At Data Narro, a good portion of our digital forensics work involves matters of employment law and employee separation. When we are called in, we are often asked to investigate the suspected theft of proprietary digital assets – this might include customer lists, sensitive contracts, engineering files, software code, etc.
With 20 years of experience and an arsenal of tools at our disposal, we are specialists in uncovering unauthorized data access and transfer. During this time, we have discovered simple steps that companies can take to prevent the theft of sensitive company information, or at the very least, make it much easier for digital forensic investigators to gather evidence of wrongdoing. This article will present some ideas that IT departments can implement to better protect company data.
Data Loss Prevention Software
Our first suggestion isn’t exactly revolutionary or groundbreaking, but not a lot of companies have fully embraced it – it’s the implementation of “data loss prevention” or “DLP” software. DLP solutions are used to help monitor, detect, and block the migration of data from and to unauthorized users. While the use of DLP is not widespread, its use is becoming more common as security software heavyweights like Symantec and McAfee offer DLP add-on options to their enterprise security offerings.
DLP solutions work to protect data using different methods across different platforms. When installed on the network, DLP software can scan the content that passes through an entire company’s networking infrastructure, providing important reports that detail what data is being shared, who is accessing it, and where it is going. DLP can also be deployed on individual workstations to prevent unauthorized data migration to physical devices such as CD-ROMs and USB drives. DLP software is particularly effective at protecting data stored in cloud environments, providing granular control of users’ access privileges.
Even if DLP software doesn’t directly block the unauthorized sharing of data, it can create a detailed audit trail that records the access history of data files. Having this additional information may be all that is needed to help your digital forensics investigator gather evidence for potential civil litigation or dispute resolution.
We feel that the market for DLP software is going to expand significantly over the next decade as companies look to protect their valued digital assets. Not only that, a wave of privacy-focused legislation, such as GDPR and the California Consumer Privacy Act of 2018, requires companies to take proactive steps to prevent the intentional and unintentional transmission of sensitive consumer data.
NTFS Timestamping
What if you can’t implement a DLP in your organization, either due to budget concerns or organizational indifference? There may be a simple ‘trick’ you can employ that will help provide additional information concerning the access of files. This trick is a configuration that works with all Windows machines that utilize the NTFS file system.
What computers use NTFS? Ask your IT professional, and they will tell you that NTFS was introduced to Windows machines in 1993 starting with Windows XP and is still in use today.
In the NTFS filesystem, there are a number of timestamps that are recorded with each data file. Forensic examiners can utilize these timestamps to aid timeline analysis of file interactions within an operating system. When correlated with user information, examiners can use timestamps to determine who interacted with a particular file.
There are four important timestamps that examiners can gain access to. They are:
- Creation Time (C): This is the time the file was created
- Modified Time (M): Time content of a file was last modified
- MFT modified Time (B): Time that the metadata of the file was last modified
- Accessed Time (A): Approximate time file data was last accessed
Starting in 2009 with Windows 7, Microsoft disabled the recording of Accessed Time (A), making only three of these four timestamps available. Why? At the time, Microsoft used this change to improve the performance of their operating system and to protect media with a limited number of write cycles (thumb drives, etc.). Ten years later, concerns about limited-write media and performance are greatly diminished.
How do you enable this? It’s straightforward and requires the editing of a single Windows registry key. (See below.)
Set: SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
To: 0
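The PowerShell below is an added example, not code from the original article: it records the current value, applies the setting given above, and reads it back so the change can be documented. It assumes the path sits under the HKEY_LOCAL_MACHINE hive and an elevated prompt; `Get-LastAccessState` is a hypothetical helper name.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Assumption: the article's path lives under the HKEY_LOCAL_MACHINE hive.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$Name = 'NtfsDisableLastAccessUpdate'

function Get-LastAccessState {   # hypothetical helper name
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Raw = 'not set'; Updates = 'unknown'; ManagedBy = 'n/a' }
    }
    # Cast to Int64 so the DWORD decodes the same whether the provider
    # returns it signed or unsigned.
    $raw = [int64]$item.$Name
    $low = $raw -band 3
    # Bit 0 set = last-access updates disabled.
    # Bit 1 set = "system managed" (the fsutil values 2 and 3 on newer Windows).
    $updates = 'enabled'
    if (($low -band 1) -ne 0) { $updates = 'disabled' }
    $managed = 'user'
    if (($low -band 2) -ne 0) { $managed = 'system' }
    [pscustomobject]@{
        # 4294967295 masks to 32 bits (a 0xFFFFFFFF literal would parse as -1).
        Raw       = '0x{0:X8}' -f ($raw -band 4294967295)
        Updates   = $updates
        ManagedBy = $managed
    }
}

# Capture the prior state first so the change is documented.
$before = Get-LastAccessState

# Apply the article's setting (0) unless it is already exactly 0.
# System-managed values are replaced too, so the setting is pinned explicitly.
if ($before.Raw -ne '0x00000000') {
    Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord
}

$after = Get-LastAccessState
$before, $after | Format-Table Raw, Updates, ManagedBy

# Cross-check with the built-in tool. A restart may be needed before
# NTFS honours the new value.
fsutil behavior query disablelastaccess
```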
While there is still debate in the forensics community about the value of Accessed Time, our direct experience shows having the Accessed Time available is a valuable data point for e-discovery analysis. Of course, IT departments will need to do their research to determine whether making this adjustment is worth the effort for their particular organization.
Conclusion
In this post, we have provided some advice that will help preserve essential file data either through the use of DLP software or through enhanced timestamping. Data Narro is always available to talk to legal, IT, or management professionals on strategies that aid in e-discovery or discovery requests. Contact us today.