Virtual DFIR: Why digital forensics needs to go remote

Digital forensics and incident response (DFIR) are a routine part of ensuring the business has a good security posture. Investigations may be carried out for a multitude of purposes, from ensuring regulatory compliance, to verifying data security or establishing the cause of a breach. But the move to remote working has now made the process a far more complex undertaking in terms of accessing and recovering electronically stored information (ESI).

Hybrid working, whereby staff work some of their time remotely and some in the office, is fast becoming the norm, with the Office for National Statistics reporting that only 8 percent of workers plan to return to the office full time. What’s more, high earners who have privileged access to information are more likely to follow this model or work from home full time, which means remote working poses a real risk to ESI.

When it comes to conducting an open investigation, the necessary equipment is usually sent to the user to capture the ESI but covert operations are much more problematic. Previously, the device in question might have been requested under the guise of a routine audit but in a remote set-up there’s no way to physically acquire the device. What’s more, it may not always be connected to the corporate VPN or even the internet.

Remote access

So how can businesses carry out digital forensics remotely? It’s not just a matter of remotely accessing said machine. The process needs to facilitate the remote scanning of the device, centralise that information for analysis and preserve the integrity of the process so that the evidence itself is protected and seen as irrefutable. Plus it need to make that data securely available for analysis.

The most effective way to achieve this is to Install an agent locally on the device that allows the ESI to be collected and transmitted securely to a validated server. In the event that the device goes off network, the agent simply suspends data imaging and resumes this when the connection to is re-established. Centralising the data then allows it to be examined easily by authorised personnel, providing visibility across the entire information estate and enabling the investigator to track any subversive activity.

For example, it’s possible to log on to machines remotely, search for specific files or even commands and determine the users that made them. As the analysis is carried out in real time, the investigator isn’t hindered in anyway, so the investigation can proceed at pace and even open up new vistas, often revealing new areas or potential risks.

But this is leagues away from current practices. The Enterprise DFIR Benchmarking Report 2022 found organisations routinely investigate between 25-30 devices per month with some analysing up to 350, making DFIR time consuming. Remote incidents typically see hard drives shipped to the user who then performs a screen share with the investigator who walks them through the ESI collection process. The encrypted hard drive is then shipped to the investigator for analysis. It’s a long-winded process and in the case of time-sensitive exploits such as ransomware, can prove hugely costly in every respect.

The same report also found that few of the businesses questioned had in place well defined, repeatable, managed and optimised processes. This meant every investigation was carried out from scratch, making it much harder to respond in a timely manner. Clearly it’s a process ripe for transformation.

Automate to accelerate

Automation can help here. For instance, integrating the agent with the Security Information and Event Management (SIEM) and/or the Security Orchestration, Automation and Response (SOAR) technology can trigger endpoint data collection the moment an incident is detected, helping to preserve evidence immediately. It’s disappointing to note, however, that while the majority of those surveyed for the report had a SIEM or SOAR only six percent had integrated it with their DFIR solution.

Centralising the data also allows it to be sent not just to specialists but to multiple teams. In the report 77 percent said they collaborated on cases (it’s now increasingly common for multiple areas of the business to become involved such as HR, legal and compliance). But over half said they have or would like to have the ability to share cases with reviewers outside their organisation, such as legal counsel or third parties.

Key to facilitating this will be remote DFIR that can support secure collaborative working thus preserving the chain of custody. In order to ensure this, data travel between systems should be minimised to prevention corruption or loss of ESI, making it preferable to use a single DFIR solution.

What about zero trust?

One of the main stumbling blocks for businesses with respect to remote DFIR is how to carry it out in a zero trust environment. A Zero Trust Network Architecture (ZTNA) demands users are only given the minimum access required, making it potentially problematic to access remote endpoints.

To solve this issue, it’s necessary to use whitelisted agents on the endpoints which are installed by and can only be accessed by those with admin access. These are then managed by a service such as ZScaler which allows whitelisted applications in compliance with zero trust and can manage network connections to external devices.

But what about giving remote investigators access to that ESI? Typically, forensic tools
require installation, administrative access and permission to connect to external devices, all of which are anathema to the zero trust approach. But by using a browser-based review solution that securely connects to a centralised platform, it’s possible to give investigators access to centrally stored ESI. A self-contained installation-free client is run locally without admin or dependencies and access is granted to the investigator via a shared cloud link.

So, in summary, yes the way in which we work has changed but this can and should act as a catalyst to transform how we do remote DFIR. To meet the challenges of highly targeted and costly attacks and attackers that can rapidly pivot their actions, DFIR has to become agent-based and automated . It’s only then that it can instantly capture, preserve and help to remediate attacks.