Our Views:
This month’s theme is “Remote Forensic Investigations”.
Remote working is now, and will be for some time, business as usual. This recent change to the way we operate has increased certain risks, whilst also posing new challenges when needing to conduct an investigation.
These risks should prompt businesses to think about how they would respond to any incidents requiring a forensic investigation.
Finding a balance between dependable investigative techniques and innovative new technology
Traditional forensic investigative techniques ensure the robustness of any case, and are critical to preserving evidence so that it can be presented in a court of law. However, new tools and technologies are required to remotely investigate incidents while ensuring compliance with “social distancing” and satisfying the greater need to search and collect evidence from remote devices. Visibility of the corporate network, which has now thoroughly expanded into employees’ homes, has become critical.
Some of the specific challenges posed by the current environment include:
- How can appropriate evidential standards for withstanding legal proceedings be maintained?
- How will you obtain sufficient evidence of who committed an offence?
- How can you balance a “thorough” investigation with the constraints imposed by remote working and lockdown?
- How can you securely share data with lawyers, investigators and subject matter experts while maintaining physical distance?
- How can you expedite investigations to save money?
We recommend a combination of a web based review platform and the latest document prioritisation tools. We summarise these below. Please feel free to contact us if you require further information.
Web based review platforms
There are a number of reasons to shift your investigations into a web based review platform.
Not only does it provide physical and financial flexibility, but it also offers the latest review technologies.
Where possible, data can be neatly transferred from the source, e.g. web based email systems, into the review platform. This avoids the need to physically hand over electronic devices, whilst still maintaining the necessary chain of custody requirements.
Access to the review dataset (and subsets thereof) can be centrally managed allowing timely access to the appropriate people.
Certain tools also offer access via mobile devices, reducing the requirement to extract documents from the review platform when needing to share.
Continuous Active Learning
An investigation often begins with a small set of filters comprising keywords, individuals and date ranges. This task becomes more difficult when there is a large dataset.
Consider the use of the latest review technology, ‘Continuous Active Learning’ (CAL).
CAL constantly reprioritises your review queue within the dataset based on your ongoing review decisions, therefore presenting you with documents that are most likely to be relevant within the context of your investigation. With CAL you can potentially identify 90% of the most relevant documents, by reviewing only 20% of them.
When considering current physical and financial constraints, it is possible that investigations may be comparatively scaled back. We therefore recommend that consideration be given to adopting advanced technologies that can help you focus on what is important, whilst still applying the principles of natural justice.
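The reprioritisation loop described above, sketched as an added example that is not code from the Bulletin or from any review platform. The corpus, the seed keyword "offshore", the function names and the simple token log-odds scorer are all assumptions made for illustration; a real platform uses its own classifier.

```python
import math
from collections import Counter

# Constructed sample corpus: (text, reviewer_decision). The decision stands in
# for the human reviewer and is only read when a document is "reviewed".
DOCS = [
    ("team lunch friday menu", False),
    ("quarterly budget meeting agenda", False),
    ("offshore account transfer approved quietly", True),
    ("printer toner order invoice", False),
    ("delete the transfer records tonight", True),
    ("holiday roster update friday", False),
    ("move funds quietly before audit", True),
    ("audit schedule meeting agenda", False),
    ("funds records delete before audit", True),
    ("car park access update", False),
    ("offshore wind conference invite", False),
    ("welcome new staff friday lunch", False),
]

def cal_review_order(docs, seed_keywords, batch_size=2):
    """Return the order in which documents reach the reviewer under CAL."""
    rel, non = Counter(seed_keywords), Counter()  # token counts per decision
    unreviewed, order = set(range(len(docs))), []

    def score(i):
        # Smoothed log-odds that the tokens of document i indicate relevance.
        return sum(math.log((rel[t] + 1) / (non[t] + 1))
                   for t in set(docs[i][0].split()))

    while unreviewed:
        # Re-rank the whole remaining queue after every batch of decisions.
        batch = sorted(unreviewed, key=lambda i: (-score(i), i))[:batch_size]
        for i in batch:
            text, relevant = docs[i]  # the reviewer codes the document
            (rel if relevant else non).update(set(text.split()))
            order.append(i)
            unreviewed.discard(i)
    return order

def docs_to_reach(order, docs, recall):
    """Number of documents reviewed, in this order, to reach the given recall."""
    total, found = sum(1 for _, r in docs if r), 0
    for n, i in enumerate(order, start=1):
        found += docs[i][1]
        if found >= recall * total:
            return n
    return len(order)

if __name__ == "__main__":
    cal = cal_review_order(DOCS, ["offshore"])
    print("CAL:", docs_to_reach(cal, DOCS, 1.0), "documents to full recall")
    print("Linear:", docs_to_reach(range(len(DOCS)), DOCS, 1.0), "documents")
```

On this constructed set the keyword hit on "offshore wind conference invite" is coded not relevant in the first batch, and the later batches are driven by vocabulary learned from the reviewer's decisions rather than by the seed keyword.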
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
