When IT goes looking for Windows artifacts on a laptop, it’s usually after a negative event has happened in the organization: a ransomware strike, malicious activity or critical lost data. Searching for clues costs an organization time and expense at the worst possible time. Here’s a better approach to conducting forensics on laptops.
Given the entrenchment of Microsoft Windows in large enterprise organizations, much desktop traffic inside a large company network comes from devices with Windows as the desktop operating systems. As users go about their business, they leave footprints in the form of Windows artifacts in files such as registry hives, system logs, search history, browsing history, event logs, prefetch, LNK shortcuts, and more stored on their systems.
These recordings or archives are mostly untouched and unexplored by IT; that is, until something goes wrong that requires investigation by a legal team or internal audit team. At these times, these files become invaluable to an IT team under pressure to find out what went wrong and to collect evidence for legal.
In one real-world example, a large tech company in the course of an acquisition experienced a Cryptolocker attack that led to severe data loss. The IT team was not able to understand how it happened, and needed to go back in time to understand what files were opened and downloaded. The digital forensics team was asking IT these kinds of questions:
- Where did these threats come from?
- Can we track who or where it initiated from?
- Did the user forward that file to anyone else?
- Was the infected data copied to a USB drive, or, did it originate from one?
Answers to these questions can come from analyzing these ‘Windows artifacts’ files that store user behavior. The problem is, by the time IT is Googling ‘how to find ‘Windows Artifacts’’ in search of answers, it is usually after the event has occurred. By then, everyone is under pressure to get the legal team the information that’s needed to address the problem, and the clock is ticking when it finally reaches the legal or forensics teams paid to solve the problem.
Without knowing another way to answer these questions, other than seizing the user’s laptop, the IT team, as in the case above, turns to expensive solutions that require shipping the hard drive or disc image to a third-party firm for analysis. These legal firms charge a hefty price for file analysis and the time it takes to handle devices. In the end, the company likely pays a ransom fee to unlock the damaged files and restore lost data.
To address these pain points, modern endpoint backup solutions have evolved to enable organizations to collect Windows artifacts data in a forensically sound manner. These solutions can ensure that data on laptops, mobile devices and cloud apps, across OS and device types, is backed up and available, providing IT teams a data archive to pull from when they most need it. Not only does this help in everyday situations like a lost laptop, but also during larger events like ransomware or malicious activity such as insider theft. By having the data backed up over time, IT can remotely retrieve data off any device, in any part of the world, without needing to obtain the hardware, ship out data, or find a vendor in that region.
inSync is one of these modern solutions and ensures the proper handling of this type of data for forensic purposes. Should you need to place a legal hold on data on an endpoint, inSync ensures that the original metadata attributes are retained so that the data remains legally admissible. In addition, inSync seamlessly integrates with eDiscovery solutions through a web connector and this allows for data to be exposed along with the EDRM recommended metadata attributes for any forensic investigation.
In the event of a ransomware attack or breach, Druva inSync is designed to recover your business by providing multiple capabilities to remediate and reverse the damage. inSync data protection empowers IT teams to restore data across laptops, mobile devices and cloud apps, looking inside checksums in the data archive to remove any buggy files for correction action, and to revert to an earlier version that is not corrupted.
Not only does this aid IT teams in collecting files in a forensically sound manner, but will also provide organizations a quick way to proactively capture this information. In a future release of inSync, IT will be able to create a predefined lists and select that list to capture files such as registry hives, search history, browsing history, event logs, prefetch, LNK shortcuts, and more, using a customized a template that enables IT to simply select a checkbox.
Does your IT team experience any of these challenges? Are you interested in hearing more about how Druva can partner with you to help? Contact us to explore becoming one of our Druva Design Partners.
Interested in this topic? We suggest these related articles:
5 Ways IT Can Give Legal What It Needs for eDiscovery (Before They Ask)
Chain of Custody: What IT Needs to Know for Legal Holds
Not the type to wait around for bad things to happen? Check out the executive brief below: