A multinational organisation, represented by its legal counsel and forensic investigators located in various countries, was investigating certain employees based on a whistleblowing letter received last month. During the investigation, data in one country needed to be reviewed by the legal counsels located in another part of the world. Traditionally, the forensic investigator would arrive at the location where the data was stored in its original electronic format, unplug the device, and create a forensically sound clone of the data for analysis. This traditional solution would be unsuitable in the current situation given the geographical spread of evidence. In addition, it would not account for the loss of temporary data (also termed as volatile data) stored in the device’s memory (RAM, cache, registries, etc.) that would be purged when the device is unplugged or switched off.
What should legal professionals facing such an issue do?
They can consider using remote forensic acquisition, an alternative to the traditional method of gathering evidence. Remote forensic acquisition would involve remotely routing into network-connected devices and enabling data collection from one geography to another (without using any incremental hardware). Besides being efficient and economical, this solution would enable collecting volatile data without unplugging the device, and can provide additional insights on device use to investigators.
In the past, low network transmission speed made this remote forensic acquisition slow and time-consuming. This process was prone to disconnections due to weak networks and connectivity. The shift from dial-up to broadband to fibre cable networks has led to an increase in bandwidth, making the process more durable and less prone to interruptions.
Remote forensic acquisition can be useful in various scenarios, including divestitures, claims management in bankruptcy proceedings, and mergers and acquisitions when electronic devices/data sets need to be preserved, reviewed, or analysed without physical access to the device. During discreet investigations, remote collections can be carried out when the organisation requires that company-owned data be collected, preserved, and analysed with minimal disruption to operations.
Further, the imminent personal data protection regulation in India will require that the traditional forensic acquisition process builds in the added task of segregating personal data from company data. With remote forensic acquisition, targeted data collections can be managed effectively after soliciting the consent of the employee whose data is being collected. This reduces any liabilities arising from data mismanagement.
Is such a process defensible?
Large amounts of data is electronic and stored remotely on cloud[1], ensuring that data management does not leave any room for manipulations (when data is being transmitted over a network) becomes important. The can be done by putting in place a chain of custody[2] and ensuring that remote access forensic tools generate hash values for data that is forensically preserved. This means the path, size, and other attributes of data (metadata) are also captured for every individual file and folder that is imaged and acquired. Further, the tool provides a report alongside the evidence gathered that includes details on the chain of custody, screenshots of the process followed, and consent details to enable defensibility.
How can legal professionals derive the most from remote forensics?
Legal professionals can work with forensic practitioners to ensure the following aspects while gathering evidence:
- People: Only users with approval should be able to access the admin console of the forensic tool used to carry out live forensics. General Counsel may review the organisational chart at regular intervals to exert control over the team members with access to sensitive data.
- Process: Legal teams should provide a defined and documented work plan and procedure. Authorised people should follow the process while collecting evidence. Any deviation from the process may impact user data on endpoint devices and employee behaviour if discreet investigation operations are disclosed.
- Technology: Using commercially licenced tools, which provide tracing and audit trails for the tasks completed, is advisable for data collection. Remote forensic acquisition is not simply copy-pasting information over internet and evidence of the process carried out is important to make the process defensible.
Personal data protection regulations, chain of custody, network bandwidth, and unintentional spoilage of electronic evidence are critical factors for legal professionals and cyber forensic experts to watch out for. After taking these factors into account, cyber forensic investigators can connect to a remote computer using remote desktop applications and acquire electronically stored information. They need to follow the standard data integrity checks conducted at the time of acquiring electronic evidence with physical access. Integrity and security aspects can be documented to bring some consistency into the mix. A decrease in dependencies and turnaround time for collections is a positive impact of using this technique for investigations. This technique has significant potential in law enforcement, government, and other investigative agencies.
References
[1] https://stratixsystems.com/three-benefits-using-live-forensic-imaging-next-case/
2 FORENSIC COLLECTION OF ELECTRONIC EVIDENCE FROM INFRASTRUCTURE-AS-A-SERVICE CLOUD COMPUTING
Josiah Dykstra, Damien Riehl, 2012
https://scholarship.richmond.edu/cgi/viewcontent.cgi?article=1370&context=jolt
3 Live Forensic Acquisition as Alternative to Traditional Forensic Processes, Marthie Grobler, 2008
4 https://www.trendmicro.com/vinfo/in/security/definition/hash-values