CYFOR Blog

During certain digital forensic investigations, there are circumstances where clients require a forensically sound collection via remote data recovery or on-site collection.

The retrieval of digital evidence through remote and on-site investigations is crucial when involving the forensic imaging of computers and associated media. This is especially important in cases where further investigation or disclosure may be required. Capturing this data using a forensically sound methodology is vital if the integrity of any subsequent investigation is to be maintained.

When is remote data recovery required?

• The device is still being used by a currently serving employee and the data needs to be collected covertly.
• The device is located in another country and the logistics make it easier for a remote collection.
• In instances where remote collections are required, CYFOR provides a pre-programmed data scanning device (Pulsebox) which can be simply plugged into the client’s IT system. Once connected to the client’s system the proprietary device acquires the data from the targeted devices.

 Remote Data Recovery Case Study

Detailed in this case study, remote data recovery proved exceptionally useful during an investigation of a financial institution firm. The institution suspected a senior employee (who was apparently very tech-savvy) of remotely accessing and downloading large amounts of client data to his own devices, then attempting to delete the evidence. During the investigation, the login activity identified that this was occurring outside office hours, specifically in the early hours of the morning in an attempt to hide their malicious activity in system updates.

With the Pulsebox connected to the IT system, CYFOR’s experts were able to collect the digital evidence and identify what was being downloaded. From this, they then produced a court-admissible report which was used by the firm’s lawyers to make sure the individual was unable to use the data in their new business venture.

When are collections through on-site investigations more suitable?

• There are multiple devices to be forensically imaged and there would be too much interruption to the business if they were to be imaged off-site.
• It is a requirement under a search order, where the devices cannot be removed from the site.
• Simply, the client needs to reduce the potential downtime as the device needs to be reissued to another employee.

As digital forensic experts, CYFOR would identify the specific make and model of devices to be forensically imaged, and therefore bring the required equipment to image on-site. The length of time it takes to forensically image a device usually comes down to the amount of data on each specific device. The forensic examiner would attend on-site and forensically image the devices, acquiring the data whilst adhering to the ACPO Principles. The collected data is then transferred from an exhibited external media i.e., USBs or Hard Drives to an in-house secure server. The digital forensic team then process and analyse the acquired data through forensic software.

On-site Collection Case Study 1

A recent enquiry revolving around a company under a potential Serious Financial Fraud (SFO) investigation. They were pre-empting a request for data. For business reasons, the two custodians of the devices could not be without their devices for any length of time. CYFOR sent two forensic examiners on-site to acquire all the data from multiple devices. The data is safely stored on our secure servers should it be required in any future investigation.

On-site Collection Case Study 2

CYFOR were instructed under a serve and collect order as part of a major fraud investigation for a global company. Upon attending the individual’s home address, our experts forensically imaged all their personal devices. The acquired data was then uploaded onto an eDiscovery platform. The data was indexed to review client documents and is filtered for further analysis and identification.

CYFOR’s Digital Forensic Expertise

CYFOR are specialists in capturing and collecting data from all types of media. Our team operates globally, often travelling at short notice to ensure that a complete set of onsite data is recovered, and have provided data collection services to assist clients in a variety of circumstances;

• Investigating suspicion of fraud.
• Extracting data to comply with regulatory disclosure.
• Investigating collusion or corruption.
• Preserving data during litigation or electronic disclosure.
• Securing information for insolvency or business recovery.