Once we know what we are looking for, based on the investigation plan and the hypotheses developed to verify the alleged wrongdoing, we can begin collecting information and establishing the facts that allow us to test and conclude on those hypotheses.
In order to establish facts we need to find eligible sources of information. These are discovered through an initial triage of the available sources (this stage is often called the “discovery phase”). In the discovery phase we may consider:
- People who might have seen or heard about the alleged action
- Databases that may store data and information associated with the alleged action, e.g. cloud storage, company servers, PaaS, IaaS or SaaS solutions used by the company
- Devices that may store data eligible for fact finding, e.g. mobile devices, tablets, laptops
- “Old timer” hard copy documents and notes 🙂
Once we have discovered (established) the eligible information sources, we need to collect the facts in a human-readable format, which is often referred to as “evidence collection”. We need to bear in mind that evidence collection applies equally to facts confirming and denying the alleged wrongdoing. If we focus only on confirming the allegation, we may not reach the truth, and we risk making false allegations and facing possible action for infringement of personal rights and good name. While collecting evidence we may consider:
- Data mining for databases and electronic devices, e.g. computers or mobile phones
- Interviews with people involved in the investigation, i.e. witnesses, suspects, expert witnesses [if needed]
- Review of hard copy documentation, e.g. contracts, invoices, other supporting materials stored on paper (these could also be scanned, OCRed [processed by optical character recognition software] and included in the data mining procedures)
- Visual inspection of the place or an object in search of other eligible evidence or circumstantial evidence
Once we have collected all the eligible information, we need to sieve fake news from truth and organise the facts in sequence [often the sequence of events counts]. Having done that, we may conclude whether the alleged action has been confirmed or denied. The conclusion needs to be documented. Often, the conclusions of an investigation are documented in the form of a report. More on the recommended format of forensic investigation reporting in the next chapter.