Remotely recovering digital evidence from off-network devices

Modern digital investigations are difficult, time-consuming and complex to conduct. They often involve many systems and devices spread across geographical boundaries and locations, and may involve local or national law enforcement or regulatory bodies.

Three trends in particular create a perfect storm for investigators today:

1. Proliferation of endpoint devices

The number and type of endpoints that organizations must manage and secure continues to rise. That means not only traditional computers and laptops but mobile devices, wearables and smart IoT sensors on the edge of the network. A large enterprise with 100,000 employees could easily have 250,000 endpoints to manage and secure. And any of those endpoint devices could contain vital digital evidence.

2. Remote working and off-network devices

The trend towards increased remote working has been accelerated by the COVID-19 pandemic. For many organizations this will be a permanent change to a hybrid workforce where employees use their computers and mobile devices across the home, co-working spaces, local office outposts and corporate headquarters. As a result, more devices will be increasingly off-network, making them difficult for investigators to physically access to recover and preserve evidence.

3. Regulatory and legal risks

Investigators have a lot of ground to cover across different types of investigation, such as employee separation, fraud, employee misconduct, IP theft, breach response and more. And governing bodies and regulators are increasingly adding protections and mandates that involve digital investigation capabilities. GDPR, PCI-DSS and Sarbanes-Oxley (among others) all include requirements that necessitate the collection and analysis of digital data to maintain compliance.

If investigators cannot access a device, or reach an incorrect conclusion because too little information was recovered, the ability to produce defensible findings that satisfy regulators, law enforcement and courts is put at serious risk.

How to tackle these investigation roadblocks

To meet the stringent requirements of modern investigations, complete visibility and access to enterprise endpoints is a necessity, no matter the location, device or file type.

Investigators need to be able to access off-network devices discreetly without alerting a suspect, to avoid evidence being tampered with or deleted. And they need to be able to deal with new encryption technologies, such as T2 on Apple devices, and also search across cloud and content repositories.

Investigate everywhere with OpenText EnCase

OpenText EnCase Endpoint Investigator allows you to fully investigate any endpoint regardless of the operating system, cloud source, encryption technology or artifact type.

Critically, the enhanced agent in EnCase Endpoint Investigator can collect data from off-network stores locally, and transmit investigation data the next time the device connects to the network. The agent sits at the kernel of the machine and remains idle and inactive until it is called upon for an investigation. If an endpoint drops offline mid-job the agent can finish the collection job locally in the free space of the target machine.
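The collect-locally, transmit-later behaviour described above is the same store-and-forward pattern that any offline evidence collector needs, and the part that matters for defensibility is integrity checking at each hop. The following is an added example, not OpenText or EnCase code: it stages target files locally with a SHA-256 manifest, does nothing while a connectivity check fails, and forwards the staged copies only after re-verifying them against the manifest so that tampering with the staging area while the endpoint was offline is detected rather than silently passed along. The directory layout, the manifest format and the `is_online` callback are assumptions made for this example; the real agent's on-disk format and the EnCase Evidence file format are not reproduced.

```python
# Added example (not OpenText/EnCase code): a minimal store-and-forward
# evidence collector. Directory names, the manifest layout and the
# is_online callback are assumptions made for this illustration.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name for the staging manifest


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence items need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_locally(targets, staging_dir: Path) -> dict:
    """Copy each target into staging and verify the copy against the source hash."""
    staging_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"items": []}
    for target in map(Path, targets):
        source_hash = sha256_file(target)
        staged = staging_dir / target.name
        shutil.copy2(target, staged)  # copy2 preserves file timestamps
        if sha256_file(staged) != source_hash:
            raise IOError(f"copy of {target} did not verify")
        manifest["items"].append({
            "source": str(target),
            "staged": staged.name,
            "sha256": source_hash,
            "size": staged.stat().st_size,
        })
    (staging_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def forward_staged(staging_dir: Path, sink_dir: Path, is_online) -> list:
    """Forward staged items to the sink once online; return the names forwarded.

    Every item is re-hashed before transfer so that a staged copy altered
    while the device was offline is rejected instead of being forwarded.
    """
    if not is_online():
        return []  # stay idle; manifest and staged copies remain on disk
    manifest = json.loads((staging_dir / MANIFEST_NAME).read_text())
    sink_dir.mkdir(parents=True, exist_ok=True)
    forwarded = []
    for item in manifest["items"]:
        staged = staging_dir / item["staged"]
        if sha256_file(staged) != item["sha256"]:
            raise IOError(f"staged item {item['staged']} no longer matches manifest")
        shutil.copy2(staged, sink_dir / item["staged"])
        forwarded.append(item["staged"])
    shutil.copy2(staging_dir / MANIFEST_NAME, sink_dir / MANIFEST_NAME)
    return forwarded


def demo(root: Path) -> dict:
    """Run the whole flow against constructed sample files under `root`."""
    evidence = root / "evidence"
    evidence.mkdir(parents=True, exist_ok=True)
    (evidence / "notes.txt").write_bytes(b"constructed sample evidence\n")
    (evidence / "log.bin").write_bytes(bytes(range(256)) * 4)
    staging, sink = root / "staging", root / "sink"
    manifest = collect_locally([evidence / "notes.txt", evidence / "log.bin"], staging)
    offline = forward_staged(staging, sink, lambda: False)  # nothing leaves the device
    online = forward_staged(staging, sink, lambda: True)    # link restored: forward
    return {"manifest": manifest, "offline": offline, "online": online}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(demo(Path(tmp)), indent=2))
```

The hash recorded at collection time is the value an examiner would later compare against the received copy, which is what makes a deferred transfer defensible: the chain of custody does not depend on the network link having been up at the moment of collection.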

Encryption support also allows investigative teams full access to encrypted drives and Apple devices secured with the T2 chip. The EnCase Mobile Investigator add-on allows you to collect from and review the widest variety of mobile devices to find evidence within text messages, emails, call records, associated cloud repositories, internet history, photos, application data and deleted data. And Media Analyzer for EnCase uses AI to reduce the manual effort involved in identifying images and videos containing visual threats.

Not only do these capabilities allow comprehensive collection and access to all relevant endpoint data, they also reduce investigation time, speed up evidence processing, maintain discretion and deliver defensible results that meet the investigative requirements of governing bodies. And evidence is preserved in the industry-standard EnCase Evidence file format, proven forensically sound and accepted in courts worldwide.

Download the white paper ‘Investigate Everywhere with OpenText EnCase’ to find out how you can conduct investigations with comprehensive access to cloud, mobile and endpoint evidence.
