Key points
- Digital forensics is the process of extracting and interpreting electronic data for use as intelligence or evidence in an investigation.
- Digital forensics is a vital part of identifying and pursuing cyber criminals who target companies and individuals with cyber-attacks, but it also has a key role in solving offline crimes.
- In most jurisdictions, there are standards and guidelines that digital forensics practitioners must follow to ensure that the evidence they find is robust and their findings can be relied on by courts and regulators.
- ‘Digital forensics’ is a broad term that covers specialist areas, such as memory forensics, network forensics, mobile forensics, and internet of things (IoT) forensics.
- Electronic discovery (eDiscovery) and digital forensic investigations are both processes that deal with electronically stored information (ESI) in legal matters or investigations. However, they differ in their focus and the tools they require.
A detective at the keyboard
It is not just cyber criminals who leave behind trails of digital evidence. From the killer who Googles “how to clean a crime scene”, to a disgruntled employee who steals their company’s sensitive IP, a digital forensic investigator will be called on to help solve a range of civil and criminal cases.
The Forensic Science Regulator defines digital forensics as “the process by which information is extracted from data storage media, rendered into a useable form, processed and interpreted for the purpose of obtaining intelligence for use in investigations, or evidence for use in criminal proceedings.”
This is a broad definition, but it encompasses the varied field of digital forensics and the range of devices that can be investigated. Investigators can be tasked with extracting WhatsApp voice notes from a victim’s phone to piece together a timeline, analysing a Fitbit to disprove the version of events in a serious crime, or analysing an Amazon Firestick, a hotel room TV, and a mobile phone to prove that a teenager on bail had hacked Rockstar Games.
As in traditional forensic science, Locard’s exchange principle that “every contact leaves a trace” also applies to digital forensics. Investigators must seek to answer four fundamental questions:
- Who?
- What?
- Where?
- When?
The first question (who?) is hardest to answer, as it is not always possible to place a person ‘in front of the device’.
Many jurisdictions prescribe how this evidence should be collected and presented. In the UK and Ireland, for example, digital forensic experts must follow the National Police Chiefs’ Council (NPCC) guidelines and the ten principles set out in the College of Policing’s Authorised Professional Practice: Extraction of materials from digital devices. (The NPCC guidelines were created in 2015, when the NPCC was known as the Association of Chief Police Officers (ACPO), so the NPCC guidelines are still often referred to as ‘the ACPO guidelines’.)
Digital forensics: The growing weight of digital evidence
Digital forensics is a fast-changing growth area that’s not just of interest to law enforcement. Its traditional roots have been in offline analysis of computers and laptops, but it has grown to become an umbrella term that covers a range of expert areas, including:
- IoT forensics – the “internet of things” (IoT) is a broad term that can cover everything from a smart fridge to a complex network of traffic lights. The use of drones to smuggle contraband over prison walls is well documented, but that is at the more modest end of the scale. Cyber criminals can target entire countries through their critical infrastructure (such as their power grids or air traffic control systems). IoT forensics can therefore be especially difficult, both because of the sophisticated technologies often in use and because of the legacy or proprietary systems that are still common in manufacturing and similar industries.
- Memory forensics – a specialist area that focuses on analysing a computer’s volatile memory (RAM, Random Access Memory). The data of interest is temporarily ‘resident in memory’ and may be lost when the computer is shut down or crashes. This data can prove invaluable during incident response by revealing running processes, open network connections, and malicious code that never touches ‘the disk’.
- Mobile forensics – the recovery of digital evidence from mobile phones, tablets and other mobile devices is an increasingly critical aspect of investigations because of the growing reliance on mobile devices in every aspect of people’s lives. This complex specialism not only has to keep pace with yearly changes in device hardware and core operating systems and regular updates to the applications of interest, but also has to work around the increasing security measures applied by mobile device vendors.
- Network forensics – a specialism that focuses on monitoring, capturing, and analysing network traffic. The sources can take the form of simple network logs, targeted packet captures, or, in highly mature networks, full network flow data. Interpreting these sources can help identify malicious connections to adversary infrastructure, an ongoing denial-of-service attack, or the act of data exfiltration.
Thomas Murray can assist with all aspects of digital forensics, including:
- Forensically defensible collection and preservation of evidence from a range of digital sources.
- Independent analysis of devices for all manner of matters, including intellectual property disputes, insider theft, and ongoing litigation.
- Associated expert reports and testimony, with experience covering criminal and civil cases across a wide range of jurisdictions.
eDiscovery: See you in court
Electronic discovery (eDiscovery) is the digital process of identifying, collecting, and producing electronically stored data needed as evidence in a legal or regulatory matter.
Potential evidence could come from a range of data types – emails, documents, presentations, databases, audio and video files, social media, messaging systems, and cloud-based collaboration systems.
To add to the complexity, the vast amount of electronic data that the average organisation creates and stores every day continues to increase exponentially. Digital evidence is more dynamic and transient than physical evidence. It often contains metadata, which includes information such as date and time stamps, author and recipient details, and other properties.
It is crucial to preserve the original content and metadata of ESI to ensure the defensibility of the process and prevent claims of evidence tampering. This can be achieved by appropriately and proportionately applying a digital forensic approach to the preservation and collection of data.
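The preservation point above can be made concrete with a small collection-and-verification routine. This is an added example, not Thomas Murray’s tooling: it records a SHA-256 hash and file-system metadata for each item at collection time, shows that a forensic-style copy (shutil.copy2) keeps the modification time where a plain byte copy does not, and flags any later change to the original. The sample message and its fixed timestamp are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

SAMPLE_BYTES = b"From: alice@example.invalid\nSubject: constructed sample\n"  # constructed data
SAMPLE_MTIME_NS = 1_600_000_000_000_000_000  # fixed so the metadata check is deterministic


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_record(path):
    """Record the content hash plus file-system metadata at the moment of collection."""
    st = os.stat(path)
    return {"path": path, "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_file(path)}


def preserve_copy(src, dst):
    """copy2 carries the modification time across; a plain byte copy would reset it."""
    shutil.copy2(src, dst)
    return collect_record(dst)


def verify(path, record):
    """Re-derive the record for the file and list every field that no longer matches."""
    current = collect_record(path)
    return [k for k in ("size", "mtime_ns", "sha256") if current[k] != record[k]]


def demo():
    """Collect, copy and verify a constructed file; returns the findings for each case."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "message.eml")
    with open(src, "wb") as f:
        f.write(SAMPLE_BYTES)
    os.utime(src, ns=(SAMPLE_MTIME_NS, SAMPLE_MTIME_NS))
    record = collect_record(src)                       # the manifest entry taken at collection
    forensic = preserve_copy(src, os.path.join(workdir, "message_forensic.eml"))
    naive = os.path.join(workdir, "message_naive.eml")
    with open(naive, "wb") as f:
        f.write(SAMPLE_BYTES)                          # same bytes, metadata not preserved
    with open(src, "ab") as f:
        f.write(b"edited later\n")                     # simulate a change to the original
    return {"forensic_copy": verify(forensic["path"], record),
            "naive_copy": verify(naive, record),
            "tampered_original": verify(src, record)}
```

An empty list for the forensic copy means content and metadata still match the collection record; the naive copy fails only on timestamp, while the edited original fails on size, timestamp and hash.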
Once identified, all documents that might be relevant (including hard-copy materials) are analysed by specialist eDiscovery software to identify common themes and accelerate the elimination of irrelevant or duplicative information.
This is not just to save time and costs – everything found during the eDiscovery process may be disclosed to counterparties and even end up on the public record. Care must be taken to identify data that may contain private, commercially sensitive, or legally privileged information.
Often, courts and regulatory bodies will require that such processes be verified as a Statement of Truth from the parties involved, so it is important to ensure that oversight of any process is maintained by individuals with the appropriate level of seniority and expertise. Without this expertise, the approach may be called into question and could result in sanctions for spoliation and adverse inferences being drawn.
As with most areas of digital technology, these complex fields are evolving all the time as advances in AI and machine learning demand new skill sets and areas of expertise. Thomas Murray’s experts stay ahead of the curve, maximising the use of technology to lower costs and reduce complexity, while still maintaining a defensible approach.
Thomas Murray can assist with all aspects of the eDiscovery process, including:
- Policies and procedures for litigation readiness.
- Vendor assessment and selection.
- Provision of eDiscovery processing and hosting for document review.
- Advanced technologies to reduce the burden of legal review, such as supervised machine learning (for example, technology assisted review (TAR) and continuous active learning (CAL)); generative artificial intelligence (GenAI); natural language processing (NLP); and entity extraction.
- Assessment and triage of large pools of data.
- Document review by legally qualified practitioners, including privilege, privacy and confidentiality, and business secrets.
Please contact our team to find out more about how digital forensics and a defined approach to eDiscovery can help safeguard your organisation and its people.