Every security incident is followed by an investigation phase into the causes and responsibilities that led to its occurrence.
The occurrence of security incidents, which may or may not result in personal data breaches, triggers the need for the organisation to protect its rights and interests in court effectively or before independent administrative authorities, such as the Data Protection Authority or the Competition and Market Authority.
The need for (digital) investigations may originate from a variety of circumstances: the theft or misuse of company data by internal or external parties; a malware or spyware attack; the unlawful use of a company information device; or the infringement of the organisation’s proprietary rights, such as trade secrets.
The list could go on and on: what all these cases have in common is the need to collect and analyse (digital) evidence that can be used in court. The concept of digital forensic investigations was born in this context, i.e. investigations aimed at acquiring and analysing information of a digital nature, using techniques and methodologies suitable for preserving sources of evidence.
Computer experts carry out digital forensic investigations in compliance with the technical standard ISO/IEC 27037.
Practical tip: Technical advisors must be assisted by lawyers who are experts in the field to ensure not only compliance with privacy regulations but also to verify that all investigative activities are carried out in such a way as to ensure the admissibility of the evidence gathered as evidentiary material.
From a methodological and procedural point of view, it is possible – with a reasonable degree of simplification – to subdivide digital forensics activities into three distinct moments: the acquisition of evidentiary material, that of selection, and that of analysis.
The acquisition phase is dedicated to the identification and copying of computer evidence.
This is a highly delicate phase, as it aims at properly preserving evidence. It is therefore crucial to ensure that the material remains unaltered during acquisition, so that it can later be used as evidence.
The acquisition must take place using so-called imaging techniques: a forensic image of the storage media under investigation is produced and ‘crystallised’, also by means of hashing techniques, so that any subsequent alteration can be detected.
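As an added illustration of the imaging-and-hashing step described above (example code, not part of the original article), the following script copies a constructed sample "device" file bit for bit, hashes source and image to confirm the copy is faithful, records the digest in a manifest, and later re-hashes the image to detect tampering. The examiner name and file names are placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read media in 1 MiB blocks so large images fit in memory


def hash_stream(path, algo="sha256"):
    """Hash a file block by block and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, examiner):
    """Bit-for-bit copy of `source` to `image`, verified by hashing both sides.
    Acquisition only counts as complete when the two digests match."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    src_hash, img_hash = hash_stream(source), hash_stream(image)
    if src_hash != img_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    # The manifest 'crystallises' the evidence: digest plus acquisition metadata.
    return {
        "source": source, "image": image, "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": img_hash, "size": os.path.getsize(image),
    }


def verify(image, manifest):
    """Re-hash the image and compare it with the digest recorded at acquisition."""
    return hash_stream(image) == manifest["sha256"]


def demo():
    """Constructed scenario: acquire a fake device file, then alter one byte."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(src, "wb") as f:
            f.write(b"constructed sample media content\x00" * 4096)
        manifest = acquire(src, img, examiner="EXAMINER-PLACEHOLDER")
        intact = verify(img, manifest)          # expected True
        with open(img, "r+b") as f:             # flip one byte to simulate alteration
            f.seek(100)
            f.write(b"X")
        return intact, verify(img, manifest)    # expected (True, False)
```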
Once crystallised, the evidence must then be selected. The selection process is crucial both to limit the subject of the investigation to those elements that are of genuine interest and to ensure the lawful processing of the personal data of the individuals targeted by or otherwise involved in the investigation.
Selection is typically made by applying filters and indexing techniques to the collected material. The choice of filters is a task of some importance: filters that are too restrictive risk eliminating evidentiary elements of interest, while filters that are too broad could lead to indiscriminate analyses that can be challenged in court.
The analysis phase, finally, represents the last link in the chain of digital investigation operations. It consists of the various searches across the selected data pool that the case requires at that point.