covertly. Most importantly, if the system has not been shut down, we will gather the RAM and run our Cyber Triage on the device before imaging the data. Once the available data is collected, the data is brought back to our secured lab and the analysis begins.
The analysis involves processing the data through court approved software. A forensic copy of the data is obtained, so the original data maintains its integrity and is never modified. Two of our main software suites are EnCase by OpenText and Axiom by Magnet Forensics. For mobile devices, Cellebrite is used. For e-discovery, Intella is used. And, for auditing and incident response, Cyber Triage is used. Once the data has been processed, the analysis begins.
The analysis depends on the incident. For example, if malware is suspected, we attempt to locate the malicious files and determine how they were accessed. If suspect files are identified, we will execute the malware in our Joe Sandbox software to determine exactly how it works. If the investigation involves employee misconduct, we focus on key dates and communication between employees. If the request involves e-discovery of email, we have Intella software that can process the PST file that allows the quick filtering and sorting of messages by date or by user. If data theft is suspected, we focus on how the data was copied and by whom. We use our experience to locate the relative artifacts to support the findings.
At the end of the analysis, a written report detailing the results of the investigation is provided to the client. We will answer any questions, provide recommendations, and support our findings in court if required.
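The answer above stresses that a forensic copy is taken so the original data is never modified. The script below is an added illustration of what that integrity guarantee looks like in practice; it is not SaskTel's code and not part of EnCase, Axiom, or any other product named here. It images a file opened read-only, hashes the source bytes as they are read, independently rehashes the finished image, and records both hashes in a custody record that can be re-checked before analysis or court. The evidence file, image name, and examiner name are constructed placeholders.

```python
"""Forensic-copy integrity check: hash the source while imaging it, rehash the
image, and keep both hashes in a chain-of-custody record.  Added illustration,
not SaskTel's code; all file names and the examiner name are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size so large images never need to fit in RAM


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image: str, examiner: str) -> dict:
    """Copy `source` to `image`, hashing the source bytes as they are read.

    The source is opened for reading only, so the copy step itself never
    writes to the original.  The finished image is then hashed independently
    and compared with the source hash; a mismatch means the image must not be
    used.  Returns a custody record suitable for the written report.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    record = {
        "source": os.path.basename(source),
        "image": os.path.basename(image),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(image: str, record: dict) -> bool:
    """Re-verify an image later (before analysis, or for court) against its record."""
    return sha256_of(image) == record["image_sha256"]


def demo() -> dict:
    """Run the workflow on a constructed sample 'disk' and return the record."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "evidence_constructed.bin")
        image = os.path.join(d, "evidence_constructed.dd")
        with open(evidence, "wb") as f:  # constructed sample bytes, not real evidence
            f.write(b"MBR" + bytes(range(256)) * 2048)
        rec = acquire_image(evidence, image, examiner="examiner-placeholder")
        rec["reverify_ok"] = verify_image(image, rec)
        with open(image, "r+b") as f:  # simulate a later one-byte change to the image
            f.seek(10)
            f.write(b"X")
        rec["tampered_detected"] = not verify_image(image, rec)
        return rec


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the source during the read rather than afterwards is that the original is touched exactly once; every later check runs against the image and the recorded digest, which is what lets an examiner show in the report that the data analysed is byte-for-byte what was collected.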
What are the main services the team provides?
The three main services are incident response, digital forensics, and auditing. If you have experienced a data or security breach, we can quickly perform incident response and determine what has occurred, what malware is persistent on your network, and what damage has been caused. For digital forensics, we can preserve all content on a business’s computer systems using overt or covert imaging, malware analysis, e-discovery, live analysis, mobile analysis, and an internet history review. We also provide auditing where we will analyze volatile data to identify high threats, persistent malware, user activity, and running processes to understand what is occurring on your systems. Our group has also provided incident response training in past years.
What is one piece of advice you have for businesses?
The most important advice I can provide is when you suspect a problem, do not turn the system off. Too much relevant data is lost when you power off the system. Instead, disconnect the system from the network and call for advice. Allowing the RAM to be captured and running a program like Cyber Triage on the system first is a huge benefit and support to the overall investigation if you decide to continue with an engagement.
So, why choose the SaskTel digital forensics team?
SaskTel Digital Forensics is local and has been providing digital forensic services to the province of Saskatchewan over the past six years. We will respond to an incident within one day of a signed statement of work. Personally, I have an investigative background and 17 years of digital forensics experience. We use court accepted software and have the necessary experience, forensics training, and the resources available to assist your company.
We understand there is a lot to digest when it comes to digital forensics so our experts are here to answer any questions you may have. Our team can be contacted directly by confidential email DFIR@sasktel.com or voice mail (1.844.691.1646). Please reach out to our consultants to continue the conversation about what our digital forensics team can do for your business.
We are committed to ensuring you have access to the services you need. Our networks, ongoing investments, experience, and experts mean your technology is reliable and resilient.