Evidence across hemispheres

Forensic acquisition in Australia for a UK-based investigation

  • Acquisition standard applied: NIST 800-86
  • Time to evidence delivery: Hours
  • Written acquisition statement provided: 1

The situation

A UK-based cyber security firm was conducting insurance-related investigations that required forensic evidence to be acquired from devices located in Australia. The evidence needed to meet the NIST 800-86 standard to be admissible in proceedings, and the UK firm required a local specialist who could handle the acquisition professionally and deliver the evidence securely.

Details in this case study have been altered to protect client confidentiality. The core facts, forensic methodology, and outcomes are accurate.

What we found

The devices contained corporate data that required careful handling during the acquisition process. NDF needed to ensure that forensic copies were complete and verifiable while protecting the integrity of the corporate information stored on the laptops.

How we responded

NDF conducted the forensic acquisition with the following approach:

  • Evidence collection adhering to NIST 800-86 standards, ensuring chain of custody and forensic integrity throughout
  • Corporate data protection, handling sensitive information on the laptops appropriately during the acquisition process
  • Decryption testing to verify the forensic copies were accessible and complete
  • Secure packaging using the highest available encryption standards for transit
  • Online delivery, enabling the UK firm to retrieve the evidence within hours of acquisition
  • Written statement documenting the acquisition process in accordance with international expert codes of conduct

The outcome

The UK cyber security firm received forensically sound evidence copies within hours of acquisition, packaged and encrypted to international standards. The accompanying written statement provided the documentation needed to support the evidence’s admissibility in proceedings. The engagement demonstrated that cross-border forensic work can be completed quickly without compromising evidentiary standards.

Lessons for similar organisations

  • International investigations need local expertise. Having a trusted forensic partner in each jurisdiction eliminates delays and ensures evidence meets local and international standards simultaneously.
  • Speed and rigour are not mutually exclusive. Same-day forensic acquisition and secure delivery are achievable when processes are well established.
  • Documentation is as important as the evidence itself. A written statement of the acquisition process, prepared to expert codes of conduct, is what makes the evidence usable in proceedings.