The post The Role of Digital Forensics in Cybersecurity Incident Response appeared first on CYFOR Forensics.
Digital forensics involves collecting, preserving, and analysing digital evidence to determine the scope of an incident, the techniques used by attackers, and the extent of the damage caused.
When a security incident is suspected, the first step is to preserve the digital evidence. Digital forensics experts use specialised tools and techniques to ensure that data is collected in a forensically sound manner, preserving its integrity and authenticity. This evidence can include log files, memory dumps, network traffic captures, and system snapshots.
Once evidence is collected, digital forensics experts analyse it to reconstruct the timeline of events leading up to and during the incident. They identify the attack vectors, techniques, and tools used by the attackers. This analysis provides insight into the attacker’s methods and helps in understanding the scope of the breach.
Once the extent of the compromise is understood, digital forensics aids in devising strategies to contain the incident and prevent further damage. This might involve isolating compromised systems, removing malware, and closing exploited vulnerabilities.
Digital forensics can determine patterns of behaviour. This is achieved by analysing various aspects of the attack, such as the tactics, techniques, and procedures (TTPs) used, as well as any artefacts left behind. Therefore, time is of the essence and an investigator needs sight of the data involved, which is a core element of any investigation. Most of the time an investigator will work on triaged data sets rather than full disk images, which is more digital forensics focused. If there’s a cyber incident taking place at that time, you need to be able to deal with it there and then.
Rather than dealing with, say, five terabytes worth of data, you might be whittling that down to 10% or so, if not less, just so you can have a good understanding as to what’s happened as quickly as possible to then provide the containment and remediation strategies as soon as you possibly can.
There’ll be ongoing communications in relation to the investigation with the client, and that’s the consultative approach, which is where there is quite a difference. Unless you’re working in the corporate arena for digital forensics, your traditional legal side, the criminal side of digital forensics doesn’t necessarily fall hand in hand with that aspect. That can be one of the more difficult things for people to pick up.
The digital forensics side of an investigation has numerous elements and many applications when it comes to the cybersecurity incident response world.
Digital Forensic Incident Response (DFIR) experts look at a situation with an investigative mindset, which massively assists in the cyber incident response side. Traditionally, the digital forensics elements are continuity-based with data remaining intact, as the verification data hasn’t changed, which in Incident Response is hugely beneficial. However, this is not always the case, as the necessity is to retrieve the data for investigation.
This is where the skill set of an experienced cybersecurity professional comes into play. The digital forensics angle, as it sits currently, is the primary focus of data collection. Maintaining evidence continuity is key, with correct data acquisition methods being vital.
Then there is the investigation approach, which also differs slightly as it looks at different datasets. There are traditional endpoints for an investigation, but you’ll also have a lot more evidence to consider, which could be live data that is being pulled there and then, or the incident may still be ongoing, so you’re monitoring the environments.
However, it also may be data, which is pre-event, so you can see what happened in the lead-up to the incident. This is where the mindset of an investigator comes into play because you’re building a timeline of events, you’re investigating what’s happened over a series of minutes, hours, days, weeks, whatever the case may be, which should then lead you down a path to have an overview of the root cause of the matter.
The application of business resumption and remediation can come in whilst an investigation is ongoing and can be done concurrently as you remediate and rebuild a network. A real-world scenario would involve an investigator going onsite after a client has suffered a cyber-attack or data breach, and forensically collecting the data ready for analysis. Once they are confident that the process has been completed, remediation can begin. Ideally, and depending on the size of the incident, there needs to be at least two individuals working on the investigation from two different angles of the incident response lifecycle. With the data collection element completed, the investigation is split, allowing for remediation and business resumption actions to commence.
For example, if a file server has been compromised by a cyber-attack, then the file server data can be forensically collected, and any other data that needs to be collected can be analysed. Whilst that’s being investigated, a new server and any other associated devices and systems can be rebuilt.
When dealing with remediation efforts to rebuild a client’s systems and backups after an incident, there needs to be an understanding of how the incident happened in the first place, and how to correctly build the network back up in a secure fashion. There is a comprehensive analysis of firewalls, servers, switches, and the whole infrastructure. Being able to understand the DFIR elements as well as being able to understand how to actually rebuild in a secure manner using cyber security methodology is critical.
During an incident, there are protocols that an organisation needs to follow prior to instructing a DFIR specialist. It is always advised that lawyers who are experienced in cyber incidents are approached for legal advice due to their experience in such matters. They know who to report to, when to report and how to report to them in the processes that are involved.
Digital forensics findings are often compiled into detailed reports that provide a comprehensive overview of the incident, its impact, and the steps taken for mitigation. These reports are valuable for internal analysis, management decision-making, and communication with stakeholders, including law enforcement agencies if necessary.
Digital forensics processes are conducted with legal and regulatory considerations in mind. Properly conducted forensics procedures ensure that evidence is collected in a way that preserves its admissibility in legal proceedings, should they arise. Compliance with data protection laws and regulations is also an essential aspect of the process.
The Information Commissioner’s Office (ICO) are one of the biggest regulatory authorities that would need to be informed of a breach. Law firms that have suffered a breach would also need to inform the Solicitors Regulation Authority (SRA). Depending on the business type, the company will report, or the lawyers will report on their behalf. This can be supplemented with expert findings from a DFIR specialist report.
Vulnerability assessment tools such as CYFOR Secure’s Pulse Scanning device are utilised during every incident response engagement. It helps by scanning the network, making sure that the network is secure while simultaneously providing a blueprint of the client’s current IT security posture, and identifying areas of security to be built-in during the refresh part of the ongoing process. It also provides the tools to secure forensic imaging and forensic data collection if required. The vulnerability assessment is a default process during the engagement but can be integrated to form ongoing cyber security services to ensure maximum protection. Other services that can be implemented off the back of an engagement to bolster cyber security are user awareness campaigns, antivirus packages, SOC and SIEM.
After an incident is resolved, digital forensics analysis can provide valuable insights into an organisation’s security weaknesses and vulnerabilities. This information can be used to refine security policies, enhance defence mechanisms, and improve incident response plans to better prevent and respond to future incidents.
In summary, the use of digital forensics in cybersecurity is a critical component, as it helps organisations understand the nature of security breaches, identify responsible parties, assess the damage, and take appropriate measures to recover and strengthen their security posture.
CYFOR Secure are the dedicated cyber security division of the CYFOR Group, specialising in a breadth of proactive and reactive cyber security services, with expertise in Digital Forensics and Incident Response (DFIR). They are a trusted provider to SMEs and large enterprises globally, spanning numerous sectors that include legal, education, manufacturing, healthcare, and finance. CYFOR Secure’s cyber security experts ensure that the technical aspects and specific sensitivities of each cyber security engagement are fully understood, mitigating any cyber risks, and enforcing security protocols. This makes them ideally suited to intelligently advise and implement the appropriate cybersecurity strategies for businesses.
The post Former employees behind Tesla data breach appeared first on CYFOR Forensics.
Tesla, the electric car maker owned by Elon Musk, has said that the massive data leak that the company suffered in May was due to insider wrongdoing. The Tesla data breach included personally identifiable information on over 75,000 company employees, and the automaker has pinned the leak on ex-employees.
According to a data breach notice filed with Maine’s attorney general, an internal investigation found that two former employees leaked more than 75,000 individuals’ personal information to a foreign media outlet, German newspaper Handelsblatt. The outlet assured Tesla that it wouldn’t publish the information and that it is “legally prohibited from using it inappropriately,” according to the notice.
Steven Elentukh, Tesla’s data privacy officer, said, “The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.”
The leaked data includes personally identifying information, including names, addresses, phone numbers, employment-related records and Social Security numbers belonging to 75,735 current and former employees.
The publication obtained more than 23,000 internal documents, dubbed the “Tesla Files,” containing 100 gigabytes of confidential data. This included employees’ personal information, customer bank details, production secrets and customer complaints about Tesla’s Full Self-Driving (FSD) features. According to Handelsblatt, Musk’s Social Security number was also included in the leak.
Tesla filed lawsuits against the employees allegedly responsible for the data breach, which resulted in the seizure of the employees’ electronic devices. “Tesla also obtained court orders that prohibit the former employees from further use, access, or dissemination of the data, subject to criminal penalties,” the company said.
This incident comes after Reuters reported in April that Tesla workers shared sensitive images recorded by customer cars. Between 2019 and 2022, it was reported that employees shared “invasive” images and videos recorded by car cameras.
Mat Cowey, Head of Corporate Forensic Investigations at CYFOR commented on the data breach,
“The Tesla data breach comes as no surprise. These are the kinds of data breaches that we see all too regularly within numerous organisations. The protection of employee and customer data is a critical area of an organisation’s security posture and insider threats can be a huge problem for an organisation; whether it is part of a ploy to steal data for personal use, brand/reputational damage or for whistleblowing. The full details of the data breach have not been made public; however, these threats are real and all organisations must ensure that the appropriate securities and practices are in place, monitored and continuously improved upon.”
Recognised as true leaders in this niche area of complex investigation, CYFOR are frequently instructed by clients who have had company data stolen by current or former employees. We provide corporate forensic investigations in cases ranging from intellectual property theft, partnership and contract disputes to whistleblowing matters. The extensive capabilities of our multi-disciplinary team of experts allow us to forensically investigate digital devices such as computers, mobile phones, hard drives and tablets within strict time frames to meet client requirements.
The post Deepfake audio evidence used in UK court to discredit father appeared first on CYFOR Forensics.
Deepfake audio evidence was used in a UK child custody battle in an effort to discredit the father, as reported by The National News. Byron James, a partner at law firm Expatriate Law involved in the case, said a heavily doctored recording of his client had been presented in court as evidence in a family dispute.
In the edited version of the audio, the child’s father was heard making direct and “violent” threats towards his wife. However, when digital forensics experts examined the recording, they found it had been manipulated to include words not used by the client. Mr James stated,
“This is a case where the mother has denied the father access to the children and said he was dangerous because of his violent and threatening behaviour. She produced an audio file that she said proved he had explicitly threatened her. We were able to see it had been edited after the original phone call took place and we were also able to establish which parts of it had been edited. The mother used software and online tutorials to put together a plausible audio file.”
Manipulated video or audio recordings, sometimes referred to as deepfakes, risk becoming an increasing issue for police, the courts and other law enforcement agencies. Mr James said it was the first time he had encountered doctored audio evidence in his career but said that all courts needed to be vigilant.
Local legal experts are warning parents going through a divorce against travelling with their child over the holidays unless they have permission under a custody agreement. Mr James outlined what had happened to his client, who lives in the Emirates.
“We were lucky to get the original audio file and be able to study the metadata on the recording. She [the wife] said [the doctored recording] justified her stance and that he [the husband] should not be allowed to see the children. If we hadn’t been able to challenge this piece of evidence, then it would have negatively affected him and portrayed him as a violent and aggressive man. It raises all sorts of questions about what sort of evidence you can rely on. Is there sufficient judicial training to identify digital evidence that has been manipulated in this manner?”
Mr James went on to suggest that it would never occur to most judges that deepfake audio evidence could be submitted and that recordings could be taken at face value, unfairly influencing the outcome of trials.
The post Digital Forensics Expert Andrew Frowen Joins CYFOR appeared first on CYFOR Forensics.
The CYFOR Group are proud to announce that industry expert Andrew Frowen will join the business in January 2024 to fill the newly created position of Chief Technical Officer.
With a career that spans over 20 years, Andy has held numerous senior and board-level positions within the Digital Forensics industry. The technical and strategic expertise that he brings to the role will be invaluable to the CYFOR Group, helping to continue the growth and expansion of the business.
Andy Frowen commented,
“I’m very excited to commence my role at CYFOR, and I’m honoured to be joining the executive board as Chief Technical Officer, as it promises a dynamic range of challenges in digital forensics, that I am thrilled to embrace. My initial focus will be on driving technical innovation and leading the delivery of top-notch digital forensic solutions to our valued clients. Grateful for this opportunity and looking forward to the impactful journey ahead. I am eagerly anticipating the opportunity to immerse myself in a forward-thinking, collaborative, and inclusive organisation, where exciting prospects abound.”
On Andy’s appointment as CTO, Chief Operating Officer, Lawrence Perret-Hall added,
“With the recent introduction of a C-Suite to the CYFOR Group, this has been great timing for Andy to join the business as Chief Technical Officer. Andy’s expertise will be crucial as we continue to grow as a business, add extra services to our divisions and expand the overall group.”
The post CYFOR Forensics achieves milestone in accreditation journey appeared first on CYFOR Forensics.
We are thrilled to announce that we have received a recommendation subject to action closure for an ISO 17025 extension to our scope, covering the capture, preservation, processing, and analysis of mobile devices.
This ISO 17025 extension further reinforces our position as a trusted and reliable partner in the field. We remain committed to providing our clients with first-rate services and cutting-edge solutions for their digital forensic needs.
We would like to express our deepest gratitude to our exceptional team for their unwavering dedication and hard work in making this achievement possible. Their expertise and commitment have propelled us forward in maintaining the highest standards in digital forensics.
Stay tuned for more exciting developments as we continue to enhance our capabilities and strive for excellence in the ever-evolving landscape of digital forensics.
The post The Role of Digital Forensics in Care Proceedings appeared first on CYFOR Forensics.
As our society becomes increasingly reliant on digital technology, digital forensics has emerged as a critical tool in determining the truth behind allegations and providing crucial evidence in childcare cases. In this blog, we explore the significance of digital forensics in childcare proceedings and how it aids in the pursuit of justice and child protection.
Digital forensics is the process of recovering, preserving, and analysing electronically stored information (ESI) from various digital devices, such as smartphones, computers, tablets, and social media accounts. The goal is to extract relevant information that can serve as admissible evidence in legal investigations and proceedings, often resulting in expert witness testimony in court. Digital forensics is used in many different types of investigations that involve electronic devices, particularly criminal law; however, family law matters are no exception to its application.
In today’s digital age, almost every aspect of our lives leaves behind a digital footprint. Digital footprints encompass a wide range of activities, such as communication via messaging apps, social media interactions, browsing history, and location data from smartphones. Analysing these digital footprints and the subsequent retrieval of digital evidence can provide the evidence required for family law matters.
Year after year, our experts have seen a considerable increase in the requirement for digital forensics in care proceedings and the retrieval of vital evidence. With people spending countless hours on their mobile phones and social media, this is not surprising. We are seeing more requests for the preservation of social media accounts, along with personal email accounts and cloud-based storage sites.
One of the challenges that must be overcome within an investigation is getting the physical handsets surrendered by clients. When we do, it is often the case that data has been deleted, the mobile device factory reset or a different device is handed over to us for examination. It is in this instance that digital forensics in childcare proceedings cannot be underestimated. There are numerous sources where data can reside and it’s critically important to identify them. Determining the type of electronic device that needs to be preserved and examined is the primary step of the digital forensic process. Typical electronic devices include smartphones, tablets, and computers.
A digital forensics expert will ask what type of devices are involved in the matter so that an accurate quotation for timings and costs can be provided, as well as an overview of their forensic capabilities with that type of device.
Is the device in question a smartphone or a tablet? What is the make and model? Is it a Samsung device running the Android operating system or is it an Apple iPhone running iOS? Is a computer involved, and if so, what type? Windows or Mac operating system?
With these specific details in hand, a digital forensics expert will be able to better understand the support they can provide for the device and what data can be recovered and extracted.
Digital Evidence in Childcare Proceedings
There can be gigabytes, even terabytes of data on computers, smartphones, and tablets. So, what types of data are commonly requested in family law investigations?
The most sought-after data in family law cases is communications between parties. This can include SMS and MMS text messages, call history, emails, third-party app messages (WhatsApp, Facebook Messenger, Snapchat, etc.), and voicemails. On smartphones, communications can make up the majority of the stored data. It’s not uncommon to see several thousand to hundreds of thousands of messages on an individual device.
The extracted data from a device is also dependent on the support for the device and the specific messaging application. In some cases, data from unsupported messaging applications may not be extracted. Therefore, it is important to know what type of messages are being sought.
In cases where ephemeral messaging applications are used, message data may not be stored on the device at all or for only very short periods of time. Ephemeral messages are ones that disappear after being read. Some applications such as Snapchat and Instagram’s messaging features make use of this.
Expert Testimony and Presentation of Findings
Digital forensics in care proceedings can play a crucial role. An expert can not only uncover relevant evidence but also present their findings in a clear, understandable manner to legal professionals and the court. Simplifying complex technical details for non-experts ensures that the evidence is properly considered and understood by all parties involved.
Conclusion
Digital forensics in care proceedings has become indispensable, especially in the digital era that we now live in. It empowers legal professionals to uncover critical evidence, establish patterns of behaviour, and ensure the safety and well-being of children. As technology continues to evolve, the role of digital forensics in safeguarding children and seeking justice will only grow in importance, reaffirming its position as a valuable tool in childcare proceedings.
The post Cell Site Experts and Corporate Forensic Investigations appeared first on CYFOR Forensics.
With the prolific use of mobile phones, being able to determine the movement and location of a handset can be invaluable admissible evidence in court. Whilst the requirement for cell site experts has been commonplace in criminal investigations for some time, the application of cell site analysis is becoming more prevalent within corporate forensic investigations. The data obtained by cell site experts can be crucial for companies that require digital evidence for internal corporate investigations, covering a range of circumstances, including:
What is Cell Site Analysis?
When a mobile phone makes or receives a call, sends or receives a text message, or connects to the internet, it connects to a cell site. The record of this communication is stored by the network that the phone connects to for 12 months. This golden copy of the records does not require the device, and furthermore, it is retained by the network regardless of what happens to the phone, or the contents of it. Should the location of the cell be of importance to your investigation, a Radio Frequency (RF) survey can be completed at locations of interest to establish whether the cell concerned serves the location of interest, thus showing the user of the phone could have been at that location. This information can prove invaluable during the course of a corporate investigation or during a court case.
Smartphones will often connect to the internet in the background, be that to check for emails, or run an application, which means that even when it is not on a call or involved in a text message, it could be generating data indicating the locality it is in as frequently as every few minutes. Cell site experts can examine this information within the call data records (CDRs) provided by mobile networks to determine whether a suspect could have been at a particular location at a specific time. Conversely, a defender may retrieve this information in order to be able to prove that their client, or their mobile phone, was not at a given location at a particular time and may have been elsewhere.
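The reasoning above can be shown as an added example (not CYFOR's tooling or a real network's export format): events that used a cell found by an RF survey to serve the location are grouped into windows in which the phone could have been there, each bounded by the nearest events on other cells. The CDR layout, cell identifiers, survey result and function names are all constructed assumptions.

```python
from datetime import datetime

# Constructed CDR extract (not a real network's export format):
# timestamp, event type, identifier of the cell used.
SAMPLE_CDR = """\
2024-03-04 08:55:10,DATA,CELL-A17
2024-03-04 09:02:41,DATA,CELL-B03
2024-03-04 09:06:12,SMS_IN,CELL-B03
2024-03-04 09:11:30,DATA,CELL-B04
2024-03-04 09:40:05,VOICE_OUT,CELL-C22
2024-03-04 13:15:00,DATA,CELL-B03
"""

# Constructed RF survey result: cells found to serve the location of interest.
SURVEYED_CELLS = {"CELL-B03", "CELL-B04"}


def parse_cdr(text):
    """Parse CDR lines into time-ordered (timestamp, event, cell) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, cell = (field.strip() for field in line.split(","))
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event, cell))
    return sorted(events)


def presence_windows(events, serving_cells):
    """Group consecutive events on surveyed cells into windows.

    Inside a window the phone *could* have been at the location. The
    other_cell_before / other_cell_after timestamps are the nearest events
    on cells the survey did not find serving it; they bound the window.
    """
    windows = []
    current = None
    last_other = None
    for stamp, _event, cell in events:
        if cell in serving_cells:
            if current is None:
                current = {"first": stamp, "last": stamp, "events": 0,
                           "cells": set(), "other_cell_before": last_other,
                           "other_cell_after": None}
            current["last"] = stamp
            current["events"] += 1
            current["cells"].add(cell)
        else:
            if current is not None:
                current["other_cell_after"] = stamp
                windows.append(current)
                current = None
            last_other = stamp
    if current is not None:
        windows.append(current)  # records end while still on a surveyed cell
    return windows


if __name__ == "__main__":
    for window in presence_windows(parse_cdr(SAMPLE_CDR), SURVEYED_CELLS):
        print(window["first"], "to", window["last"],
              "events:", window["events"], "cells:", sorted(window["cells"]),
              "bounded by", window["other_cell_before"],
              "and", window["other_cell_after"])
```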
Call Data Records (CDRs) are a golden copy of the communications data generated by a mobile device, held by the networks for 12 months, and are not tampered with in any way. As such, examination of CDRs for any reason, be that for corporate clients, a criminal matter, or a family court matter, will provide the truth about the activity of a mobile phone whilst it is attached to the network. The CDRs that are provided by telephone networks contain several elements which can provide vital evidence:
This means that further analysis can be done, such as:
CYFOR was recently instructed by a law firm for a corporate client whereby CDRs were obtained for a mobile phone belonging to the driver of a vehicle involved in a collision. Our team of cell site experts were able to accurately decipher what the CDRs revealed about the use of the handset and equip the client with vital information which they were then able to effectively use at court when dealing with the matter.
Our cell site experts were required within an employee misconduct hearing, whereby an employee of the client was accused of communicating with competitors and passing private information to them. CYFOR’s cell site expert was able to examine the call data results of the work phone used by the employee and establish both communications with the competitor and the use of cells that served the competitor’s offices, indicating occasions that the former employee may have visited the location. This was used in the hearing by the company to take action against the staff member.
The post How Digital Forensics Can Assist Workplace Investigations appeared first on CYFOR Forensics.
Workplace investigations are typically undertaken when there are reports of suspicious behaviour or allegations of employee misconduct. Conducted correctly, they can evidence malicious activities and substantiate internal misconduct allegations.
Examples of internal misconduct
Workplace investigations can be time-consuming, expensive, and organisationally disruptive. If conducted correctly they can provide a legitimate defence to any legal challenges raised by disgruntled former employees. However, a workplace investigation that is not conducted in a confidential and ethical manner can lead to significant complications and legal issues. In most cases, serious workplace misconduct involves the use of electronic devices, such as smartphones, computers, and USBs. This is where a digital forensics expert can help identify the digital evidence at the heart of the matter, improving the efficiency of the investigation.
During a workplace investigation, the retrieval of digital evidence is one of the most critical initial steps. Without following the correct forensic steps, pivotal evidence could be missed or overlooked. With technology and digital communications being a critical part of business operations, it is almost a necessity that a reputable digital forensic expert is involved from the start of an HR investigation that involves digital media.
Depending on the circumstances, the primary source of evidence can take many different forms. As a primary tool in the workplace, emails are a main contender during HR investigations. When an employee sends an email, a retrievable copy is most likely stored in one or more devices or locations. Digital forensics can be utilised to extract existing emails as well as potentially retrieve deleted emails. Other forms consist of computer and mobile phone data, as well as the authentication and analysis of documents.
When an investigator is briefed on the background of a case, they must identify relevant evidence in the context of the investigation. They can compile a list of relevant data sources, and review devices for file activity during a specific date range. As evidence resides in many locations within digital media, a forensics expert will use specialised tools and techniques to identify evidence and ascertain the activities of the perpetrator, examples of which are:
At a base level, employers must understand the basics of securing evidence on digital devices. Although electronic data is recoverable in most instances, it is important to ensure the integrity of that evidence by refraining from searching themselves. This will help ensure any evidence is not overwritten or altered.
Digital forensics is a very specialised field, and an IT technician is not a Digital Forensics Investigator. Years of training and ongoing development are standard; forensically imaging devices, analysing the recovered data using specialist forensic software and examining metadata is a complex process. Having any electronic device involved in a case should be viewed as an absolute asset, as the quantity, variety, and potential value of data stored on the hard drive can be invaluable. However, if best practice guidelines are not followed, and forensic experts are not deployed, evidence can be lost forever, or it becomes inadmissible in court or at tribunals.
Backup copies or ghost images that an in-house IT person often generates are not true forensic images. Although these backups are critically important for the purpose of data recovery, they only contain current data that the user can ‘see’. Instructing a digital forensic specialist at the early stages of an investigation will ensure the integrity of the data, and its admissibility in court should the matter escalate.
Metadata interrogation can be a vital instrument for ascertaining the authenticity of digital evidence. When an electronic document is created and stored on a digital device, ‘hidden’ intrinsic data is created. This is referred to as metadata and details information such as:
Metadata is a blanket term. There are many types of metadata; for example, EXIF (Exchangeable Image File) data is a type of metadata found within image files and is very useful for digital forensic analysis. When accessing documents as a normal user it is not possible to alter or ‘tamper’ with metadata. However, there are specialist tools readily available that can make this possible in the hands of someone with sufficient knowledge. When files are out of a ‘native’ environment, metadata can only be taken at face value; there is no way of determining any metadata manipulation.
Digital forensics at its core is the identification, preservation, collection, and analysis of electronic data taken from devices such as computers, laptops, tablets, mobile phones, servers, cloud storage, portable hard drives, and USB flash drives.
Utilising specialist tools, a forensics expert can extract data relevant to workplace investigations in the form of emails, documents, images, chat logs, social media and internet usage history, call logs, text messages and contacts. The collected data can show when documents were created, altered, or deleted, as well as any devices which have been connected to a computer or laptop.
Devices identified as relevant to an investigation have their data preserved by creating a forensic image. This is a forensically sound method of creating an exact ‘bit-by-bit’ copy or ‘clone’ of the entire contents of the original storage media, and the image is created to such a standard that the evidence obtained from it is admissible in court.
Forensic imaging is performed using write-blocking equipment, which ensures that the data is not altered in any way, and it copies the contents of all the unused areas on the hard disk as well as the areas that currently contain data. These unused areas often contain data that has been deleted by a user but still resides on the device, which is important to capture. With the correct digital forensic processes in place, any tampering or manipulation of the cloned data is readily detectable.
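The following is an added illustration, not CYFOR's tooling or process, of why tampering with a bit-by-bit image is detectable: hashes recorded at acquisition are recomputed later, and per-block hashes show where a copy diverges, including in unused areas. The block size, function names and sample image bytes are assumptions constructed for the example.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed block size for the per-block hash list


def acquire_hashes(stream, block_size=BLOCK_SIZE):
    """Read an image stream once; return (whole-image SHA-256, per-block SHA-256 list)."""
    whole = hashlib.sha256()
    blocks = []
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks


def verify_image(stream, recorded_whole, recorded_blocks, block_size=BLOCK_SIZE):
    """Re-hash a working copy; return (matches, byte offsets of blocks that differ)."""
    whole, blocks = acquire_hashes(stream, block_size)
    changed = [i * block_size
               for i in range(max(len(blocks), len(recorded_blocks)))
               if i >= len(blocks) or i >= len(recorded_blocks)
               or blocks[i] != recorded_blocks[i]]
    return whole == recorded_whole, changed


def build_sample_image():
    """Constructed 4-block image: allocated data, then 'unused' space holding deleted text."""
    allocated = b"ALLOCATED FILE DATA".ljust(BLOCK_SIZE * 2, b"\x00")
    unused = b"deleted draft: client list".ljust(BLOCK_SIZE * 2, b"\x00")
    return allocated + unused


if __name__ == "__main__":
    original = build_sample_image()
    whole, blocks = acquire_hashes(io.BytesIO(original))
    # Constructed tampering: one bit flipped in the unused area of a later copy.
    altered = bytearray(original)
    altered[BLOCK_SIZE * 2 + 5] ^= 0x01
    print(verify_image(io.BytesIO(original), whole, blocks))
    print(verify_image(io.BytesIO(bytes(altered)), whole, blocks))
```

A file-level backup of the same disk would not include the third and fourth blocks at all, so neither the deleted text nor the change to it would be visible.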
The digital evidence that is retrieved using digital forensics expertise could make the difference between a successful and unsuccessful outcome of a workplace investigation.
CYFOR Forensics have been instructed on thousands of digital forensic cases, including workplace investigations. Our dedicated Corporate Forensics division is equipped with the knowledge and expertise to scope any workplace investigation and assist clients every step of the way. If you or a client are concerned about possible employee misconduct, please get in touch with our consultants.
The post How Digital Forensics Can Assist Workplace Investigations appeared first on CYFOR Forensics.
The post New Statutory Code of Practice Introduced for Criminal Investigations appeared first on CYFOR Forensics.
The new code is a consequence of the Forensic Science Regulator Act 2021, which places the Regulator on a statutory basis as a new legal entity and provides the Regulator with legal powers. The code will be a significant step forward in the way forensic science is held accountable and meets the Regulator’s requirements for quality.
As a critical component of criminal investigations, forensic science contributes to the admissible evidence presented in court. Although the intention of regulation is to reduce risk and error, forensic science carries significant risks. Failures in quality management can have serious consequences, and the remediation of these can be a challenging process, as the consequences can be organisationally damaging.
The new statutory code of practice is intended to minimise the risk of quality failures, and miscarriages of justice, ensuring that accurate and reliable evidence is produced.
“The introduction of the Forensic Science Regulator’s Statutory Code of Practice will provide confidence in the information and evidence entered in the judiciary system and being presented to courts. It requires practitioners to be properly trained and to understand fully what forensic tools generally automate. The validation required also ensures that tools that are used frequently have been assessed and those undertaking the work understand the limitations. This minimizes the risk of misinterpretations and improves the reliability and quality of the work being produced. As with all new legislation and procedures it comes with its own challenges for Investigators, Quality teams, and the industry, but overall is a positive move for the industry.”
– Vicky Saunders, Senior Digital Forensic Investigator
The key elements of quality management addressed in the code are:
“The Forensic Science Regulator’s Statutory Code of Practice is a significant milestone in the way forensic science is held accountable and meets the Regulator’s requirements for quality. The Code was approved by both houses of Parliament earlier this year and comes into force on 2nd October 2023. The Code sets quality standard requirements for Forensic Science Activities (FSAs) related to the investigation of crime and the criminal justice system in England and Wales. The majority of the FSR Code requirements remain largely unchanged from the previous non-statutory version. However, there are some major changes within the new Codes such as the addition of the Senior Accountable Individual role. To ensure CYFOR have accounted for all changes a Gap analysis is being undertaken to allow for the transition from compliance with Issue 7 of the FSR non-statutory code to Issue 1 of the FSR Statutory Code.”
– Shruti Patel, Senior Quality Officer
The post Government to limit non-competes in employment contracts appeared first on CYFOR Forensics.
Non-compete clauses, also known as “restrictive covenants”, are a type of post-termination restriction (PTR) that an employer may seek to include in a contract of employment. Non-compete clauses are governed by case law which has developed over time and provides that PTRs will only be enforceable if they are no wider than is reasonably necessary to protect the employer’s “legitimate business interests” such as confidential information and customer connections. If a court deems a PTR too broad or unnecessary in the circumstances, it will be unenforceable.
In 2020, the government published a consultation paper exploring options for reforming the law in this area, which focused on two main alternatives:
Two and a half years after it invited comments, the government has finally published its formal response to the consultation paper on non-compete clauses. The government has concluded that requiring businesses to pay for a non-compete period “would apply a substantial direct cost to businesses…at a critical junction in our economic recovery”. This is despite the majority of respondents to the consultation being in favour of Option 1. The government also decided that, in its view, banning non-competes altogether may lead to “unintended consequences” such as a “loss of investor confidence” and a “lower appetite for training employees”.
The government has decided to scrap Options 1 and 2 and, instead, to go with “Option 3” – capping the period of a non-compete to three months through legislation.
The impact of reducing the duration of a non-compete clause to three months can have several potentially negative consequences.
With shorter non-compete clauses, employees can join competing firms sooner. Any data taken by those employees would have significantly more value at 3 months than at 6 months.
Companies may face increased difficulty in retaining employees, particularly those with valuable skills and expertise. Employees who know they can transition to competitors after a short period may be more inclined to explore alternative job offers, potentially resulting in higher turnover rates.
Shorter non-compete clauses could lead to increased concerns regarding the protection of intellectual property. Companies may be concerned that departing employees could take valuable or sensitive information to competing organizations. It would also mean there is less time for the employer to replace relationships with clients and suppliers.
It is even more important to preserve any potential evidence of data theft as early as possible to prevent the data from being used and causing economic and reputational damage. Even if no wrongdoing is suspected, it would be good practice to take a forensic image; this image can be stored and investigated at a later date if required.
By having a forensic image taken and documented, organisations can evidence the state of an employee’s device at a specific time. This documentation serves as a record of the contents of the device and can be used to establish a chain of custody, ensuring accountability and integrity throughout the process.
If there are concerns regarding the employee’s activities, a forensic image can be crucial for conducting an investigation. It provides a starting point to analyze the employee’s devices for any signs of unauthorised access, intellectual property theft, or policy violations.
In summary, taking a forensic image of devices used by an employee who is leaving is essential for preserving evidence, enabling data recovery, supporting investigations, ensuring legal compliance, establishing documentation and accountability, and protecting intellectual property. It is a proactive measure that assists organisations in managing potential risks and maintaining the security and integrity of their digital environment.
Visit our Corporate Forensics Investigation services to find out more about how we can assist.