Remotely recovering digital evidence from off-network devices


OpenText Security Cloud Team

August 13, 2020, 4 minutes read

Modern digital investigations are difficult, time-consuming and complex to conduct. They often involve many systems and devices spread across geographical boundaries and locations, and may involve local or national law enforcement or regulatory bodies.

Three trends in particular create a perfect storm for investigators today:

1. Proliferation of endpoint devices

The number and type of endpoints that organizations must manage and secure continues to rise. That means not only traditional computers and laptops but mobile devices, wearables and smart IoT sensors on the edge of the network. A large enterprise with 100,000 employees could easily have 250,000 endpoints to manage and secure. And any of those endpoint devices could contain vital digital evidence.

2. Remote working and off-network devices

The trend towards increased remote working has been accelerated by the COVID-19 pandemic. For many organizations this will be a permanent change to a hybrid workforce where employees use their computers and mobile devices across the home, co-working spaces, local office outposts and corporate headquarters. As a result, more devices will be increasingly off-network, making them difficult for investigators to physically access to recover and preserve evidence.

3. Regulatory and legal risks

Investigators have a lot of ground to cover across different types of investigation, such as employee separation, fraud, employee misconduct, IP theft, breach response and more. And governing bodies and regulators are increasingly adding protections and mandates that involve digital investigation capabilities. GDPR, PCI-DSS and Sarbanes-Oxley (among others) all include requirements that necessitate the collection and analysis of digital data to maintain compliance.

If investigators cannot access a device, or obtain an incorrect result because too little information was recovered, this poses a huge risk to producing the defensible findings that may be needed to satisfy regulators, law enforcement and courts.

How to tackle these investigation roadblocks

To meet the stringent requirements of modern investigations, complete visibility and access to enterprise endpoints is a necessity, no matter the location, device or file type.

Investigators need to be able to access off-network devices discreetly without alerting a suspect, to avoid evidence being tampered with or deleted. And they need to be able to deal with new encryption technologies, such as T2 on Apple devices, and also search across cloud and content repositories.

Investigate everywhere with OpenText EnCase

OpenText EnCase Endpoint Investigator allows you to fully investigate any endpoint regardless of the operating system, cloud source, encryption technology or artifact type.

Critically, the enhanced agent in EnCase Endpoint Investigator can collect data from off-network stores locally, and transmit investigation data the next time the device connects to the network. The agent sits at the kernel of the machine and remains idle and inactive until it is called upon for an investigation. If an endpoint drops offline mid-job the agent can finish the collection job locally in the free space of the target machine.

Encryption support also allows investigative teams full access to encrypted drives and Apple devices secured with the T2 chip. The EnCase Mobile Investigator add-on allows you to collect from and review the widest variety of mobile devices to find evidence within text messages, emails, call records, associated cloud repositories, internet history, photos, application data and deleted data. And Media Analyzer for EnCase uses AI to reduce the manual effort involved in identifying images and videos containing visual threats.

Not only do these capabilities allow comprehensive collection of and access to all relevant endpoint data; they also reduce investigation time, speed up evidence processing, maintain discretion and deliver defensible results that meet the investigative requirements of governing bodies. And evidence is preserved in the industry-standard EnCase Evidence file format, which is proven forensically sound and accepted in courts worldwide.

Download the white paper ‘Investigate Everywhere with OpenText EnCase’ to find out how you can conduct investigations with comprehensive access to cloud, mobile and endpoint evidence.
