Below, we hear more on the subject from Amy Francis, Global Head of Digital Forensics at S-RM.
In brief, what is digital forensics? What sorts of activities and techniques does it encompass?
Digital forensics is a branch of forensic science that deals with the tools and methods used to recover and investigate digital artifacts. Artifacts are digital ‘footprints’ that get left behind by the activities of the device user. Users are generally not aware that these artifacts exist, and they are, by design, difficult to access and manipulate without specialist technical knowledge. Digital artifacts can reveal a wealth of information that is not presented to the user, which means they often contain valuable evidence in an investigation.
The primary goal of digital forensics is to identify and preserve these artifacts as evidence, along with user content, in a forensically sound manner for use in legal proceedings.
Any device, physical or in the cloud, that stores data is potentially in scope for digital forensics. Given the hugely digital world we now live in, and the proliferation of digital devices, digital forensics plays a key part in litigation and investigations.
What kinds of professionals are qualified to carry out digital forensics?
As with physical evidence, digital evidence needs to be handled by someone with the right skills and expertise. This means someone who is trained in forensic evidence preservation, analysis and expert witness reporting. Their title should be ‘digital forensics expert’ – not just IT or cyber specialist. There is no one dominant qualification for digital forensics, but most industry-recognised courses and certifications will ensure the expert has honed the right skills.
Qualified digital forensics teams are also independent, which can be a significant benefit in making sure evidence gathering goes smoothly. For example, if two parties are adversarial, then the independence of the investigators can reassure both parties that the gathering and reporting of evidence is all above board. Likewise, in a corporate setting where there may be insider threats or internal politics to consider, dealing with an independent investigator can make individuals more comfortable complying with disclosure.
In what kinds of cases is digital forensics most often used?
In today’s world, it is rare to find a case which does not include some component of digital evidence and digital forensics work. Digital forensics is commonly used in internal investigations at companies to investigate issues such as intellectual property theft, fraud, employee misconduct, bribery, corruption and whistleblower allegations. Digital forensics is also commonly used to uncover evidence for civil and criminal litigation, including cases such as defamation, blackmail and extortion, fraud or other financial crime, and a large range of criminal defence cases.
At S-RM, we do a range of work for both corporate and private high-net-worth clients, which is usually brought to us by their legal representatives, whether the general counsel or outside counsel. We are also sometimes called on as a joint expert, in which case both the prosecution and defence agree to accept our findings as those of an independent expert.
When do digital forensics teams typically become involved in proceedings?
In most cases, when there is suspicion of wrongdoing, the first thing a client does is call their lawyer, who will then identify the need for our team to be brought in. Typically, when an investigation starts there is an immediate need to preserve all evidence which may be relevant to the case. This is the ideal time to bring in a digital forensics team, as it will mitigate the accidental, or deliberate, destruction or loss of evidence.
Additional digital evidence can also come to light midway through legal proceedings. At this point, digital forensics specialists may be brought in to investigate additional data or new devices which could be entered into evidence. On occasions such as these, a digital forensics team can act quickly to analyse and advise on the impact of new evidence on a legal strategy.
How does your team work with legal counsel?
We act as an expert partner to legal counsel, which is a collaborative process. Legal counsel will often have questions they would like us to investigate and present the evidence for – for example, which individuals accessed a certain file on a certain day and through which devices. But we can also provide direction as to where relevant evidence might be discovered, as well as its investigative value and limitations. Our team can also then advise on how this might impact the legal strategy. This is a collaboration that tends to continue throughout legal proceedings, as new arguments and questions need to be investigated.
Why is it vitally important that electronic data be preserved by a forensic expert?
A forensic expert will preserve the integrity of the evidence. Correct preservation of evidence can be the difference between winning and losing a case. Every action an individual takes when handling the original evidence can make changes to the evidence state; it is therefore important that they are properly trained on how to handle the evidence to ensure data is not destroyed and any findings are admissible in court. In the same way that physical evidence must be stored in evidence bags and have a documented chain of custody, there is a parallel for digital evidence. S-RM’s experts are trained to adhere to the ACPO guidelines throughout the investigative lifecycle. We ensure best practice is followed to mitigate the accidental or malicious destruction of evidence and ensure the correct procedures are followed to preserve the integrity of the evidence.
In contentious matters, the impartiality an external forensic expert provides can also be valuable. An independent third-party forensic provider will provide an impartial examination of the evidence and consequently can be relied upon as an expert in court proceedings.
What implications can the quality of this data’s preservation have on subsequent legal proceedings?
The integrity and continuity of the evidence will be closely examined in court proceedings and the most subtle changes made by a user, deliberately or otherwise, can bring the full evidential submission into question. If the court finds that it was not handled correctly, the evidence can be ruled inadmissible. As all legal teams know, this can have a drastic impact on case strategy and the chances of winning a case. For this reason, we advise all our clients not to ‘touch’ digital evidence once there is a suspicion of wrongdoing and instead call in qualified professionals to conduct an investigation.
How does the accidental destruction of evidence impact proceedings?
As with physical evidence, preventing the destruction of evidence is key to ensuring that legal teams have as much evidence as possible on which to build their case. Accidental destruction of evidence can occur when unqualified individuals attempt to conduct their own investigation without taking proper steps to protect the evidence from changes. For example, non-digital forensic professionals may not realise that by accessing a file they will erase artifacts and crucial timestamps associated with the file which show who has previously accessed it.
Malicious intent should also not be ruled out and must be guarded against. For instance, in contentious matters where a court order is obtained to seize devices, it is important that the device owner has no notice or forewarning of the seizure. It can take only seconds to wipe a device, which would mean a loss of almost all evidence on it. Even if a device to be analysed is already in our custody, we will only switch it on in a specialist digital forensics lab where it cannot connect to a network, because a command to wipe or reset a device can also be done remotely (think of your Google or iCloud account, which can be used to wipe ‘lost’ devices).
How do data privacy laws and data jurisdictions affect your methodologies?
The overall methodologies will remain the same; the difference is whether the work needs to be done remotely or on site. It may be more appropriate to gather and analyse evidence on site if the data is sensitive, to avoid its being moved or shared outside of the jurisdiction. We can ensure that the data remains on a secure company site or even in one room if need be. When we are conducting a remote investigation, we can use a secure cloud in the same country to store the evidence to ensure that we comply with rules that state certain data must remain within its country of origin.
We also include statements in our service agreements to guarantee our clients’ privacy and confidentiality. For highly sensitive cases, we may restrict knowledge of the matter to a subset of our team, ensure that data is securely wiped after a specified time, and ensure that data is securely stored on encrypted drives in our evidence safe. Digital forensics experts are also familiar with working under NDAs or other data privacy requirements which protect anonymity.
Are there any common misconceptions about digital forensics that you would like to dispel?
One of the most common misconceptions is that most of our work focuses on computer hard drives, mobile phones and USBs. The scope of digital forensics is much broader than this, having evolved significantly in the past ten years.
Some of the devices our investigators have recently worked on include smart TVs and Bluetooth speakers, wearable fitness devices, and drones. Nowadays, entertainment systems, home appliances and wearable devices are all connected to the Internet of Things (IoT), and as such may contain digital evidence, so we count all of this within our remit. On top of that there is the digital world based in the cloud: from personal email and cloud accounts such as iCloud, Dropbox and Mega; social media such as Facebook, Instagram and Twitter; chat platforms such as WhatsApp, Signal and Telegram; and corporate cloud infrastructure such as Microsoft 365, AWS, and Azure. Around 50% of the evidence collected in most cases originates from a cloud environment.
Another misconception about digital forensic experts is the failure to realise that, despite the highly technical and expert nature of our work, digital forensics professionals are investigators first and foremost. Asking questions, following leads, making connections, and uncovering all the relevant evidence is key to being a successful forensic investigator. Digital forensics experts should act as a key member of the core team for any investigation, as they are able to translate the technical findings into presentable evidence and understand the significance of their findings on case strategy.
How do you think digital forensics might evolve in the next ten years?
There are two main trends that come to mind. Firstly, the sheer volume of data created in our day-to-day lives is increasing exponentially. If we imagine digital forensics experts looking for a needle in a haystack, that haystack is rapidly growing and burying the needle deeper. This makes using data analytics technology more important, to reduce manual burden and ensure that investigators’ time can be focused on the areas of an investigation most likely to bear fruit whilst still ensuring no key evidence is missed.
Secondly, the shift to the cloud means the diversity of data is greater. It also offers a certain level of anonymity and makes it more difficult to attribute actions to specific users – for example, a cloud account might be signed into four or five devices at once, all syncing data across each other. This also makes data more interconnected, meaning that accidental interference with digital evidence can have a domino effect on other digital evidence in a case.
As a result of this, it is already rare to come across a legal case with no digital forensic evidence. By 2030 this is likely to drop to almost no cases at all.
What complementary skills and techniques are needed to support a digital forensic investigation?
Sometimes the digital picture will only tell us so much while there are questions unanswered or leads undiscovered which could prove critical to the case. It is then that we turn to other investigative techniques for answers: open-source research, human intelligence, or even surveillance. Ideally this would all be done ‘in-house’ as a single holistic investigation, where the strengths of each practice complement and amplify the others. It can also be done as a collaboration between multiple intelligence providers in the investigation team, but this tends to be less efficient.
Forensic experts understand the importance that attention to detail can have throughout an investigation. It is not just important for them to identify artifacts which are available, but also artifacts that are potentially missing due to anti-forensic methods being used, such as destruction and tampering of data. It is also important that they not draw conclusions based on the presence of a single artifact and instead seek corroboration to validate or strengthen their findings. This can require patience, replication of sometimes repetitive tasks, and often the need to manage expectations until the facts can be established and validated where possible.
How does a digital forensic investigation tie into a wider internal investigation?
The digital forensics investigation is – in most cases – an inherent part of a wider investigation. In corporate investigations, the digital forensics expert should be one of the core investigation team along with the general counsel, external lawyers and sometimes representatives from the risk or compliance functions.
There may also be a reason to bring in digital forensics experts before an investigation is officially opened. For example, if an investigation is instigated by a whistleblower complaint, the compliance or legal team need to assess its credibility before deciding how to proceed. A covert digital forensic investigation is often the quickest and – crucially – the most discreet way of testing the credibility of the allegation while preserving any digital evidence that may exist. It also arms the team with contextual information before they start interviewing key employees. If there is good reason to suspect an employee might be guilty, then email and social media analysis and investigations into their lifestyle, assets or any conflicts of interest can also help make these interviews more targeted and effective.
Amy Francis, Global Head of Digital Forensics
Amy Francis is the Global Head of Digital Forensics at S-RM. Her experience focuses on leading complex digital forensics cases, including high-profile investigations into intellectual property theft, fraud, whistleblowing allegations and corruption, as well as a range of internal investigations and other litigation support. Amy works with both corporate and private clients across all industries and jurisdictions and has specialised expertise in mobile device and Apple Mac forensics.
S-RM is a global intelligence and cyber security consultancy that provides intelligence, resilience and response solutions. Our client portfolio includes leading organisations spanning all regions and major sectors. S-RM’s Digital Forensics team identify, preserve and analyse digital evidence to uncover the facts and piece together the truth for our clients’ most complex and sensitive investigations and litigation.