Three Things to Look for in a Digital Forensics Provider
- 3 min read
During the discovery phase of litigation or an investigation, organizations need to defensibly collect and analyze data under pressing deadlines. When digital forensics is involved, there needs to be a high level of trust in the team of experts that a provider utilizes as this process often involves sensitive information and technical methodologies. Organizations need to perform their due diligence and vet potential partners in this space that comply with industry best practices.
Key attributes to look for when choosing a provider for your forensic data collection
Customization: Every matter is different and will require varying levels of analysis and expertise. Sometimes only a baseline review of data activity is required while other times a more in-depth analysis into communications or evidence spoliation/destruction may be necessary. Look for a provider that builds this into their business model by personalizing data collection and forensic analysis services based on a client’s technology configuration and common case types. The result with be methods and workflows that ensure maximum service value with quick turnaround times.
Having tiers of service with pre-established pricing is optimal and provides flexibility based on data analysis needs. For example, a first pass forensic review could look at artifacts like operating system information and installation, current user profiles, evidence of data wiping, activity on key dates, external devices, and visited websites. After this, the client and provider can determine if a more advanced review is necessary. A subsequent review could take a deeper dive into things like data exfiltration and recovery or parsing of relevant communications.
Diverse experience: A provider that offers a comprehensive and complete set of forensic services is ideal. While you want a provider that leverages advanced technologies, experts also need to rely on a time-tested set of standard work instructions and documentation methods to maintain legal defensibility. Forensic experts should be able to coordinate data collection and analysis from common electronically stored information (ESI) sources like Google, Microsoft, and Apple, in addition to less common ESI sources like Slack, Jira, and Confluence. Experts should have the capacity to review a range of forensic artifacts such as USB activity, chat communications, email, browsing history, installed applications, and more. Reports should contain key information like when USB devices were plugged into a computer, what files were opened on the computer and when, indications of any mass deletion activities, when applications were run and what content the user was browsing.
Some other attractive offerings include a team of forensic experts that hold industry credentials and are experienced with providing testimony during a court proceeding, investigation or arbitration. This includes deposition testimony, discovery affidavits and trial testimony where the experts are required to demonstrate the methodologies they employed that culminated in reported findings crucial to the matter.
Collaboration: While forensic analysis will ultimately result in a findings report, organizations should look for a provider that communicates with the legal team throughout the entire lifecycle of a project. This provides the opportunity for feedback and the ability to quickly scale efforts or implement process changes if necessary. Initially, there should be an in-person meeting or conference call to discuss the case facts, matter stage, and forensic needs. Then, during the analysis forensic experts should be reporting on matters of importance as those situations are discovered. In short, the forensic expert should be working closely with key stakeholders as information unfolds to ensure the most important information is surfaced and highlighted as quickly as possible. A final comprehensive and defensible report containing an expert’s findings is the typical end-product of any forensic analysis.
Partnering with a provider with these attributes will streamline complicated matters, mitigate risk, and control costs. This also provides a level of confidence that the same provider can complete future projects effectively and efficiently, which eliminates the hassle of vetting new talent each time a forensic need arises. This is especially beneficial to organizations that deal with complex litigation or regulatory inquires that often take unpredictable turns and that are under tight production timelines.