A company’s ability to quickly and effectively conduct a forensic investigation is often critical to limiting the impacts of a data security incident, determining the scope of the incident and developing an effective communications plan. In BakerHostetler’s 2018 Data Security Incident Response Report, we analyzed over 560 data security incidents that we worked on in 2017. A forensic investigation was conducted in 41 percent of those incidents, which represents a 7 percent increase from 2016, showing that more companies are realizing the benefits of engaging outside forensic firms. For incidents involving network intrusions, forensic investigations were conducted in 65 percent of these matters. Network intrusions are often complex investigations requiring specialized forensic tools and expertise that many organizations do not have internally. The average cost of a forensic investigation in 2017 was $84,417, which represents a 35 percent increase from 2016 (but is still lower than the 2015 average cost of $102,806). However, the increase in average cost is primarily due to the number of large, complex network intrusion investigations we handled in 2017. For the 20 largest forensic investigations we handled in 2017, the average cost of forensics was $436,938.
To determine what happened in an incident and the scope of the information affected, forensic firms use a variety of tools and techniques. For incidents we handled in 2017, the most frequently used forensic technique was log analysis, which was used in 84 percent of the forensic investigations. Log analysis is typically conducted to determine what systems or data were accessed and when, whether data was exfiltrated, and how the intrusion occurred, so that an appropriate containment plan can be developed. Companies that maintain and preserve robust logs are often in a better position to determine whether notification is required and to craft better communications about what happened when notification is required. Aggregating logs in a centralized on-premises store or a cloud environment reduces the time and expense of collecting them from individual endpoints and systems during an investigation. Logs only help if they still exist when the incident is discovered: retention should exceed the typical interval between compromise and detection, and logs from affected systems should be preserved as soon as an incident is suspected, before they roll over or the system is rebuilt. The second most frequent forensic technique was imaging of devices for forensic analysis (55 percent of the forensic investigations), followed by malware analysis (30 percent). It took forensic firms an average of 36 days after they were hired to complete their investigations of network intrusion incidents, eight days shorter than the 2016 average.
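The three questions the paragraph above says log analysis answers (what was accessed and when, whether data left, and how the attacker got in) can be worked through on a small, centralized log set. The following is an added example and is not code from the BakerHostetler report or any forensic vendor's tooling. The log lines are constructed for illustration, and the line format, the field names (user, action, path, bytes, bytes_out, dst, src) and the function names are assumptions, not any product's real schema. It normalizes timestamps to UTC, builds a per-account timeline across sources, and for every large outbound transfer lists the files the same account read in the preceding window, which is the scoping question a notification decision turns on.

```python
"""Timeline and exfiltration scoping over centrally aggregated logs.

Added example; not from the report and not any vendor's tool. Log lines,
field names and thresholds below are constructed/assumed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: VPN, file-server and web-proxy events that a central
# log pipeline has already collected into one store. Format is assumed:
# "<ts> <host> <source> key=value ...". Paths contain no spaces here.
SAMPLE_LOGS = r"""
2017-06-01T02:13:05Z vpn01 auth user=jsmith src=203.0.113.7 result=success
2017-06-01T02:14:40Z fs02 smb user=jsmith action=read path=\\fs02\hr\payroll.xlsx bytes=1048576
2017-06-01T02:20:11Z fs02 smb user=jsmith action=read path=\\fs02\hr\ssn_export.csv bytes=734003200
2017-06-01T02:25:30Z proxy01 http user=jsmith dst=files.example.net method=PUT bytes_out=734200000
2017-06-01T09:02:17Z vpn01 auth user=jsmith src=198.51.100.22 result=success
2017-06-01T09:05:00Z fs02 smb user=jsmith action=read path=\\fs02\hr\payroll.xlsx bytes=1048576
2017-06-01T09:07:44Z proxy01 http user=jsmith dst=mail.example.com method=GET bytes_out=2048
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<kv>.*)$")


def parse_logs(text):
    """Parse the assumed line format into events sorted by UTC timestamp.
    Malformed lines are skipped rather than aborting the whole triage."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = {}
        for kv in m.group("kv").split():
            k, _, v = kv.partition("=")
            fields[k] = v
        # All sources are assumed to log in UTC; clock skew between hosts is a
        # real-world problem that must be checked before trusting a timeline.
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "host": m.group("host"),
            "source": m.group("source"),
            "user": fields.get("user"),
            "fields": fields,
        })
    return sorted(events, key=lambda e: e["ts"])


def timeline(events, user):
    """Everything one account touched, across all sources, in order."""
    return [e for e in events if e["user"] == user]


def entry_points(events, user):
    """Source addresses of successful logins: the 'how did they get in' view."""
    return [e["fields"]["src"] for e in timeline(events, user)
            if e["source"] == "auth" and e["fields"].get("result") == "success"]


def scope_exfiltration(events, threshold=100 * 1024 * 1024, window_minutes=30):
    """For each outbound transfer at or above `threshold` bytes, list the files
    the same account read in the preceding window and their total size.
    Threshold and window are assumed tuning values, not fixed rules."""
    findings = []
    for up in events:
        if up["source"] != "http":
            continue
        bytes_out = int(up["fields"].get("bytes_out", 0))
        if bytes_out < threshold:
            continue
        start = up["ts"] - timedelta(minutes=window_minutes)
        reads = [e for e in events
                 if e["user"] == up["user"]
                 and e["fields"].get("action") == "read"
                 and start <= e["ts"] < up["ts"]]
        findings.append({
            "when": up["ts"].isoformat(),
            "user": up["user"],
            "dst": up["fields"].get("dst"),
            "bytes_out": bytes_out,
            "files_read": [r["fields"]["path"] for r in reads],
            "read_bytes": sum(int(r["fields"].get("bytes", 0)) for r in reads),
        })
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("logins from:", entry_points(evs, "jsmith"))
    for f in scope_exfiltration(evs):
        print(f["when"], f["user"], "->", f["dst"], f["bytes_out"], "bytes")
        for p in f["files_read"]:
            print("   read before upload:", p)
```

On the constructed data this ties the 734 MB PUT to the two HR files read minutes earlier, which is the kind of finding that turns "a user account was compromised" into "these specific records may have left". Note that the correlation only works because all three sources were already in one place with comparable timestamps; the same analysis across separately collected logs from three teams is where the time and expense mentioned above goes.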
To be prepared for an incident and obtain the most value from a forensic investigation, companies should develop a forensic plan as part of their incident response preparedness efforts. Developing a forensic plan begins with ensuring that the internal IT team has a precise understanding of the company’s environment, which often entails developing and maintaining accurate network diagrams, device inventories and data maps. Companies that lack this understanding lose precious time and resources developing it during the incident response. The forensic plan should also address the organization’s internal procedures and tools for collecting forensic evidence, so that valuable forensic data is preserved before a system is reimaged and returned to production; reimaging destroys the disk and memory artifacts an investigator needs. Among the most important steps in developing a forensic plan are identifying an external forensic firm, negotiating the terms of a master service agreement, and meeting with that firm to discuss how it will investigate and what data is needed to facilitate a faster response, investigation, containment and final analysis. Meeting with the forensic firm and conducting tabletop exercises together can help ensure that the company is maintaining appropriate logs, collecting and preserving evidence in a forensically sound manner, and able to deploy the forensic tools throughout its environment. Companies that create a forensic plan and work with their external forensic firm in advance are in a far better position to respond quickly and effectively to a data security incident.
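"Collecting and preserving evidence in a forensically sound manner" has a concrete minimum for file artifacts: hash the original before copying, hash the copy afterwards, refuse the acquisition if they differ, and record who took what from where and when, so the evidence can be re-verified when it changes hands. The following is an added example, not code from the report and not any forensic vendor's collection tool; the function names, the manifest layout and the sample artifact are assumptions constructed for illustration.

```python
"""Forensically sound file acquisition with a SHA-256 manifest.

Added example; not from the report and not any vendor's tool. Manifest
layout and names are assumed. Handles static files only: a file still being
written (live logs, open databases) must be snapshotted or quiesced first.
"""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024
MANIFEST = "manifest.json"


def sha256_file(path):
    """Stream the file so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def load_manifest(evidence_dir):
    path = os.path.join(evidence_dir, MANIFEST)
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return json.load(f)


def acquire(source_path, evidence_dir, examiner):
    """Copy one artifact into the evidence store and record its provenance.
    Hash before copy, hash after copy; a mismatch rejects the acquisition."""
    os.makedirs(evidence_dir, exist_ok=True)
    st = os.stat(source_path)
    source_hash = sha256_file(source_path)
    dest = os.path.join(evidence_dir, os.path.basename(source_path))
    shutil.copy2(source_path, dest)  # copy2 keeps mtime where the filesystem allows
    copy_hash = sha256_file(dest)
    if copy_hash != source_hash:
        os.remove(dest)
        raise RuntimeError(f"hash mismatch while acquiring {source_path}")
    entry = {
        "source_path": os.path.abspath(source_path),
        "evidence_file": os.path.basename(dest),
        "size": st.st_size,
        "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": source_hash,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "acquired_on_host": socket.gethostname(),
        "examiner": examiner,
    }
    manifest = load_manifest(evidence_dir)
    manifest.append(entry)
    with open(os.path.join(evidence_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    return entry


def verify(evidence_dir):
    """Re-hash every item in the store and return the names that are missing
    or no longer match. Run this before evidence is handed to the forensic
    firm or counsel, and again when it comes back."""
    problems = []
    for entry in load_manifest(evidence_dir):
        path = os.path.join(evidence_dir, entry["evidence_file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            problems.append(entry["evidence_file"])
    return problems


def demo():
    """Acquire a constructed artifact, verify it, tamper with the copy, and
    verify again. Returns the observations so they can be checked."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "Security.evtx")  # constructed sample artifact
        data = b"constructed sample event log bytes\n" * 4096
        with open(src, "wb") as f:
            f.write(data)
        store = os.path.join(work, "evidence")
        entry = acquire(src, store, "examiner-1")
        clean = verify(store)
        with open(os.path.join(store, "Security.evtx"), "ab") as f:
            f.write(b"!")  # simulate post-acquisition modification
        tampered = verify(store)
        return {
            "entry": entry,
            "expected_sha256": hashlib.sha256(data).hexdigest(),
            "expected_size": len(data),
            "verify_clean": clean,
            "verify_tampered": tampered,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("acquired:", r["entry"]["evidence_file"], r["entry"]["sha256"])
    print("verify before tampering:", r["verify_clean"])
    print("verify after tampering:", r["verify_tampered"])
```

The manifest is the chain-of-custody record: it names the original location, the examiner, the collecting host and the time, and its digests let anyone later prove the copy is the one that was taken. For disk images the same pattern applies with the image file as the artifact, and the write-blocked source should be hashed again after imaging to show it was not altered by the acquisition.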