Forensic extraction process for consumer messaging accounts

This document outlines our procedure for gathering online and offline consumer information through consented access or a ‘consent order.’ Our approach is designed to be efficient, professional, and approachable, while adhering to relevant technical and expert evidence standards. This is not the full procedure, but an outline in a format accessible to non-technical readers.

Why This Process Exists

To ensure accuracy and reliability in evidence collection, we strictly adhere to the NIST 800-86 Guide to Integrating Forensic Techniques into Incident Response((Kent, K., Chevalier, S., Grance, T. and Dang, H. (2006). SP 800-86 - Guide to integrating forensic techniques into incident response, National Institute of Standards and Technology (NIST), United States, [online] doi:https://doi.org/10.6028/nist.sp.800-86)) procedure and the relevant jurisdiction’s expert code of conduct. In Australia, the federal expert code is GPN-EXPT((Allsop, C.J. (2016). Expert Evidence Practice Note (GPN-EXPT). Federal Court of Australia, Available at: [online] https://www.fedcourt.gov.au/law-and-practice/practice-documents/practice-notes/gpn-expt.)), while states and territories have similar codes. In New Zealand, it is the High Court Rules 2016 Schedule 4((New Zealand Government, High Court Rules 2016 (LI 2016/225) (as at 23 June 2022) Schedule 4 Code of conduct for expert witnesses – New Zealand Legislation. [online] Available at: https://www.legislation.govt.nz/regulation/public/2016/0225/latest/DLM6953324.html [Accessed 25 Apr. 2023].)).

Process for Consumer Cloud Forensic Extractions

Access Requirements: To access online services such as Facebook, iCloud, Instagram, Gmail, GDrive, Google Photos, or similar online services, we require passcodes, passkeys, and 2FA login assistance (which may include a QR code or another method), as well as backup passwords or PIN patterns for devices. We arrange a Zoom call with the individual granting consented access, during which they may have their lawyer present if they choose.

Zoom Call Focus: During the call, we keep the discussion confined to: a. Our data collection and secure storage process. b. The handling of data at different stages.

Evidence Collection: For verification purposes, we gather evidence through two methods: a. Screenshots or recordings. b. Utilising the provider’s ‘download your own data’ service (e.g., Google Takeout, Facebook Privacy Data Download, Apple iCloud, Samsung Cloud, etc.). In some cases, we may use specialist software to download data based on our instructions, consent agreements, or consent orders.

Please direct any further questions to your lawyer.

Process for Device-Based Forensic Extractions

Almost all extractions from devices occur at our lab, which is common industry practice for digital forensics examiners. By special arrangement, we can conduct a witnessed or onsite evidence extraction, but this typically costs more.

We don’t normally need the consenter to be present, whether in person or by video link. We do require passcodes, passkeys, backup passwords (if any), or PIN patterns for devices.

Devices within Australia or New Zealand: We request that the device be couriered to us or dropped off at our Sydney office. We then collaborate with the consenter to gain access to the device and courier it back upon completion.

Devices in Other Countries: We have agreements with digital forensics companies worldwide who can collect evidence on our behalf. Depending on the country, we may ship devices (e.g., the Philippines) or not (e.g., the USA).

This procedure only applies to consumer-based accounts and some consumer devices. For other evidence extraction approaches, please contact us.

 

Note to other digital forensics firms

For international companies wishing to establish a mutual assistance partnership, please contact us for a discussion.

Important note on general advice

We are a cyber security firm, but we may not be YOUR cyber security firm. Seek independent advice.

None of this is ever legal advice. Always seek legal advice from a qualified and licensed legal practitioner.

All cyber-security and digital forensics decisions require careful consideration of your own circumstances and risks. General information is not tailored to your individual needs. You should seek the advice of a suitably qualified cyber-security or digital forensics specialist.