Forensic Technology: Considerations for Information Governance
ARMA Twin Cities Presentation, April 6, 2016

Information Governance and Records Management use Forensic Technology, specifically Computer Forensic Technology. In this session we will review the types of forensic technology, examples of how it is being used today, and the associated benefits. We will look at the use of technology in the record life cycle, including the identification of records and information during the disposition process. To conclude, we will discuss how these technologies are aiding records management and what they can do for us in the future.

Greta Krapac
Manager, Advisory Forensic Technology, Records and Information Management
10 S. Broadway, Suite 900, St. Louis, MO, 63102
Tel: 314-244-4270
Cell: 312-560-0506
gkrapac@kpmg.com

What is Computer Forensic Technology?

Computer Forensics: A branch of digital forensic science where evidence recovered from digital media and devices is examined in a forensically sound manner. The goal of computer forensics is to investigate evidence from digital data in order to find who was responsible for a particular incident.

Computer Forensic Technology: Technology used to enable computer forensics. These tools analyze the hardware, software, associated networks, personal devices and the enterprise.

Types of Computer Forensic Technology

For better research and investigation, developers have created many computer forensics tools. These tools can be classified into various categories:
- Disk and data capture tools
- File viewers
- File analysis tools
- Registry analysis tools
- Internet analysis tools
- Email analysis tools
- Mobile devices analysis tools
- Mac OS analysis tools
- Network forensics tools
- Database forensics tools

The focus of today's discussion is the tools that look at files, specifically the unstructured files found in multiple locations within an organization.

Gaining Insight Into Your Data

These tools are used to gain better insight into your data/files to enable information governance and records management decisions.

Information about the files as a group:
- Date ranges (created, modified)
- Regions/locations represented
- File types represented
- File authors/departments

Information about the individual files:
- Date created
- Date modified
- Last viewed
- File type
- Content (by search term)

How Organizations are using Forensic Technology

Information Governance and Records Management professionals are using these analysis tools to understand the data/files they have and are applying this information in all aspects of the record life cycle.

Creation
- Gaining an understanding of where staff and employees are creating records.
- Regulating the creation of records through on-going monitoring.

Maintenance
- Understanding what data/files the organization is maintaining.
- Dealing with legacy records.
- Monitoring the use of current records.

Destruction
- Identifying records and files that are eligible for disposition.
- Identifying records that are on legal hold.
- Disposing of records.

How can I use Forensic Technology for Information Governance?

When and Why

Computer forensic tools are used to gain an understanding of an organization's records. For information governance and records management purposes they can be used to:
- Deal with legacy records and conduct a clean-up
- Monitor information governance and records management practices
- Conduct audits, testing controls using business data

Conducting a Clean-Up

A clean-up is often the first step in dealing with legacy data/files. Organizations find that servers, file shares, personal drives and desktops are filled with information they can easily identify and associate with their retention schedule, and information that is not easily identifiable.

There are two types of clean-up:

Manual Clean-Up
- Instruct staff/employees and personnel to apply retention and holds to their files regardless of their location
- Retention acted upon by staff/employees

Automated Clean-Up
- Analyze files using software
- Apply retention and holds based on information gathered during analysis
- Retention acted upon by software controlled by RM/IG staff

Monitoring Records Management and Information Governance Processes and Current Practices

IG and RM professionals use the same tools they use for disposition decisions to gain insight into the process and current practices.

Analysis includes:
- Creation and storage of files
- Location
- File names
- File authors
- Access to records
- Logs
- Restrictions
- Copies of files

Example Report: HR File Locations
- File Shares
- Local Drives
- Personal Drives
- SharePoint

This insight can be used to see how staff/employees are adhering to policy and to identify any trends. For example, a department with staff/employees that are offline often might be storing files to their hard drive. With these tools, the organization is able to identify the trend and find a solution.

Conducting a RM and IG Audit

These tools can also be used to conduct a formal audit of the records management and information governance program, testing controls. Activities associated with an audit include:
- Reviewing content of specific locations (e.g. shared drives) to check for over-retention
- Reviewing content of specific locations for files (e.g. hard drives which per policy should not contain any files)
- Testing access to files
- Testing content management ability to apply retention to files

Steps for Using Tools

To use these tools effectively there are a number of steps required to prepare, execute and monitor their use. These include:
- Planning and Building the RM/IG Program
- Securing Management Support
- Communicating with the Masses
- Refining the Details
- Inventorying and Classifying Content
- Making RM/IG Decision Based On Analysis
- Measuring Success

Color key: Green = Prepare; Blue = Execute; Orange = Monitor

Prepare: Planning and Building the RM/IG Program

This is a basic step that is often overlooked. Software tools offer solutions with impressive results. These results cannot be achieved with only the software. These tools require:
- Records Management/Information Governance Policy
- Record Retention Schedule
- List of all current legal and investigative holds, including custodian information
- Records management/information governance professionals to:
  - provide oversight for the use of these tools
  - assist with the use of these tools, including developing the decision matrix and rules for the application of retention

Prepare: Securing Management Support

Using these tools, especially for a clean-up, will impact the entire organization. Management support is critical. Steps to securing management support:
- Educate your audience
- Describe your process and plan
- Define your timeline
- Define what you need from the participants/key stakeholders
- Describe your planned results

Prepare: Communicating with the Masses

This effort has the potential to impact the entire organization. It requires a detailed communication plan. This plan should include:
- Timeline
- Description of the communication event
- Audience
- Type of communication
- Message
- Timing

Prepare: Refining the Details

The use of these tools requires extensive planning. The RM/IG team must develop a detailed methodology. This methodology should include:
- Goals and objectives
- Detailed plan to execute
- Process flow for decision points (e.g. what makes a record eligible for disposition)
- Approval documentation

Execute: Inventorying and Classifying Content

Using the developed methodology and software, files can be inventoried and classified. During this step, the tools are used to analyze the files.

Execute: Making RM/IG Decision Based On Analysis

The next step is to use the information collected and act upon it. This includes:
- For a clean-up, this means purging information past retention and not on hold
- For a monitoring project, this means making changes and updating your program to better meet the needs of the business
- For an audit, this means documenting your findings and setting out specific plans to address gaps in your established controls

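An added example (not from the presentation or from any vendor tool) of the inventory-then-decide flow described under "Gaining Insight Into Your Data" and in this step: it collects file metadata, summarizes the files as a group, and labels each file without deleting anything. The retention schedule, the hold list, the use of the top-level folder as the record class, and the use of the last-modified date as the retention trigger are all assumptions.

```python
import os
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed inputs (hypothetical): retention in years per record class, where the
# class is the top-level folder name, and folders currently under legal hold.
RETENTION_YEARS = {"hr": 7, "invoices": 3}
LEGAL_HOLDS = {"hr/smith"}

def inventory(root):
    """Walk root and collect per-file metadata without reading file content."""
    rows = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            st = os.stat(path)
            rows.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "type": os.path.splitext(name)[1].lower() or "(none)",
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "size": st.st_size,
            })
    return rows

def summarize(rows):
    """Group-level view: modified-date range and file count per type."""
    dates = [r["modified"] for r in rows]
    return {"oldest": min(dates, default=None),
            "newest": max(dates, default=None),
            "types": Counter(r["type"] for r in rows)}

def decide(row, today):
    """Return 'hold', 'review', 'retain' or 'eligible' for one inventoried file."""
    if any(row["path"].startswith(h + "/") for h in LEGAL_HOLDS):
        return "hold"        # a hold always overrides the retention schedule
    years = RETENTION_YEARS.get(row["path"].split("/")[0])
    if years is None:
        return "review"      # not on the schedule: RM/IG staff decide manually
    # Assumption: retention runs from the last-modified date.
    expires = row["modified"] + timedelta(days=365 * years)
    return "eligible" if expires < today else "retain"

def report(root, today=None):
    """Map each relative path to its decision; nothing is deleted or moved."""
    today = today or datetime.now(timezone.utc)
    return {r["path"]: decide(r, today) for r in inventory(root)}
```

The output is a decision list for approval; the hold check runs before the retention check so that a file past retention is never marked eligible while it is on hold.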
Monitor: Measuring Success

The last step is to document and measure your success. This includes:
- For a clean-up, this may include the number of files purged or moved to a more appropriate location for retention
- For a monitoring project, this may include process changes to improve efficiency
- For an audit, this may include information about how the RM/IG program addresses gaps in controls

Thank You!