Digital Forensics in DLP

How to do Digital Forensics in DLP

Post credit: Ricoh Danielson

Today’s data landscape is vastly different than it was just several years ago. The proliferation of public cloud platforms, mobile devices, and new applications such as Dropbox have changed the way organizations store, transfer, and share their data. 

Digital forensics is an evidence-gathering process used to collect digital artifacts from computers, storage devices, and networks. Computer forensics is a subset of digital forensics and involves using specialized tools to acquire and analyze data in order to reconstruct or prove a particular sequence of events. Because of the highly confidential nature of digital assets in corporate data centers, it is important for Data Loss Prevention (DLP) solutions to integrate robust digital forensic analysis capabilities.

How to conduct DLP Forensics: Understanding its importance

When it comes to data loss, some people assume they are protected by an invisible firewall. Nobody likes disruptions that derail their day and cause stress, and what usually causes a stir is not knowing what is missing until it is gone. To understand what has left your environment, what the threat actors have stolen, and what data you will be held responsible for, you must understand Data Loss Prevention and data categories. Whether it is earnings potential, client records, employee data, medical history or more, losing sensitive information can have lasting negative consequences. For this article, we will focus on data loss and what to look for when it comes to DLP.

Something to consider during a DLP investigation is data exfiltration (exfil): the unauthorized transfer of information out of an organization. In a legal setting, investigators will want to identify the source of the data, who had access to it, what their motives were, and where the data went. Tracking information is an important part of the security process: organizations must be able to determine when information may have been stolen, or find evidence that a computer has been compromised.

The details collected about the activity of users and computers help paint a more complete picture of what data may have been transmitted from a company's network, and when. The most effective way to track user activity is with audit logs.

These log entries provide crucial information about which files are being accessed, when they are accessed, and by whom. They also record attempts to break into a system, such as logins where passwords are entered incorrectly. Knowing and capturing these data points will help show legal and investigative teams how to find data that may have been exfiltrated.

What technical requirements will you need to begin your DLP Forensics or discovery?

First, you should understand the difference between DLP Discovery and Forensics. Discovery is the setup phase of a DLP implementation and includes gathering information that is already in the environment in an unstructured state. Forensics, on the other hand, deals with a complete investigation of historical data that has already been processed through an existing Information Protection Platform. An example would be analyzing the historical data exfiltrated when an employee's machine has been compromised, whether maliciously or unintentionally.

There will be some technical requirements when it comes to conducting DLP forensics or discovery. Some incident responses will require a manual process and others will require tools. Below we demonstrate both ways of conducting this, manually and with a tool, and it should provide a point of guidance. For the manual way, techniques and skills are the tools that get you the information you need. As we can see in the PowerShell excerpts below, there are several commands that can be used.

PowerShell is our friend when it comes to manual discovery. However, keep in mind that not all organizations have the funds, time or labor for a manual approach, so they might turn to a tool instead.

Example of manual DLP discovery using PowerShell

If we do not have tools, then we will have to conduct DLP forensics manually.

The excerpt below shows the file type, the encoding, the extension and the path of each file. These are all critical elements when it comes to conducting further analysis.

PowerShell excerpt (screenshot)

The command line above shows that there are files in the local directories that can be extracted and reviewed. It also shows that the file was plain text, which allows us to gather much more metadata for the investigation.
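As an added example (not the command from the original post's screenshot), the sweep below collects the same elements the excerpt reported, path, extension, encoding and file type, for every file under a directory, adds size, last write time and a SHA-256 hash for evidence preservation, and flags plain-text files that match a sensitive-content pattern. `$Root`, `$SensitivePattern` and the output path are assumed values to tune for your environment.

```powershell
# Added example: manual DLP discovery sweep in PowerShell (not from the original post).
# For every file under $Root, record path, extension, size, last write time, SHA-256
# and the text encoding read from the byte-order mark, then flag plain-text files
# that match a sensitive-content regex. $Root and $SensitivePattern are assumed values.
param([string]$Root = 'C:\Users\Public\Documents')

# Constructed pattern: the word "confidential" or a US SSN-shaped number. Tune to your data categories.
$SensitivePattern = '(?i)confidential|\b\d{3}-\d{2}-\d{4}\b'

function Get-TextEncoding {
    # Sniff the first 512 bytes: a BOM identifies UTF-8/UTF-16, a NUL byte means binary.
    param([string]$Path)
    $buf = New-Object byte[] 512
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    if ($n -eq 0) { return 'empty' }
    if ($n -ge 3 -and $buf[0] -eq 0xEF -and $buf[1] -eq 0xBB -and $buf[2] -eq 0xBF) { return 'UTF-8 (BOM)' }
    if ($n -ge 2 -and $buf[0] -eq 0xFF -and $buf[1] -eq 0xFE) { return 'UTF-16 LE' }
    if ($n -ge 2 -and $buf[0] -eq 0xFE -and $buf[1] -eq 0xFF) { return 'UTF-16 BE' }
    for ($i = 0; $i -lt $n; $i++) { if ($buf[$i] -eq 0) { return 'binary' } }
    return 'plain text (no BOM)'
}

function Get-DlpFileInventory {
    param([string]$Path, [string]$Pattern)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $enc = Get-TextEncoding -Path $_.FullName
        $hit = $false
        if ($enc -ne 'binary' -and $enc -ne 'empty') {
            # -Quiet returns $true on the first match instead of emitting every matching line.
            $hit = [bool](Select-String -Path $_.FullName -Pattern $Pattern -Quiet)
        }
        [pscustomobject]@{
            Path         = $_.FullName
            Extension    = $_.Extension
            Encoding     = $enc
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SensitiveHit = $hit
        }
    }
}

# Review on screen, and keep a CSV copy as the evidence record for the case file.
$inventory = Get-DlpFileInventory -Path $Root -Pattern $SensitivePattern
$inventory | Sort-Object SensitiveHit -Descending | Format-Table -AutoSize
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'dlp-inventory.csv') -NoTypeInformation
```

Files without a BOM that contain a NUL byte are classed as binary and skipped by the content match, so a UTF-16 file saved without a BOM would need a dedicated decoder before it can be searched.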

Extracting all these data points can point in the right direction of not only where, when and how these data were used for data exfiltration, but also where the threat actor might be going next.

Let's dive into this one a little more. We will need to mix in a little network forensics as well to ensure we know both the source the data came from and the destination it was going to. These are the network points needed to ensure we are blocking and tackling effectively.

Example of using a tool – Splunk’s Security Content for DLP discovery:

There are three types of DLP solutions: network DLP, cloud DLP and host-based DLP. 

As we can see from the tool screenshot of Splunk's security content journey below, there are a few ways to understand how data was let out. Use cases such as the amount of traffic, USB usage and web browsing can provide great content on how and when data may have left the network.

Splunk's Security Content Journey (screenshot)

The section above is a dashboard of use cases. Use cases are developed to profile a user's behavior, and as we can see there are fundamental things that might flag nefarious activity. Take an example such as "large web uploading": this might indicate that a very large amount of data is being exfiltrated at one time. Another use case would be first-time USB device activity. This indicates that the user is mounting a USB device, either physically or logically, to acquire data, which is a signature trait of threat actors performing data exfiltration.

Some of these exfil tactics map back to the Exfiltration tactic in the MITRE ATT&CK framework.
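As an added example (not from the original post or from Splunk's content), the script below expresses the two dashboard use cases just described, "large web uploading" and "first time USB device activity", together with the failed-login pattern from the earlier audit-log paragraph, as plain PowerShell over a constructed audit log. The field names, thresholds and log values are assumptions chosen for the example.

```powershell
# Added example (not from the original post or Splunk): DLP use-case detection
# over a constructed CSV audit log. Field names, thresholds and values are assumed.
$Log = @'
Time,User,Event,Detail,Bytes
2024-03-01T08:05:00Z,alice,web_upload,upload.example.com,120000
2024-03-01T08:07:00Z,bob,usb_mount,VID_0781&PID_5591,0
2024-03-01T09:30:00Z,alice,login_failed,WS-12,0
2024-03-01T09:31:00Z,alice,login_failed,WS-12,0
2024-03-01T09:32:00Z,alice,login_failed,WS-12,0
2024-03-01T09:40:00Z,bob,usb_mount,VID_0781&PID_5591,0
2024-03-01T10:15:00Z,carol,usb_mount,VID_0951&PID_1666,0
2024-03-01T11:00:00Z,carol,web_upload,upload.example.com,850000000
'@ | ConvertFrom-Csv

$UploadThresholdBytes = 500MB   # assumed; baseline it against normal traffic volumes
$FailedLoginThreshold = 3       # assumed; failures per user and host before alerting

$alerts = New-Object System.Collections.Generic.List[object]
function Add-Alert($Time, $User, $Rule, $Detail) {
    $alerts.Add([pscustomobject]@{ Time = $Time; User = $User; Rule = $Rule; Detail = $Detail })
}

# Use case 1: a single web upload above the threshold.
$Log | Where-Object { $_.Event -eq 'web_upload' -and [int64]$_.Bytes -ge $UploadThresholdBytes } |
    ForEach-Object { Add-Alert $_.Time $_.User 'large_web_upload' "$($_.Bytes) bytes to $($_.Detail)" }

# Use case 2: first time a given USB device is seen for a given user. In production the
# $seen table is seeded from a historical baseline window so only genuinely new pairs alert.
$seen = @{}
foreach ($e in ($Log | Where-Object Event -eq 'usb_mount' | Sort-Object Time)) {
    $key = "$($e.User)|$($e.Detail)"
    if (-not $seen.ContainsKey($key)) {
        $seen[$key] = $true
        Add-Alert $e.Time $e.User 'first_time_usb' $e.Detail
    }
}

# Use case 3: repeated failed logins for one user on one host.
$Log | Where-Object Event -eq 'login_failed' | Group-Object User, Detail |
    Where-Object Count -ge $FailedLoginThreshold | ForEach-Object {
        $last = $_.Group | Sort-Object Time | Select-Object -Last 1
        Add-Alert $last.Time $last.User 'failed_logins' "$($_.Count) failures on $($last.Detail)"
    }

# The alert timeline is the starting point for working backwards through the evidence.
$alerts | Sort-Object Time | Format-Table -AutoSize
```

On the constructed log this yields four alerts: bob's and carol's first USB mounts, alice's three failed logins on WS-12, and carol's 850,000,000-byte upload; bob's second mount of the same device and alice's small upload stay quiet.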

Using a tool can provide a lot of information. We can dive further into which attributes are contributing to the DLP event.


This section of attributes will show the users’ names, emails and category of data that was hit along with time and date. Now that we have a timeline we can work backwards and find more information to further our investigations.

Analyzing findings and data elements

As we conduct the analysis of this discovery, it is important to capture all of these small yet important data points. With these data elements, we can get a clear idea of what kind of sensitive data is stored and where by running rich SQL analytics. We can also create reports that show where sensitive data is stored in our infrastructure, for future forensics.

We can pull out the main data points such as the executable, time, data, users, user groups and privileges. We can then tie these to predesigned alerts/rules and automate them. These rules/alerts can then be tuned to be more aggressive and stricter.


Ultimately, the security of your data and your organization should be of utmost importance. Take proactive measures like educating staff members or implementing administrative controls to keep your data safe, but never overlook other viable solutions. 

Implementing manual DLP could be for those who feel existing tools aren't strong enough, or are not even necessary. Your mileage may vary depending on your policies and goals, but it's always a good idea to have more than one method in place to safeguard sensitive data.

With that said, the most appropriate time to implement manual DLP measures is when the technology simply doesn't catch it. This could be either because you aren't using a technology that catches it, or because there is no detection mechanism for it at all. The goal is to improve your existing technology, not to replace it.

Despite DLP's many benefits, some information might still be lost. If you are faced with a data leak that passes through your existing technologies and cannot be caught automatically, then manual DLP may be a viable option.

In short, whether you do manual DLP forensics or use a tool, there is great data to be revealed. It is what you do with the data that helps tell the story of when, what and how the data loss happened. As a first responder, you are in charge of how this data's story is told. Furthermore, the preservation of the data is going to be a critical part of what is needed for action. The reactive measures are just as important as the proactive measures.

The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes. Join the newsletter here.