Rejil Kumar Rajan analyses how changing technology is challenging traditional investigation methodology. He offers practical considerations organisations should focus on to apply and integrate technology more effectively in corporate investigations.
In this digital era, rapidly evolving technology has disrupted traditional approaches to investigations. Technological advancements frequently outpace legal reforms, regulations, and industry knowledge, so investigators must develop and update their methods to keep up with the breakneck pace of digital transformation.
Changing data sources
While investigators in bygone eras focused on collecting hard copy documents from an organisation or custodian, in recent years, changing user habits have prompted investigators to shift their attention to digital sources such as emails, company servers and computer files. Investigators often first turn to a custodian’s mobile phone, as it is typically an individual’s most frequently used device and often contains all the relevant applications and data required for an investigation.
But it is not just user habits that are changing data sources – it is also the technology in the devices themselves, which means conducting investigations will only become more complex. Take, for example, Solid State Drives (SSDs) in computers, which can typically immediately remove every trace of a deleted file far more effectively, unlike older devices, which retain the file until newer files overwrite it. Prior to the introduction of SSDs, investigators recovered deleted files to understand the deletion pattern of the suspect and look for efforts to hide or remove evidence. The change has forced investigators to rethink their methodology, use technology teams from the start of an investigation, and ensure that the custodians are not given the time to delete any files.
Meanwhile, applications on mobile devices are introduced and updated constantly. Many applications come with built-in encryption technology, making it difficult for investigators to decrypt data without specialist tools. An ideal example is WhatsApp’s introduction of end-to-end encryption in 2016. After encryption was introduced, data could only be extracted from the WhatsApp cloud through a complex exercise requiring custodians’ authentication credentials at multiple levels. Luckily for investigators, in recent years, forensic vendors have worked with various application owners and mobile phone companies to improve their software to support the decryption of WhatsApp messages; such software has become vital to keeping organisations' forensic toolkits up to date.
In the financial space, it is ever harder for investigators to extract data owing to emerging technology used to conduct financial transactions, such as blockchain and cryptocurrencies. The anonymity that cryptocurrencies offer makes it convoluted for an investigator to identify who has carried out a transaction. Couple this with the burgeoning data volumes in the cloud that has ensued since the world went predominantly online owing to the COVID-19 pandemic, and the need for investigators to offer fresh thinking and technology enabled-methods has never been more urgent.
Exploding data volumes
Organisations using cloud solutions can easily increase their storage space, thereby creating a new challenge for investigations: a proliferation in the volume of data captured and stored. Data volumes will continue to increase exponentially due to the introduction of various sources generating this demand, such as mobile devices, the Internet of Things, and social media platforms.
Historically, when data volumes were small, simple analytical skills and tools such as Microsoft Excel were sufficient to analyse data. Now, the amount of data mushrooms into the terabyte range for even the simplest investigation. Analysis requires the right technology, advanced analytics, and specialised forensic skills. Law firms and investigators need to develop these skills in house or rely on trusted partners with these skills and tools.
Case in point
Control Risks recently helped a large global technology client after they were crippled overnight by a cyber attack that encrypted multiple critical systems. Control Risks worked with various stakeholders to immediately contain the environment, manage the crisis, and restore the business to a fully functioning state. In tandem, Control Risks and the client's external legal counsel were busy enacting data preservation and determining:
- What systems had been accessed by the attackers and to what degree
- The digital location of any personally identifiable information (PII) that had been taken and which individuals at the client company had potentially been affected
- Commercially sensitive materials relating to business partners or clients that the attackers could use as blackmail or for espionage
Control Risks identified 185 compromised devices across the client's global network and determined that approximately 450 terabytes of data (265 million individual files) had been affected. Given the regulatory reporting requirements in multiple jurisdictions and the time-sensitivity of the matter, our team had to work closely with the client's external legal counsel to devise an approach that would massively scale down the amount of data for the lawyers' review to only what was necessary and manageable, and to assist them in conducting targeted interviews.
We devised an approach bespoke to the situation, incorporating digital forensics, data analytics and eDiscovery techniques. Our solution helped us understand the contents stored on the compromised servers and assign risk scores to the servers. Control Risks developed an automated and supervised solution to collect information from each affected server and converted them into an interactive dashboard to identify high-risk pockets of files likely to contain PII. This analysis allowed counsel to reduce the servers to be analysed by 53 per cent before any data collection was considered. The remaining 47 per cent was still an enormous undertaking, so we needed to decrease this volume further. Control Risks took the dashboards and targeted user-generated files to reduce the volume collected by a further 34 per cent (90 million documents). The volume was further reduced to 60,000 files by applying advanced but defensible Machine Learning and Artificial Intelligence techniques. The reduced volume of data and application of the appropriate technology solutions allowed counsel to complete the review in the required time frame and provide an extensive report to the regulators.
Users are changing
As technology advances, the way users interact with these tools is also evolving. Data privacy concerns and the increase in cyber attacks have made users more vigilant, and users have adopted techniques and technology to keep their data encrypted. Fearing a potential leak of their personal information, many users have begun migrating from older, commonly used applications to more contemporary, secure applications designed with these concerns in mind. We saw a high-profile example of this recently, when Facebook acquired WhatsApp and announced a change in their terms and conditions regarding the sharing of users' personal information. The change provoked an uproar on social media and prompted many WhatsApp users to migrate to Signal, another encrypted messaging service. According to a research firm Apptopia, Signal had 2 million downloads per day in January 2021, compared with relatively few downloads in December 2020.
Forensic vendors are still working on updating their software to decrypt messages acquired from the Signal application. Privacy concerns will continue to influence users' behaviour, and so investigators too must adapt to ensure their organisations to have the right tools and approaches to handle the everchanging digital landscape.
Pragmatic solutions
Although there is no silver bullet to address the myriad of challenges facing corporate investigators, we suggest organisations focus on three key points.
Involve forensic technology professionals from the onset of an investigation
When scoping an investigation, organisations should involve forensic technology professionals from the onset. These experts can develop innovative and customised solutions to narrow the volume of devices and documents to only those relevant for the investigation. It is best practice in an investigation to understand and identify all possible data sources that will require preservation. If data sources are encrypted or use novel technology that is not supported by the forensic tools being used for data preservation, this can be identified early on, and a methodology can be devised to handle the situation.
Keep abreast of emerging technologies and applications
Investigators and forensic technology professionals must stay up to date with technological advancements in the digital world. Only when we are well-informed about new data sources can we ask clients the appropriate questions about their technological capabilities and limitations during an investigation.
Ensure your organisation's toolkit and skillsets evolve with the technology
Forensic technology professionals must ensure they have the latest stable version of the available tools and have innovative and customised processes that can be scaled up to handle ever increasing data volumes and new data sources. For those organisations that do not have the required budget or in-house capabilities to do this, it is vital to develop a trusted partner relationship with a consulting firm with the appropriate skills and technological solutions. Waiting until a moment of crisis to negotiate arrangements adds unnecessary complications to all involved.