Explaining Forensic Artifacts

Importance of Forensic Artifacts and Proper (Forensic) Collection

When we talk about 'artifacts' in the digital world, we are referring to evidence that is unintentionally left behind by a suspect, much like footprints, fingerprints, and DNA in the physical world. These artifacts can provide us with valuable information to corroborate and validate our investigations. They help us create a timeline of events, locations, and habits associated with the suspect, and ultimately, help us tell the story.

Here is a generic example of how artifacts can corroborate suspected activity in an employment matter:

In an employment matter, artifacts play a crucial role in corroborating suspected activity. For instance, a text message recovered from an employee's device, sent to a future employer/competitor before the employee left the company, can be used as evidence. Moreover, internet history artifacts reveal the searches conducted by the employee on the day of departure, such as "Connecting a thumb drive without alerting IT" and "Export data from Salesforce to Excel."

Additionally, the file system transaction history shows a spreadsheet named "Salesforce.XLS" saved to the 'Downloads' folder, and recent file history indicates the file was opened on the day of departure. Furthermore, Windows system log files indicate the connection of a USB thumb drive on the same day. The file system transaction history also indicates that the file name was changed from "Salesforce.XLS" to "PersonalContacts.XLS," and the recent file history shows the opening of the renamed file externally.

Thus, when investigating digital sources, it is important to thoroughly analyze all artifacts, files, and communications found on the hard drive. This can be an overwhelming task as there may be tens of millions of artifacts to review. To simplify the process, we use specialized software to categorize and normalize the data for review. Working closely with counsel, we prioritize which artifacts are relevant to the matter and create timelines for search by keyword or manual review. To further streamline the analysis, we collaborate with clients to establish a timeline of interest. This ensures that the review process is more focused and reduces the amount of data that needs to be analyzed. It is important to note that depending on the investigation details, digital artifacts such as those discussed above can be used as evidence to substantiate claims.
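The normalization and timeline-of-interest filtering described above can be sketched as follows. This is an added example, not Downstreem's software: the source names, field names, timestamp formats and all timestamps are constructed for illustration, using the employment scenario from this article.

```python
from datetime import datetime, timezone

UTC = timezone.utc

def iso(s):    # ISO 8601 with offset, converted to UTC
    return datetime.fromisoformat(s).astimezone(UTC)
def epoch(n):  # Unix seconds
    return datetime.fromtimestamp(n, tz=UTC)
def mdy(s):    # "MM/DD/YYYY HH:MM"; assumed here to be recorded in UTC
    return datetime.strptime(s, "%m/%d/%Y %H:%M").replace(tzinfo=UTC)

# Hypothetical export schema: source -> (time field, parser, description field)
SCHEMA = {
    "sms": ("sent", iso, "body"),
    "browser": ("visited", iso, "query"),
    "fs_journal": ("ts", iso, "change"),
    "recent_files": ("opened", mdy, "path"),
    "system_log": ("epoch", epoch, "event"),
}

# Constructed sample records mirroring the employment scenario; not real case data.
RAW = [
    ("system_log", {"epoch": 1710497100, "event": "USB thumb drive connected"}),
    ("fs_journal", {"ts": "2024-03-15T05:12:00-05:00", "change": "rename Salesforce.XLS -> PersonalContacts.XLS"}),
    ("browser", {"visited": "2024-03-15T09:10:00+00:00", "query": "Export data from Salesforce to Excel"}),
    ("sms", {"sent": "2024-03-01T18:30:00+00:00", "body": "Message to future employer"}),
    ("recent_files", {"opened": "03/15/2024 10:20", "path": "PersonalContacts.XLS (external drive)"}),
    ("fs_journal", {"ts": "2024-03-15T09:40:00+00:00", "change": "create Downloads/Salesforce.XLS"}),
    ("browser", {"visited": "2024-03-15T09:02:00+00:00", "query": "Connecting a thumb drive without alerting IT"}),
]

def normalize(raw):
    """Map every record onto one schema and sort chronologically in UTC."""
    events = []
    for source, rec in raw:
        time_field, parse, desc_field = SCHEMA[source]
        events.append({"when": parse(rec[time_field]), "source": source, "what": rec[desc_field]})
    return sorted(events, key=lambda e: e["when"])

def review(events, start, end, keywords=()):
    """Keep events inside the timeline of interest that match any keyword."""
    kws = [k.lower() for k in keywords]
    return [e for e in events if start <= e["when"] <= end
            and (not kws or any(k in e["what"].lower() for k in kws))]

if __name__ == "__main__":
    day = (datetime(2024, 3, 15, tzinfo=UTC), datetime(2024, 3, 15, 23, 59, 59, tzinfo=UTC))
    for e in review(normalize(RAW), *day):
        print(e["when"].isoformat(), e["source"], e["what"], sep=" | ")
```

Converting every timestamp to UTC before sorting is what lets the USB connection from the system log fall between the file creation and the rename, even though the three records use different time formats and offsets.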

It is important, however, that companies or employees do not undertake complex preservation exercises with limited or inadequate tools themselves. Collecting data is not as simple as just copying and pasting files. It requires a defensible and forensic collection, a process that ensures the data collected is reliable and can be used as evidence in a court of law.

Forensic collection involves collecting data in a way that preserves its original state, ensuring it is not modified or destroyed in any way. This is important because any modification or destruction of data can significantly impact the reliability of evidence. For example, if a file is deleted or modified, it may no longer be admissible in court.


Defensibility is also a crucial aspect of the collection process. It involves documenting every step of the collection process to ensure it can withstand legal challenges. This documentation includes the tools and processes used, the individuals involved, and any deviations from standard practices.

The importance of defensible and forensic collections cannot be overstated. Without them, data can be easily manipulated or destroyed, making it unreliable and inadmissible in court. This can have significant consequences for legal proceedings, potentially leading to wrongful convictions or acquittals.

In addition to legal implications, defensible and forensic collections can also help companies protect themselves from data breaches and cyber-attacks. By collecting data in a way that preserves its original state, companies can identify the source of the breach and take appropriate action to prevent future incidents.

Overall, defensible and forensic collections are essential in ensuring the reliability of data and evidence. It is important for companies to understand the importance of this process and to work with experienced professionals to ensure they are collecting data in a defensible and forensically sound manner.

