If a thief tries to break into a house he’s going to leave broken windows, explains digital forensic expert Jonathan Grier. But someone on the inside doesn’t leave broken glass; he’s already in.

The same goes with insider theft in digital forensics. And research shows that the data that insiders steal is usually the data they are working on. The data stolen is no different from the data a thief uses every day, making it impossible to detect. 

DFI News spoke with Jonathan Grier, principal of Grier Forensic, before he left Las Vegas after attending this year’s Computer and Enterprise Investigations Conference (CEIC). Although, due to a scheduling conflict, he was not able to give his presentation “How to Catch an Insider Data Thief,” Grier gave DFI News an exclusive look into the world of insider theft and his thoughts on CEIC this year. Grier said many conference attendees were looking forward to his talk (we believe him), but they will have to see the online version available in the near future. 

Talking with Jonathan
Grier said that insider theft is much less common than outside attacks, but they are far more damaging. One only needs to think of Edward Snowden and the effect his actions have had.

Grier mentioned that when forensic expert Harlan Carvey is asked, “Are you able to forensically identify when people copy data?” Carvey responds that there are no artifacts, and thus identification isn’t possible. If someone copies data there are no footprints of their actions beyond copying the data, Grier explained.

Also read, "Grier Forensics Sifts Through the Data."

DFI News also asked Grier his thoughts on CEIC this year and in general. We think of CEIC as a conference for digital forensics practitioners, not just another cybersecurity conference.

“You’re hitting the nail on the head,” Grier answered. “There are a lot of cybersecurity conferences out there, and there are a lot of research conferences for forensics. This is the conference for digital forensic practitioners.”

“You get a conference full of people who do the in-the-trenches, day-to-day forensic operations,” Grier added. “Most people there aren’t even interested in security.”

He pointed out the hands-on, practical nature of the conference. One presentation took apart USB flash drives. Another took apart the Apple Watch and the latest Apple Macbooks. Since Apple now makes its own flash drives getting into them is a forensic nightmare, Grier explained.

This year, vendors emphasized speeding up forensic acquisition, Grier said. He also mentioned how many of the digital forensic vendors are trying to get into cybersecurity.

“The market is probably 30 times as big,” he said. “Security has the headline factor.”

Forensics is a very important niche even when it is not involved with security, Grier added. He sees digital forensic investigation as quieter -- but even high-profile cases need the work of digital forensic practitioners to find out what happened.

Jonathan Grier is principal of Grier Forensics.