Page 41 - Understanding Forensic Technology Landscape

•   If successful, the volume, type and scope of data to which the actor gained access
•   Source of the intrusion
•   How to bring the system back to its prior status
•   How to enhance cybersecurity to prepare for future attacks

System and network audit logs are key to both investigation and restoration of systems and data. They contain digital fingerprints essential to forensic analysis. This data must be expeditiously and securely acquired by forensic image of the system or data extraction. As the investigation unfolds, chain of custody and specific processes implemented should be documented.

Adhering to data preservation standards is essential. Tools that can assist with this process include digital forensics platforms, forensic toolkits, protocol analysis toolkits, and browser analysis software. Preserving evidence in anticipation of litigation is critical.

Many of these tools can be purchased online directly through the vendor. However, using them to their full capacity often requires an expert. Practitioners and teams without sufficient expertise should consider bringing in an independent specialist and consulting counsel.

A few examples of where these tools can be of value, how they are used, and the result of expert analysis are provided as follows:


Fraud type                            Type of analysis                               Use case example

Corporate embezzlement                Email analysis correlated with financial       Bernie Madoff investigation [43]
                                      transaction analysis

Business email compromise (BEC)       Tracing the emails from outside attack to      “Toyota Parts Supplier Hit by $37 Million
                                      recipient and the release of funds; tracing    Email Scam” [44]
                                      flow of funds through the banking system

Theft of intellectual property (IP)   Analysis of customer lists and source code     “Court Imposes Maximum Fine on Sinovel Wind
                                                                                     Group for Theft of Trade Secrets” [45]



















[43] 5 Years Ago Bernie Madoff Was Sentenced to 150 Years in Prison — Here’s How His Scheme Worked, Business Insider, businessinsider.com/how-bernie-madoffs-ponzi-scheme-worked-2014-7, accessed March 9, 2020
[44] Toyota Parts Supplier Hit by $37 Million Email Scam, Forbes, forbes.com/sites/leemathews/2019/09/06/toyota-parts-supplier-hit-by-37-million-email-scam/#7a08f8a35856, accessed March 9, 2020
[45] Court Imposes Maximum Fine on Sinovel Wind Group for Theft of Trade Secrets, U.S. Department of Justice, justice.gov/opa/pr/court-imposes-maximum-fine-sinovel-wind-group-theft-trade-secrets, accessed March 9, 2020



                                                                  Understanding the forensic technology landscape | 37