By Bobby R. Williams, Jr.
I admit it. I like puzzles. It’s probably why I enjoy helping people solve problems. During my career, I have seen problems disguised as solutions. Unintended consequences can turn a simple procedure into a puzzle that needs to be solved. Security is one of those items. Data encryption to be more specific.
Organizations want to keep their data safe. So, they encrypt files, folders and hard disks. I have seen very effective encryption protocols deployed with several tools. The data is safe, but what does this mean if the data needs to be collected for investigation?
Often, the security protocol designed to protect your data can prevent you from accessing it when you need to complete a defensible collection.
Why is this significant?
Encryption is great. I am always in favor of more security, balanced with an efficient user experience. Often organizations deploy decryption without considering methods to decrypt the data should it become necessary. Stored keys are disorganized. Key generators are not successfully used. Systems deploy layers of security without understanding how one layer impacts the other. Inevitably, a legal matter or an internal investigation arises. Then the skilled IT professionals who have done a phenomenal job protecting the company’s data cannot provide the necessary information to decrypt and/or provide a third-party expert access to that data. As a result, data collections are often delayed. Otherwise, an expert may need to deploy an expensive workaround or use a defensible but less optimal collection method.
What’s my takeaway?
When I am scoping out a case, I ask these questions early in the process:
- Is there encryption used? If so, where and on which devices?
- What type or tool are you using to encrypt?
- What is your protocol for decrypting data if needed?
- Has it been tested and validated?
Your organization should make sure these questions can be quickly answered on a scoping call. The answers can impact the speed at which an investigation begins. Not having those answers can completely stall the process. Take the time to test and document the recovery procedure. This will help ensure you are familiar with the process.
Know which keys unlock which doors. It may save you from having to solve a puzzle you didn’t know you made.