CYFOR Blog

Chris Dale from the eDisclosure Information Project interviews CYFOR Managing Director Joel Tobias, who talks about CYFOR, digital forensics and eDisclosure.  

About CYFOR…

CYFOR is a leading digital investigations company, operating from 5 offices across the UK and Ireland (Manchester, London, Aylesbury, Edinburgh and Dublin). Computer forensics was our original discipline and over the last five years, we have transformed into a digital forensics and eDisclosure business.

Our main client base is centred on both law enforcement clients, which is typically on the forensics side and leading law firms who are operating in the whole plethora of dispute resolution of some form. We have been trading now for 13 years and we have grown from a single-man business, which was myself, through to where we are now, which is just shy of about 40 people.

Could you elaborate on the difference between forensics and eDisclosure, where the one blurs into the other?

Well I believe now, there is a merging of the two disciplines, certainly at the beginning of the EDRM model and a cross over at the beginning of the forensics stages. We are positioning ourselves now as less of a forensics company on its own and more of an eDisclosure/ eDiscovery business. We will liaise with the client to determine what we think is the best methodology and often the cases we’re involved in will require both of the disciplines, which is why I believe that they are merging and will merge as we go forward.

There have been a lot of developments recently in the software used both for forensic collection and for eDisclosure. Perhaps you could talk us through what those differences are.

Yes that’s right and there is no ‘find evidence’ button, although people would like to think there is but the beginning part is obviously the data, which we know is growing exponentially on a daily basis, so that is critical, it is the critical starting phase of either a digital forensics investigation or an eDisclosure investigation.

And the tools – the tools have changed a lot over the years?

The tools do seem to be changing quite considerably, certainly on the eDisclosure side. In terms of digital forensics there are arguably two core products, which are Encase and Forensic Toolkit. Clearly there are other utilities that are on the market and obviously on the eDisclosure side, where companies are merging, buying each other out but there are half a dozen, maybe ten or twelve.

Depending on who you consider to be a brand leader, they are all doing similar things and all claiming that one will do better than the other, but effectively, I think they’re all doing pretty much the same thing.

Can you describe a typical project in which you might get involved on behalf of a client, perhaps to do with an employee?

From that particular perspective, I would see that typically being more of a forensic investigation if we’re concerned that the employee is breaching one of the computer policies that the company has or the individual is taking data – theft of intellectual property.

Traditionally we have to start with some evidence. That would be, where possible, a forensic image of the local workstation belonging to the employee, perhaps taking a snapshot of any profiles they have on any servers and then we’ll be using forensic methodology to basically identify an audit trail of what that computer has been used for depending on the nature of the enquiry. Have they been looking at inappropriate material online or have they been taking data? That will decide how we steer the investigation itself and typically we will start with a forensic image and then we will look at items of interest such as internet history, any deleted material, whether any data has been taken off the computer or been transferred onto external media. So again it depends on the nature of the enquiry and the starting point is again the initial evidence.

What about the situation where an employee is leaving or is about to leave the company?

I would still consider that to be digital forensics, depending of course on the nature of the alleged infringement. It may cross over into disclosure if it transpired to be a senior level director, and they had moved from one company to another. What may begin as a forensics enquiry may very rapidly turn into a requirement for eDisclosure. If litigation is certainly going to be apparent I would imagine that there is no doubt that the data we find will move from below the surface, which is the forensics side of it, to above the surface, which would be the full disclosure of material, such as emails, documentation etc.

If we move onto eDisclosure, where perhaps the norm is a firm of solicitors is instructing you to collect data, how do you take them through the process?

The first thing that we advocate is the preservation of the evidence, the data itself. We would discuss the appropriate collection methodology. With CYFOR being a computer forensics company traditionally, we again advocate where absolutely possible continuing with a forensic image. Traditionally it doesn’t take that much longer but it allows us to revert back to other areas, such as forensics if we have to. Using the tools that we have at CYFOR, we’re able to take data out of forensic images and go through the correct disclosure process. The starting point for us would be to collect data, preferably forensically. If that weren’t possible then we would be considering either midway between a logical acquisition or if we had to a live acquisition of data in native format.

There is an assumption that a forensic collection of data costs a great deal more than any other method of doing it.

Is that an assumption that is grounded in fact?

I don’t think it’s grounded in fact at all. I don’t believe that there is any greater time frame associated with taking a forensic image at all. Once we’re able to gain access to the equipment and start our imaging process, it might take longer in terms of time but not necessarily in terms of billing time. We will always try and provide a fixed quotation to our client base but we strongly recommend that the forensic image is taken because once we are part way through an investigation or enquiry we often find things that would be useful if we could reverse back to the forensic image. The net result is that it might take longer, marginally, but it’s not necessarily more expensive.

One of the things that we do try and get across to our client base is that if they invest that little bit of time we are saving in the long run because it is very common for the investigation to mushroom outside of the original focus points. If we need to go back, we’ve actually already collected the data in the appropriate format.

The principle point, I think for the benefit of those who might want to use your services is that you give them quotations.

Absolutely, I would say that in most cases we are able to give a very fixed quotation as to what each stage is going to cost and we are also very explicit in ensuring that where we are unable to do that, we explain the parameters in advance so that they have the information to hand. The one thing that we don’t advocate is a dripping tap kind of bill and we have many clients who come back to us on that basis.

That I think, just as a concept is something worth getting across because I think a lot of clients assume that they’re stepping into a pool who’s depth they can’t measure. You’re saying that’s not so at all?

Yes, we’re very much trying to work on a fixed quotation basis and yes clearly there are some parameters we have to caveat but again our background is that our client base traditionally needed, for their approvals process (particularly from public sector) a final price. We are trying very hard and have succeeded quite considerably in giving a very accurate fixed price quotation with very few variables and that allows the client to know their exposure right at the offset.

CYFOR has relationships with both Clearwell and with Relativity, perhaps you could take us through the software, which CYFOR uses for eDisclosure exercises.

We continue to use one particular product, which is Relativity. We chose Relativity because again the kind of client base we deal with were not au fait with the eDisclosure process at all. What we wanted to do was introduce them to an end to end solution, where their data was presented into one product and came out of exactly the same product. We felt that it was better to do that with a software platform such as Relativity.

What is the chief benefit that your clients will get from Relativity?

We believe that the processing will be considerably faster for some of the large volumes that we have going through our systems. We can also see that Relativity has some investigative capabilities that other vendors don’t have and Relativity is one of the products that is blurring the lines between forensic investigation software platforms and eDisclosure platforms as some of the capabilities are excellent. We have identified that it is a very quick processing tool and we believe that, that will allow us to turn around cases extremely quickly.