Blog Post

Pandemic Lessons Learned in Remote Forensic Analysis

Over the last two years, our teams at FTI Technology have experienced numerous multi-jurisdiction matters throughout Asia and globally, including internal investigations pertaining to IP theft and employee misconduct, which required remote collections. Our teams were tasked with conducting these exercises while adhering to digital forensics best practices, including establishing a defensible preservation approach and utilising a tested and proven methodology. Many of these began as seemingly simple data preservation exercises, only to escalate into large, complicated investigations.

Emerging global data sources

Technical and Practical Challenges

In many cases, remote collections involved utilising network connections via collaboration tools such as Microsoft Teams or Citrix to preserve network share data directly from cloud sources. Theoretically, connecting remotely to a corporate computer and copying data for transfer in a forensically sound manner is not a novel process. However, remotely collecting data from a variety of data sources across multiple jurisdictions had not been common practice prior to the pandemic. Doing so introduces multiple challenges that will persist regardless of technological advancements.

For example, global inter-connectivity has enabled organizations to outsource certain business activities via knowledge process outsourcing (KPO) and business process outsourcing (BPO) to developing countries such as India. Network and power outages are not uncommon in these countries, and deploying a network-dependent solution to upload or transfer data may not be reliable. For example, the Telecom Regulatory Authority of India (TRAI) has mandated that telecom service providers clearly specify their fair usage limit and data speeds — which could result in investigatory teams being unable to transfer a large amount of data across the network.

The proliferation of emerging data sources, including proprietary chat and collaboration platforms, has also significantly increased the challenges associated with developing defensible remote collection methodologies. The most significant is chat applications on mobile phone devices. Performing forensically sound collection of mobile chat data, while adhering to privacy compliance for bring-your-own-device (BYOD) environments, will always be a prevailing challenge. Other collaboration tools such as Microsoft Teams, Zoom and Slack will require in-depth knowledge of the data structures to facilitate the downstream legal review of data.

Another example of physically transferring corporate-owned devices also comes with challenges, particularly for devices purchased under the Special Economic Zone (SEZ) in India. The SEZ is subjected to a specific set of economic laws, with the intention of promoting rapid economic growth using tax and business incentives. However, this also means that there are strict requirements around transferring devices from the SEZ to outside of it. Any device purchased under SEZ will need special permission to be transferred out.

Another challenge is that there is increased regulatory scrutiny on forensically sound collection techniques, with the intent of verifying that the data has been defensibly collected. Providing forensic reports on data collections with detailed acquisition notes is a standard process for any collection, and it is important that these reporting requirements are taken into consideration when new workflows are developed.

Simultaneously, developers of forensic tools have released remote collection capabilities that enable practitioners to perform targeted data collections remotely across networks. However, some of these features still require additional development as they may not be effective in situations involving regular power and/or network outages. Specific security settings in VPNs may also block or prohibit some of these forensic solutions. Customizing existing solutions to fit the project requirement is an option that typically provides the best outcome. This will require a thorough understanding of the existing solutions and data structures, case experience and knowledge of the matter’s and region’s unique legal requirements. Ideally, bespoke solutions should be scalable, repeatable and provide results in a manner that can be utilized by the project and/or legal team.

Privacy and Compliance

Data privacy laws

Before data is collected and sent to another jurisdiction, the amount of data available in a user profile and the prominence of BYOD practices will need to be thoroughly considered for data privacy implications. Data protection regulations are escalating around the world, and many govern the parameters for how personal information may be transferred across borders. Ensuring compliance with privacy laws across all jurisdictions relevant for the investigation is a critical step in any large-scale investigation. Doing so may involve establishing separate review teams in certain locations such as China, Europe, the U.S. and Dubai.

From a compliance perspective, extra-territorial reach is another privacy compliance aspect that requires consideration. Although GDPR has extra-territorial reach, it is certainly not the same case in every nation. As an example, there are no specific provisions for extra-territorial operations in the Personal Data Protection Act in Singapore or in the Personal Data Privacy Ordinance in Hong Kong. However, the IT Act in India states that it has unlimited territorial jurisdictions, and that it applies to any offence or contravention committed outside of India.

Consent requirements will also have to be considered if the data preservation occurs across multiple jurisdictions. Personal Information Collection Statements (PICS) are informed consent forms that may be required depending on where the personal data is collected. This may require inclusion and explanation of the purpose of the collection, as well as the method of transfer.

Conclusion

This article covers the most common challenges that have been recently encountered during large scale remote investigations throughout Asia and even worldwide. These challenges underscore the importance of enabling adaptability in investigations, so teams can utilise new technology and workflows when necessary. Such flexibility involves a thorough understanding of the underlying technology and involving experts with domain experience to understand how to best develop solutions to fit the specific needs of the matter at hand.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.