Most of the time, digital forensics is one component of a much larger investigation, so the forensics results are integrated into a single report for the whole investigation. On some occasions, the forensic results even form the basis of the entire investigation. Whatever the situation, it is vital to first assess the case background and make a proper digital investigation plan by discussing issues of concern with the client, assessing the potential availability of the expected information, as well as exploring the pros and cons of different investigative methods.

​

Occasionally, clients are concerned about the risk of decontextualizing data which is gathered from HDD forensics alone. With this in mind, we ensure that digital forensics is complemented with thorough background investigations and that open dialogue is maintained with clients to discuss our findings throughout the forensics process. 

For data storage device-based assignments (such as HDD forensics and mobile phone forensics), acquiring a forensically-sound image of the original data is usually the next step after the initial case background discussion and planning.    

Acquiring a forensically-sound data image is key to collecting a full copy of the raw data source, including existing files on the source and the data structure of deleted files which are potentially recoverable.  

For this to be possible, the client must have control over the computer and therefore it is most suitable for internal investigations (such as fraud and data leakage cases). In these cases it is usually possible to find irrefutable evidence of misconduct, as well as additional information which assists in the identification of other suspects in a fraud network.

​

In cases where companies simply require the raw data to reconstruct the concerned information (e.g. accounting data), Grapevine can assist in collecting the image of the raw data in Asia/China, as well as assembling and organizing specified files as required. 

Once an HDD has been successfully imaged, there are several forensics methods to choose from. Two of the most effective tools available at our disposal are a powerful forensic software program called EnCase and X-ways forensics. Below is an example of the procedure we follow:

​

• Automatically process the raw data, index it, recover deleted files, analyze file signatures, etc.

• Locate emails which have been downloaded onto the computer by desktop email clients such as Outlook. 

• Use keywords relevant to the case, such as names, events, dates and times, to perform a scan of all files on the computer. 

• Inspect the deleted files and emails (particularly important if we have reason to believe the HDD user suspects they are being investigated).

• Examine the internet browsing history and, if any, instant messenger data (this can contain information that the user did not intend to keep, such as online emails and chat histories). We often find valuable case-related information from Chinese-based instant messaging app data such as Wechat. 

• Search metadata files to see if any files were created or edited by people at the same time as relevant events in the investigation.

• Boot the target’s hard drive to simulate using the user’s computer.

​

The type of information we find on a suspect’s computer depends on the way in which the computer is used and can differ widely from one user to another. It is crucial to determine whether the computer is the user’s primary computer, or if they use their personal computer at work instead. Even if it is not their primary computer, we are usually still able to uncover evidence of misconduct or information which can be used to verify evidence from other sources.

​

In situations where suspects have not been especially careful in covering their tracks, we have on occasion been able to find large amounts of data which points to the user’s illicit activities, such as email correspondence evidence of fraudulent activities or a document showing that the user has been trading company information. In our experience conducting commercial forensics cases in China/Asia, most suspects are surprisingly lax when it comes to removing evidence of misconduct from their computers however, even the more vigilant suspects can still make mistakes and incriminating information can usually be found because the suspect is not aware that deleted files remain on the computer’s hard drive.

• Compile comprehensive timelines and relationships between multiple suspects;

• Investigate recent activity using software records created through the forensics process; 

• Crisis management and data breach response; 

• Cyber inquiries and consulting; 

• Social media analysis; 

• Online evidence capture, and protection of data for submission in legal proceedings or further actions; 

• Compliance and best practices guidance.