How MSPs Can Offer Forensic Recovery

February 13

No one wants to think about it, but people commit crimes, and sometimes those crimes affect your customers. By tailoring your service offering to this very different kind of disaster, you’ll be able to help them prepare for something they probably haven’t thought about.

What Is Forensic Recovery?

Forensic recovery (or digital forensics) is “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” [1]

[1] Carrier, Brian. “Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers.” International Journal of Digital Evidence, Winter 2003, Volume 1, Issue 4, p. 2.

In other words, it’s the recovery of digital evidence for use in criminal or civil courts.

The process of forensic recovery is difficult and time-consuming. According to a guide produced by the Department of Justice for first responders, “The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting.” [2]

[2] Technical Working Group for Electronic Crime Scene Investigation. “Electronic Crime Scene Investigation: A Guide for First Responders.” U.S. Department of Justice Office of Justice Programs, 2001, p. 2.

As you might expect, each of these steps is time and resource intensive.

What’s the Digital Forensic Process?

The digital forensic process is broken into four steps:

  • Collection: The technology pertinent to the investigation is identified and gathered.
  • Examination: The collected materials are evaluated and prepared for investigation. For computers, this usually means taking a sector-level disk image.
  • Analysis: The gathered material is analyzed in search of evidence. In this step, deleted data is restored, if possible.
  • Reporting: Finally, the forensic technician makes a detailed record of everything he or she has collected and done.

Even general, high-level information like this about the process can help you prepare your customers for forensic recovery, especially if you’re called on to help in a civil case.

So How Do You Offer Forensic Recovery?

Depending on the specifics of the case, your involvement with the actual recovery will vary. In criminal cases, for example, the police will most likely handle the recovery. It is your job, then, to prepare your customers for the possibility of a forensic investigation, to educate them in the process, and to set up their systems to withstand an invasive investigation. If you already have a good disaster recovery plan in place, this should be enough, but you’ll want to walk through the process to be sure.

In civil cases, on the other hand, the business is often required to perform the recovery itself. In these cases, you are in a prime position to assist, provided you have already prepared and educated your customers and set up their systems to make such a recovery as painless as possible.

So What Do You Do?

  1. Educate yourself. Spend some time learning the process of digital forensics so that you’ll know what’s required and how to prepare your customer.
  2. Evaluate your customers. Consider their systems. How would a forensic investigation affect them, especially one conducted by the police?
  3. Take stock of your software. You want software that can create complete, pristine disk images that reflect the system exactly. Make sure you can verify the images as well. Ideally, this software should load from a USB key or a disk so it doesn’t change the system at all. Make sure as well that you can easily navigate through the disk image on a granular level, keeping in mind that some complicated software, such as Microsoft Exchange, may require special tools to examine granularly.
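The two concrete requirements in step 3 (a complete, sector-level image and a way to verify it afterwards) map directly onto the Examination and Reporting phases listed above. The following Python script is an added example, not code from the original post or from StorageCraft: it copies a source in whole-sector reads, hashes the bytes as they are read, writes a JSON acquisition record, and later re-hashes the image to prove it is unchanged. The function names (`acquire_image`, `verify_image`, `write_record`) and the 512-byte sector size are assumptions for the illustration, and the "evidence disk" is a constructed temporary file standing in for real media; in practice the source would be a block device opened read-only (or through a write blocker).

```python
"""Sector-level acquisition with hash verification and an acquisition record.

Added example, not part of the original post. A constructed temporary file
stands in for a disk; function names and the 512-byte sector size are assumed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # assumed sector size; reads are always whole-sector multiples


def acquire_image(source_path, image_path, sectors_per_read=2048):
    """Copy source to image sector by sector, hashing bytes as they are read.

    The source is opened read-only and never modified. Returns an
    acquisition record (dict) that doubles as the Reporting-phase artefact.
    """
    sha = hashlib.sha256()
    chunk = SECTOR * sectors_per_read
    total = 0
    started = datetime.now(timezone.utc).isoformat()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            sha.update(block)
            dst.write(block)
            total += len(block)
    return {
        "source": os.path.abspath(source_path),
        "image": os.path.abspath(image_path),
        "sector_size": SECTOR,
        "bytes": total,
        "sectors": -(-total // SECTOR),  # ceiling division
        "sha256": sha.hexdigest(),
        "acquired_at": started,
    }


def file_sha256(path):
    """Hash a file in 1 MiB reads so large images do not need to fit in memory."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            sha.update(block)
    return sha.hexdigest()


def verify_image(record):
    """Chain-of-custody check: size and SHA-256 of the image must match the record."""
    if os.path.getsize(record["image"]) != record["bytes"]:
        return False
    return file_sha256(record["image"]) == record["sha256"]


def write_record(record, path):
    """Persist the acquisition record next to the image as JSON."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2, sort_keys=True)


def demo():
    """Acquire a constructed 3000-sector 'disk', verify, tamper, verify again."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "evidence_disk.bin")
    img = os.path.join(workdir, "evidence_disk.img")
    with open(src, "wb") as f:
        f.write(os.urandom(SECTOR * 3000))  # constructed sample media
    record = acquire_image(src, img)
    write_record(record, img + ".json")
    ok_before = verify_image(record)
    # Flip one byte of the image to show that verification catches any change.
    with open(img, "r+b") as f:
        f.seek(1000)
        original = f.read(1)
        f.seek(1000)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(record)
    return ok_before, ok_after, record


if __name__ == "__main__":
    before, after, rec = demo()
    print(f"sectors={rec['sectors']} sha256={rec['sha256'][:16]}... "
          f"verified={before} after_tamper={after}")
```

Keeping the hash computed during acquisition, rather than hashing the image afterwards only, means the record attests to what was read from the source, so a later mismatch points at the image having changed rather than at the copy having been wrong from the start.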

In the end, a forensic investigation is more or less just another disaster. It can cause downtime and possibly data loss. But it’s a disaster that most businesses probably haven’t thought of. If you help your customers come up with procedures, best practices, and technology to anticipate it, however, you’re contributing meaningfully to their business continuity.

Looking for a forensic search tool for Microsoft Exchange Databases? Have a look at StorageCraft Granular Recovery for Exchange.

Photo Credit: r.nial.bradshaw via Compfight cc