This chapter looks at the importance of forensic technology within investigations. It starts by looking at why data is so crucial to an investigation, before examining the different types of data available to an investigator. It then discusses the processes that should be followed to capture, prepare and investigate data to ensure that it is incorporated into an investigation appropriately before discussing how artificial intelligence and machine learning can assist the investigator.

ii Criticality of data to an investigation

Data is the lifeblood of most modern-day organisations: this is no less true for an investigator. Although not the only source of information relevant to an investigation, data can provide an unbiased, unaltered and accurate reflection of historic events unlike other sources. Data can be more reliable than the human mind, especially if the relevant events are historic, and data tends to be more pervasive and persistent than paper documents. Forensic technology is the practice of dealing with data in such a way that it can be incorporated into an investigation in a legally admissible form.

When conducting an investigation, it is essential that data is fully incorporated within the overall scope of the investigation. Not only does data need to be included, it should be central to the investigative process and not viewed as a separate, stand-alone task. As with other aspects of an investigation, the process is more efficient and effective if the different aspects are connected and the findings flow between them in a timely manner. The key goal is to empower the investigation through the intelligent analysis and investigation of data.

However, data tends to be highly volatile and can easily be altered or deleted, intentionally or otherwise; therefore it is important that the process of managing data in an investigative sense is dealt with at an early stage of the investigation, in a forensically sound matter and in an all-encompassing way. This does not mean that every single byte of data needs to be fully investigated, just that all relevant systems need to be appropriately considered.

When it comes to managing data in a forensically sound manner, the Association of Chief Police Officers' (ACPO) Good Practice Guide for Digital Evidence2 provides a sound basis for any investigator, specifically the four principles it promotes:

Principle 1: No action taken ... should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. ...
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

It is essential during an investigation that the process followed to capture, prepare and investigate data is robust and complete, otherwise the results may not be admissible in a court of law or the investigation itself may become publicly criticised.

iii Types of data available to an investigator

Given the use of technology throughout a workplace and beyond, data exists in many different forms and sources, but can be considered within a two-dimensional grid, as illustrated below:

Table 1: Framework for understanding data types

Type of data Internal to the organisation External to the organisation
Unstructured Organisational email, file shares, computers and phones/tablets, etc. Personal devices, websites, etc.
Structured Accounting information and telephone records, etc. Databases of directorships, shareholdings, etc.
Social Internal blogs, etc. Facebook, LinkedIn, Twitter, etc.

All these sources need to be considered in regard to an investigation; however, for the purposes of this chapter, I will not differentiate between internal and external sources, as from a technical perspective the approach is the same – although the practical and legal considerations vary greatly.

Unstructured data refers to information that does not have a pre-defined structure and is typically text-heavy, but may contain dates, numbers, graphics and other types of information. It is the form of data that we are probably most familiar with and would include emails, documents, spreadsheets and presentations. Typical sources of unstructured data would include:

  1. computers, be it a laptop, desktop or workstation;
  2. mobile phones and tablets, which tend to be more and more central to an investigation;
  3. email systems, including archives;
  4. network file shares, including but not limited to personal 'home' drives, departmental drives and profiles within a typical organisation; and
  5. other document repositories within an organisation, for example SharePoint servers.

Although the above sources will contain a myriad of different file types, including music, videos and system files, unless there are specific reasons why they should be included in an investigation, typically, the investigation will focus on user-generated files such as emails, documents, spreadsheets and presentations, with the rest being filtered out.

Structured data is the opposite of unstructured data, in that it refers to information that does have a pre-defined structure and is generally in the form of 'databases', but can be much wider than this. In respect of an investigation, the most common sources of structured data relate to systems that monitor or record activity related to the substance of the investigation; for example, accounting and banking records in respect of a financial fraud, or expense claims in respect of an expense fraud.

A hybrid of structured and unstructured data, referred to as semi-structured data, can also be prevalent within an organisation: this is where the content tends to be unstructured but it is bound by a more solid structure. A typical example of this would be chat or instant messenger messages, which can be very revealing to an investigation and therefore should not be overlooked.

Social data is a relatively new class referring to data that is shared publicly, or in a more restricted context (e.g., within an organisation or a circle of 'friends'), which is stored within a central repository and includes not only the content but also information that is linked to this content, such as shares, likes, location, time posted, and so on. Although the most recognisable sources will be external to an organisation (e.g., Facebook, LinkedIn), many organisations are using these technologies internally and thus they need to be included within an investigation.

When considering these different sources of data, it is important that they are not simply considered from a technical perspective, as it is easy to get swamped by data when collecting everything due to the sheer volume created and captured by modern companies. Other factors can influence what and how different sources are dealt with during an investigation, for example:

  1. Time: it is important to consider which sources of data were actually in use at the time the investigation relates to, as opposed to the ones in operation currently.
  2. Backups: all organisations should have some sort of backup policy implemented across some or all of their systems. It is important that the above-mentioned sources are considered as they can provide a timely snapshot of activity from a historical moment in time. This can be particularly useful if there are any suspicions of data being deleted.
  3. Custodian scope:
    • to recognise that not all processes (see later) need to be applied to all custodians or data sources. Therefore, it is generally more appropriate to cast a wider net at the start of the investigation but then focus on key custodians or data sources; and
    • that 'witnesses' as well as 'suspects' should be included in the process. Typically this will include assistants as they often store much more data than the people they work for.
  • Actual usage: there is often a wide variance within an organisation between how IT think computer systems are used within their organisation and how individuals actually use them. For an investigation, it is the latter that is important.

It is also critical when considering all the above data types that hard-copy or paper sources are not forgotten or overlooked, although they should be fully integrated into the investigation process, as discussed later.

iv Processes to follow to maximise the use of data in an investigation

When dealing with data in respect of an investigation, the exact way that it is managed and implemented will vary from case to case; however, there are various models available that set out some of the key stages of such exercises. The most widely used, and referenced, is the 'Electronic Discovery Reference Model',3 which was designed to meet the requirements of legal discovery under US litigation and it has equal applicability to how you can manage data during an investigation. A more simplified model for investigations that I have used comprises five key stages:

  1. identification;
  2. collection;
  3. processing;
  4. data repository; and
  5. investigation and analysis.

The first stage is designed to identify the entire universe of systems that may hold relevant documents, which can be very varied (as described above). A data-mapping exercise is a core component of this, and is most effectively compiled by having timely discussions about the systems in place at the relevant time with both members of the IT team and individual users. With this dual perspective, as described above, it is possible to establish and document which systems could hold relevant documents, not only from a theoretical perspective (i.e., how systems should have been used) but also from a practical perspective (i.e., how systems were actually used). Once collated, the identified systems can be analysed to determine their potential relevance to the investigation.

One key difference when dealing with an investigation, as opposed to a discovery or disclosure exercise, is that the concept of proportionality does not apply to the same degree – especially in the context of regulatory driven investigations, whereby the actions performed within an investigation can be scrutinised as thoroughly as the findings. This generally means applying a wider scope to the exercise when determining the relevance of systems and individuals to an investigation, and thereby deciding whether to collect data related to them.

The collection phase of an investigation consists of two separate components: preservation and the actual forensic collection. The key goal with preservation is to ensure that nothing relevant to the investigation is 'lost' or compromised. Typically this will involve taking steps, such as those listed below, to ensure that relevant data should be available as and when needed during the investigation:

  1. activating litigation hold procedures and mechanisms;
  2. prohibiting backups from being recycled or deleted;
  3. ensuring all automatic archiving or deletion processes are suspended;
  4. suspending the wiping and reissuing of any physical devices (e.g., computers and smartphones); and
  5. enabling journaling (or equivalent) on any email or chat system.

The second phase is the actual forensic collection of data, complying with the ACPO guidelines for digital evidence, as discussed above, which have become the standard to which all forensic practitioners should comply to ensure that collection exercises cannot be challenged. It is important to note here that to preserve some forms of data, a forensic image is the most practical solution – especially when dealing with physical devices such as computers and smartphones. However, whereas the scope of the preservation should be set in the widest possible context, the scope of any forensic collection exercises would tend to be more targeted, although still broad enough for the purposes of the investigation.

Once the relevant data has been securely collected and backed up, then the data needs to be processed into a single data repository, so that the contents can be thoroughly analysed, investigated and reviewed. This stage has effectively three phases:

  1. identifying which documents (or data) from the collected systems are to be processed. This does not necessarily mean the entire universe of collected data;
  2. the documents or data selected then, in certain cases, need to be converted or normalised to ensure that they can be handled effectively in latter stages of the process; and
  3. the documents and data then need to be loaded into a single data repository. This typically also includes performing:
    • compound file expansion, to ensure that the individual files, records and emails from containers (e.g., ZIP, RAR, PST files) are included as separate records within the data repository, otherwise they can be overlooked;
    • signature analysis, to identify the true file type of each file, rather than relying on the simple file extension, which can be altered by the user, to ensure that files are categorised and analysed correctly;
    • deduplication, to ensure that only single instances of each document exist in the repository, although it is important to be able to track where any duplicates existed, as sometimes seeing who had access to which documents, and when, can be very important;
    • near deduplication, which is an extension of deduplication but focuses on the actual content within a document (as opposed to its form and metadata) and provides a degree of similarity (e.g., 95 per cent identical in content) to determine whether two documents are considered near duplicates;
    • email threading, so that chains of emails can be identified and grouped together to enable the investigator to look at the complete sequence of communication in one place, as opposed to seeing the different components piecemeal and multiple times;
    • indexing, so that documents can be searched;
    • latent semantic indexing (or similar), so that the key concepts and phrases can be identified and searched during an investigation, rather than just the individual words;
    • language identification, so that documents containing foreign languages can be identified and directed towards appropriately fluent investigators; and
    • optical character recognition across relevant 'images' so that any text they contain can also be made searchable.

The ideal end result is that all selected data is processed in its entirety and can be made available to the investigators through a single repository. The concept of a single repository is crucial to a successful investigation as it enables all data and documents, irrespective of form or source, to be analysed through a single lens. This enables intelligence from different documents and sources to be considered together, in context with each other; for example, being able to analyse phone calls, emails, chat messages and trades between a group of individuals together enables accurate event sequences and conclusions to be drawn, which could be missed if the different forms of data are reviewed in different systems by different people.

v Investigating data

Understanding and utilising structured and unstructured data has become the lynchpin in advancing large, complex investigations. The escalation of volume and types of electronic information has made sifting through and contextualising information a significant challenge in all types of investigations.

When dealing with data during an investigation, there are really two different perspectives through which to analyse it: content and forensic technology.

From a content perspective, the investigation will be focused on the actual content contained within the data or documents in question – what was 'said', to whom and when. Typically this is referred to as a 'document review' exercise, which comprises two stages, although as I will explain later, there are many different analytical methods that can be applied to arm and inform the investigator.

The first stage of a document review, often called the early case assessment, refers to the steps followed to search and filter the processed documents in order to create a review population (i.e., a population of documents that will then be reviewed). Typically, this will involve a series of evolving searches and filters based on the investigation team's knowledge of the case, associated facts, hypotheses and lines of enquiry. It is especially important in the context of an investigation to consider this a 'living' process, so that it lives symbiotically with the investigation, evolving as the investigation as a whole does.

The second step relates to the actual substantive review of the documents. Typically, this is performed using a web-based review system, which enables the reviewers to see the documents, tag them based on a predefined schema and make comments on them because they are relevant to the investigation. In most cases, documents will pass through several review phases, until all of them have been reviewed and tagged appropriately. During this process, the findings from the review will be integrated with the rest of the investigation, ensuring that they form part of the overall strategy and report.

However, technology can assist beyond providing a platform to search, review and code documents based on their content alone. By analysing either the metadata related to a document or by analysing the documents through lenses other than the keywords they contain, greater insights can sometimes be gained from the review. These processes never remove the need to review the actual document, but they do provide more context or linkages around the documents and their potential relevance to the investigation.

There are a variety of different lenses that can be applied across the data. Their applicability to an investigation will vary depending on the data itself and the nature of the investigation. Some of the most common methods are detailed below.

i Time analysis

Rather than focusing on what was said, this process focuses on when something was said, almost irrespective of what was actually said. This enables the investigator to see the entire pattern of communication around critical time periods, rather than only those that contain a key word, and enables themes or issues to be 'mapped' over time.

ii Network analysis

Rather than focusing on what was said, this process focuses on who said something, almost irrespective of what was actually said. This enables the investigator to focus on communications or interactions between key people relevant to an investigation and gain a view of their relationship. This can specifically help to identify:

  1. the relationships between key players in an investigation, between individuals and among the group;
  2. hidden relationships with additional players who were previously unknown to the investigation team; and
  3. the flow of money or information between players in the investigation.

iii Entity extraction

This seeks to automatically identify known entities (e.g., people, places, organisations, times, things) from within all the documents in the repository. Any identified entities can then be searched and analysed as part of the investigation. This can not only help identify formerly unknown entities but can also help to establish the links and relationships between different entities within the investigation.

iv Clustering

The system uses the results of the semantic index to cluster like documents together based on their key concepts and terms, as opposed to anything else. This process can also take into account other variables, such as dates or times and participants in a conversation. This allows for documents to be viewed through the overall context of their meaning as opposed to the actual words used. This process can be used in various ways:

  1. examining the entire population at a high level to get a 'feel' for the overall content and what the key topics are;
  2. quickly removing irrelevant or trivial content from the scope of the investigation; and
  3. finding conceptually similar documents to a particularly key document that has been identified through other means.

v Sentiment analysis

The content of a document is analysed to determine, if possible, whether it is projecting a positive, neutral or negative view. This enables an investigator to potentially focus on key conflict documents by analysing those with a particularly negative sentiment. A similar analysis can be performed to determine whether the content of a document is considered subjective or objective.

Two additional analyses can be applied to the results from some or all the above lenses, the first being that multiple lenses can be applied in conjunction with each other, thereby building more complex analytical queries; for example, search for all communications between A and B that are negative in context and include the entity ABC Limited. These can also be combined with traditional filtering and keyword searches to provide a much more comprehensive and sophisticated analytical toolbox for the investigator.

The second relates to the way that the results are displayed and the use of visualisations to aid the investigator. This lends itself to the fact that, generally, human beings can take in more information and see patterns more readily if in graphical form, rather than a long string of text. These exist in all sorts of different shapes and sizes and can focus on content (for example, a word cloud) or on a particular item of metadata (for example, a geographical representation of search results).

vi Forensic data investigation

As well as considering documents and data from a content perspective, a parallel line of investigation relates to the forensic aspects of the data. This generally relates to how the relevant individuals used technology and what they did, as opposed to the live content contained within. Therefore, this line of investigation is generally focused on sources that individuals 'touch' (i.e., physical and personal devices such as computers, smartphones, tablets, USB drives) as opposed to remote storage-central systems. There are some exceptions, such as:

  1. where the company uses virtual machines to run their operations, these will generally be stored remotely and need to be investigated in the same way as a physical device would be; it is just collected from a different source; and
  2. when considering deleted files, deletion exercises are not necessarily limited to physical devices and can be performed across networked drives and email systems; however, the best form of attack to counter this is to include backup tapes in the investigation through a 'content perspective' as opposed to dealing with them forensically. Additional analyses would probably be performed looking explicitly at what and when data was deleted.

The list of forensic techniques that can be applied across systems is very long; however, I will focus on the most common, and on the most common subject of a forensic investigation: a Windows-based computer.

The first technique that is core to most investigations is the recovery of deleted files. This is based on the fact that where there is malpractice, people tend to try to cover their tracks and deleting files is one way of attempting to do this. Although it is always best to start an investigation without the suspects being aware or suspicious of an investigation, this is not always possible; therefore recovering deleted files is a key step to take in an investigation.

Before examining deleted files, it is important to explain some of the technological workings of a Windows-based computer so that the process can be fully understood.

A partition (or a logical volume) on a computer hard drive is a single storage area with a single file system that can have data written to it and is generally referred to by a letter followed by a colon and a back-slash (e.g., C:\).

The new technology file system (NTFS) is the one used by Microsoft in its operating systems, since the introduction of Microsoft Windows NT, to manage all files and folders on the partition (including itself). Fundamentally, the NTFS works by viewing a partition as having two main components, an index component and a data component. The index component, which is called the master file table (MFT), contains a list of the files and folders contained on the partition, details about them and pointers to the location of files in the data component. The data component contains the actual data of the files and its usage is managed by system files, including the $bitmap file. Every file and folder has a separate, unique entry in the MFT.

The Recycle Bin is a special folder that Windows uses as a repository for files that are deleted in a normal manner from a fixed drive (e.g., a hard drive). Generally, there is a Recycle Bin for each user on each partition of a drive. Files and folders that are deleted in a normal manner from a fixed drive are moved by the operating system to this folder and renamed. There is also a database system within each Recycle Bin that records the original location of the deleted files or folders and the time and date they were deleted.

When a user deletes a file, it does not mysteriously disappear from a computer. The first thing that happens is that it is moved to the Recycle Bin (see above for how this operates). The next phase of a 'deletion' is when the user empties the Recycle Bin. What this actually does is delete the renamed file and empties the associated database within the Recycle Bin. In respect of it 'deleting the renamed file', effectively two things happen:

  1. The flag in the file's MFT entry is changed to say it has been deleted, and that the operating system can reuse that entry in the MFT.
  2. The operating system is notified that it can reuse the space where the file was saved (e.g., to act as though the file was not there) through a special 'file' called the bitmap, which tracks which areas of the disk are used and which are not. It does not change anything in respect of the file content itself.

However, at this point both the MFT entry and the space on the drive where the file was saved are perceived as being 'free' by the computer and hence new data can, and given enough time, probably will be saved in their place, thus overwriting the previous contents. This does not necessarily happen in a totally predictable or timely way. In respect of the MFT, Windows will always use the first available entry when writing a new entry in the MFT, but in respect of the drive space, there are no known rules or logic to explain when or if the data will be overwritten and whether the overwriting file will overwrite all or some of the previous file. Therefore, there are a number of resultant possibilities that can occur, as set out in the table below:

Table 2: Different stages of file deletion and the associated consequences for recovery

MFT entry Data area Consequence
Not overwritten Not overwritten The file can be fully recovered and all details about it are available
Overwritten Not overwritten File content is recoverable but no details about the file are known (e.g., name, dates, etc.)
Not overwritten Partially overwritten Details of the file are available, but only a fraction of the content is available (it is not recoverable and needs to be viewed using specialist forensic software)
Not overwritten Fully overwritten Details of the file are available, but no content is available
Overwritten Partially overwritten Fragments of unassociated text are available (i.e., you may be able to locate interesting text but you will not be able to determine which file it originated from or anything about it)
Overwritten Fully overwritten Nothing is recoverable

From an investigation perspective, where the data area has not been overwritten, files should be recovered and be included in the subsequent processes along with the other data relevant to the investigation. Where the MFT entry is not overwritten but the content is, then this information alone can be relevant and should be incorporated into the investigation.

An extreme case of deletion is when a user 'wipes' data from a computer. There are numerous free tools available that enable users to do this fairly easily, although it can take significant time to fully wipe data and the tools will only wipe what they are instructed to; some relevant materials can therefore sometimes be missed from this process. Effectively what wiping does is to purposefully overwrite the specified areas of the hard drive with random data, thus making the previous content unrecoverable. However, from an investigation sense, although the content may be lost (from this source), there are relevant findings that can sometimes be established to be incorporated into the investigation, such as:

  1. the fact that wiping has occurred;
  2. a time frame of when the wiping is likely to have occurred; and
  3. details of what was wiped.

Two other key techniques often used as part of an investigation are analysing internet activity and profiling other user-related activity on the computer. Although they sound similar, the areas of a computer that are analysed to produce the analysis are very different.

In respect to internet activity, although every browser works in a slightly different way, there are in principle three sources of evidence that can be analysed to help determine usage:

  1. the cache: this records local copies of the content reviewed during a browsing session, including web pages, graphics and other components from the web pages;
  2. the history: this is a database that tracks the websites visited during a browsing session and various metadata related to the pages; and
  3. other related files, such as cookies: these are used in various ways by different applications to track or 'improve' the way the application works.

By analysing these together, including deleted versions that can sometimes be recovered in the same way as any other data, it is possible to produce a detailed picture of how the internet was used on the computer. This can be of upmost importance and relevance to an investigation, for example where relevant content can be identified and recovered from:

  1. personal web-based email systems;
  2. web-based or cloud storage systems;
  3. search histories; and
  4. a general review of websites visited.

In respect of profiling the user activity on a computer, the most important source of evidence is the registry on a Windows computer. The registry is a large database, made up of various individual files, that manages the different components, software and users on a computer and how they all interact with each other. It is used extensively by the operating system and all applications installed to ensure that they perform in the way that they are intended. In respect to investigations, there are a number of key facts that can be determined from analysing the registry that should be incorporated into the wider investigation, which include:

  1. recently used files and folders;
  2. other external devices (e.g., USB devices) that have been used in connection with the computer;
  3. time and date settings on the computer;
  4. network drives that have been used;
  5. log-on and log-out times for users; and
  6. Wi-Fi networks that have been connected to.

In addition to the techniques referred to above, there are many others that can significantly aid an investigation and, given the right circumstances, should be central to the process.

vii Use of artificial intelligence and machine learning to support investigators

All the aforementioned investigatory tasks and steps involve a human being making the lead decisions and instructing a computer to perform analyses. However, computers can aid an investigation by having a more active role in deciding the direction of the investigation, or making it more efficient through the use of artificial intelligence and machine learning. There are four specific uses of these techniques that can be especially applicable to investigations: predictive coding, predictive analytics, link analysis and in-context searching and analysis.

Predictive coding, also known as predictive text analytics or technology-assisted review, uses a combination of statistical analysis and computer-learning algorithms to make the document review process more efficient. It allows for the system to automatically propagate coding decisions across the entire population of documents, based on how a human being codes an initial sample or samples. This is an approach that is commonly used in disclosure review exercises, but can be less relevant in an investigation (except maybe in the closing stages when the fact base is more complete) as the fact base is not necessarily known and, therefore, what is relevant to an investigation will change over time as the fact base will also change as the investigation progresses. One specific use is a 'find similar'-type search around specific key documents, whereby the system will identify other documents that, based on the same statistical analysis and computer-learning algorithms, are similar to the key documents already identified. Another use of predictive coding is as a form of quality control to ensure that no documents similar to those identified as being key to the investigation have been overlooked.

Predictive analytics is very similar to predictive coding in concept but is applied across structured data as opposed to unstructured textual data. Effectively it is the practice of using advanced statistics and historical data to predict future outcomes, and applies a very similar approach to the above, namely:

  1. the identification of relevant historical datasets, referred to as training data, where the outcome to be predicted is known;
  2. the application of machine learning algorithms to identify patterns or relationships within the data that have a high probability of predicting an outcome;
  3. these models, once tested and refined are used to create a model; and
  4. that model is applied to either the remainder of the dataset or new data as it becomes available to predict the outcome.

Link analysis takes the concept of entity extraction, discussed above, a stage further, and as well as identifying the entities contained within a document, it identifies relationships between them. These relationships can be both assessed by a human being to determine their strength and relevance, and strengthened based on multiple occurrences of the same identification across multiple, non-duplicate, documents. This then enables these relationships to be automatically mapped within a visual chart to depict them and how different relationships relate to each other, eventually generating an overall relationship analysis diagram, as is commonly used within an investigation, the key difference being that in using this technology, they are automatically identified.

The final concept is one that enables in-context searching and analysis. This is where the system prompts and promotes lines of enquiry that investigators might wish to take based on an analysis of a combination of the data population and the action taken by the investigator. The system effectively learns what sort of action generates relevant documents (based on human actions and decisions) and then seeks to augment the investigation through making likely relevant suggestions.

The technologies for this are not being developed in a legal or investigative context but rather in a wider machine-learning context and most of them can be readily observed in the way large technology companies, such as Google, Facebook, Amazon, Apple and Microsoft, use them to enhance web browsing or online behaviour.


Technology will never replace human beings within an investigation but it will enable them to understand, connect and analyse more data from different sources in a single environment. Therefore, it is essential when undertaking an investigation that, not only is the full scope of data considered within the investigation, but also that the technology is used to its fullest extent to enhance and drive efficiencies within the investigation.

When approaching an investigation, there are five key points that must be fully considered:

    1. ensure that all data is collected in a forensically sound manner to avoid any issues with its future admissibility and use;
    2. document all actions and decisions taken throughout the investigation to ensure that the process is managed efficiently and effectively;
    3. ensure that all processes are verified and confirmed to ensure that the full set of data is included in the investigation and nothing has been missed;
    4. fully incorporate the investigation of data into the overall investigation to maximise its benefit; and
    5. ensure that the work is performed by a qualified expert.


1 Phil Beckett is managing director at Alvarez & Marsal Disputes and Investigations, LLP. The information in this chapter was accurate as at June 2018.

3 EDRM LLC, 'EDRM Framework Guides', retrieved from www.edrm.net/frameworks-and-standards/edrm-model.