Data Collections: Critical Link in Protecting Organizations Before and During Litigation
If a situation arises where litigation is even a remote possibility, it is in an organization’s best interest to ensure that the collection of digital data is done in such a way that it is above reproach. Digital forensics tools and methodologies allow for data to be collected in a forensically sound manner that meet industry standards, best practices and have been tested in the court of law. As defined by the National Institute for Standards in Technology, digital forensics is the “…application of science to the identification, collection, examination and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.”
As part of a forensic examination, there is a chain of events that occur.
During a thorough consultation, a digital forensics expert will work with counsel and the information technology team at an organization to ascertain the location of relevant data and explain the various methods by which this data can be collected.
During the acquisition phase, digital forensics experts utilize forensic tools and methodologies to collect data from various electronic sources. This includes on-site collections, where our experts go on location to make forensic images, or copies of computers, servers, cell phones, cloud data, social media accounts and other electronic media. All efforts in this process are made to limit the impact on an organization. In many instances, remote collections can also be performed, allowing our experts to collect data from anywhere in the world with minimal impact on a business.
Acquisitions of electronic data can also be done pro-actively. When an employee leaves a business, it is becoming increasingly common for the organization to work with digital forensics specialists to forensically image the employee’s computer, phone or other electronic data. This prepares an employer for potential litigation if this evidence is needed as evidence in court.
Using specialized forensic technology and methods, our experts examine the data, including the recovery of deleted data, throughout this phase. During our in-depth analysis process, we seek to accurately determine what occurred, how it occurred and the responsible parties. In order to discover this, we must look to answer questions, such as:
- Did the employee engage in bad faith, providing sensitive information to outside parties?
- Was a document altered, forged or otherwise manipulated electronically?
- What actions did a user perform on specific dates and time frames?
- Did the user attempt to delete electronic data?
- Did the user use anti-forensic tools to try and cover their tracks?
- Was company policy broken concerning acceptable computer usage?
- Did an employee steal customer lists on the way out the door?
If requested by the client, the reporting phase begins. A technical roadmap is created detailing what happened. For example, if there was concern that a former employee stole intellectual property, this report would include the explanation and analysis of forensic artifacts that point toward evidence of user attribution. In other words, what files were accessed, how these files were exfiltrated from the organization, who took the data, when the data was stolen and how it is potentially being used.
- Expert Testimony
To provide expert testimony in court, that expert needs to be able to qualify first. If the expertise of the expert is challenged, the attorney calling the expert must make a showing that the expert has the necessary background experience. This includes questions related to the expert’s education, certifications, case experience, training, and special knowledge. While an information technology professional is certainly an expert in their field, they are rarely an expert in digital forensics, which require specialized knowledge in niche technical domains. There is a distinct probability that an information technology expert will not be able to qualify as a digital forensic expert, and therefore would be unable to render an expert opinion or at best would have their testimony severely limited by the court.
The Critical Link
The acquisition, or forensic collection phase, is the critical link in the chain of events between consultation and expert testimony that protects a client from accusations of data manipulation, incomplete collections or spoliation. The forensic process of collecting data utilizes algorithms and checksums that guarantee that collected data is a perfect snapshot in time of what existed on an electronic device.
Using information technology tools in lieu of forensic tools to collect data does not offer this protection and has led to unfavorable outcomes for organizations countless times. Further, if expert testimony is needed by a digital forensics expert, the only way they can attest to the authenticity and completeness of the data is if it was collected in a forensically sound manner, and if they have the proven information to back it up. This information comes in the form of forensic software audit logs and the aforementioned checksums and algorithms.
There is also a benefit to utilizing a neutral third-party to collect data from an organization. This in many ways invalidates the claim that could be brought by opposing parties of bias in the collection process if employees of the organization self-collect or if the data is collected by internal information technology staff.
Jason Conley is a Digital Forensics Examiner for Envista Forensics. Since 2003, Jason has been providing computer forensic services and cyber-investigation support to a wide array of clients including corporate directors & security management, legal departments & law firms, government agencies, private investigation firms, forensic accountants, and business owners & managers in the Greater Toronto Area and across Canada.