Digital Data Forensics
Data Eliminate are experts in digital data forensic investigations. If you have a case that involves analysing digital media – We Can Assist!
Our digital forensic investigation team has the experience to handle corporate computer misuse, IP Theft, Fraud, GDPR data audits & data investigation for private clients.
Data Eliminate’s background in secure destruction and logistics, handling some of the UK’s most sensitive data, means that a methodical, orderly and secure approach to forensic investigations comes as second nature.
All investigations are handled from inception to completion through our Integrated Management System which incorporates:
We follow a strict data handling ethos and we are industry leaders in the ‘Secure Chain of Custody’ method, where multiple layers of skin security are used and a transparent audit trail is signed off by all parties concerned to ensure a safe and secure service.
We establish where the device is and how to access it, use our forensic skills to understand what it shows, and then determine what to do with the information once we have located it.
Remember – once a digital device or piece of equipment is operated, it becomes a potential source of electronic evidence and leaves a trail that can highlight misuse or illegal conduct.
If a potential suspect has taken steps to cover their tracks, we help recover any data that has been erased or hidden, including key data buried in documents or memoranda, and we are able to retrieve fragmented data from numerous sources into an organised data format.
Data Eliminate’s digital data forensics services cover four main areas:
- Corporate Computer Misuse
- IP Theft
- GDPR Data Audit
Data Eliminate has considerable experience of working in high security environments with private and public sector customers for whom data security is of paramount importance.
In such situations, successful projects require a data security approach which enables the customer organisation to function efficiently, security to be maintained at appropriate levels and in-built flexibility to enable agile responses to changing circumstances and events.
The 5 Steps of a Typical Data Forensic Investigation
- Specification of Scope
- Seizure of Evidence
- Acquisition
- Analysis
- Reporting
Step 1 – Specification of Scope
The quantity and variety of data, and the multiple locations in which evidence can be found, mean that it is important to begin any forensic investigation with a defined focus, clear objectives in mind and a clear understanding of the details of the case at hand. Data Eliminate experts will advise on determining an appropriate scope for the investigation. Factors to be considered will include but not be limited to:
- What is one setting out to find? E.g. the types of evidence sought (including specific platforms and data formats)
- Investigation with the knowledge of, or without raising the awareness of, the suspect
- Priority Area of investigation
- What level of ‘proof’ is required or in what arena will any evidence be presented
- What is the value of the matter at hand – this is key to determining budget
- How evidence should be presented
Step 2 – Seizure of Evidence
Data Eliminate engineers will analyse the customer organisation’s or suspect’s operational processes and systems in order to identify and prioritize the places where evidence is located and determine the manner in which, and source(s) from which, it would be seized.
When evidence is seized, steps are taken to protect it from physical damage and to arrange for its transportation. A comprehensive chain of custody records evidence values and any special notes, and details the handover of the evidence from one individual to another entity.
Evidence must be preserved in order to ensure that the digital evidence is not manipulated in any way and its integrity is maintained. Preservation may include shielding the evidence from any interference such as a mobile data network, Wi-Fi, Bluetooth, magnetic fields or other electronic equipment. Special protective cases and/or Faraday Bags may be used for this purpose.
Pictures may also be taken to record the circumstances of the seizure, capturing the original state of any assets holding evidence, as well as their make, model, serial numbers, IMEI number or operating system versions.
Step 3 – Acquisition
Acquiring evidence must be accomplished in a manner both deliberate and legal. Detailed information must be recorded and preserved, including all hardware and software specifications, any systems used in the investigation process, and the systems being investigated.
Any forensic examination must be conducted on a certified copy or image which is captured from the original evidence, to preserve the integrity of the latter. The examiner looks to collect as much information as he or she can, and builds up the evidence. This will include the recovery of as much deleted information as possible using applications that can detect and retrieve deleted data; the discovery of the contents of all hidden files with programs designed to detect the presence of hidden data; the decryption of encrypted and access-protected files; and the analysis of special areas of the computer’s disks, including parts that are normally inaccessible such as unallocated space.
Step 4 – Analysis
In the analysis phase, the analyst looks for correlations between the relevant data (revealed during the examination phase) and prioritises this data set based on the proceeding investigation.
Relevant and irrelevant data is segregated by the forensic analyst based on the case background.
Some of the common types of evidence are contacts, call logs, SMS, audio and video files, emails, any saved notes (these might contain passwords for other accounts), saved geographic locations, web activity, and social media updates and chats. Evidence also includes data which has been deleted or hidden on the mobile device.
Step 5 – Reporting
Reporting of a data forensics investigation depends on the requirements of the task at hand, including the audience who will read the report (e.g. a Court of Law, Industrial Tribunal or Staff Disciplinary Hearing) and the level of proof required. It is important to document each step of the procedure, why it was taken, what method was used and what was obtained as a result. A report may also feature a physical layout of the system(s) and the encryption status of files, to prove that investigations have preserved all the information on the computer system without changing or damaging it. There may be long delays between investigation and a trial, and without proper documentation, evidence may not be admissible. The report could be used as the basis of expert evidence testimony in Court.
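The integrity checks described in Steps 2, 3 and 5 can be illustrated in code. The sketch below is an added example, not Data Eliminate's own tooling: it hashes a constructed sample image in chunks, confirms the working copy is bit-identical, and keeps a hash-chained custody log in which every handover records the evidence hash. All function names, field names, item IDs and parties are hypothetical.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash used by the first custody entry

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash an evidence image in chunks so large images never sit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def entry_hash(entry):
    """Hash every field of a custody entry except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(log, item_id, action, handed_from, handed_to, evidence_sha256, when, notes=""):
    """Append a handover record that is chained to the previous record."""
    entry = {"item_id": item_id, "action": action, "from": handed_from,
             "to": handed_to, "evidence_sha256": evidence_sha256,
             "timestamp": when, "notes": notes,
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify_log(log, acquisition_sha256):
    """Return a list of problems; an empty list means the trail is intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if entry["evidence_sha256"] != acquisition_sha256:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = entry["entry_hash"]
    return problems

if __name__ == "__main__":
    original = b"constructed sample disk image " * 1000  # stands in for seized media
    working_copy = bytes(original)                        # image the examiner works on
    acquired = sha256_stream(io.BytesIO(original))
    assert sha256_stream(io.BytesIO(working_copy)) == acquired  # copy is bit-identical
    log = []
    add_entry(log, "ITEM-001", "seized", "site contact", "engineer A", acquired, "2024-01-01T09:00:00Z")
    add_entry(log, "ITEM-001", "imaged", "engineer A", "examiner B", acquired, "2024-01-01T14:30:00Z")
    print(verify_log(log, acquired))   # problems found in the untouched trail
    log[0]["to"] = "someone else"      # simulate a later edit to the record
    print(verify_log(log, acquired))   # problems found after the edit
```

Chaining detects edits to any entry that has a successor; the most recent `entry_hash` is the value the parties would need to sign off, since nothing in the log itself protects the final record.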
If you require further information or guidance then please contact us on Tel: 0345-1234400 or use the Enquiry Form.