37 JUN 2022 | WWW.LAWYER-MONTHLY.COM THE IMPACT OF DIGITAL FORENSICS ON LEGAL PROCEEDINGS is a suspicion of wrongdoing and instead call in qualified professionals to conduct an investigation. How does the accidental destruction of evidence impact proceedings? As with physical evidence, preventing the destruction of evidence is key to ensuring that legal teams have as much evidence as possible on which to build their case. Accidental destruction of evidence can occur when unqualified individuals attempt to conduct their own investigation without taking proper steps to protect the evidence from changes. For example, non-digital forensic professionals may not realise that by accessing a file they will erase artifacts and crucial timestamps associated with the file which show who has previously accessed it. Malicious intent should also not be ruled out and must be guarded against. For instance, in contentious matters where a court order is obtained to seize devices, it is important that the device owner has no of the matter to a subset of our team, ensure that data is securely wiped after a specified time, and ensure that data is securely stored on encrypted drives in our evidence safe. Digital forensics experts are also familiar with working under NDAs or other data privacy requirements which protect anonymity. Are there any common misconceptions about digital forensics that you would like to dispel? One of the most common misconceptions is that most of our work focuses on computer hard drives, mobile phones and USBs. The scope of digital forensics is much broader than this, having evolved significantly in the past ten years. Some of the devices our investigators have recently worked on include smart TVs and Bluetooth speakers, wearable fitness devices, and drones. Nowadays, entertainment systems, home appliances and wearable devices are all connected to the Internet of Things (IOT), and as such may contain digital evidence, so we count all of this within our remit. On top of that there is the digital world based in the cloud; from personal email and cloud accounts such as iCloud, Dropbox and Mega; social media such as Facebook, Instagram and Twitter; chat platforms such as WhatsApp, Signal and Telegram; and corporate cloud infrastructure such as Microsoft 365, AWS, and Azure. Around 50% of the evidence collected in most cases originates from a cloud environment. Another misconception about digital forensic experts is the failure to realise that, despite the highly technical and expert nature of our work, digital forensics professionals are investigators first and foremost. Asking questions, following leads, making connections, and uncovering all the relevant evidence is key to being a successful forensic investigator. Digital forensics experts should act as a key member of the core team for any notice or forewarning of the seizure. It can take only seconds to wipe a device, which would mean a loss of almost all evidence on it. Even if a device to be analysed is already in our custody, we will only switch it on in a specialist digital forensics lab where it cannot connect to a network, because a command to wipe or reset a device can also be done remotely (think of your Google or iCloud account, which can be used to wipe ‘lost’ devices). How do data privacy laws and data jurisdictions affect your methodologies? The overall methodologies will remain the same; the difference is whether the work needs to be done remotely or on site. It may be more appropriate to gather and analyse evidence on site if the data is sensitive, to avoid its being moved or shared outside of the jurisdiction. We can ensure that the data remains on a secure company site or even in one room if need be. When we are conducting a remote investigation, we can use a secure cloud in the same country to store the evidence to ensure that we comply with rules that state certain data must remain within its country of origin. We also include statements in our service agreements to guarantee our clients’ privacy and confidentiality. For highly sensitive cases, we may restrict knowledge Around 50% of the evidence collected in most cases originates from a cloud environment.
RkJQdWJsaXNoZXIy Mjk3Mzkz