Envista Named to Inc 5000 List of Fastest-Growing Private Companies. Read More.

×
Digital Forensics, Litigation

Data Collections: Critical Link in Protecting Organizations Before and During Litigation

16 October 2020

If a situation arises where litigation is even a remote possibility, it is in an organization's best interest to ensure that the collection of digital data is done in such a way that it is above reproach. Digital forensics tools and methodologies allow for data to be collected in a forensically sound manner that meet industry standards, best practices and have been tested in the court of law. As defined by the National Institute for Standards in Technology, digital forensics is the "…application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data."1

As part of a forensic examination, there is a chain of events that occur.

1. Consultation

During a thorough consultation, a digital forensics expert will work with counsel and the information technology team at an organization to ascertain the location of relevant data and explain the various methods by which this data can be collected.

2. Acquisition

During the acquisition phase, digital forensics experts utilize forensic tools and methodologies to collect data from various electronic sources. This includes on-site collections, where our experts go on location to make forensic images, or copies of computers, servers, cell phones, cloud data, social media accounts, and other electronic media. All efforts in this process are made to limit the impact on an organization. In many instances, remote collections can also be performed, allowing our experts to collect data from anywhere in the world with minimal impact on a business.

Acquisitions of electronic data can also be done pro-actively. When an employee leaves a business, it is becoming increasingly common for the organization to work with digital forensics specialists to forensically image the employee's computer, phone, or other electronic data. This prepares an employer for potential litigation if this evidence is needed as evidence in court.

3. Analysis

Using specialized forensic technology and methods, our experts examine the data, including the recovery of deleted data, throughout this phase. During our in-depth analysis process, we seek to accurately determine what occurred, how it occurred, and the responsible parties. In order to discover this, we must look to answer questions, such as:

  • Did the employee engage in bad faith, providing sensitive information to outside parties?
  • Was a documented altered, forged, or otherwise manipulated electronically?
  • What actions did a user perform on specific dates and time frames?
  • Did the user attempt to delete electronic data?
  • Did the user use anti-forensic tools to try and cover their tracks?
  • Was company policy broken concerning acceptable computer usage?
  • Did an employee steal customer lists on the way out the door?

4. Reporting

If requested by the client, the reporting phase begins. A technical roadmap is created detailing what happened. For example, if there was concern that a former employee stole intellectual property, this report would include the explanation and analysis of forensic artifacts that point toward evidence of user attribution. In other words, what files were accessed, how these files were exfiltrated from the organization, who took the data, when the data was stolen and how it is potentially being used.

5. Expert Testimony

To provide expert testimony in court, that expert needs to be able to qualify first. If the expertise of the expert is challenged, the attorney calling the expert must make a showing that the expert has the necessary background experience. This includes questions related to the expert's education, certifications, case experience, training, and special knowledge. While in information technology professional is certainly an expert in their field, they are rarely an expert in digital forensics, which require specialized knowledge in niche technical domains. There is a distinct probability that an information technology expert will not be able to qualify as a digital forensic expert, and therefore would be unable to render an expert opinion or at best would have their testimony severely limited by the court.

The Critical Link

The acquisition, or forensic collection phase, is the critical link in the chain of events between consultation and expert testimony that protects a client from accusations of data manipulation, incomplete collections, or spoliation. The forensic process of collecting data utilizes algorithms and checksums that guarantee that collected data is a perfect snapshot in time of what existed on an electronic device.

Using information technology tools in lieu of forensic tools to collect data does not offer this protection and has led to unfavorable outcomes for organizations countless times. Further, if expert testimony is needed by a digital forensics expert, the only way they can attest to the authenticity and completeness of the data is if it was collected in a forensically sound manner and if they have the proven information to back it up. This information comes in the form of forensic software audit logs and the aforementioned checksums and algorithms.

There is also a benefit to utilizing a neutral third party to collect data from an organization. This in many ways invalidates the claim that could be brought by opposing parties of bias in the collection process if employees of the organization self-collect or if the data is collected by internal information technology staff.

 

Source: 1https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Has a recent catastrophe affected you?

Our experts are ready to help.

About The Author
Lars Daniel
Lars Daniel
Practice Leader

Lars Daniel is a Practice Leader in the Digital Forensics Division, and holds 7 different certifications. He has provided forensic services to more than 600 criminal and civil cases, and appeared as an expert court witness for nearly 30 of those. He has co-authored two books: Digital Forensics for Legal Professionals, and Digital Forensics Trial Graphics: Teaching the Jury through Effective Use of Visuals, spoken at numerous industry conferences, and provides training throughout the U.S.

How Can We Help You?

We have experts in multiple disciplines all around the world. Talk to us and we'll help you find the right expert for the job.

 Envista Forensics Logo
Explore Our Site

Our job is to solve complex problems for our clients, in the face of a disaster. We serve business owners, small and large, no matter where they are in the world, and no matter what problem they are facing.