6 reasons your next Digital Investigations Lab should be in the cloud
Are you considering setting up digital investigation systems but still undecided? Look no further: read on to see how these systems can save you from your worst nightmare!
What are Digital Investigations Labs?
Digital Investigations Labs are infrastructures consisting of the locations, networks, devices, software and procedures required to perform Digital Forensics, investigations and eDiscovery. Traditionally, these labs have been very costly to set up and require dedicated personnel to manage in an on-premises environment. Now, in the cloud age, new opportunities are available that dramatically reduce many of the challenges of such labs.
Here are 6 of the most important opportunities, describing why these infrastructures are worth investing in.
Enabling users to work from anywhere at any time
Needless to say, the Corona epidemic has stirred the pot in terms of traditional workplace perspectives. Now, most managers and employees in both enterprise and government agree that working from home to some degree is positive. For Digital Forensics and eDiscovery specialists, managing enormous amounts of data and forensic processing often means a lot of waiting for technical staff. Depending on the employee's work style, this waiting time can be used for private activities during traditional working hours, returning to work later in the day once processing has finished and analysis can take place. For non-technical investigators and document reviewers, the ability to sit in the quiet confines of a home office makes it easier to dive into the matter with full focus and no distractions.
Many Digital Investigations Labs are either air-gapped or closed to access by employees working from home. Enabling external access, either through VPN or other internet gateways, is often very complicated without compromising the security of the rest of the corporate network or of evidential data.
With your Digital Forensics/eDiscovery Lab in the cloud, it becomes much easier to set up access for employees and external parties to the relevant parts of the Lab. You leverage security measures that are proven for even the most sensitive activities. You can, for example, restrict users to accessing only from approved devices and only from office or home locations, using either IP-address or geolocation filtering. You can limit lab work to remote desktop only, so that files cannot be taken out of the lab without going through a file interface with better auditing than normal file-system copy operations.
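The access rules just described (approved device, office or home network or an allowed country via geolocation, and remote-desktop-only sessions) can be expressed as a small policy check that also emits a structured audit record. The example below is added here for illustration; it is not code from the article or from Avian, and the networks, country codes and device IDs are constructed placeholders. The geolocation result is assumed to be supplied by whatever lookup the gateway already performs.

```python
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy for a hypothetical cloud lab. The CIDRs are documentation
# ranges (TEST-NET-2/3) and the device IDs and countries are placeholders.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HOME_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_COUNTRIES = {"DK", "SE"}
APPROVED_DEVICES = {"LAB-LAPTOP-001", "LAB-LAPTOP-002"}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    source_ip: str
    country: str       # ISO country code from the gateway's geolocation lookup (assumed)
    session_type: str  # "rdp" for remote desktop, "file" for direct file access


def evaluate_access(req, allowed_devices=APPROVED_DEVICES,
                    networks=OFFICE_NETWORKS + HOME_NETWORKS,
                    countries=ALLOWED_COUNTRIES):
    """Return (allowed, reason). All three rules must hold:
    approved device, location by IP range OR geolocation, remote desktop only."""
    if req.device_id not in allowed_devices:
        return False, "device not approved"
    ip = ipaddress.ip_address(req.source_ip)
    in_known_network = any(ip in net for net in networks)
    if not in_known_network and req.country not in countries:
        return False, "source outside office/home networks and allowed countries"
    if req.session_type != "rdp":
        return False, "only remote-desktop sessions permitted; direct file access denied"
    return True, "ok"


def audit_record(req, allowed, reason, now=None):
    """Build a structured audit event for the decision, suitable for a SIEM.
    Denials are recorded as well as grants so that probing is visible."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "timestamp": ts,
        "user": req.user,
        "device_id": req.device_id,
        "source_ip": req.source_ip,
        "country": req.country,
        "session_type": req.session_type,
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }


def handle(req, now=None):
    """Evaluate a request and return the audit record as a dict (json.dumps it to ship)."""
    allowed, reason = evaluate_access(req)
    return audit_record(req, allowed, reason, now)


if __name__ == "__main__":
    # Constructed sample requests: one from the office over RDP, one direct file pull.
    for r in [AccessRequest("alice", "LAB-LAPTOP-001", "203.0.113.10", "DK", "rdp"),
              AccessRequest("alice", "LAB-LAPTOP-001", "203.0.113.10", "DK", "file")]:
        print(json.dumps(handle(r)))
```

The location rule deliberately passes when either the IP range or the country matches, mirroring the "IP-address or geolocation" wording; a stricter lab would require both.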
No upfront investments
Digital Forensics and eDiscovery are all about sifting through large amounts of data quickly to uncover the truth. Traditionally that requires large investments in hardware infrastructure to handle all that data in the desired timeframes. When you put your lab in the cloud, the hardware investments are made by the cloud provider. You pay a subscription, monthly or yearly, to use a part of their infrastructure. The days are gone when you needed to carefully pick the right hardware to buy, allocate physical space, and set up cooling, cable management and secondary power. And if you partner with a professional cloud service provider, you do not have to worry about setting up the cloud lab either.
Nowadays most software vendors prefer to sell monthly, yearly or usage-based licenses instead of perpetual licensing, so there are no large upfront license investments either. If you do not want to buy a full-year license upfront, you can engage a reseller that will split the payments for a small surcharge.
Total cloud cost may be higher on paper than the hardware cost of building your own on-premise lab, but the risk of making the wrong investments, the precious time of forensic/eDiscovery specialists spent on it, and the inflexibility of multi-year financial allocations should make you consider the cloud option.
Limitless scalability for any major incident investigation
Major incidents, e.g. the attack on the Capitol, the Boston Bombing, or suspicion of systemic fraud activity across an enterprise, where time is of the essence, often result in a surge in data that needs to be processed and reviewed quickly. In an on-premise lab, if you are faced with a case with 100x more data and review staff than usual, you most likely have no option but to wait for extra hardware to arrive, or to apply drastic triage to the data and risk that the critical evidence never surfaces during review.
Scaling up storage and compute power is incredibly easy in a cloud environment and can be done in a few minutes. Making whatever software technology you have increase performance at the same rate requires both the right technologies and the right skills to configure scalability. If these factors are dealt with professionally, you will be able to cope with a 100x surge and close it all down once done, with no financial risk.
Easy sandboxing of new technologies
Large corporations and governments struggle to be agile enough to cope with ever-accelerating requirements from the outside world and to keep up with new developments and standards. Being able to try out new ways of working or new technology, in Digital Forensics and eDiscovery specifically, seems like a hurdle so great that the risk of the trials not bearing fruit becomes unbearable. The consequence is that new ways of working or new technology do not get implemented until backlogs have grown too large to accept, or employees leave in numbers that put the operation at risk.
When your lab is in the cloud, you can create a fully featured testing environment in minutes that allows you to test new ways of working and new technology. You can scale it to your liking, in features, performance and capacity. It only needs to be set up once, and then you move on to the next task on your agenda. Since data-bearing assets are always fully encrypted (if set up right), you simply delete the resources once done testing.
Better information security, audit and observability features
Information security is probably the first risk that comes to mind when considering moving from on-premise to the cloud. The physical perimeter and access systems are the primary security measures for many organisations, and these measures are pretty useless for information in the cloud, right? However, there are still many ways information can get compromised in traditional on-premise labs, e.g. by not having complete control of all your physical IT assets, insiders extracting information to a USB stick, employees not locking their screens when leaving their desks, unvetted cleaning personnel and building contractors getting access to the insides of the buildings, etc.
When data is in the cloud, you can control and check who has physical access to the hardware. Besides, all major cloud providers have documented and audited security standards that far exceed anything your organisation will be able to execute. You can bet that a cloud provider would be out of business soon if it were uncovered that they suffered a breach because of not adhering to these standards. That is a powerful motivation for management to ensure that security standards are upheld.
What many IT security specialists love about cloud infrastructure is that the tools required to comply with security standards are so powerful while being easily accessible. For example, information on whether all servers are covered by the right endpoint security and remediation tools, and on who made which changes to the infrastructure, is built in and accessible in seconds. In on-premise environments it is extremely difficult to get the same policy coverage and complete observability. There are many examples like this; the question is whether the better access to security tools and observability in cloud environments outweighs the benefits of the perimeter in traditional environments.
Access for external stakeholders
The amount of real-world traffic and logistics observed across the Digital Investigations industry is staggering. In a world where both personal and business data flow seamlessly across the internet, Digital Evidence is still transported via courier, or sometimes staff drive for hours to deliver a hard drive. Collecting Digital Evidence from the public is also an area that many agencies struggle to do efficiently. Once data is delivered, each party to a matter tends to use a different tool set to process and review the information, because none of them can provide access to the other parties due to the closed setup of traditional labs. This leads to added costs for all involved, misunderstandings around facts, and failure to comply with court rulings in a timely manner.
When your lab is in the cloud, you can leverage either built-in features or special tools to upload and download data in a highly efficient and secure way. You can also provide access to external parties, utilizing their existing identity providers, e.g. Microsoft 365 or Google G-Suite, to verify the identity of the person gaining access to, for example, review of a subset of documents in a matter. When collecting digital evidence from the public, there are specialty technology vendors that have created software that makes it easy for the public to upload e.g. photos, video or other media, and store that data in a way that makes it seamless to consolidate with the rest of the evidence of a case while adhering to chain-of-custody standards. This is all profoundly less complicated when your lab is located in the cloud, free from the physical barriers of traditional environments.
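The chain-of-custody requirement mentioned above is what makes public uploads usable as evidence: every custody event (upload, ingest, transfer, access) has to commit to the content hash of the item and to the event before it, so that neither the item nor the log can be altered unnoticed. The following is an added illustration, not code from the article or from any vendor it refers to; the item IDs, actors and file bytes are constructed, and the hash-chained log is one common design, not a specific product's format.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Each entry records the SHA-256 of the
    evidence item at that moment and the hash of the previous entry, so editing,
    removing or reordering any entry breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(body: dict) -> str:
        # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def record(self, event: str, actor: str, item_id: str, content: bytes, timestamp: str) -> dict:
        """Append a custody event. The item is re-hashed on every event, not just at upload."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "event": event,
            "actor": actor,
            "item_id": item_id,
            "item_sha256": sha256_hex(content),
            "timestamp": timestamp,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self, current_contents: dict):
        """Check the chain and compare each item's current bytes with its latest
        recorded hash. current_contents maps item_id -> bytes. Returns (ok, problems)."""
        problems = []
        prev = GENESIS
        latest = {}
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap or reordering")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: prev_hash does not match previous entry")
            if self._entry_hash(body) != e["entry_hash"]:
                problems.append(f"entry {i}: entry hash mismatch (entry modified)")
            prev = e["entry_hash"]
            latest[e["item_id"]] = e["item_sha256"]
        for item_id, content in current_contents.items():
            if item_id in latest and sha256_hex(content) != latest[item_id]:
                problems.append(f"{item_id}: content no longer matches recorded hash")
        return (not problems), problems


def demo():
    """Constructed scenario: a witness uploads a photo, an analyst ingests it,
    then the stored bytes are altered. Returns (ok_before, ok_after_tamper)."""
    photo = b"constructed sample photo bytes, not a real image"
    log = CustodyLog()
    log.record("uploaded", "public:witness-42", "IMG-0001", photo, "2024-01-01T10:00:00Z")
    log.record("ingested", "analyst:alice", "IMG-0001", photo, "2024-01-01T10:05:00Z")
    ok_before, _ = log.verify({"IMG-0001": photo})
    ok_after, _ = log.verify({"IMG-0001": photo + b"\x00"})
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

In practice the log would be written to storage the analysts cannot modify (for example append-only object storage) and the timestamps would come from a trusted clock; the hash chain only detects tampering, it does not prevent it.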
Anyone who is a stakeholder in making decisions about Digital Investigations and eDiscovery Labs should be mindful of the pros and cons of potentially moving all or parts of the lab capability to the cloud. The advantages are enormous, and the risks can be mitigated through careful management.
About the author
Jacob Isaksen, Founder and CEO of Avian Digital Forensics. Seasoned professional and thought leader in Digital Forensics and eDiscovery Lab optimization, processes and automation. Avian Digital Forensics supplies and manages Digital Forensics and eDiscovery Labs for government and enterprises, on-premise and in the cloud. Avian’s flagship service, Avian Cloud, delivers one-click automated provisioning of dedicated, ultra-secure Digital Forensics and eDiscovery Labs, ready to use with the most trusted user tools in the global Digital Forensics and eDiscovery market.