Article:

Digital evidence and your investigations - how forensic technology can help

13 November 2020

James Vickers, Manager, Advisory - Forensic Services |

Do you know that the majority of criminal investigations now rely on digital evidence? This evidence can be hard to find, deliberately hidden, destroyed or overwhelmingly complex to interpret.

Take for example the Enron scandal, which caused investors to lose a large amount of money, employees to lose their jobs, and retirement funds and is considered one of the most complex financial crimes in the history of corporate fraud. The investigation lasted almost five years due to the vast amount of digital evidence that was discovered - 31 terabytes.

Even small business investigations can uncover a wealth of complex digital data. It may be a human resources issue you are looking into. Or maybe you have a confidentiality breach. You could even have a potential criminal matter on your hands such as fraud or misconduct. Where do you start?

Evidence comes in many different forms. It can be a physical item, it can be an eyewitness account of events, it can be a document - and it can be digital. How is it that something that does not materially exist in a physical sense, is highly volatile and can be easily manipulated can carry such weight in legal proceedings?

Information systems and communication technologies provide a range of benefits, which enhance our professional and personal lives. Conversely, they can also provide malicious actors such as disgruntled employees with opportunities for wrongdoing.

Despite its prevalence, digital evidence is often overlooked in investigations.

So why is digital evidence under-utilised?

The sheer quantity and complexity of data available can be challenging and overwhelming, in terms of both identification and analysis.

Let us consider an example of a small to medium business. Data is likely to be present on all of these sources:

  • Computers - laptops and workstations
  • Mobile devices - mobile phones and tablets
  • Servers - network storage and file shares such as “home” drive
  • Cloud services - email accounts, file shares, online storage
  • Portable storage devices - USB flash drives, USB hard drives, CDs, DVDs
  • Multi-functional devices - printers, scanners, faxes
  • Networking equipment - firewalls, email gateways

Each one of these sources can store amounts of data that are not humanly searchable should the need arise, yet this data could provide the critical evidence needed for an investigation.

What are the risks associated with Digital Evidence?

The identification, extraction analysis and review digital evidence require a range of specialist technical skills and tools, which are not commonly found in most Information Technology teams. Using the wrong tools or approach can lead to loss, overlooking or misinterpretation of evidence. Any of these can be detrimental and a combination can be catastrophic to the investigation.

Loss of evidence

Improper processes in the initial preservation of highly volatile electronic data could inadvertently destroy evidence. It is critical to understand the underlying actions of the operating system as simply turning on a computer can change the underlying data. Something as simple as opening a document and saving a copy of it will change the document metadata and may make it even more difficult to attribute to a user. It could also overwrite critical recoverable deleted data that may otherwise have been valuable.

Overlooking of evidence

When undertaking investigations, you need to have an open mind as to where data may be identified. This could include email attachments, hidden files and folders, log files and backups, swipe card logs, Internet of Things devices (such as smart cameras, televisions and ‘home assistant’ type remote devices).

In the case of files contained within other files or folders, one item can become multiple items to review, significantly increasing the risk of human error.

Misinterpretation of evidence

This is probably the greatest risk you can be exposed to, yet few people question. Action taken against subjects based on digital evidence can lead to:

  • Loss of reputation
  • Disciplinary measures
  • Loss of employment
  • Criminal charges

Should the interpretation be incorrect, these same consequences may then be reflected on the investigator and their organisation. Investigators need to understand the extent of their expertise and when they should seek specialist assistance. 

Even if it seems obvious that a particular computer was used or electronic evidence is identified, it remains that the investigation needs to link the user to the activity. Negating a defence of “Someone else used my UserID and password” requires careful consideration. To the computer, the UserID and password is the identification of the user and it will not in itself differentiate further. Careful consideration and analysis of user activity can make all the difference and should not be taken for granted.

It is essential that electronic evidence is interpreted correctly to ensure procedural fairness to all concerned and that a fair and proper outcome is realised, whilst minimising risks to the organisation and indeed the investigator.

Common questions

Why can’t my IT department to do it?

  • IT teams make sure IT resources are configured appropriately and available, their approach is not about satisfying legal requirements, as they are not trained to do so.
  • Forensic technology professionals work in conjunction with IT teams in order to reduce the likelihood of accidental deletion/alteration of data or a negative impact on the admissibility or integrity of any evidence that may exist. It is strongly recommended that management liaise with forensic experts before accessing any potentially relevant information.
  • The term forensic denotes the application of scientific techniques to criminal and civil laws during investigations or inquiries. In other words, it is suitable for use in courts and other judicial settings such as tribunals. IT professionals may not have the experience or be comfortable in providing testimony to support their actions and activities.
  • Accurate documentation must be maintained relating to the handling and analysis of the evidence. Processes undertaken must be properly recorded and fully repeatable, other parties can be entitled to disclosure of the evidence and the methods used to identify, extract and analyse the evidence. IT professionals may not be familiar with the requirements to consider their methodology and document procedures they undertake.
  • Engaging an independent expert brings a level of objectivity to proceedings, offering a defensible position to investigators should accusations later arise relating to the fabrication of electronic evidence or other bias in its interpretation.

Can I retrieve deleted data?

  • Large volumes of deleted data can be recoverable, however ultimately it depends on a variety of factors. Forensic Technology professionals work with you to identify whether deleted data exists and to ascertain if it has any evidential weight.

I don’t know what I need to look for now; can the data be examined in the future?

  • Yes, but you must take steps to preserve the data. Proper preservation is independently verifiable subsequently and can allow you to re-purpose the device and continue using it in the meantime. Seek advice before doing anything else.

Can I review emails?

  • Yes, but you must take steps to properly preserve the emails first. Like any other form of electronic evidence, email data is volatile. Typically, there are thousands of emails associated with one email address and the review process can be daunting. Forensic Technology tools ease this burden through intelligence search and filter processes to expedite the process significantly.

Where can I find evidence that might help my investigation?

  • Every organisation is different. Often investigators will not have detailed knowledge of the organisations IT systems or where potential evidence may be located outside of a user’s computer, mobile phone and email. Forensic Technology professionals work with IT teams, whether they be internal or external to the organisation, to identify and preserve sources of data. 
  • Depending on the nature of the investigation, they can advise investigators as to where the electronic evidence may be located and the best means of identifying, triaging, preserving and analysing it.

So how do I deal with Digital Evidence?

Consult a qualified Forensic Technology professional as part of the initial investigation planning process. Getting forensic experts involved early in your investigation can identify critical evidence whilst also providing significant cost and time savings. Digital sources of evidence can be quickly identified, triaged, and specialist actions subsequently are taken to get you the answers you need

BDO’s forensic team is highly experienced in all elements of forensic investigations. We can fully manage the overhead of digital evidence handling, from identifying and preserving sources of evidence, through to analysing data and presenting it in a user-friendly format so that it can be incorporated into investigations, and ultimately present that evidence in court or tribunal settings should it be required.

Contact your local BDO adviser for a confidential discussion.