19 Sep 2019

FLOW: Forensics, technology and the future of legal services 09: Data leak investigations

Data is the new currency, constantly under attack, either from the inside by employees who have an axe to grind and decide to leak sensitive or confidential information, or from the outside by professional hackers who are looking to exploit an organisation's vulnerabilities for their own gain. When a leak occurs, a swift, agile and decisive approach is crucial.



Data is the new currency. Our clients' data is constantly under attack: it can come under attack from within the organisation, possibly from disgruntled employees with an axe to grind, or it can come from the outside, from professional hackers who are expert at exploiting a company's vulnerabilities for their own gain. It's becoming an ever-increasing problem because the amount of information which our clients store increases exponentially all of the time. In response to this we have developed a robust approach which utilises our end-to-end solution, using lawyers and our FTS team.

So when a data leak or an information leak occurs, the first initial period is super critical to the investigation, and doing collections or preservation of that data once it's identified is absolutely pivotal. To get this kind of information and to analyse it, we need state-of-the-art tools, which we have in our toolkit, to be able to identify these very pointy-end results. The basic investigation workflow that we undertake for these kinds of matters starts with an identification piece: in the identification piece we are trying to identify the systems, whether internal systems, third party or whatever it may be, that hold this pivotal, or the leaked, information I should say. Once we've identified these systems, we identify who has access to them, who has accessed them and where they sit internally within the business, and we try to understand whether there's auditing or logs or whatever it may be that we can use for analysis. Additionally to that, we try and find out information that may not necessarily be in a log form, whether it be identifying key people within the business that may have the motive and the means to have done said leak, essentially.

The second part of the investigation is obviously data collection and preservation, so we want to preserve the information within those internal systems, whether it be logging or auditing information, to try and understand the activity around that system. Additionally to that, we're looking at endpoint devices, so that can relate to custodian PCs or laptops or phones, so it'll be a preservation exercise across that whole environment.

Following that is the analysis piece: using specialised software such as Nuix, Cellebrite, Axiom and Magnet Forensics, we conduct this analysis piece and we timeline the event to try and find those relevant artefacts that we can link together to basically form our investigation. Sometimes it's a kind of cyclical effect of finding artefacts, doing further investigation, further preservation and again finding artefacts; it's a whole cycle.

So after we have done the analysis, and we've found those specific relevant artefacts and we've linked them back to both a POI or different sources of information, the final part is putting that together and painting a final picture in terms of reporting and findings. This can be expressed in a final report, a detailed final report, or a dashboard with the different artefacts that we've discovered, or purely going through it face to face with the client.

The best way of stopping a leak of confidential information, when the leak occurs internally, is preventing employees from transmitting the documents to external locations, and for that reason we recommend a number of things, which include limiting the ability of employees to access from work Gmail accounts, Dropboxes and external printers. All of those things can either be limited or tracked so that, if a leak does occur, it can be swiftly identified and the culprit brought to account. A collaborative legal and forensic technology approach allows us to provide cost efficiencies, it's cheaper and it's quicker, and we have the specialised tools to enable us to, or to enhance, that offering.
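As an added example (not Clayton Utz's tooling or code), here is how the identification, preservation and timelining steps described above, together with the tracking of transfers to external Gmail accounts and USB devices, can be tied together: it merges constructed log records from three source systems into one timeline and links each external transfer of the leaked document back to the custodian's preceding access. The source names, field layouts, custodian names, addresses and document identifier are all assumptions.

```python
"""Added example, not Clayton Utz's tooling: merge constructed logs from the
systems identified in step one into a single timeline and link the leaked
document to the custodian whose access was followed by an external transfer."""
from datetime import datetime, timedelta

# Constructed sample records from three sources named in the transcript's
# workflow: document-management audit log, mail gateway, endpoint USB log.
# Field layouts are assumptions, not a real product's format.
DMS_LOG = [  # (time, custodian, action, document id)
    ("2019-09-10T09:02:00", "jsmith", "open", "DOC-4471"),
    ("2019-09-10T09:40:00", "alee", "open", "DOC-4471"),
    ("2019-09-11T17:55:00", "alee", "download", "DOC-4471"),
]
MAIL_LOG = [  # (time, sender, recipient, attachment name)
    ("2019-09-11T18:03:00", "alee", "alee.personal@gmail.com", "DOC-4471.pdf"),
    ("2019-09-10T10:00:00", "jsmith", "counsel@example.com", "agenda.docx"),
]
USB_LOG = [("2019-09-11T18:10:00", "alee", "copy", "DOC-4471.pdf")]
INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain

def build_timeline(doc_id):
    """Normalise every source into (time, custodian, source, event) tuples
    that mention doc_id, sorted chronologically."""
    events = []
    for t, user, action, doc in DMS_LOG:
        if doc == doc_id:
            events.append((datetime.fromisoformat(t), user, "dms", action))
    for t, user, rcpt, attachment in MAIL_LOG:
        # Only mail leaving the organisation counts as an external transfer
        if doc_id in attachment and not rcpt.endswith("@" + INTERNAL_DOMAIN):
            events.append((datetime.fromisoformat(t), user, "mail", "sent to " + rcpt))
    for t, user, action, name in USB_LOG:
        if doc_id in name:
            events.append((datetime.fromisoformat(t), user, "usb", action))
    return sorted(events)

def link_transfers(doc_id, window=timedelta(hours=1)):
    """For each external transfer, find the same custodian's most recent DMS
    access within `window` before it; return (custodian, channel, access, transfer)."""
    timeline = build_timeline(doc_id)
    chains = []
    for t, user, source, event in timeline:
        if source == "dms":
            continue
        prior = [e for e in timeline
                 if e[1] == user and e[2] == "dms" and t - window <= e[0] <= t]
        if prior:
            chains.append((user, source, prior[-1][3], event))
    return chains
```

Custodians whose access is not followed by an external transfer (jsmith here) produce no chain, which is the point of correlating sources rather than reading the DMS log alone.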