This document outlines our procedure for gathering online and offline consumer information through consented access or a ‘consent order.’ Our approach is designed to be efficient, professional, and approachable, while adhering to relevant technical and expert evidence standards. This is not the full procedure, but an outline in a format accessible to non-technical readers.
Why This Process Exists
To ensure accuracy and reliability in evidence collection, we strictly adhere to the NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response((Kent, K., Chevalier, S., Grance, T. and Dang, H. (2006). SP 800-86 -Guide to integrating forensic techniques into incident response, National Institute of Standards and Technology (NIST), United States, [online] doi:https://doi.org/10.6028/nist.sp.800-86)) procedure and the relevant jurisdiction’s expert code of conduct. In Australia, the federal expert code is GPN-EXPT((Allsop, C.J. (2016). Expert Evidence Practice Note (GPN-EXPT). Federal Court of Australia, Available at: [online] https://www.fedcourt.gov.au/law-and-practice/practice-documents/practice-notes/gpn-expt.)), while states and territories have similar codes. In New Zealand, its the High Court Rules 2016 Schedule 4((New Zealand Government, High Court Rules 2016 (LI 2016/225) (as at 23 June 2022) Schedule 4 Code of conduct for expert witnesses – New Zealand Legislation. [online] Available at: https://www.legislation.govt.nz/regulation/public/2016/0225/latest/DLM6953324.html [Accessed 25 Apr. 2023].)).
Process for Consumer Cloud Forensic Extractions
Access Requirements: To provide access to online services like Facebook, iCloud, Instagram, Gmail, GDrive, or Google Photos, or similar online services, we require passcodes, passkeys, and 2FA login assistance which may include a QR code or other thing. backup passwords, or pin patterns for devices. We arrange a Zoom call with the individual granting consented access, during which they may have their lawyer present if they choose.
Zoom Call Focus: During the call, we keep the discussion confined to: a. Our data collection and secure storage process. b. The handling of data at different stages.
Evidence Collection: For verification purposes, we gather evidence through two methods: a. Screenshots or recordings. b. Utilising the provider’s ‘download your own data’ service (e.g., Google Takeout, Facebook Privacy Data Download, Apple iCloud, Samsung Cloud, etc.). In some cases, we may use specialist software to download data based on our instructions, consent agreements, or consent orders.
Please direct any further questions to your lawyer.
Process for Device-Based Forensic Extractions
Almost all extractions from devices occur at our lab, which is common industry practice for digital forensics examiners. By special arrangement, we can conduct a witnessed or onsite evidence extraction, but this typically costs more.
We don’t normally need to have the consenter present (or by video link). We do require passcodes, passkeys, backup passwords (if any), or pin patterns for devices.
Devices within Australia or New Zealand: We request that the device be couriered to us or dropped off at our Sydney office. We then collaborate with the consenter to gain access to the device and courier it back upon completion.
Devices in Other Countries: We have agreements with digital forensics companies worldwide who can collect evidence on our behalf. Depending on the country, we may ship devices (e.g., the Philippines) or not (e.g., the USA).
This procedure only applies to consumer-based accounts and some consumer devices. For other evidence extraction approaches, please contact us.
Note to other digital forensics firms
For international companies wishing to establish a mutual assistance partnership, please contact us for a discussion here.