Rigorous, defensible collection in a time-sensitive investigation

The challenge: Collect, image and return 50+ computers from senior stakeholders with minimum disruption, whilst maintaining impeccable and incontrovertible forensic data integrity.

Our highly experienced team of forensics experts collected, forensically imaged and validated more than 50 laptops and a number of desktops, imaging more than 35TB of data from hard drives in two and a half days.

Our client, a leading African law firm, made an urgent call asking us to scramble a team to take responsibility for imaging a large number of devices in an ongoing and highly sensitive investigation. Given our experience and knowledge of complex data collection cases, our client was confident not only that we would deliver within the short timeframes but also that the chain of custody would be guaranteed and all actions would be completed in a forensically sound and defensible manner.

Our approach was to set up a secure laboratory for processing at the client site. We also established a separate area for the receipt and return of the laptops to their owners, to ensure that access to the forensic environment was restricted to our team. All computers were carefully bagged, and evidence labels were meticulously applied and checked. We were careful to gather evidence in accordance with forensic investigation protocols, taking master and working copies, and storing everything in secure, clearly labelled locations. Our team also made efficient use of overnight hours to maximise imaging time, having previously ensured continuity of power supply so that outages did not disrupt the process. We were careful to ensure that each machine was returned to its owner in the same state as it had been received, so that disruption to the individuals involved was kept to a minimum.

Having secured digital copies of each device, we stored all the evidence in a forensically sound storage facility. A priority list of devices was provided, and within one week we were able to process, de-NIST, de-duplicate and identify initial custodians, reducing the volume of data under review to 2%-5% of its collected volume and delivering a first-pass draft report to the law firm. Further review using Reveal BrainSpace, AI-powered search and NLP was also conducted to assist in focusing the investigation. The remainder of the digital images were stored, ready for processing and review at short notice if and when required.

Salient’s team of experts are well versed in the defensible collection of data. Our attention to detail and experience ensure that the process is smooth and forensically sound. We are meticulous in ensuring that the chain of custody remains intact; all administration is efficiently organised, and our knowledge of digital forensic procedures guarantees that verified forensic images with the requisite digital signatures are always obtained and that the integrity of the device we are imaging is preserved.
