
July 25, 2025
Published July 13, 2023
Cyber attacks, unauthorized access, information leaks, data tampering: these are among the many incidents involving digital data that any company can become caught up in. Digital forensics is the process needed to counter and respond to such crimes and fraudulent activities. In this article, we explain the basics of digital forensics, provide case studies, and show you how to choose the best investigation vendor.
Digital forensics (or computer forensics) is a field of forensic science that refers to investigations that collect and analyze data stored on digital devices to reveal evidence of criminal or fraudulent activity. It is used as an umbrella concept that covers all digital devices, including not only computers but also smartphones and tablets.
Digital data is key not only to cybercrime such as unauthorized access, data falsification, and remote control, which is rapidly increasing as society shifts to IT, but also to internal crimes such as information leakage and accounting fraud. Digital forensics, which investigates causes and evidence by recovering traces of access to digital data and deleted data, is becoming increasingly important.
Whether it is an attack from outside the company or an internal fraud, it is important to determine where vulnerabilities existed in the company's systems, how the damage occurred, and the causes so that measures can be taken to prevent recurrence. This is also beneficial in terms of clarifying where the responsibility lies.
The time required for a digital forensic investigation ranges from a few hours to several months, and varies greatly depending on the number of devices to be investigated, the items to be investigated, and the purpose of the investigation.
The investigation begins with a hearing. After clarifying the purpose of the investigation, data preservation and collection begins. Next, the collected data is analyzed using specialized analysis tools to clarify the circumstances and routes of damage. We then create a report from the information obtained.
Hearing
First, we hear the details of the incident. We confirm the investigation target, investigation items, and investigation deadline.
Preservation of evidence
If data is changed after the damage is discovered, accurate investigation results cannot be obtained, so it is essential to preserve and collect data promptly. The entire contents of the equipment under investigation are duplicated. In doing so, a value called a "hash value" is generated to prove that the original data and the duplicated data are identical. This ensures that no data has been tampered with or is missing.
Investigation and Restoration
We analyze the preserved and collected data using appropriate procedures to extract information that could be the cause or evidence of the problem. If data has been encrypted or erased, techniques for decryption and data recovery are also required.
Reporting
We will organize all the results of the investigation and prepare a report that can be submitted to a third-party organization.
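The preservation step above relies on a hash value to show that the duplicate is identical to the original. The following Python code is an added example, not FRONTEO's tooling or code from the original article: it duplicates a source while hashing it, re-reads the duplicate to confirm the match, and re-verifies it later. SHA-256, the file names, the examiner ID and the record fields are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat however large the source is

def sha256_file(path):
    """Return (hex digest, byte count) for a file or raw device node."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size

def acquire(source, image, examiner):
    """Duplicate source to image, hashing the source bytes as they are read."""
    h, size = hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        while chunk := src.read(CHUNK):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    os.chmod(image, stat.S_IRUSR)  # the duplicate is read-only from here on
    if sha256_file(image) != (h.hexdigest(), size):  # re-read from disk
        raise OSError("image does not match source; repeat the acquisition")
    return {  # record fields are illustrative, not a standard format
        "source": source, "image": image, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": size, "sha256": h.hexdigest(),
    }

def verify(image, record):
    """Re-check an image against its acquisition record before analysis or handover."""
    digest, size = sha256_file(image)
    return size == record["bytes"] and digest == record["sha256"]

def demo():
    """Constructed sample: a temp file stands in for the device being preserved."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "device.raw")
    image = os.path.join(workdir, "device.dd")
    with open(source, "wb") as fh:
        fh.write(b"\xAA" * (3 * CHUNK + 17))  # deliberately not chunk-aligned
    record = acquire(source, image, examiner="examiner-01")
    intact = verify(image, record)
    os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)  # simulate a later modification
    with open(image, "r+b") as fh:
        fh.seek(CHUNK)
        fh.write(b"\x55")  # change a single byte
    return record, intact, verify(image, record)

if __name__ == "__main__":
    print(demo())
```

A single changed byte is enough to make the later verification fail, which is why the hash is recorded at acquisition time and checked again before analysis.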
Digital forensics (computer forensics) is sometimes referred to as the following depending on the subject of the investigation.
Digital forensics on mobile devices, such as cell phones and smartphones, is sometimes referred to as mobile forensics. Smartphones, in particular, are equipped with functions similar to those of PCs and have become indispensable devices for business operations, often storing important evidence in fraud cases. It is easy to let one's guard down because of the familiarity of these devices, but care must be taken not to inadvertently touch the data and damage the evidentiary capacity.
Digital forensics that targets network logs and communication data is sometimes referred to as network forensics. Network logs are examined to determine how information leaks and attacks occurred. Checking data behavior on a daily basis is also expected to deter information leaks and fraud by insiders.
You never know when you might be involved in a digital data crime, whether inside or outside your company. Companies that take this seriously are always prepared. What are the risks if your digital forensic measures are inadequate?
Naturally, if data and evidence of fraudulent activity are not quickly identified and acted upon, the damage will continue to escalate. It is also important to note that careless handling can cause secondary damage, such as overwriting important data that serves as evidence, or unintentionally executing a malicious program.
In some cases, digital forensics requires an enormous amount of work time due to the large amount of data to be processed. If work is started without foresight, the same work may be repeated, secondary damage may increase, and response costs will also increase.
The biggest risk of all is damage to corporate value. As a company that engages in economic activities, whether the cause is internal or external, incidents involving digital data entail social responsibility. Appropriate countermeasures and responses are essential.
The following are examples of cases where digital forensics is effective and typical purposes of investigation.
When there is a cyber attack such as unauthorized access or malware infection, digital forensics is used to determine the cause. What was the type of cyber attack, where were the vulnerabilities, and how and where was the infection transmitted? Not only will this help prevent recurrence, but in some cases, it will also enable action to be taken in legal actions such as lawsuits.
In the event of a security incident, digital forensics not only helps preserve and analyze evidence, but also helps to assign blame. By examining the details of the incident to determine whose negligence caused the accident, you can prepare for a lawsuit if you are held liable.
Network forensics can also be used to investigate whether there are problems with the security system. If network and system vulnerabilities can be identified, security measures can be strengthened, such as upgrading outdated software and changing firewall settings, to counter unauthorized access and data leaks.
Digital forensics can also be effective in preventing internal fraud. If a company is willing to conduct a digital forensic investigation to determine the cause of fraud when it occurs, it can serve as a deterrent to future attempts to commit fraud.
The following is a list of specific cases in which digital forensics was actually used to solve problems.
When an organization or company is involved in a large-scale scandal that causes a stir, such as quality fraud by falsifying inspection data, it is becoming essential to promptly establish a "third-party committee" and proceed with an investigation of the scandal. Since the investigation of a third-party committee requires analysis of electronic data such as e-mails, SNS, and texts, forensic vendors are increasingly joining the investigation either as a member of the third-party committee or as a support to the third-party committee. Forensic vendors with experience working with third-party committees can be considered to have a certain reputation for forensic accuracy and speed.
Cartels are prohibited by the Antimonopoly Law because buyers are disadvantaged when a business operator with a large market share engages in cartel behavior. When a company is suspected of a cartel by the Fair Trade Commission, it must immediately proceed with a cartel investigation, in which digital forensics can also play an important role. By preserving and recovering the emails and texts of the employees involved, evidence can be secured, the facts clarified, and recurrence of the cartel prevented. The surcharge may also be exempted or significantly reduced.
Digital forensics is also indispensable in investigations of accounting irregularities such as sales falsification, manipulation of the timing of cost accounting, and fictitious sales. It is necessary to promptly analyze the emails and texts of the employees involved in order to reveal the true nature of the accounting irregularities. In the case of serious accounting irregularities, third-party committees are increasingly being formed, and as mentioned above, digital forensics is also deeply involved in such cases. In addition, there are many cases of accounting irregularities committed by overseas subsidiaries. In such cases, it is ideal to outsource to a forensic vendor that has overseas branches, where the risk of information leakage is minimal.
Digital forensics is essential to investigate the impact of information leakage due to unauthorized intrusion by cyber-attacks, employees taking information out of the company, human error, etc. Was the information taken out via USB or other externally connected devices, or was it sent to a third party via e-mail? Forensics will identify the route and scope of the information leakage to determine the cause of the information leakage and design measures to prevent recurrence.
The following are specific examples of cases in which digital forensics is required.
Two years after former employee A moved to a competing company, it was discovered that products similar to the company's own products were being manufactured without permission and sold overseas. An internal investigation was conducted, and although the logs of the computer used by employee A showed that a large amount of data had been copied a few days prior to his resignation, the data volume was too large to determine whether it was related to the removal of the information in question.
According to the court's opinion, "it is necessary to identify the person and the operation of the trade secret" in order to identify the crime. In addition, it was difficult for in-house personnel to accurately extract unauthorized copies and deletions from a large volume of record information exceeding one million records, and the lack of a third-party nature was also a concern. To ensure the third-party nature of the data, we asked a specialized support service company to conduct the investigation. By building its own database, the company investigated a large volume of log data.
As a result, we found that former employee A copied approximately 300,000 items of data onto a USB memory stick, and a few days later deleted the external HDD after unplugging the network cable. Furthermore, we confirmed that he repeatedly wrote and deleted unrelated program files several times for approximately 120 hours.
A company's PCs were found to be infected with malware. Since personal information was suspected to have been leaked, we requested a support service company to identify the infection route and conduct an investigation to trace the traces of information leaked from the infected terminal. Since the source of the infection was unknown, the number of terminals to be investigated was several hundred.
Analysis was conducted using analysis tools to visualize the attack route and identify the affected terminals. In addition, we investigated fewer than 30 cyber black markets to see if the leaked information was being traded on the dark web. As a result, we were able not only to identify the PCs on which the information leak had occurred, but also to confirm that the information had been leaked to the dark web.
The following gives a rough idea of the cost and the time required when asking a professional support service company to conduct an investigation like those in the case studies introduced here.
As a general rule of thumb, the cost of a forensic investigation is several hundred thousand yen per device. However, since the cost varies depending on factors such as the nature and scale of the investigation, it may cost only a few tens of thousands of yen, or it may cost several million yen.
Forensic investigations can take anywhere from a few hours to several months. It varies depending on the number of devices to be investigated, the items to be investigated, and the purpose of the investigation. If you have a fixed trial date or a deadline for publication of the investigation results, consult with us as soon as possible.
In digital forensics, we recommend hiring a professional support service company. Here are the reasons why.
Reason #1: Requires a high level of expertise and know-how.
Simply copying data not only does not guarantee the maintenance of evidentiary integrity, but also makes it impossible to recover deleted data. In order to provide effective evidence in a lawsuit, reliable data extraction and record management are essential, so it is effective to use an investigation company with expertise and know-how. This is especially true in cases that require a large amount of processing and resources, such as when the number of terminals to be investigated is several hundred to identify the infection route of an information leak.
Reason #2: Preservation of evidence and neutrality can be ensured.
When data needs to be not only collected but also restored, if only the IT department of the company conducts digital forensics, there is a possibility that data that could have been preserved or collected will be damaged. In addition, in cases where information leakage by internal personnel is suspected to be intentional, it is better to use outside professional services to ensure neutrality, which will ultimately reduce the elements that could be used against you in a lawsuit.
Reason #3: Investigations can be conducted using the latest tools.
Investigating cyber attacks requires the use of the latest tools. Malware is increasing every day. A professional support service company can provide such up-to-date knowledge and updates to the corresponding tools.
Reason #4: Investigation can be done at optimal cost.
If you need specialized knowledge and tools, you may think that you can hire new staff and purchase the necessary tools in-house, but you never know when an incident may occur or how large it may be. With professional support services, you can investigate at a cost that is appropriate to the scale of your project. As a result, it is more economical to hire a service vendor.
Experience and expertise of the investigation company
A company with a long track record of investigations can select the appropriate method for each case at a reasonable cost, since it has accumulated a high level of technical skill and know-how regarding data recovery. Since the number of companies that can handle large-scale or specialized investigations is limited, whether or not the company has a track record of being commissioned by publicly listed companies, police, or government agencies is an important factor in determining reliability.
Tools and technology of the investigation company
The results of an investigation will vary depending on the company's equipment and the skill of its engineers. Please check the company's track record carefully. In particular, data recovery requires specialized tools and advanced technical skills. Be sure to select a vendor with expertise in the recovery process.
Pricing of the investigation company
The cost of digital forensics varies greatly depending on the number of engineers working on the investigation, the amount of data, and other factors. It is recommended that you choose a vendor that clearly specifies its cost items and how additional fees will be incurred.
Reputation of the investigation company
You can confirm the reputation of a prospective investigation company by obtaining references from companies that have used it. Contact the companies and attorneys given as references, and ask them about the vendor's actual reputation. Although this is time-consuming, it is a recommended method for selecting the vendor that best matches your company and case.
In today's digital forensics, which deals with huge amounts of data, the use of AI (artificial intelligence) can dramatically increase accuracy and speed. By having a small number of experts look through a small number of sample files and having AI learn the criteria, it is possible to extract only the relevant items from a large amount of data. The simple data sorting work that must be done at the beginning of a survey can be done by a small number of people in a short period of time, which not only improves the efficiency of the survey, but also increases accuracy by allowing experts to focus their resources.
As a pioneer in forensic support services, FRONTEO has been working on fraud investigations since its establishment in 2003, and in 2004, it held Japan's first seminar on digital forensics for the police. As a leading forensics company in Japan, FRONTEO also contributed to the establishment of the "Digital Forensics Study Group."
In 2006, digital forensics gained a great deal of publicity when it was used in the investigation of the "Livedoor Incident," but FRONTEO had been conducting forensic investigations for three years before that. With 20 years of history and more than 2,000 fraud investigations, we have been involved in a wide range of cases, from public-relations scandals to "third-party committees" for fraud investigations. FRONTEO's digital forensics has also been used by many "third-party committees" in high-profile cases. FRONTEO's high reliability has helped many companies solve their problems.
Since FRONTEO has branches in the U.S., Korea, and Taiwan, we have been doing business with many enterprise companies that have overseas subsidiaries. FRONTEO's digital forensic technology is heavily used to protect the interests of Japanese companies in cases such as accounting fraud by subsidiaries and forensic investigations when they are involved in overseas lawsuits. Recently, FRONTEO has also been involved in many cartel investigations of large companies, and has earned a high reputation for its response to the surcharge reduction and exemption system (leniency system).
Another feature of FRONTEO's services is its nonstop provision of services ranging from data preservation and collection to analysis and reporting. Our self-developed AI engine "KIBIT" is a simple, high-performance algorithm that, unlike other products, can be implemented quickly because it requires only a small amount of training data, a short implementation time, and light computational processing. KIBIT can be flexibly customized to meet the needs of proprietary systems and special data.
FRONTEO's digital forensics is a fusion of 20 years of responsibility and experience as a leading company and the technology of our self-developed AI engine. If your company is considering forensic investigation, please contact FRONTEO.