Cutting Us Some Slack

By Joseph Pochron, who shows us how to use Onna to acquire data from cloud collaboration tools like Jira, Confluence, and Slack.

Are you ready for it? The Slack revolution is upon us. In 2015, an article was posted on titled "How E-Mail Killer Slack Will Change the Future of Work." The good news is that Slack has yet to replace email; the bad news is that if you haven't heard of or dealt with Slack, you need to read this article and get up to speed, because it's going to show its face in your investigations or legal discovery. For context, Slack's usage by a global workforce is staggering: the interoffice chat app boasts 8 million users and is valued at $7 billion. On February 4, 2019, Slack confidentially filed for an IPO, with the hope of reaching a $10 billion valuation.

Slack, at its core, is a highly organized instant messaging platform that allows users to create channels or message other users. Channels can be public or private and can be named to the user's liking. Similarly, users can send private messages to a single Slack user or to a group of users. Additionally, a user has the option to add file attachments to channels or messages, introducing another item of evidentiary value. There's also a historical component to Slack: many instant messaging platforms are ephemeral by design, but Slack channels retain their posts, and any user who can access the channel can read historical posts. As I mentioned earlier, Slack's popularity has earned it the label "email killer" and made it a driver of change in how we communicate in the workplace, but the data retention component also makes it attractive for replacing certain elements of file/network shares.

Who Needs to be Concerned About Slack?

E-discovery refers to the discovery process of electronic data as it relates to litigation or government investigations. It's estimated that the global e-discovery market will jump from a $.924 billion industry to $18.9 billion by the year 2020. What some readers may not know is that the first step in e-discovery is a proper and legally sound collection of data. For this reason, digital forensic professionals are often used to ensure data integrity and minimize arguments of metadata or data spoliation. Digital forensic professionals working in e-discovery have been faced with a significant challenge over the last few years: collecting data from cloud-based platforms.

These platforms, commonly referred to as "P.a.a.S." (aka Platform as a Service) or "S.a.a.S." (aka Software as a Service), have grown increasingly popular in businesses due to their ability to connect a global workforce. In fact, cloud adoption continues to grow worldwide: on average, organizations have 730 cloud apps, with 25% utilizing over 1000 cloud apps. Additionally, these applications can be run from a web browser, computer, or mobile device, elevating the examiner's need to be knowledgeable about where data collection can and should take place.

The implementation of these applications in the business world has changed how teams communicate and interact, but it presents real challenges in the world of digital forensics and e-discovery. Although there's a litany of these applications currently in the marketplace, I'm going to focus on Slack due to its immense popularity and volume of users. It's also worth noting that the ability of a digital forensic examiner to acquire and analyse data from Slack, or similar applications, for corporate investigations is not only needed but will be vital in coming years. Digital forensic professionals dealing with corporate investigations or e-discovery will need to understand the best practices for, and limitations on, acquiring Slack data for forensic analysis.

From an e-discovery and digital forensic perspective, it's important to understand a vital characteristic of the "cloud-based" era that impacts our ability to acquire data. Even if it hasn't been explicitly stated, it's clear that, philosophically, most companies are not in the market of building e-discovery products or mechanisms that export data to the same standard that industry professionals have grown accustomed to obtaining and reviewing. Aside from Microsoft's Security and Compliance or Google's Vault for GSuite products, the ability to acquire, search, refine, and isolate data will vary greatly per platform.

So how does the forensic examiner obtain Slack data? The answer really depends on the organization, its retention plan, and the current plan in place. Let's look at a few options.

Originally published in Digital Forensics Magazine.