Digital Forensic and anti-forensic examination ~ advisory, investigation, examination, execution.
Digital Forensic Master capabilities:
we actively help our clients: recover, extract and analyze case-critical data capabilities:
We work closely with our financial, government, business and legal sector clients to identify the location and scale of key data sources.
We then advise the best method of acquiring and preserving relevant information in a forensically robust manner. Sources can include email accounts, devices, document management systems, obfuscated meta data, and cloud storage systems. Our industry standard plus custom-built digital forensic tools enable us to access archived or deleted data as well as live information, across many platforms and systems.
Our digital forensics masters with renowned expertise and credentials carry out targeted analysis to uncover a wealth of information that can be vital to a case. This might include web and user activity, access and modification dates, hidden or obscured link files, thumb drive or external data storage activity, email chronology and printing, copying and deletion history. Our findings, signed off by a trained qualified digital forensic expert, can then be used in the form of an Expert Report to support a formal case.
Actions: ~
Every action on a PC or digital device leaves a trail, which are termed ‘artefacts’, or ‘assets’, depending on their class. Artefacts within a forensic investigation form part of the jigsaw enabling an investigator to piece together the happenings around a specific event.
For example, suspicious activity, proprietary data theft, malformation of customer or client specific apps or data.
When intellectual property or data theft is suspected by an employee, it is often hard for stakeholders to resist the temptation of involving their in-house or outsourced IT department. However, this should be avoided at all costs.
Each time the suspect device is utilized by anyone after suspected infringement, the evidential trail is muddied in terms of artefact characteristics. If the IT support personnel are not forensically trained then their actions could result in the evidential trail becoming so muddied, such that any recoverable evidence of wrongdoing is inadmissible in a Case.
Potential issues that inadvertent ‘investigation’ could result in modification:
Time Stamps and Metadata
Each time a file is accessed, its metadata [underlying, hidden information about the file or structure or system processes], changes. So for example, if there is a file entitled “Confidential Financial Data” that you suspect an employee may have opened up to copy the contents of, prior to your IT support investigation, the metadata will log the last time the file was modified or accessed. This could give valuable insight into a suspected employee’s actions. If the file is recorded as accessed the hour before they leave employment for example, then alongside other potential artefacts this could be an indicator of transgression.
However, if your IT support were to open or access files to check contents etc. then their actions become the last recorded action against the file’s timestamp and therefore any evidence has been overwritten, at least in part.
User Credentials
Previously, eExpertWitness has investigated Intellectual Property theft claims, where upon investigation, it has been identified that IT support personnel have not only logged onto the suspect machine to investigate transgression but also used the suspected employees’ own credentials to do so. The implications and repercussions of this should need no explanation. Our investigations uncovered this in one instance where artefacts identified that confidential material had been accessed on premises three months after the suspected employee had left the company and had no remote access nor been physically present at the times the artefacts displayed. Therefore, the question posed was whether our investigations could isolate the confidential material potentially accessed by the suspected employee prior to their termination aside from the artefacts altered by the in-house IT personnel.
The legal argument becomes diluted if there is or was evidence of potential wrongdoing but where an individual’s credentials have been utilized by another. How does an investigation prove it was performed by a specific single person or team? This is why eExpertWitness guidance are never to let in house support personnel perform investigations. If you suspect any employee of wrong-doing, then we advise you to do the following:
Isolate or switch-off equipment if possible such that no further activity takes place that might overwrite or obfuscate crucial evidence;
Document any details surrounding the suspicion without accessing the suspected employee’s computer equipment to provide to the investigative expert as background. Particularly, dates and times when suspicious activity may have taken place, in a chronological order. These could be dates and times an employee was visually observed utilizing unrecognized or non-standard removable media and/or staying late for reasons unknown, or had conversations with other employees about their employment and future plans of progression;
Contact a digital forensic specialist such as eExpertWitness who will make forensically sound copies of any digital material that should be investigated. If fraud or financial irregularities are suspected then contact Law Enforcement;
Ensure limited personnel are involved or made aware of the suspected infringement so as not to arouse any activity by the suspected employee or their colleagues, which might encourage deletion of any evidence where wrongdoing has occurred.
Whilst eExpertWitness group can investigate company owned equipment in respect of investigating potential infringement activity upon instruction from an authorised company stakeholder, we cannot investigate employee personal devices without their consent or the required legal instruction. If you suspect an employee has utilized personal media to copy data, then you should seek legal assistance from an Intellectual Property Law specialist.
eExpertWitness work with a variety of legal specialists.