Mariam Absar ACCA offers an overview of the challenges and complexities involved in corporate forensic analysis, and looks at how investigators go about their work
Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.
This article was first published in the April 2019 international edition of Accounting and Business magazine.
The massive intrusion into everyday life and business operations alike by technology shows little sign of coming to an end. One byproduct of this phenomenon is that the true history of events or incidents can increasingly be teased out through the careful analysis of digital activity.
Digital footprints, if captured properly, can be turned into digital evidence, which can lead to the indictment or vindication of an individual or organisation in civil or criminal cases. And with some 20 billion internet-enabled devices expected to be in existence by 2020, digital’s scope for supporting investigations is huge.
This work is called digital forensics – the collection and analysis of data from computers and other electronic devices in order to obtain evidence that will be admissible in a court of law. Any failure to observe adequate search and seizure process can ruin an investigation, regardless of how incriminating the evidence is, so it is particularly important that forensic investigations in the digital sphere comply fully with the law.
Examples of investigations that may turn to digital forensics include hacking, unauthorised use of corporate computers and any physical crime committed by a suspect in possession of a computer or any other IT device.
Digital forensics can help companies unravel the chain of events and collect material evidence. Examples include when corporate information is disclosed without permission – for example, when an employee steals intellectual property from their employer and passes it on to a competitor or uses it to set up a competing company – or other non-violent and financially motivated crimes that are committed by business professionals or governments.
Reconstructing the truth
The main goal of any forensic investigation is to reconstruct the truth of an event by discovering residual facts (‘remnants’) on an IT system. These remnants can subsequently be used in court as evidence.
Digital forensics is divided into two broad categories, based on the evidence source:
- Networks. This covers the assessment of incoming and outgoing network traffic to ascertain how an event was carried out and to determine internal/external threats.
- Devices. This covers the assessment and collection of evidence from IT devices such as laptops, tablets and external drives.
Digital evidence needs to be gathered and treated with care, as any negligence may impact its integrity and usability. Evidence presented in the report and investigation should be admissible, authentic, complete, reliable and believable.
The investigating team’s primary concern is to determine the validity of the types of forensic tool used for data and evidence collection. For example, using unlicensed software or following inadequate procedures may result in the evidence gathered being ruled inadmissible. If the software is open source, the forensic team should ensure it is the authorised and verified version.
It is important to maintain the record of collected evidence as required by the local jurisdiction. There must also be adequate facilities for safe storage and easy retrieval of data and devices – they may need to be produced in court.
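The two preceding points – keeping evidence intact and keeping a record of who held it – are usually met in practice by hashing each item at the moment of acquisition and appending every hand-over to a custody log. The following is an added example, not code from the article or from any forensic product; it assumes SHA-256 as the hash and a simple in-memory manifest, and the "evidence" file it hashes is a constructed sample written by the script itself. The same hash check is what the article's point about verified tool versions amounts to: comparing a downloaded tool against the publisher's checksum before it is used on a forensic workstation.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample. In a real case this would be an acquired disk image,
# an exported mailbox or a log file, not bytes written by the script.
SAMPLE_EVIDENCE = b"hello world\n"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(path, expected_hex):
    """Compare a file against a published hash: a tool download against the
    publisher's checksum, or an evidence copy against its acquisition hash."""
    return sha256_file(path).lower() == expected_hex.lower()


def acquire(path, examiner, manifest):
    """Register a collected item: its hash, who collected it and when (UTC)."""
    item = os.path.basename(path)
    manifest[item] = {
        "sha256": sha256_file(path),
        "custody": [{"event": "acquired", "by": examiner,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }
    return manifest[item]


def transfer(item, from_examiner, to_examiner, manifest):
    """Append a hand-over to the custody trail; the recorded hash is never
    changed after acquisition, so later verification is against the original."""
    manifest[item]["custody"].append({
        "event": "transferred", "from": from_examiner, "to": to_examiner,
        "at": datetime.now(timezone.utc).isoformat()})


def verify(path, manifest):
    """True if the item still hashes to the value recorded at acquisition."""
    return hash_matches(path, manifest[os.path.basename(path)]["sha256"])


def demo():
    """Acquire the constructed file, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "export.bin")
        with open(evidence, "wb") as f:
            f.write(SAMPLE_EVIDENCE)
        manifest = {}
        acquire(evidence, "examiner-1", manifest)
        transfer("export.bin", "examiner-1", "examiner-2", manifest)
        intact_before = verify(evidence, manifest)
        # Careless handling simulated by appending a single byte to the copy.
        with open(evidence, "ab") as f:
            f.write(b"\n")
        intact_after = verify(evidence, manifest)
        return {
            "intact_before": intact_before,
            "intact_after": intact_after,
            "custody_events": len(manifest["export.bin"]["custody"]),
            "manifest": json.dumps(manifest, indent=2),
        }


if __name__ == "__main__":
    result = demo()
    print(result["manifest"])
    print("intact before:", result["intact_before"],
          "intact after:", result["intact_after"])
```

Run it as a script to see the manifest and the before/after verification result. In a real investigation the manifest would be written to write-once storage and the acquisition hash recorded in the contemporaneous notes, so that the copy produced in court can be shown to match what was seized.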
Key guiding principles for forensic investigators include: do not surf the internet, check emails or perform general IT duties from the forensic workstation; and never allow peer-to-peer file-sharing applications to be run on the same network as the forensic workstation.
Given the spread of digital technology in the workplace, and the large amounts of digital data created, digital forensics is set to be a significant growth area. Digital forensic procedures may be time-consuming and disruptive, but the potential costs of not conducting a proper digital forensic examination may be substantial – if not disastrous.
Mariam Absar ACCA is director of advisory services at Limitless Consulting in the United Arab Emirates.