Data and the law - How digital forensics supports litigation

The amount of electronic data in use and stored globally has grown to stratospheric levels, with no sign of slowing down. Current predictions are that the amount of data stored worldwide by 2025 will exceed 175 zettabytes. Or, in more sensible terms, a data volume that would take you 1.8 billion years to download via a standard internet connection.

It naturally follows that digital forensics and efficient, targeted e-discovery are increasingly critical to cases across the breadth of the legal spectrum. The ability to secure, extract, process and analyse large volumes of digital data can make the difference between success and failure in the court room.This is especially true in litigation, where the sheer volume of electronically stored information, or ESI, can present some unique and formidable challenges.

But how do digital forensics professionals work with law firms to support litigation?

Firstly, it’s worth taking a moment to consider the types of data that can be collected. Broadly, data can be categorised as: active data, cloud data, mobile data, offline data, backup data and hidden data.

Active data comprises the sort of information with which a typical user might interact daily, such as e-mails and working files. Active data is usually stored on the local hard drives of individual computers or on shared storage, which can be accessed via a personal or corporate network.

Cloud data resides on servers and is usually accessed via a public network, such as the internet. Cloud data might be stored on a private cloud – owned and operated by the company that owns the data – or on systems operated by a commercial cloud storage provider, such as Microsoft, Amazon or Google. Cloud data also encompasses the data held by providers of professional hosted services, as well as consumer services, such as social networking.

Offline data is that data which is no longer in active use but which is archived, either on local devices (such as removable media) or in a data centre.

Backup data typically comprises a snapshot of an organisation’s active data and is designed for disaster recovery use. This data is often stored in a compressed and sometimes proprietary format and must first be restored before it can be accessed. Backup data often comprises a series of periodic or incremental backups. This can allow for the recovery of historic material, which may have subsequently been deleted from both active and offline data sources.

Hidden data includes data that has previously been deleted from computer systems and which can be recovered using specialist forensics tools. The fact that hidden data is relatively inaccessible means that it is typically spared from any destructive efforts on the part of a user, although the nature and recoverability of hidden data can be unpredictable.

The first step is to identify those types of data which are relevant, both to the current issues in a case and those which might arise over the potentially lengthy period leading up to settlement or judgement.

Careful consideration should then be given to the potential volumes of data that might be involved, the sources of that data and accessibility and time constraints. Whether a case falls wholly within the civil arena, or whether it might have a parallel criminal track, will also inform decisions around the most proportionate approach to data collection and preservation. For example, there is significant variation in the complexity and cost associated with preserving a physical image of data (i.e. the entire content of a data storage device, including deleted files and other artefacts) vs a logical image (just the active data) or even performing a targeted collection (selectively preserving just a specific set of files or documents).

Once the initial scoping phase is complete, a data collection and preservation plan can be formulated. It is important at this stage for the forensic professional to work closely with legal representatives and, potentially, data custodians. Detailed technical information is often required at this stage in order to set out a plan which is proportionate, comprehensively documented and forensically defensible.

At this stage, care must be taken to ensure that evidence handling considerations are properly satisfied. Conventional techniques, such as comprehensive chain of evidence documentation, audit trailing and so forth have a role to play, alongside methods specifically designed to preserve the integrity of potentially volatile digital evidence.For example, the use of recognised and validated forensic techniques, specialist methods for encapsulating digital evidence in tamper-proof electronic packages and hashing – which generates a digital fingerprint of source data – all help to both preserve and demonstrate evidential integrity.

Once collected, the digital evidence must be processed and analysed in a manner which addresses the practical issues identified in the legal case. This can range from a detailed forensic examination of narrow aspect of a subset of the digital evidence at one end of the spectrum, through to a broad e-discovery exercise at the other.

In any event, specialist tools and techniques have a further role to play in ensuring that the collected evidence is analysed efficiently and with the greatest possible focus.

In cases where there is a need to pick out specific material from huge volumes of data, highly sophisticated e-discovery tools can allow for near-instant searches to be run over millions of e-mails and other documents, and their associated metadata. Optical character recognition, machine learning and intelligent classification can help to save thousands of reviewer hours.

What’s more, these review tools can be made directly accessible to legal teams, allowing for a greater degree of agility and responsiveness in analysing digital material. At the end of this e-discovery phase, documents identified as relevant can be checked, redacted and produced as bundles, ready for disclosure in standardised formats.

Working with a qualified digital forensics professional brings more than just specialist technical knowledge. It allows for a legal team to identify relevant sources of digital evidence, ensure that it is comprehensively collected and examined, and leverage the information it contains to provide insight in relation to specific legal issues. Done well, this can save a great deal of time and cost, as well as impacting enormously on the outcome of a case.

ABOUT US

Recruited from the UK Intelligence and Security Services, our people offer a unique insight into global cyber risks coupled with the knowledge and tools to effectively deal with and mitigate threats.

We understand that every situation is unique, including the impact it can have on individuals and organisations. Whether you are dealing with an incident in progress or simply need to turn to someone for confidential advice, contact us for a no-obligation conversation.

SOME OF OUR SPECIALISTS

Jake Hockley

CEO
James Tamblin

CTO
John Downham

Penetration Testing Director
Lewis Anderton

Consultant

Jake is a cyber investigations professional with extensive experience of working with government and private clients at the highest level. He began his career working for the UK Government against threats to National security before founding Marclay and using his expertise to assist commercial clients. Jake is the company CEO and works closely with senior legal contacts in the UK and abroad.
James is former military intelligence officer with experience of leadership in technical defensive environments. He is an expert in risk and security with a background in management and crisis response across several security disciplines. Since leaving the military he has worked in advisory roles in the security and intelligence sector - delivering projects for global banks, consumer businesses, multinational technology giants and family offices across Europe, the Middle East and the Americas.
John is a cyber security specialist who began his career working for the Ministry of Defence in the area of information exploitation. He progressed to work for the UK government conducting penetration testing at specialist and sensitive sites throughout the UK. Using his extensive expertise, John now leads the technical department at Marclay, delivering security audits, security testing, penetration testing and intelligence gathering.
Lewis is a cyber security investigator specialising in digital forensics, data recovery and preservation of legal evidence. After a successful career in the Royal Air Force and the Metropolitan Police as an Intelligence Analyst, Lewis uses his experience and knowledge to handle the most complex cases – presenting information and options to a variety of stakeholders. His experience in a variety of sensitive environments enables Lewis to provide timely, practical and actionable advice in a crisis situation.

CONSULTANCY SERVICES

We are there when you need us. With the expertise and gravitas to handle the most challenging technical and political situations, we can help you eliminate threats and restore confidence. As a trusted advisor, we provide clarity and assurance for your key stakeholders.

Issues our Crisis response team typically deal with:
- Internal and external cyber attacks
- Data breaches
- Digital extortion
- Social media attacks and reputation harm
- Advisory services
The chances are that whatever situation you’re facing, we’ve dealt with it before.

Simply contact us for a no-obligation conversation to discuss options.
Our Cyber Investigations capability is unrivalled. Conducted by security vetted consultants with UK Government and Police backgrounds, we use a variety of tools and techniques to uncover the truth.

Whether you need to quickly gather intelligence, or you require evidential-standard investigations, we can provide a responsive and dependable service.

Examples of investigative activity:
- Post-incident investigations to establish cause, extent of breach and to advise on mitigation
- Digital forensics and discovery of key data from devices and storage media to support legal cases or investigations
- Cloud forensics
- Establishing the identity of hostile parties
- Assisting law enforcement and judicial agencies with intelligence
Threats can materialise in a variety of ways – often unanticipated and from unknown sources.

With our Threat Management and Alerting services, we provide unique insights into your global systems using artificial intelligence - identifying threats in real-time rather than after the event.

We monitor a variety of sources for threat intelligence including the public Internet, internal networks, social media, and the dark web.

Simply contact us for a confidential, no-obligation discussion.
We offer a variety of services to provide reassurance or highlight vulnerabilities that need to be addressed. From network-level assurance to application-specific testing of servers and systems, we will tailor a service to your needs.
- Network | Cloud Infrastructure and Application testing
- Phishing Excercises
- Vulnerability Analysis and Monitoring
- Social Engineering and Physical Penetration Testing
- Open Source Intelligence Discovery - What are you exposing to the internet?
Simply contact us for a confidential, no-obligation discussion.
Whether you are seeking assurance or need to address known problems, our Cyber Security Audits will provide the information you require and advise on areas for improvement.

As your trusted advisors, our pragmatic approach is tailored to your organisation’s operating environment and can be aligned to global standards such as ISO27001 and SOC2.

Simply contact us for a confidential, no-obligation discussion.
Our advisory and support services have proved invaluable to many global, high-profile organisations.

To augment your team on an ongoing basis, we offer a Virtual or Outsourced Information Security Officer (ISO). Whether you need the assurance of having someone to turn to for advice or need a fully embedded ISO to enable a transformation programme – we can help.

Simply contact us for a confidential, no-obligation discussion.

SECURE MANAGED COMMUNICATIONS

Designed by Cyber Security Specialists who were active members of the UK Military and Intelligence Services, Marclay One™ is a secure communications platform that provides everything needed to conduct business in a private, secure environment with the highest levels of discretion. The system is particularly suitable for high-risk and high-profile teams where elevated levels of privacy and protection are required.

Marclay One™ can be rapidly deployed globally and is backed up by a security-vetted team providing world-class service, support and advice.

For more information on Marclay One™

CLICK HERE