Q&A With Forensic Investigator Douglas Brush
Last year, Kraft Kennedy launched an Information Security and Governance (ISG) practice, which includes digital forensics, cyber investigation, litigation support and planning, and expert witness testimony among its management and technology consulting services. To support the work, Kraft Kennedy has built a forensic lab in its New York office. Douglas Brush, ISG Director and lead forensic investigator, answers some questions about the practice group and its lab below.
Q: Can you give us a brief introduction to the lab and its purpose?
Douglas Brush: The Forensic Lab is the room designated for the digital forensic and cyber investigation work we do. I’m very excited about the lab—it gives us the ability to operate at the professional standards required of a digital forensic practice. The forensic lab is where we do our core work of handling and extracting computer evidence. It is like an operating room, but our patients are mostly computers, cellphones, and other digital devices.
Q: What kind of work does the ISG do? How does the lab support it?
DB: The work we do in the lab falls under the heading of digital forensics, which is basically the practice of inspecting digital devices like thumb drives, laptops, and desktop computers for evidence that can shed light on a case. We handle evidence in a way that does not alter it—the lab is important for this—and give our clients a story or timeline that adds background or attribution to an incident.
Typically, we are engaged by a law firm or an attorney, or a judge appoints us to serve as a neutral third party on a case. We support these legal cases and investigations by adding context to technical events. I have also served as a Special Master, or neutral party, on cases that need someone to be an unbiased expert on technical or discovery issues.
Q: What kind of information do you find that can help a case?
DB: It depends on the case. We can confirm or deny certain timelines, whether someone was doing something at a certain time as they claim, for example, or whether someone exported a large batch of files at an opportune moment in a data breach. We can also help to determine motives, or find any other kind of incriminating or exonerating information to support a case.
Q: Why do you need a special, tightly-controlled room for this?
DB: We handle hundreds of unique pieces of evidence, and it is of the utmost importance during an investigation to preserve the integrity of the evidence. If the evidence or the chain of custody is compromised, this could jeopardize a whole investigation or lawsuit, so we take this very seriously. You probably know this if you watch any crime dramas on TV. The confidentiality of the evidence is also extremely important, and having a designated room for it helps us to maintain it. We are often asked, early on in matters, at the time of the initial discovery of an incident—before there is even a lawsuit—to come in and preserve data in a forensically sound manner. The biggest challenge we see in all types of cases is the loss of valuable evidence over time due to the volatile manner in which computers and technology maintain data. It’s always a race to get the data needed for analysis before someone or some system overwrites data on purpose or by accident.
Q: What are some of the types of cases your team has worked on?
DB: My team and I have conducted investigations involving a huge variety of matters. We’ve worked with cases involving hacking, data breaches, trade secret theft, trademarks, intellectual property, employee malfeasance, embezzlement, social media, and fraud. Even homicide.
Q: What would one find in the lab?
DB: That is top secret. No, I’m just kidding (sort of). I can tell you some of what you can find in there. Lockers, storage cabinets—not very exciting at first glance. Organizing the evidence neatly, especially for chain of custody purposes (which I just mentioned), is really important, and so much of the lab is dedicated to that. If you go in there you will also probably see some evidence for an in-progress project. Maybe someone is taking a hard drive out of a computer or trying to read an encrypted one. We also keep our forensic equipment and high-powered workstations in there.
Q: What kind of equipment do you use?
DB: We have a variety of tools that we use in the lab and in the field. Really common devices that are used at the start of an investigation are forensic “write block” and disk duplication devices. These let us gather read-only data so that we can maintain its integrity. We also have computers and equipment that allow us to process large volumes of data very quickly so the information is searchable. We also have specialized software and equipment to capture and analyze data from cellphones, tablets, and mobile devices.
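The answer above describes the two integrity controls an acquisition rests on: the source is never written to (the write blocker) and the copy must be shown to match the original (the duplicator). The script below is an added illustration of the same idea in software and is not code from Kraft Kennedy or its lab. It opens the source read-only, streams it into an image file while hashing, re-hashes the finished image to confirm the copy landed intact, and appends each hash to a simple chain-of-custody log so a later examiner can prove the image is unchanged. SHA-256, the JSON-lines log layout, and the item identifiers are assumptions of this example; the interview does not name any of them. A hardware write blocker remains the real safeguard for the device itself, and the "device" used here is a constructed file, not evidence.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

BLOCK_SIZE = 1 << 20  # 1 MiB chunks so a large device streams without filling memory


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, image_path):
    """Copy `source` byte for byte to `image_path`, hashing the source as it is read.

    The source is opened read-only so this program cannot write to it; a hardware
    write blocker in front of the device remains the primary safeguard.
    """
    fd = os.open(source, os.O_RDONLY)
    source_digest = hashlib.sha256()
    total = 0
    try:
        with open(image_path, "wb") as out:
            while True:
                chunk = os.read(fd, BLOCK_SIZE)
                if not chunk:
                    break
                source_digest.update(chunk)
                out.write(chunk)
                total += len(chunk)
    finally:
        os.close(fd)
    # Re-read the finished image from disk: a match proves the copy landed intact.
    image_hash = sha256_of_file(image_path)
    return {
        "source": source,
        "image": image_path,
        "bytes": total,
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": image_hash,
        "verified": source_digest.hexdigest() == image_hash,
    }


def record_custody(log_path, item_id, action, actor, sha256):
    """Append one chain-of-custody event as a JSON line (hypothetical log format)."""
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "item": item_id,
        "action": action,
        "actor": actor,
        "sha256": sha256,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(event) + "\n")
    return event


def verify_against_log(log_path, item_id, image_path):
    """Re-hash the image and compare it with the most recent hash logged for the item."""
    last = None
    with open(log_path) as log:
        for line in log:
            event = json.loads(line)
            if event["item"] == item_id:
                last = event["sha256"]
    return last is not None and last == sha256_of_file(image_path)


if __name__ == "__main__":
    import tempfile

    work = tempfile.mkdtemp()
    # Constructed stand-in for a seized device: 3 MiB of patterned bytes, not real evidence.
    device = os.path.join(work, "fake_device.bin")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * (3 * 4096))
    image = os.path.join(work, "item-001.dd")
    log = os.path.join(work, "custody.jsonl")
    result = acquire_image(device, image)
    record_custody(log, "item-001", "acquired", "examiner", result["image_sha256"])
    print(result["verified"], verify_against_log(log, "item-001", image))
    with open(image, "ab") as f:  # simulate a later accidental write to the image
        f.write(b"\x00")
    print(verify_against_log(log, "item-001", image))  # the image no longer matches the log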
Q: How is security of the lab maintained?
DB: The door to the room and the evidence storage inside are equipped with locks. Entrance to the lab requires a key card, which only a few consultants hold as needed. We also keep close track of the movement of evidence—we document whenever it is accessed or moved from one place to another so that we can always account for it.