Digital Evidence Collection

By: Cynthia Horn

Investigators looking into workplace disputes need to be on the lookout for digital evidence. In this day and age, more and more business is conducted online, with Slack, Teams, or other internal messaging systems even supplanting corporate email in some organizations. But how you collect this evidence can be just as important as what you are collecting, so be careful. Read on for issues and advice on digital evidence collection.

Before you begin collecting digital evidence, think about your collection strategy. A good strategy should employ tactics that are reasonable and defensible. At a minimum, you should be able to prove the date items were collected, how exactly items were collected, and who collected them. It is also a good practice to document the chain of custody. Additionally, you should think about how to safely store your evidence. Storing and transferring data to the cloud introduces security vulnerabilities. To mitigate that risk, utilize VPNs and encrypt data. Access to cloud-based storage of digital evidence should be protected with strong security, including two-factor authentication.[1]

When you are gathering digital evidence, you want to collect enough data that you have what you need, but not so much that you overwhelm your review team. Be thoughtful about what you ask for and avoid the temptation to ask for way more than you can meaningfully review. External investigators, especially, must take care to balance the cost to the client of review time against the likelihood of finding evidence and what its probative value might be. That said, make sure you don’t collect less than what you need, either. For example, if you are looking at pertinent emails, be sure to collect every email, individually, in the chain, rather than taking only the last email in the thread. This helps ensure the authenticity of each email.

When you begin your evidence review, don’t manually review every document unless there aren’t very many. Instead, leverage technology. Use keywords to rapidly search for relevant information. Sort evidence by file type, date, author, and so on. There are many platforms available to review data.[2] Pick an application that you can familiarize yourself with and use effectively. And remember to work only on copies of data and never use the original copy you obtained.
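The two practices above (recording when, how, and by whom each item was collected, and reviewing only copies) can be supported with a small script. The Python below is an added example, not part of the original article: it assumes SHA-256 hashing as the integrity check and a JSON-lines custody log, and the function names, file names, and collector name are hypothetical.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_collection(path, collector, method, log_path):
    """Append one custody entry: what was collected, when, how, by whom."""
    entry = {
        "file": Path(path).name,
        "sha256": sha256_file(path),
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "method": method,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def make_working_copy(original, dest, entry):
    """Copy the original for review; reject the copy if its hash differs."""
    shutil.copy2(original, dest)
    if sha256_file(dest) != entry["sha256"]:
        Path(dest).unlink()
        raise ValueError(f"{dest} does not match the collected original")
    return Path(dest)

def demo():
    """Constructed sample: collect a file, copy it, then alter the copy."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        original = tmp / "thread_export.eml"  # constructed sample evidence
        original.write_bytes(b"Subject: constructed sample\r\n\r\nbody\r\n")
        entry = record_collection(original, "J. Doe", "mail export", tmp / "custody.jsonl")
        copy = make_working_copy(original, tmp / "review_copy.eml", entry)
        matched = sha256_file(copy) == entry["sha256"]
        copy.write_bytes(copy.read_bytes() + b"edited")  # simulate alteration
        return matched, sha256_file(copy) == entry["sha256"], sha256_file(original) == entry["sha256"]

if __name__ == "__main__":
    print(demo())
```

The altered review copy no longer matches the recorded hash, while the untouched original still does, which is the property the custody log lets you demonstrate later.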

In more complex cases, you may want to consider hiring an outside expert to assist. This is especially important in cases where you need to prove forensically that someone did something to a computer, such as when you have a person accused of unauthorized access to a computer system. A digital forensic expert, besides being highly knowledgeable, can testify about how they collected the evidence and attest that they did not manipulate it. Though it isn’t necessary to hire a third party, it can be helpful to have one. If hiring someone is too expensive or just not an option, you can also consider preparing an affidavit attesting to the methodology used to collect the evidence.

Websites

When the content of a website is important to your investigation, try to capture the webpage in full. Capture a true and accurate representation so that when saved or printed, it looks exactly like it appeared online. To achieve this, use a web browser plugin for full page collection. For example, “GoFullPage” is a browser extension you can download on Chrome.[3] It is a free tool that will allow you to capture a full website page quickly and easily. It also includes premium features that enable you to obtain extra metadata. When capturing websites, be sure to save using the PNG filetype. A JPEG file uses compression, and you will lose metadata. Although a PNG file is larger, it is a more true and correct copy.

Social media

When capturing social media posts, always capture the content in full. That includes all profile sections, posts, and comments. Each social media service is different, so be familiar with each service and know where to look for additional tabs and expandable comments. Some sites also allow users to edit comments over time. The metadata from your capture will show when your evidence collection was made and is important to preserve.

If you are a lawyer, remember that it is unethical for an attorney to gain access to private content in a deceitful manner, such as by “friending” a target of an investigation to get to their profile. However, if you know someone, who knows someone, who is friends with your target, accessing a target’s profile through them should be just fine.

Mobile devices

For evidence on a mobile device, determine whether data can be extracted directly from programs or by physically copying the device. Live data can be extracted from programs, but it will not recover deleted files.[4] You may need a forensic expert to look at the phone and assist with digital forensic tools. If you end up in possession of a phone, do not turn the device off. In some instances, it is best to turn off mobile data and Wi-Fi, or put the phone in airplane mode, to avoid remote deletion.

Another good practice to consider is to document the evidence collection process by physically recording it with a camera.[5] Such a recording will allow you to show exactly what was done and how, and if ever needed later, can be played for a judge in court.

Employers

If you’re an employer, be sure to have a records retention policy and follow it. If you become aware of an incident, issue a clear and concise legal hold and make sure your IT people know about it. Even if you hire an outside law firm or investigator, it is your responsibility to preserve the evidence in a reliable way that avoids spoliation.[6]

Digital evidence can be highly compelling, and care should be taken to collect it in a faithful manner such that it can be relied on as a true and correct copy later. When in doubt, and budget permitting, consider hiring a third-party expert to assist in the process.

[1] Guttman B, White DR, Walraven T (2022) Digital Evidence Preservation: Considerations for Evidence Handlers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency Report (IR) NIST IR 8387. https://doi.org/10.6028/NIST.IR.8387.

[2] Popular eDiscovery software programs include Relativity, Everlaw, Exterro, Logikcull, and many others.

[3] https://gofullpage.com/

[4] Kevin A. Thompson, “Online Investigations in 2023: Tips and Tricks,” presentation for Association of Workplace Investigators (August 10, 2023).

[5] Id.

[6] Id.
