4 things to consider when working with digital investigators

Here at Hexigent, we’re driven by our passion for digital forensics and investigations. We love providing services that allow our clients to make truly informed decisions. With that in mind, we wanted to give you an idea of what happens when you contact us looking for support. The subject matter may differ, but the 4 key elements that drive effort estimates and timelines are listed below:

1. What’s the story?

What’s the background to the situation? We want to be efficient, and understanding the bigger picture usually allows experienced investigators to provide guidance and suggestions early. Our goal is to meet your objectives as soon as realistically possible, so we’ll probably ask you specific questions and guide you through the aspects of the situation that are most relevant to us.

You should remember that digital forensic examinations can only be done on systems, devices and data that you have authorized access to. If you don’t, then there must be a legitimate legal basis (such as a court order) that would allow for its examination. For example, while we appreciate that you might want to know who is behind an anonymous email account, most of the time it will also take a court order to obtain that information from the provider.

2. What are you trying to find out?

Everything listed here is important, but this really is the key question. What is being investigated and what do you need to know? Did person ‘X’ access certain folders and files? Why was a breach attempt successful? Who took the data from your company and shared it with a competitor? These are just some common examples of what we get asked.

Your needs are varied and most examiners are used to dealing with an array of requests. Give this some thought and, ideally, work with your legal counsel: typically they are the ones who will ultimately use our findings, so it’s best to work with them directly from the start.

3. What have we got to work with?

All of the scenarios that require our services have a common element, namely that digital evidence exists and needs to be reviewed. Sometimes data recovery has to occur before anything can be examined, but every case needs a starting point; usually that’s a system, a device (like a phone or tablet), or a data set. We understand you may not have all the facts to start with, but here’s some guidance as to what we would ideally want to know:

The potential sources of information

Mobile device? Computer system? Large set of data? Knowing the make, model, operating system (and version), what type of data it holds and what access rights users had to it broadly dictates what’s possible. Full-disk encryption or a locked mobile device, for instance, can change the approach entirely.

The amount of data in scope

The size of the physical storage media (typically a ‘hard’ or ‘solid state’ drive) dictates how long it will take to make an exact ‘image’ of everything. An image is a bit-for-bit copy of the original media, taken in a way that preserves its structure and content, including unallocated space. Typically we need to create such images so that lost data or deleted artifacts can be recovered, and so the examination is done on the copy rather than the original. The image is verified by computing a cryptographic hash of the original media and of the copy; matching hashes are what allow the copy to stand in for the original. If data sets from, say, a network storage facility are being reviewed, then telling us the overall amount of data involved (usually measured in gigabytes or terabytes) is ideal.
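The following is an added example, not Hexigent’s tooling or anything from the original post, showing what “an exact image” means in practice: the media is copied byte for byte, a hash is computed over the bytes as they are read (the acquisition hash), the finished image is re-read and hashed independently (the verification hash), and a simple signature carve over the image finds a “deleted” file header that still sits in unallocated space. The 64 KiB “device” file, the planted PNG headers and their offsets are all constructed for the example; a real acquisition would read the physical device through a write blocker rather than a file on disk.

```python
"""
Forensic-style acquisition of a storage device into a raw image, with the
acquisition/verification hash pair, plus a minimal signature carve over the
image. Added example; the sample media below is constructed, not real evidence.
"""
import hashlib
import os
import tempfile

CHUNK = 4096                      # sector-aligned read/write size for the demo
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # 8-byte PNG file signature
# Constructed offsets at which a PNG header is planted in "free" space.
# The first one straddles a CHUNK boundary (8192) to exercise the carver.
PLANTED = (8 * 1024 - 3, 40 * 1024 + 100)


def build_sample_device(path, size=64 * 1024):
    """Constructed sample media: deterministic filler (consecutive bytes differ
    by 31, so the filler can never spell the PNG signature) with PNG headers
    planted where a file system would have left a deleted file's bytes."""
    media = bytearray(((i * 31 + 7) & 0xFF) for i in range(size))
    for off in PLANTED:
        media[off:off + len(PNG_MAGIC)] = PNG_MAGIC
    with open(path, "wb") as f:
        f.write(media)
    return size


def acquire_image(source_path, image_path, chunk=CHUNK):
    """Copy the source to the image byte for byte, hashing the bytes as they
    are read from the source. Returns (bytes_copied, acquisition_sha256)."""
    h = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    return copied, h.hexdigest()


def hash_file(path, chunk=CHUNK):
    """Independent re-read of a file; this is the verification hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(source_path, image_path):
    """True only if the original and the image hash identically."""
    return hash_file(source_path) == hash_file(image_path)


def carve(image_path, magic, chunk=CHUNK):
    """Return every byte offset in the image where `magic` occurs. A tail of
    len(magic)-1 bytes is carried between reads so a signature that straddles
    a chunk boundary is still found, and no match can be counted twice."""
    offsets, buf, base, overlap = [], b"", 0, len(magic) - 1
    with open(image_path, "rb") as f:
        for data in iter(lambda: f.read(chunk), b""):
            buf += data
            i = buf.find(magic)
            while i != -1:
                offsets.append(base + i)
                i = buf.find(magic, i + 1)
            keep = min(overlap, len(buf))
            base += len(buf) - keep
            buf = buf[-keep:] if keep else b""
    return offsets


def run_demo():
    """Acquire, verify, carve, then flip one byte of the image to show that the
    verification hash detects any change to the copy. Returns the results."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        size = build_sample_device(src)
        copied, acq_hash = acquire_image(src, img)
        result = {
            "size": size,
            "copied": copied,
            "acquisition_hash": acq_hash,
            "verification_hash": hash_file(img),
            "verified": verify_image(src, img),
            "carved": carve(img, PNG_MAGIC),
        }
        with open(img, "r+b") as f:          # simulate a modified image
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        result["verified_after_tamper"] = verify_image(src, img)
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of computing two hashes is that the acquisition hash is a record of what was read from the device at the time, while the verification hash is taken from the finished file; a mismatch means the image cannot be relied on, which is exactly what the tampered-image check at the end demonstrates. Carving is shown here only to illustrate why the image, not the live file system, is what gets examined: the planted headers are found even though no file system entry points at them.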

Who’s involved?

There are two sides to any digital activity: the source and the target. For example, if you need to identify who accessed certain data, then both the location that stored it and the system or device that accessed it would normally carry traces of the activity.

Would there be an opportunity to examine both? How many people or applications had authorized access through normal channels, and how many (administrators, for example) may have been able to circumvent the normal controls as part of their role? The goal is to simplify the approach and take the most direct investigative route, but sometimes the obvious systems and devices are not available, so it’s best to consider all options.

4. How long does it take?

There are two points to consider when trying to estimate timelines. Firstly, when did the event or incident take place? Can the investigation be focused down to a window such as an hour, a day, a week or a month? A narrower window normally results in more focused investigative work, and in turn more efficient and timely results for you.

Secondly, when do you need this? Is there a court date set? Are you a company that needs something in place before a compliance deadline? If we know how urgent the matter is, we can prioritize the investigative activities and let you set everyone’s expectations on your side. We know that sometimes when you call us, it may be extremely urgent. We’re used to those situations and can respond quickly; sometimes we can begin work on the same day.

Every investigation is different, and the background, data, infrastructure, systems and device types and purposes are diverse. If you keep the above elements in mind before you start your search for digital forensic support, it should result in a more efficient overall experience. If you’re not sure how to start, or what to ask, call us anyway. We’re transparent in everything we do and are always happy to discuss a case and give you our opinion on the best approach.