Digital forensics: when do you need us and how do we go about it?

Digital forensics includes many different subdisciplines: from computer, mobile and email forensics to more recent technological developments such as blockchain, and everything in between. When do you need digital forensics, what does it entail and how do we go about it? Allow us to walk you through that.

When do you need digital forensics? 

You can use digital forensics in a wide variety of issues, including: 

  • HR investigations: for instance, in response to allegations of employee misconduct (such as intellectual property theft, Internet or email abuse) and cases of bullying, (indirect) discrimination, harassment (including sexually transgressive behavior), or victimization.
  • Fraud and insolvency investigations: for instance, in response to a (whistleblower) report on suspicions of corruption, money laundering, or other fraudulent behavior within your organization (white-collar crime).
  • Independent and objective (counter) investigation: for instance, reporting and testimony by an expert witness in the field of digital forensics as part of a legal process (criminal or civil) in which electronic data is presented as evidence. 
  • Incident response and investigation of IT systems: for instance, if your organization has reason to believe that it has been the victim of a data breach or cyber-attack, such as phishing, ransomware, or a DDoS attack. 

What is digital forensics? 

Digital forensics is a branch of forensic science. It encompasses the process of identification, preservation, and collection of digital sources, such as physical data carriers and cloud storage services. From these, we extract and analyze relevant data to produce a report of factual findings. Throughout this process, we follow ethical codes, standards of professional conduct, and best practices to ensure that digital evidence is forensically sound and legally defensible. 

How digital forensics started... 

In the early 90s, the first cell phone hit the market and an increasing number of households began to own digital devices. During that time, digital forensics grew rapidly. Its subdisciplines include computer, mobile, and email forensics as well as more recent technological developments such as blockchain, where cryptocurrencies and NFTs (non-fungible tokens) are traced through public ledgers. 

The advancement of technology and the growth in digitization ensure that digital forensics is here to stay and will continue to evolve for years to come. 

How do we go about it? 

Identification 

Before starting the investigation, we establish the cause and purpose. This is how we determine the scope and feasibility. To this end, we identify all relevant digital sources. Primary information is gathered through interviews with key stakeholders to identify where the digital sources are located and how we can access them. 

We exchange the necessary information with those directly involved, often including IT personnel. They have access to relevant digital sources, including physical data carriers as well as cloud storage services. Based on that information, our forensic investigators determine the required methods, techniques, equipment, and software in preparation for follow-up activities. 

Implementing a litigation/forensic readiness plan prepares organizations to respond quickly and effectively to an incident involving electronic or paper records. This avoids losing valuable time identifying and processing that data, which reduces risks associated with an incident. 

Preservation 

Once we have determined which digital sources are relevant, we must preserve them to prevent data from being altered or deleted before collection. This may include putting a litigation/legal hold on mailboxes to prevent someone or something, such as an automated retention policy, from deleting relevant emails or backups.

Preservation may also involve seizing digital sources as evidence, for example, in cases of suspected intentional destruction or misappropriation of data once an opposing party becomes aware of possible legal proceedings. 

The Sedona Conference, a very well-known and respected source for electronic discovery, mentions in its publication "Commentary on Legal Holds" that one of the factors in determining the scope of information to be preserved is the relative costs and burdens of preservation efforts.

Collection 

We process evidence from start to finish in a forensically sound manner so that the factual findings of our investigation are legally admissible and defensible. This begins with obtaining data through specialized software and equipment, which ensure that we only read the data on a storage medium when we make a forensic copy and that no one can write to it. This allows for a bit-by-bit copy and prevents us from corrupting or altering the source of evidence.

We maintain the integrity of copies through the use of forensic protocols such as cryptographic hash functions. With every processing of digital evidence, we accurately document all actions to ensure that a valid chain of custody and chain of evidence is upheld. To prevent loss or (electrostatic) damage to physical data carriers, we pack, seal, and label each storage medium securely, both in transit and storage. We secure copies of digital evidence through strong encryption and by storing them in a secure environment. 
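The integrity check and documented chain of custody described above can be sketched as follows. This is an added example, not the firm's own tooling: the function names, the JSON record layout, and the idea of linking each custody record to the previous one by hash are assumptions made for illustration, and the "source medium" is a constructed byte string.

```python
import hashlib, io, json

CHUNK = 1 << 20  # read evidence in 1 MiB blocks so large images never sit in memory

def sha256_stream(stream):
    """Hash a read-only byte stream without loading it whole."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, action, actor, evidence_hash, when):
    """Append a custody record that commits to the previous record's hash."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"seq": len(log), "when": when, "actor": actor, "action": action,
            "evidence_sha256": evidence_hash, "prev": prev}
    log.append({**body, "entry_hash": _digest(body)})
    return log[-1]

def verify_log(log):
    """Return the index of the first altered or reordered entry, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or entry["seq"] != i or _digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1

def demo():
    source = bytes(range(256)) * 4096          # constructed stand-in for a source medium
    copy = bytes(source)                       # the forensic copy
    src_hash = sha256_stream(io.BytesIO(source))
    cpy_hash = sha256_stream(io.BytesIO(copy))
    log = []
    add_entry(log, "acquired image", "investigator-A", src_hash, "2024-01-01T09:00:00Z")
    add_entry(log, "verified copy", "investigator-A", cpy_hash, "2024-01-01T09:40:00Z")
    add_entry(log, "sealed and stored", "investigator-B", cpy_hash, "2024-01-01T10:05:00Z")
    intact = verify_log(log)
    log[1]["actor"] = "someone-else"           # simulate a later edit to the record
    return src_hash == cpy_hash, intact, verify_log(log)

if __name__ == "__main__":
    print(demo())
```

Matching hashes show the copy is bit-identical to the source; the linked log makes a later change to any custody record detectable at the entry where it occurred.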

The parties involved are sometimes forced to cooperate with the investigation due to contractual obligations. Based on factual information shared during adversarial proceedings, the scope of digital sources containing relevant data may change. This could result in an increase or decrease in the amount of data that has to be obtained. 

Analysis 

Depending on the type of investigation and the digital evidence involved, we use different methods, techniques, and software to perform a thorough analysis. Only experienced forensic investigators are allowed to process and use digital evidence for analysis in a secure and isolated environment. The purpose of the analysis is to identify structured and unstructured data related to the investigation, which is then transformed into usable and relevant information.

In addition to conventional analysis (eDiscovery) of the allocated space on a storage medium, where we look primarily at the content of documents and communications generated by users, we also recover previously deleted fragments of hidden (meta)data, usually entire files. We do this through a file carving process that reassembles the remaining bits and bytes. During the analysis, findings may lead to the identification of other digital sources that contain relevant data. As a result, we may repeat earlier phases.
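A minimal form of the file carving mentioned above is header/footer carving, shown here for JPEG data in a raw buffer. This is an added example, not the firm's own tooling: the function names and the `max_size` window are assumptions, and the buffer is constructed filler rather than real image data.

```python
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus lead byte of next marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(raw, max_size=20 * 1024 * 1024):
    """Return (offset, data, complete) for each JPEG-like run in a raw byte buffer.

    Header/footer carving only: assumes files are stored contiguously and does
    not handle nested markers (e.g. embedded thumbnails) or fragmentation.
    """
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            return found
        limit = min(len(raw), start + max_size)
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), limit)
        if end != -1:
            stop, complete = end + len(JPEG_EOI), True
        else:
            # No footer inside the window: keep what is there, up to the next
            # header if one exists, and flag it as partial for the examiner.
            nxt = raw.find(JPEG_SOI, start + len(JPEG_SOI), limit)
            stop, complete = (nxt if nxt != -1 else limit), False
        found.append((start, raw[start:stop], complete))
        pos = stop

def demo():
    # Constructed buffer standing in for unallocated space; payloads are filler,
    # not decodable images.
    jpeg_a = JPEG_SOI + b"\xe0" + b"A" * 40 + JPEG_EOI
    jpeg_b = JPEG_SOI + b"\xe1" + b"B" * 25          # truncated, footer overwritten
    raw = b"\x00" * 512 + jpeg_a + b"\x00" * 100 + jpeg_b + b"\x00" * 50
    return [(off, len(data), ok) for off, data, ok in carve_jpegs(raw)], jpeg_a

if __name__ == "__main__":
    for offset, size, complete in demo()[0]:
        print(f"offset={offset} size={size} complete={complete}")
```

Recording the byte offset of each carved item keeps the finding reproducible against the forensic copy, and the `complete` flag separates whole files from partial remnants.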

Investigators must conduct analyses in accordance with the principles of proportionality and subsidiarity. In the context of a forensic investigation, this means avoiding unnecessary invasion of privacy in every possible way and using the least intrusive means to achieve the purpose of our investigation, within the pre-agreed frameworks. 

Reporting 

Once the investigation is completed, we adequately formulate all conclusions based on factual findings and report these as legally admissible evidence. How we report the results varies by the type of investigation and depends on the user(s) of a report. Because digital forensics involves many technical aspects, we prefer to use layman's terms (plain language) as much as possible in non-technical reporting. This way everything is clear and understandable for all parties involved.

The investigation and its factual findings must be legally defensible. We consider reproducibility an important factor in this regard. To this end, we document and report the actions taken at every stage of a digital forensic investigation, including the methods, techniques, and tools that were used, accurately and in sufficient detail. 

Want to know more? 

Grant Thornton's network gives us access to subject matter experts worldwide, allowing us to successfully conduct our investigations regardless of (un)expected twists and turns, such as technical challenges like circumventing encryption, or complex analyses of financial data and transactions where we rely on our forensic accountants. 

Do you have an ongoing, or prospective, matter in which you are seeking to bring in digital forensics? Please get in touch with us for a free consultation. We will go to great lengths in assisting you and exceeding your expectations. Our team is looking forward to hearing from you!