Digital forensics investigation helps business partners resolve alleged breach event

Notion Digital Forensics was engaged by a multinational technology company to investigate an alleged breach of their systems, in which a private key from a server certificate was publicly shared by unknown parties. The government department they were working with believed that the technology company could have disclosed the key (either by accident or through a cyber breach) and requested an investigation. The breach had the potential to compromise the confidentiality and integrity of messages for a major government department.

Objectives

The objectives of the project were to investigate the events, determine how they occurred, and provide an analysis of an Australian government’s forensics report. We would then report to the business partners to help them resume their work together.

Approach

Notion Digital Forensics conducted a thorough investigation into the breach events by interviewing technical personnel, collecting and analysing digital evidence, and studying relevant standards (including the Australian Cyber Security Centre’s Information Security Manual). The Notion team delivered an Expert’s Report that addressed the concerns raised in the government’s forensics report and provided recommendations to the business partners.

Results

We provided recommendations for all parties, but we also found that certain actions had made the disclosure a non-issue: a key employee had protected the private key with a strong password. Our team attempted to crack the password of the disclosed file and found that we could not. We concluded that – even if the file was disclosed – it would be of little benefit since the password was probably too strong to crack (it would cost millions of dollars of computer time to brute force).

Conclusion

Notion Digital Forensics provided an analysis of the breach events that helped the business partners get back to work. Our investigation and report provided assurance to the parties involved that even if the private key had been disclosed, it would be of little benefit, as the password protection was strong. Our recommendations also helped the parties improve their procedures to prevent similar breaches in the future.
