S-RM’s Septimus Knox and Amy Francis recently spoke with Financier Worldwide about digital investigations in disputes.
This article first appeared in the August 2021 issue of Financier Worldwide magazine.
Financier Worldwide: Could you provide an overview of recent trends in digital investigations conducted in connection with a dispute? What kinds of disputes typically trigger the need for a digital investigation?
Amy Francis: Any dispute has a potential requirement for a digital investigation element; however, the most common cases are internal corporate investigations into leaked confidential information, theft of intellectual property and fraud. Other examples include disputes over government contractors losing work or private client disputes, such as defamation investigations. Given the proliferation of digital devices, there has been a ramp-up in the use of digital forensics in legal cases and internal investigations. Two areas stand out as the most common reasons a digital investigator is engaged. First, to piece together a trail of evidence relating to sensitive documents, for example who accessed, downloaded, printed or shared the documents. And second, to preserve and analyse communications data, from typical day-to-day communications that we might use, such as email, phone, social media and chat apps on phones, through to more illicit activities like chat forums on the dark web.
Septimus Knox: We most commonly come into contact with digital evidence when it has either been turned over by its owner, collected in the context of an internal investigation, or provided in the wake of successful disclosure applications in the courts. Any investigation in the context of a dispute can greatly benefit from a workstream focused on digital artefacts. There are two core reasons for this. First, almost every individual or entity we investigate will have used mobile phones, computers, cloud storage, hard drives and flash drives. Even smart televisions and refrigerators can contain valuable digital evidence. Second, this information – when it is available to access – usually provides the surest evidence of wrongdoing. For example, the familiar features of an email, such as the sender, recipient, date and time of a communication, in addition to the actual content of the message, when forensically preserved provide indisputable evidence.
Financier Worldwide: Though the details will change depending on the dispute, what should be the aim of a digital investigation? What steps should investigators take to outline the scope and process involved?
Knox: In general terms, the ultimate aim of a digital investigation should not be different to a ‘conventional’ investigation. It is to establish the facts relevant to allegations of wrongdoing, and to locate and preserve the underlying evidence. There are special considerations with respect to digital investigations relating to the handling, preservation and searching of digital artefacts that are crucial steps in the investigative process and require the attention of trained professionals. Digital investigations can easily run up costs due to the often extensive nature of the source material. It is generally the case that only a portion of that material can be reviewed in an investigation, and the process of filtering and refining the data set to a manageable size lays the foundations for a successful investigation. A good provider should be clear with its client about the number of artefacts included in the scope of the investigation, the size of the data sets being reviewed and any fees relating to data hosting on an e-discovery platform, if applicable.
Francis: The goal of digital forensics is to conduct a structured, legally defensible investigation to uncover and validate digital information that reconstructs past events. In terms of the steps taken to outline the scope and process, investigators should sit down with the potential client and discuss the case in detail to understand the objective of the investigation, all relevant parties involved and any analysis conducted so far. You should then create a defined scope based on the client’s needs, which includes mapping out the relevant evidence sources that should be preserved, outlining the legal and practical access requirements for these, and constructing a basic timeline of the events known to date. Following scoping and evidence identification, the next steps are evidence preservation, extraction and analysis, ending with reporting.
Financier Worldwide: How should investigators go about deploying both digital and traditional methodologies in tandem? To what extent are these skillsets complementary?
Francis: Traditional interviews often form part of an investigation as human sources provide valuable context, which is often required to fully understand the significance of the digital evidence. Investigations that only focus on digital methodologies potentially miss out on understanding the motivations behind human actions. For example, an individual may be suspected of making fraudulent payments to himself from a large organisation. In one such case, traditional investigative methodologies looking at open-source information uncovered that the suspected individual had personal financial difficulties and consequently a personal motive for stealing money from the company. This human context was and is invaluable for corporates that have to decide whether to take legal action. Overall, finding the right balance between digital and traditional methodologies typically leads to deeper and more conclusive investigations.
Knox: Digital and ‘traditional’ investigations are highly complementary and combining the two is often the most effective way to conduct an investigation. For example, a review of devices and digital evidence will give you a strong indication of events that took place within a company’s perimeter, but may leave you blind to the context and conclusions of your findings. Public record research and human intelligence are crucial if you need to understand what happened outside the company’s borders. If a mystery offshore company is receiving payments, for example, the only way to establish the beneficiary behind it, and whether there is a conflict of interest, might be through ‘traditional’ investigative means. Often it is the interplay of digital and traditional methodologies which can lead to a breakthrough in an investigation. While it is usually in the digital data set that conclusive evidence is to be found, it might well go undiscovered unless guided by a lead from more traditional open-source intelligence (OSINT) investigations or even human intelligence. That lead, be it a key date or the name of an individual or company, is often crucial to unlocking a digital investigation. Where possible, it is important to combine all the tools at an investigator’s disposal to reach the best outcome and develop a holistic picture of an event.
Financier Worldwide: How has the shift towards remote working practices driven by the COVID-19 pandemic reshaped the digital investigation process?
Knox: Remote working created a series of new challenges for digital investigations. Anecdotally, it seems as though there was an uptick in data thefts and confidentiality breaches as employees, disgruntled or otherwise, were working from home without any supervision. Employees could easily write down confidential information or record it on their personal devices without any fear of being detected. Secondly, especially in the case of junior employees – who might be living in multi-person households – the opportunity for confidential information to be overheard and subsequently misused is a new consideration. The issue with both these examples is that although data may have been exfiltrated, there is no digital evidence trail for this, making it very hard to spot and later prove. The most obvious area in which COVID-19 has affected the digital investigation process is the collection and preservation of digital evidence while following social distancing guidelines and other government protocols. Even if collection can take place in person, custodians might well be working from home, meaning that collection has to happen at multiple locations rather than a single site. This creates an additional strain on a forensic team. Fortunately, the remote collection of evidence is something that has become much more widely accepted during the COVID-19 pandemic, and this is likely to remain in place in the future.
Francis: The most obvious change, which has affected everyone, is that many meetings are now conducted on Zoom. Rather than being in a briefing room with a team of lawyers and the board, Zoom has made it easier for all key stakeholders to be in the same ‘room’ at once, which has sped up response times and enabled all parties to be kept up to date. The main challenge faced by investigators has been related to the preservation of digital evidence. Pre-COVID-19, employees had their laptops and phones with them in the office every day, so the majority of digital evidence was stored centrally during office hours. However, with the shift to remote working, devices are now located in numerous different locations and even overseas as individuals have moved abroad to take advantage of flexible working arrangements. This has presented a challenge to more traditional evidence preservation methods, as it is not always possible to obtain every device physically. Digital investigators have adapted and developed new techniques, such as remote acquisition agents, to enable the remote preservation of digital evidence in a forensically sound manner.
Financier Worldwide: How should investigators approach the task of identifying, collecting and preserving data which may be crucial evidence in building or defending a case?
Francis: In any investigation that may result in litigation, it is essential to identify the primary evidence sources as early as possible by conducting an in-depth scoping exercise. Collection and preservation must then happen as swiftly and smoothly as possible, to avoid the deliberate or accidental destruction of evidence. Careful thought must also be given to how the individuals involved are informed, if at all, about the investigation. As individuals learn about a potential investigation, there is the possibility that evidence may be altered or destroyed, unintentionally or otherwise. For example, a delay in the preservation of an iPhone may result in the custodian tampering with or destroying crucial evidence on the phone. Additionally, a lot of cloud accounts have retention policies that only store the last 30 days of log data and evidence can be very quickly overwritten on devices that are continually used. Finally, it is important to maintain strict chain of custody and follow industry standard preservation techniques to ensure the evidence holds up in court and is not subject to claims of spoliation.
Knox: In the first instance, only a certified forensic expert should be tasked with the collection and preservation of data. A crucial part of collecting and preserving data is the chain of custody. This is the ‘paper trail’ by which digital evidence is accounted for, from the day of collection to the day it is submitted in a court of law. Chain of custody, and secure storage and analysis, is crucial to maintaining the integrity of any evidence and making sure it can be deployed in a legal context. On a more basic level, it is important to have a conversation with the client to understand clearly the nature of the issue and, therefore, the range of possible devices and data sources which might hold relevant digital artefacts. It might well be prudent to bring in external counsel at this stage to advise on the legitimate scope of data collection.
Financier Worldwide: Could you outline the key challenges involved for those conducting digital investigations, in terms of both the investigative process itself and the proliferation of companies’ data sources?
Knox: A particular challenge is presented by secure messaging apps like Signal, which have the functionality to automatically erase messages after a period of time. As a digital investigator, you are unable to exert technical control over that process. From an offensive position, it means you cannot trust the fact that ‘no data’ equals ‘no communication’, and from a defensive perspective it means you have to rely on policy and procedure to prevent people from erasing information that you might be required to preserve. Encrypted messaging apps are constantly evolving, and look set to continue doing so throughout the coming years. Technological and political developments around encrypted messaging will create fresh challenges for the digital investigator.
Francis: When leading an investigation, you must be aware that the digital aspect, while often the highest priority, is not the only factor in the direction of the investigation. You often need to balance compliance and regulatory concerns, the financial and reputational impact, employment-related issues and often internal pressure from senior stakeholders within the company. Balancing these priorities to ensure the best outcome for your client can be a challenge when the different aspects collide. The proliferation of companies’ data sources has changed the way investigators approach an investigation. It is no longer feasible to collect all possible data sources that may be relevant, and this has made the scoping of an investigation more critical. Conducting an effective scoping exercise at the kick-off of an investigation will save a lot of time and effort, as this allows for a more targeted and focused approach, while still keeping an open mind to other potential lines of enquiry.
Financier Worldwide: When handling and analysing digital evidence, what human factors need to be taken into account?
Francis: When piecing together past events, considering human nature plays a big part. Humans are rarely unpredictable, even though they try to be. Daily habits can be noted in digital activity – for example logging in to check emails at the same time each day, using the same password for multiple social media accounts, or storing suspicious contacts under the names of superheroes. Taking the time to identify these patterns in human behaviour and understand the individual’s habits enables investigators to understand what the base level of ‘usual’ activity is for the individual in question. This is important as it then becomes easier to identify the anomalous ‘suspicious’ activity in among the ‘normal’.
Knox: There is an understandable human desire to act quickly and decisively in a crisis. However, hasty action by untrained parties presents a real risk in the handling of digital evidence. Logs can be destroyed or overwritten, and valuable evidence destroyed. Even evidence that survives and appears sound might have been rendered inadmissible by some seemingly minor error or oversight. It is critical that the experts are brought in as early as possible in order to ensure evidence is handled correctly. This also includes implementing proper chain of custody processes and secure storage for digital evidence.
Financier Worldwide: What privacy concerns do investigators need to consider and address, particularly in light of home working and bring your own device (BYOD) trends?
Knox: Home working and bring your own device (BYOD) inevitably blurs the line between professional and personal life. Under a BYOD policy, it is likely a device will be filled with personal data that will have to be ring-fenced from any forensic exercise. This is typically managed by running keyword searches that are agreed with legal counsel. Another consideration is that a BYOD device might be used by multiple individuals, which creates further privacy issues when carrying out a digital investigation. Finally, depending on the policy in place, it might be necessary to get the custodian’s consent before you examine their device.
Francis: Following the pandemic, the increased popularity of BYOD policies brings potential complications as it blurs the line between personal and corporate information. When conducting an investigation, authorisation to analyse the data stored on a BYOD device is often dependent on the conditions laid out in the policy. This can be further complicated by the additional access requirements for connected cloud accounts, for example a corporate iPhone syncing confidential data to a personal iCloud account. Individuals are understandably reluctant to give employers unrestricted access to their personal photos, text messages and internet browsing history. Investigators need to work with clients to ensure there is a plan in place to quickly obtain authorised access to the digital evidence for forensic preservation and examination. Engaging an external independent investigator can be an effective solution as individuals are often more comfortable allowing an investigator access to their data under strict confidentiality agreements. Digital forensic investigators are commonly engaged through external legal counsel so that the analysis and findings are covered by privilege to the greatest extent possible.
Financier Worldwide: Looking ahead, how do you expect the digital investigation process to evolve? What methods introduced in response to COVID-19 are likely to persist post-pandemic?
Francis: As remote working is likely to be a permanent shift in working culture, the requirement to be able to remotely acquire evidence is unlikely to fade away. During the pandemic, investigators have developed remote acquisition tools and processes which are likely to continue to be used in a lot of cases. This has additional benefits such as the increased speed of collecting critical evidence; however, care must be taken to ensure chain of custody is preserved and the collection is forensically sound. The standards of practice around this are not yet well defined and are likely to continue to develop over the next few years as flexible working becomes the norm. Additionally, the proliferation of data sources has been fast-tracked by COVID-19 as previously rare data sources such as Teams, SharePoint and corporate instant messaging applications become common in every workplace. Consequently, the development of forensic methodologies for preserving and analysing data from these cloud platforms is more important than ever and is likely to be a key part of investigations for the foreseeable future.
Knox: The pandemic has led to an explosion in the use of instant messaging, both on mobile devices and computers, using programmes such as Microsoft Teams or Slack. In addition, web-based document management systems, such as Microsoft SharePoint, and software-as-a-service enterprise solutions, such as Google Workspace, are becoming increasingly prevalent in the corporate context. This means that digital investigators are having to become increasingly skilled at forensically analysing an ever-growing range of digital technologies.
Septimus Knox is the Deputy Head of S-RM’s Disputes & Investigations practice and oversees all the firm’s disputes work in Russia & CIS. His clients include international law firms as well as leading regional corporations and business figures. He has particular expertise in leading cross-border asset traces, litigation support and strategic intelligence assignments. He has previously lived in Russia, Italy and South East Asia. Septimus has a BA in Russian Studies from University College London and speaks Russian.
Amy Francis heads up S-RM’s Digital Forensics practice. She brings eight years of industry experience of leading complex digital forensics cases, including high-profile investigations into fraud, IP theft, whistleblowing allegations, misconduct and compliance concerns and other litigation. Amy has a wealth of expertise working with corporate and private clients both domestically and internationally.