As investigators or forensic professionals, surely we can all relate to the pressures we are put under when starting an investigation. The client typically wants to know how long the investigation will take, how much it is going to cost and how soon they can suspend or prosecute an employee or third party. A major input into answering these questions is knowing what evidence is available to support the investigation and how to preserve and collect it in a forensically sound manner.
In our experience, a large part of the initial investigative effort is spent just trying to understand what information is available, where it is stored, how it is maintained, who has access to it and what activity is audited. In addition, if the period under investigation extends further into the past, you have the added complexity of differentiating between legacy and current systems, and of dealing with distributed storage archives in various states of availability and maintenance.
Wouldn’t it be so much better if you did not have to reinvent the wheel each time you started an investigation, particularly if you do regular work for a long-standing, established client or you are part of an internal corporate forensic team? Imagine at the beginning of a case if you knew exactly what information was available to support the case, where it was stored, how it was maintained, what retention policies were applied, who has access to it and how it can be preserved and collected for processing.
Understanding the Risk and Data Landscape
Developing a Discovery Risk Mitigation approach together with your client, or within your own business, will allow you to be more responsive at the beginning of an investigation. You will be better equipped to identify, preserve and collect evidence, thereby reducing the risks of over- or under-collection and of spoliation. It is a higher-value strategy overall, as faster and more accurate collection reduces the cost and duration of the investigation. You will also get a clearer picture of the role players and fact patterns earlier, allowing your client to act sooner in the investigation if required.
So how do you get started with Discovery Risk Mitigation? It is a risk-based remediation approach that begins with discussing potential vulnerabilities and risks with your client. For example, which areas of the business have a risk of data breach and why? Where has theft or the misappropriation of assets recently occurred in the business? Once you have documented the risks, you then need to develop an understanding of your client’s information governance policies and associated data landscape. A large percentage of the client’s data landscape will be ROT – redundant, obsolete or trivial information. While corporates have very valid reasons to retain information for compliance and regulatory reasons, there is a trend of over-retention or a lack of action taken once a retention period has expired. Our view is that the focus should instead be on defensible deletion to reduce the costs and risks associated with the over-retention of corporate information.
Mitigating Future Risk
As mentioned, work with your client to understand their vulnerabilities, risk appetite and business processes. Gain insight into the systems and devices that support those business processes, as well as the information stored by those devices and systems. You then need to understand how that information is governed, retained, backed up, archived, disposed of and accessed. This builds into a “data map” of the client’s environment which will help you respond faster and identify information that is potentially relevant and needs to be preserved. The “data map” is a living document that should be updated periodically as the client’s risk profile, information governance policies, processes and information infrastructure change.
Being Prepared
Once the “data map” has been developed, you need to extend your client’s Discovery Risk Mitigation strategy to include a technical plan on how they can preserve and collect potentially relevant information effectively and repeatably. This requires a response process and resourcing plan with clearly assigned responsibilities and roles as well as knowledge of which technologies allow in-place preservation and collection (e.g. Microsoft 365) and what forensic tools may be required to support the preservation and collection effort.
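As an added illustration (not part of the original article, and not a Salient or Cloud Essentials tool), here is a minimal data map and triage routine in Python: given an investigation window, it lists which sources still hold relevant records, which to preserve first because their retention period is about to expire, where a gap already exists because older records have been disposed of, and whether in-place preservation is available. The systems, retention periods and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class DataSource:
    name: str
    system: str
    status: str            # "current" or "legacy"
    audited: bool          # is access to it logged?
    retention_years: int   # years a record is kept after creation
    in_place_hold: bool    # platform can preserve in place (e.g. Microsoft 365 holds)
    earliest_record: date  # oldest record still held

# Constructed sample data map for a hypothetical client; not a real environment.
DATA_MAP = [
    DataSource("Exchange mailboxes", "Microsoft 365", "current", True, 7, True, date(2018, 1, 1)),
    DataSource("Finance ERP", "SAP", "current", True, 10, False, date(2014, 6, 1)),
    DataSource("Legacy file server", "Windows 2008", "legacy", False, 5, False, date(2016, 3, 1)),
    DataSource("HR records", "SharePoint", "current", True, 3, True, date(2021, 1, 1)),
]

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def triage(data_map, start, end, today, horizon_days=90):
    """For an investigation window [start, end], return one entry per source that
    still holds in-window records: how to preserve it, whether its oldest in-window
    records reach end of retention within horizon_days (preserve these first), and
    whether part of the window is already gone (gap)."""
    plan = []
    for src in data_map:
        if src.earliest_record > end:
            continue                       # nothing left inside the window
        oldest_in_window = max(src.earliest_record, start)
        disposal = add_years(oldest_in_window, src.retention_years)
        plan.append({
            "name": src.name,
            "method": "in-place hold" if src.in_place_hold else "forensic collection",
            "at_risk": disposal <= today + timedelta(days=horizon_days),
            "gap": src.earliest_record > start,
            "legacy": src.status == "legacy",
            "audited": src.audited,
        })
    plan.sort(key=lambda e: (not e["at_risk"], e["name"]))   # at-risk sources first
    return plan

def sample_plan():
    # Constructed scenario: window 2019-2023, triaged on 1 March 2024.
    return triage(DATA_MAP, date(2019, 1, 1), date(2023, 12, 31), date(2024, 3, 1))
```

Running `sample_plan()` places the HR records and the legacy file server first, since their oldest in-window records reach end of retention within the 90-day horizon.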
An approach involving both tactical remediation and longer-term strategic mitigation, in which your clients improve their information governance and security frameworks concerning access, auditing, data classification, retention and disposition, will undoubtedly improve your investigative responsiveness over time.
Working with your client to develop a Discovery Risk Mitigation strategy will save you, the investigative firm, and your client a lot of headaches at the beginning of an investigation. You will be better equipped to respond faster and more accurately to their investigative needs, allowing you to become more competitive in the market and the de facto trusted advisor, and consequently more likely to retain clients in the long term.
Salient, together with our sister company Cloud Essentials, a Microsoft Gold Partner with a strong information governance focus, can assist you in transitioning your clients to a more proactive investigative stance… fast.