03 Oct Why Use a Digital Forensic Specialist When You Have an IT Department?
You have your own IT department. Something goes wrong and you need to carry out in-depth, discreet enquiries. Can your own IT people pitch in and gather the necessary evidence? We explore the reasons why it’s vital to hand over to a digital forensic specialist.
The importance of legal admissibility
The data you collect must be legally admissible, the first reason why it’s so important to bring in a digital forensic specialist. Only they can ensure the information is ‘provably reliable’. We’re specially trained in collecting, preserving, analysing and presenting data evidence. No matter how experienced the people in your IT team are, it’s unlikely they have the specific expertise needed to guarantee data reliability in a legal context. It’s specialist knowledge.
When the other side has the right levels of expert support
If there are two sides involved in resolving an issue in the courts it’s even more important to get the right professional support, since the other party will probably have a digital forensic specialist of their own on the case. It’s difficult to convince a court or tribunal beyond all doubt that the data produced by inexperienced non-specialists is complete, untainted and 100% admissible, and in our experience it just isn’t worth the risk.
Can you guarantee your internal IT team’s impartiality?
Could your internal IT team unwittingly compromise your case thanks to doubts about their impartiality? If you’re investigating a delicate employment matter, for example, you might end up having to deal with counter-claims for constructive dismissal.
Discretion is key, but with the best will in the world it’s unwise to rely on your IT department’s corporate loyalty. They might place more value on the welfare of a colleague than the success of your legal case against one of them. We, on the other hand, are not employees, so we’re naturally impartial.
The things your internal IT people MUST know
Here’s a checklist of the essential things your internal IT team needs to be aware of before you let them loose on digital evidence collection.
- Do your IT people appreciate how their actions can affect evidence, for example overwriting information or changing the last access dates?
- Do they have access to write-blockers, devices that let you acquire information without accidentally damaging the drive’s contents?
- Are they familiar with the applicable laws and evidential guidelines?
- Can they establish and maintain a valid chain of custody, also called continuity?
- Are they able to explain the consequences of their actions clearly in court?
- Do they know the correct procedures around finding illegal material on your system, for example indecent photographs of children?
- Do they test their equipment and software, and do they cross-verify the output?
- Do they know how to create and preserve an audit trail of the actions they’ve taken?
- Are they familiar with writing witness statements and technical reports?
- Can they accurately explain their actions to a non-technical person, in plain language?
- Will they be seen as an independent, disinterested party by the other side and the court, or do they have an interest of some sort in the outcome?
How expert data gathering supports the right results
As digital forensic specialists with many years’ experience, combined with access to the finest specialist software and hardware available, we have exactly what it takes to ensure the best possible outcome for our clients. But we do much more than resolve issues that have already arisen. We also help prevent issues arising in the first place, thanks to our specialism in forensic readiness.
This means helping our clients successfully negotiate future incidents via a set of proven processes and procedures, as well as helping them to avoid incidents in the first place. When all the right evidence generators are in place and your first responders have had forensic awareness training, you dramatically improve the probability of the right results.
If you’d like to future-proof your organisation against future incidents, or deal with a current one, feel free to contact us.