Blog Post

Q&A: In Headline-Making Investigations, Forensic Readiness is Key

  • LinkedIn icon
  • X/Twitter icon
  • Print icon

Q&A: In Headline-Making Investigations, Forensic Readiness is Key 

FTI Technology’s digital forensics experts have provided investigative support and testimony in some of the world’s most contentious disputes and internal investigations. When matters make headlines, or involve serious crimes involving bribery and corruption, the pressure and scrutiny intensify. Digital evidence is often the linchpin in these cases, meaning forensic methodologies must be impeccable, defensible and validated by experts. In this Q&A, Managing Director Matias Livachof discusses how FTI Technology approaches highly sensitive and high profile cases throughout the investigation lifecycle. 

Matias, there are many types of investigations that FTI Technology experts handle, some more intense than others. What are common challenges your team encounters in high profile investigations?

The element of surprise is critical in many high-stakes investigations, particularly those involving instances of suspected fraud, bribery or corruption within an organization. Custodians can’t be informed in advance that their data is going to be collected, because that significantly increases the risk of intentional data spoliation, especially given the proliferation of ephemeral messaging applications and readily available wiping tools. We’ve been involved in many investigations like this where custodians were located in different countries and jurisdictions. To prevent data destruction, the entire effort must be coordinated and executed as a simultaneous, multijurisdictional operation, similar to a dawn raid with digital forensic specialists and legal counsel all arriving at the locations and seizing devices and data simultaneously. So, there’s a significant need to have a large and geographically diverse team ready to support these needs at a moment’s notice.

Even when we have the element of surprise on our side, it’s common to find that messages or data have been deleted. So, our team must move as quickly as possible to preserve, look for backups or other sources that might contain copies of the deleted information, and know how to spot signs of missing information so they can be noted and included in any subsequent reports or testimony. 

Will you give an example of a case that involved unique sensitivities?

We handled a Foreign Corrupt Practices Act investigation at an oil and gas company in Mexico. Outside counsel engaged us to investigate a targeted group of individuals who were suspected of systemic misconduct. These custodians were dispersed between four locations and it was critical that we preserve and collect from all of them at the same time, to prevent tipping off the wider group and triggering a cascade of data deletion. 

The logistical footprint was massive, requiring more than 50 people involved in this coordinated effort across the law firm and our team. Once we began, we found many devices that needed to be preserved, and in some situations, custodians had swapped their devices. By analyzing device artifacts, such as discrepancies in cloud backup timelines and fresh activation dates, we were able to definitively prove the swap had occurred. This technical intelligence gave counsel the immediate leverage required to confront the custodians and compel them to surrender their original devices, allowing us to perform full file system extractions before the critical evidence could be permanently wiped. 

What set FTI Technology apart in this matter?

We were able to respond quickly when the request came in because we have the specialized digital forensic capabilities required, backed a large global team. Not many providers can disperse a team of experts internationally for on-site collection at such short notice and under such high-pressure and sensitive circumstances.

Beyond logistics, our technical capabilities in mobile forensics were pivotal. Dealing with modern, encrypted mobile devices and the pervasive use of ephemeral messaging requires far more than basic data extraction. We have the hands-on experience needed to quickly preserve text messages and chat data — before custodians have a chance to delete it and cover their tracks — and detect when there are signs of evidence tampering. 

What are some of the pitfalls clients experience if they aren’t able to move quickly or deploy a strong digital forensic team? 

Data is easy to delete, especially on mobile devices. So, time is of the essence in preserving information. When organizations aren’t able to maintain an element of surprise leading up to a collection, or other factors delay data preservation, it can significantly impact the ability to secure the evidence required to pursue a case.

It’s also essential for organizations to have a technical team that can connect the dots when there are holes in the data. Even when it’s not possible to find a smoking gun or identify exactly what happened, experienced digital forensic investigators can detect signs of suspicious activity and piece together patterns of deleted data we provide legal counsel with the actionable intelligence required to determine exactly what happened and how to proceed strategically. 

Related topics:
Digital Forensics & Investigations

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

Related Solutions