All posts tagged BYOD

Mobile Forensics – What should companies be doing?

Anyone who’s tempted by the ‘There’s an app for that’ message from Apple eventually succumbs to the lure of an iPad® or iPhone®, believing (usually correctly) that their home and work lives will be transformed forever. But as the newer versions of Apple’s ubiquitous devices continue to take the personal and business worlds by storm, it becomes increasingly important to understand the unique way in which they retain and share information. Companies need to be aware of the security risks they present and to keep in mind the evidence trails they create. According to the Kroll Fraud Report, information theft is one of the most widespread categories of fraud currently facing companies, and it’s not just customer data being stolen but also internal strategic company data and internal financial plans or data.

What information can you get off these devices?

Most mobile devices use technology similar to that used on a personal computer. As a result, nearly any kind of file or program that can be saved and run on a computer can also be saved and run on a mobile device. iPhones and iPads (and more generally, devices that use Apple’s iOS operating system) are capable of being forensically analysed. Exactly what you can get out of them varies depending on the particular version of iOS, how the device is set up with regard to encryption and other factors. There are, however, specific technical approaches and forensic protocols applicable to the iOS (and Android and Windows mobile) environments, and companies like ours have made investments in the specific hardware and software needed to keep up with the evolution of these operating environments.

The challenges presented by mobile forensics

The iPad features solid-state device (SSD) memory and, similar to the iPhone, manages data within SQL database files. This storage process makes it difficult to forensically retrieve deleted information from an iPad, because the data is essentially locked down, requiring forensic investigators to gain access to raw data in order to retrieve the deleted information.  For the iPhone and iPad, tools to carry out this process have only recently become available to forensic investigators. The majority of commercially available forensic tools for the iPhone and iPad perform a backup of selected data contained on the device. This results in the partial extraction of user data, but does not allow forensic investigators to recover the majority of the deleted data.  Forensic tools that do allow for the recovery of deleted data have only recently appeared on the market.
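The gap between a logical (backup-style) extraction and access to the raw database file can be reproduced on any workstation. The following is an added example, not part of the original post: it assumes the databases are SQLite, and the table, rows and marker string are constructed sample data.

```python
import os
import sqlite3
import tempfile

MARKER = "CONSTRUCTED-SAMPLE-quarterly-forecast"  # constructed sample text

def build_and_delete(path, secure_delete):
    """Create a small message store, delete one row, return what SQL still sees."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO messages (body) VALUES (?)",
        [("lunch at noon?",), (MARKER,), ("see you tomorrow",)],
    )
    con.commit()
    # Set explicitly: some SQLite builds default secure_delete to ON.
    con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    con.execute("DELETE FROM messages WHERE body = ?", (MARKER,))
    con.commit()
    rows = [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return rows

def raw_contains(path, needle):
    """Scan the database file's bytes, as a physical examination would."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()

def compare():
    """Return, per setting, whether the deleted row is visible logically and in raw bytes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, secure in (("secure_delete_off", False), ("secure_delete_on", True)):
            path = os.path.join(tmp, label + ".db")
            rows = build_and_delete(path, secure)
            results[label] = {
                "logical_sees_deleted": MARKER in rows,
                "raw_sees_deleted": raw_contains(path, MARKER),
            }
    return results

if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label, outcome)
```

With `secure_delete` off, the deleted message is invisible to any SQL query yet still present in the file's free space; with it on, SQLite zeroes the freed bytes and neither view recovers it.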

Of the many “apps” these devices run, some are harmless, fun and useful, and others are poised to turn traditional forensic investigation on its head. For example, Dropbox® allows users to upload files into the Dropbox app from their mobile device. From there, the app automatically copies the files onto the user’s online Dropbox account, which is accessible from any device with internet access, anywhere in the world. In the corporate world, individuals could use this technology to capture and transfer confidential information. Even if the activity is suspected and the device can be seized for forensic examination, data transfer methods like Dropbox are often easily overlooked, and investigators instead turn to email and the use of removable media. Furthermore, iPads are equipped with the same remote wipe function found on the iPhone. If a seized device is not properly isolated from its network, this highly effective function allows users to send their device a command to permanently erase its contents – stopping any forensic investigation in its tracks.

And all of the signs are that Apple will continue to improve the safety and security aspects of the iPad as it competes for market share with other vendors such as Samsung. Mobile forensics experts are already anticipating new challenges from the introduction of next generation devices and iOS 6.

What should companies be doing?

Powerful tools such as the iPad emphasise the need for companies to fully understand the capabilities of the technology they choose to implement. If misconduct is suspected within a company (whether that be the theft of information or the involvement of employees in fraud, anti-competitive behaviour or corruption) it is important to determine quickly whether the subject of the investigation is using a tablet or smartphone device such as an iPad or iPhone.  If so, and the company has the ability to seize or access the device it should be handled by an expert in mobile forensics.  These devices provide additional ways in which individuals can take proprietary information with little to no trace left behind and also new evidence trails that forensic experts can tap into to work out what has been going on. As the usage of iPads in the BYOD corporate environment continues to grow, they will continue to present challenges to information security and opportunities to forensic investigators that companies cannot ignore.

About Graham Jackson

As a Legal Consultant at Kroll Ontrack, I promote our computer forensic and ediscovery services to both corporate companies and law firms. This is to support any form of their electronic evidence needs, whether that is advising our clients to help prepare in advance of an electronic incident occurring, a real time incident such as data theft, or advising on the best course of action in dealing with post incident response to better protect against future occurrence.

The Bring Your Own Device (BYOD) Phenomenon

I wondered recently whether or not the BYOD phenomenon was old news; whether companies were surviving the influx of devices into their businesses and had found ways of addressing the security risks that can result,  or if they have simply acquiesced and allowed it to happen, turning a blind eye to the consequences.  Slightly closer to home for those involved in evidence management, I wondered whether computer forensic experts were keeping up to date with the explosion of devices and managing to extract valuable evidence from  iPads and smartphones.  Here are some of the answers I found as I set out to check on the latest information about BYOD.

A quick look at recent surveys shows that the BYOD trend continues to grow and that the majority of companies  now allow employee owned devices to be used – mine does.  On the question of how many have policies and procedures in place to handle the security and legal risks, the last survey I saw said only 8% of UK companies do and that’s probably because the technical, legal and ethical issues around BYOD are so complex.

The benefits are clear – allowing personally owned software and devices into the workplace can unlock a wealth of potential. Let’s face it, when we are allowed to use our own devices we can often work more creatively and productively and we can take the office home in our pocket, to the coffee shop or wherever. At the forefront of companies embracing the change stands a CIO like Oliver Bussmann, CIO of SAP, who has deployed over 18,000 iPads to SAP’s global workforce, and who maintains an app store of authorized apps and an IT repair centre modeled on Apple’s Genius Bars.

Despite all of this, BYOD remains a minefield when it comes to data security. Allowing personally owned devices full access to a secure company network is risky. Any data on these devices can potentially fall into the wrong hands: confidential company information can be stolen, or might be extracted after the device is lost, stolen, sold or thrown away. Employee-owned electronic devices often use older versions of systems and software, which may be less secure than modern systems. They may be infected with viruses and spyware that can infect the employer’s systems. If employee-owned devices are allowed full access to a secure network, there’s no guarantee that company data will not be passed on to insecure systems and networks later on.

So how do companies protect their data on these devices?   In short, they are deploying Mobile Device Management software. This software allows the company to manage security policies, content and privileges associated with devices, whether the device is owned by the business or employees.  This ensures that only authorised devices access the network, that the company’s information is secured, and that the device can be wiped clean if it is stolen or lost.  Data can be protected by using a virtual desktop infrastructure (VDI) and a hosted virtual desktop where all the user sees is a virtual image on their mobile device. VDI is used widely in the finance and healthcare sectors because it allows users to access the required data but never stores it on a device.

Unfortunately, as with all technological evolutions, there are people who exploit the changes. As of late 2012, Trend Micro estimated the number of applications written for Android tablets and smartphones that could be characterized as either high risk or outright malicious at 350,000, with that number expected to triple in the following twelve months.

When it comes to evidence, the ‘lifestyle imprint’ now available on devices and the evidence trail they store and create might be highly relevant in an internal or regulatory investigation or in litigation. Smartphones yield much more evidence than their predecessors and skilled forensic investigators can extract evidence from these devices.  It is also possible now to view all the contents from an iPad by plugging it into specialist software.

The social trends that have made BYOD into common practice show no signs of reversing. Apparently the UK leads the world in terms of mobile data usage and a fairly large chunk of that (40%) is created on social networks.  Clearly, businesses cannot afford to be lackadaisical about BYOD.