First Response has a team of digital forensic investigation specialists who assist with retrieving and analysing data and digital evidence from any media that stores data (forensic investigations). This work ranges from recovering data for use in court proceedings, whilst maintaining evidential integrity, through to determining whether data has been lost in a data breach.
An example of this is when a multinational development company established an internal team to quickly investigate allegations of misconduct. The team turned to First Response and Nuix (an Australian software company) for help to rapidly process, search and analyse three terabytes of data from disparate sources within the company. Within hours, the digital forensic investigations team found the critical information it needed to respond properly to the allegations, saving the weeks that it would have taken using any other software to get the same results.
The development company faced allegations of misallocated funding and general misconduct within a four-year programme with multiple delivery strands that crossed international borders and involved more than 150 staff operating in many languages. The organisation launched a forensic investigation to find out if there was any truth in the allegations. The data analysis requirements of the investigation were large and complex. Investigators quickly needed to find accurate answers to these allegations from approximately 3TB of data which was spread across multiple file types and locations, including:
- More than 250,000 documents stored within a cloud system
- 92GB of data in two different mailbox formats
- Numerous folders within multiple Microsoft SharePoint sites comprising over 250GB of data
- A hosted program knowledge management system.
The organisation called in digital forensic specialists First Response, a Nuix services and training partner, to support its internal investigations team. John Douglas, Technical Director at First Response, deployed Nuix Workstation, a supercharged data processing, search and analysis platform, which he used to index the large quantities of programme data and make it easily searchable for timely analysis with the team.
FORENSICALLY PRESERVED RELEVANT EVIDENCE
Using Nuix, Douglas and the investigations team quickly and efficiently identified the evidence sources required to respond to the allegations. Investigators kept data from all these sources within a compound Nuix case file, removing the need to convert or move data between formats and tools during the investigation. “This made it much easier to maintain provenance and trace critical evidence identified during the investigation back to its original source,” said Douglas. “We also needed to maintain evidential integrity and produce a legally sound forensic technical report,” he explained. “This is why it was so important to use Nuix.” A spokesperson for the company added, “Nuix helped us meet organisational imperatives for transparency in our programming and we would not hesitate to use it again for any future due diligence processes.”
PROCESSED 3TB OF DATA WITHIN HOURS
First Response used Nuix on two reasonably powerful office work computers to process all 3TB of case data within hours. This enabled the team to start searching the data using keywords almost immediately. “Consolidating the data from the various project sources and indexing it to enable effective keyword searches would have been impossible without Nuix’s forensic processing capabilities,” said the spokesperson. “The advantage of using Nuix when you have a lot of data to analyse in a short time frame is the speed with which it can index your data – it’s the fastest data slicer and dicer there is,” said Douglas. “Other forensic tools can’t process the same volume and variety of data types as Nuix can, in the time it can do it. Nuix has made this information available for search, analysis and review while other tools are still churning through the dataset.”
QUICKLY ELIMINATED DUPLICATES AND IRRELEVANT DATA
Nuix’s inbuilt data analytics capabilities automatically deduplicated data during processing, which significantly reduced the size of the dataset investigators needed to review. “Nuix saved us a lot of time by matching identical content regardless of where this data was stored and identifying the unique items,” said Douglas. “This was particularly useful given our data was spread across multiple repositories and networks. We could then identify within hours rather than days which documents were relevant to the investigation. By reviewing only the relevant files, we could pinpoint the critical information we needed to understand the facts of the case much faster.”
COMPARED SIMILAR DOCUMENTS SIDE BY SIDE
Nuix gave investigators a single pane of glass to compare and cross-reference intelligence across all data sources at once. “Nuix automatically grouped and visualised the most important forensic artifacts,” said Douglas. “We could also display a complete chronology of events in one timeline and see communication networks and maps of activity across all sources.”
“At the start of this investigation we had no idea about what Nuix could do,” said the spokesperson. “Once John outlined the possibilities of the tool, we provided timelines, GPS locations, email addresses, keywords and other information that John combined into search terms and applied to the entire database of indexed data. As a group, it only took us 45 minutes to narrow down these search results and find the answers we needed. Without John’s digital forensic expertise and the power and capability of Nuix, we have no idea how long it would have taken us.”
HOW WE CAN HELP
If you have a cybersecurity incident, believe you are under attack or have been compromised, then call us immediately for assistance on 020 7193 4905 or email us at incident [at] first-response.co.uk