Top Tips In Digital Investigations

For most organisations, digital investigations are now a fact of life, and it is increasingly the IT department that must take on the task of managing data collection. Whether it is a case of IP theft, a data breach or fraud, there is a clear advantage in acting swiftly. Having the right policies and technology in place can make all the difference, minimising disruption and reducing the time taken to conduct any investigation.

The biggest challenge is data discovery amid the burgeoning volumes of digital information produced by the proliferation of different devices in the workplace. E-discovery is further complicated by the capabilities of mobile devices such as Apple iPhones and iPads, which offer the ability to remotely wipe data and, in certain devices, add the complexity of data encryption.
With so many factors affecting the outcome of an investigation, here we provide some key tips on how best to manage the process.

Understand the scope of the data

The first stage in any digital investigation is to understand the vast amount of data which could be accessed in an investigation. To put this into some context: IDC predicts that ‘In 2012 the volume of digital content will grow to 2.7 zettabytes (ZB) globally, up 48% from 2011.’

This is indicative of the global trend of exploding data volumes. Furthermore, additional factors such as DVDs, webmail, USB devices and even third-party cloud services like Dropbox make it difficult to get a comprehensive map of all the related data. Knowing where your data is located, known as data landscaping, is therefore the first rule of e-discovery.

Know the boundaries – implement policies

Ensuring that your company has clearly defined policies regarding the employer's rights of access to all work-related data, wherever it resides, is also vitally important. Yet here, too, complications can arise in multinational organisations, as national legislation regarding the permitted access to individual data varies between countries.

For instance, in certain countries the user’s permission is required to access their data at the time of the investigation, regardless of corporate policies in place at the time. Nonetheless, effort expended to map your data landscape and maintain updated records of where data is located pays dividends and shortens the time required for e-discovery at the time of an investigation. It also frequently helps identify instances of sensitive data being stored in unsecured locations, enabling the data to be purged and pre-empting the likelihood of data breaches.

It is also imperative that your organisation puts in place a data retention policy that establishes clear parameters around what data needs to be retained and for what length of time. This not only limits the amount of information that would need to be searched in a digital investigation, but also reduces storage costs. This policy needs to be clearly communicated to all your employees and enforced.

Prioritise your data collection

A crucial element of any e-discovery process is the time it takes to complete the investigation and, in some cases, present the findings in court. It is important to note that in competitive cases with multiple parties implicated, such as a case of share fixing, being first to present your evidence will generally result in more leniency being shown by the courts.

To save time, take the logical step and prioritise your data. Many companies make the mistake of compiling each and every conceivable piece of evidence before assessing the situation. To have the upper hand, prioritise the data collection to focus initially on those individuals most likely to be implicated in the case. This can provide a clearer indication of the best course of action and allow you to negotiate from a position of strength.

Use the appropriate technology

The foundations of any digital investigation must be strong enough to support the mountains of data that must be factored in. It is important to use the correct technology, as it can help to minimise the quantity of data that needs to be reviewed. Its ability to triage information against keywords and criteria like date and time narrows the data search down to manageable dimensions, limiting the time required by legal representatives to sift through vast quantities of data.

Furthermore, having the appropriate technology means that you can access data remotely, removing the need to travel to different countries or regions to extract the data, which can be time and cost intensive.

The old saying, ‘being forewarned is being forearmed,’ is an important mantra to stick by during a digital investigation. Plan and make sure policies are in place, conduct a full investigation using the correct technology and remain focused on likely indicators to save time. It is, after all, not just time and money you are trying to save; it is also your reputation.

Leonora Placks has a long background in digital forensics, having worked as a Senior Investigator for KPMG South Africa, and as a Consultant and Forensic Technology Manager at Ernst and Young in the UK and abroad before joining Guidance Software. She would be happy to discuss her career as a digital investigator, what training she had and what made her choose this career path, as well as what day-to-day life is like as a forensic investigator.