At CCL Group we equip our digital forensics specialists, data analysts and cyber security experts with the latest technology and most innovative thinking to ensure they stay one step ahead.
The world of digital investigation and cyber security can be a minefield of industry jargon.
At CCL, we listen to your challenges and work with you to understand your needs so that we can deliver an effective solution. Whether you are leading a criminal or civil investigation, protecting your assets or responding to a cyber security incident – we have the expert capabilities to work with you.
CCL is the UK’s leading digital forensics provider. We regularly deal with technical challenges that forces and other labs have been unable to overcome internally.
We started providing digital forensics services to the Metropolitan Police in 2001 and are a long-standing partner of the National Crime Agency and UK police forces, supporting the most complex investigations including counter terrorism, serious organised crime, child abuse and major investigations.
We hold one of the widest ranges of accreditation of any UK digital forensic lab encompassing ISO 17025 (digital forensics) and the Forensic Science Regulator’s Codes of Practice and Conduct, ISO 9001 (quality management) and ISO 27001 (information security).
As the volume of data has grown exponentially, so the need to manage, analyse and integrate data has become a critical requirement for investigations and security applications alike.
Our understanding and experience with large and diverse data sets, and challenges of ingesting, analysing and deriving intelligence from this data, means that we can support clients with the technical, procedural and training solutions to apply data analytics solutions to complex real world problems including:
Effective cyber security is key to an organisation’s ability to protect its reputation, intellectual property, staff and customers. However, it is a common misconception that investment in sophisticated technical solutions alone will ensure protection from cyber-attacks; this is only one part of an effective defence.
CCL Group believe in building sustainable relationships by providing our partners with clear and comprehensive insight into the likely vulnerabilities, access risks and attack patterns that threaten their business, and delivering a prioritised strategy to overcome them.
For us, being a trusted cyber security partner isn’t about delivering a one size fits all solution, but applying our industry knowledge and service excellence to deliver tailored support, regardless of industry, scale or sensitivity.
Our extensive international experience means we can support our partners with:
CCL Consultancy works side by side with you, helping to reach the next level of performance and future proof your organisation. CCL’s independence ensures they are a consulting partner who understands a plethora of market sectors, business practices and the many technologies available.
For more than 30 years, our consultants have helped businesses to develop appropriate IT strategies, encompassing:
A phased approach to projects ensures that the business objectives are delivered at a manageable speed, with certainty, while helping to manage risk.
CCL Group was asked to recover internet browsing history and other data from a mobile device. However, upon initial inspection, the device was found to be secured with an advanced passcode, which can be up to 32 alphanumeric characters long. It is currently infeasible to guess a passcode this long, as current computers are not powerful enough to do this in our lifetime. The suspect was not co-operating and would not provide the lock code.
Despite this, CCL Group were able to bypass the lock and recover a full chip-level read from the phone using JTAG. The method we used did not require the flash chip to be de-soldered and was non-destructive.
Once we had recovered a full read of the phone, internally developed scripts were used to recover and present some of the most pertinent data we have ever seen in a murder case. The internet history was recovered, which showed that the suspect’s searches and browsing had changed right after the murder was suspected of occurring. The suspect was now searching for ways to dispose of a body and clean up blood.
Along with this data, deleted text messages were also recovered using Epilog, one of CCL Group’s proprietary forensic tools. These deleted messages contradicted the suspect’s version of events leading up to the timeframe in question.
The combination of bypassing secure lock codes and recovering hard-to-find and deleted data meant CCL Group was able to provide a full picture of the suspect’s activities, which showed he was trying to hide evidence and pervert further investigations.
CCL Group received a Sat Nav from a UK police force, who were investigating a kidnap and suspected murder. The police force’s own High Tech Crime Unit had already extracted data from the suspect’s Sat Nav, but this did not provide any information on the possible location of a body to help focus search efforts.
CCL Group examined both the Sat Nav’s memory card and internal memory, and found that data was stored on the device’s internal memory only. CCL Group extracted a file from the internal memory, which contained crucial data relating to recent journeys made, trip logs, entered locations and favourites.
CCL Group also found additional trip logs in archived files dating back seven months. This data is easy to miss; however, CCL Group’s analysts were able to use their specialist knowledge to identify that the archived files may have contained valuable data and so brought them into the scope of the investigation.
By using an in-house developed Python script, CCL Group automated the process of extracting the large amount of trip log data from the Sat Nav, and plotted these trips onto a map. Without the Python script, it would not have been feasible to extract and plot this information on a map manually within the time constraints of the investigation, due to the sheer volume of data. Using a script to automate this process meant that this could be completed in a matter of hours, giving the police the data they needed swiftly.
The Sat Nav data that CCL Group extracted was key in bringing a prompt resolution to the investigation, which would otherwise have continued for weeks, or even months. By searching the points CCL Group plotted on the map, detectives found that an unidentified body had already been found at one of these locations, later identified as the missing person. The suspect was subsequently found guilty of kidnap and murder at the Old Bailey, and sentenced to life imprisonment.
Law Enforcement Agency
CCL Group were approached by a law enforcement client involved in an extensive international money-laundering operation two years in the making.
Following co-ordinated searches and seizures under search warrants across several continents, 70 exhibits, a myriad of mobile devices and computers, were submitted to CCL Group, and it was clear that a different approach to the analysis of these devices was necessary due to the sizeable number of electronic devices for subsequent examination.
Given the number and variety of devices, it was decided that the Nuix software would be used to process the forensic images (copies) of the exhibits, including the recovery of deleted files and carving data from unallocated space, to ensure all material was extracted from them in preparation for analysis.
Following processing, over 8 million reviewable items were identified consisting of e-mails, documents, text messages, photographs and more. At this stage it was decided the case team would be best-placed to review the material, as they had been working on the investigation for two years prior to the exhibits’ seizure.
CCL Group therefore deployed a Nuix review suite consisting of a server and four terminals into their offices. This enabled the team, consisting of experienced officers, financial investigators and intelligence analysts to search and identify the evidence required.
The case team were able to use advanced features within Nuix, such as near-duplicate analysis, to identify documents associated with the trail of laundered cash. They completed their initial review within twelve weeks and were able to identify sufficient evidence to secure a charge against several of the defendants, as well as maintaining all information about the provenance and origin of the files.
The client has since engaged CCL Group to deploy three similar review suites across the country to facilitate the review of material in various investigations.
CCL Group were engaged by a large agency that had previously examined over 50 computer exhibits in a fraud case and produced a significant volume of material as evidence.
However, in preparation for the trial it was deemed by disclosure counsel that there had not been a consistent approach to the examination of the exhibits for material that could assist the defence or undermine the case for the prosecution. There was a risk they would not be able to demonstrate how the case satisfied their disclosure obligations under the Criminal Procedure and Investigations Act.
Therefore, there was no option but to re-examine the computers, with the trial due to start in just four months.
A case conference was held at CCL Group with the senior investigating officer, CPS and disclosure counsel to discuss how new technologies could be used to help the organisation solve this problem.
CCL Group subsequently developed a solution based around Nuix software, to ingest the forensic images (copies) of the computer exhibits, including processing of deleted files, to search and filter the contents for keywords and date ranges, agreed with the defence, and to facilitate their review.
The search identified over 250,000 e-mails, documents and spreadsheets for review. So, CCL Group deployed a Nuix review suite consisting of a server and four terminals to their offices, empowering the reviewers to identify and record privileged and disclosable documents. Additional training was also delivered.
The reviewers were each able to review up to 3,000 documents a day, completing the exercise several weeks before the trial.
Analysts from CCL Group produced the disclosable material which was released to the defence along with a technical report on the adopted methodology. A combination of specialist software, technical expertise and knowledge of the client’s legal requirements enabled CCL Group to develop this bespoke and defensible solution. This enabled the client to meet strict deadlines that may not have been possible with standard digital forensic practices.
CCL Group was engaged by the client to perform a review of their Cyber Security.
CCL Group used the engagement model ‘OCTAVE’ (Operationally Critical Threat, Asset, and Vulnerability Evaluation), a security framework for determining risk level and planning defences against cyber assaults, involving a review of the organisation’s processes, people and technology. This framework helps organisations minimise exposure to likely threats, determine the likely consequences of an attack and deal with attacks that succeed.
CCL Group conducted structured one-to-one interviews with a cross section of staff and ran a series of workshops with the IT team to construct profiles of the threats the organisation faced, based on the relative risks posed. An initial report was then produced, including SWOT analysis, and a high level ‘Statement of Cyber & Information Governance Requirements’ was created, including Gap Analysis between current status and good practice.
The report was used to engage with senior management to develop a series of recommendations, and an action plan to address the issues identified. In developing the action plan, CCL Group and the client took account of the severity of each threat, the likelihood of occurrence and the impact. The action plan also reflected the cost of remediation and budgetary constraints, the ease with which the organisation could complete the changes, as well as staff availability and skills to implement the changes.
Staff at a small business had been tricked into making payments into bogus bank accounts by an attacker using cleverly forged emails, apparently from the client’s Managing Director. Other forged emails had also been sent using different techniques and the client wished to ensure that attacks like these would not succeed again.
These were sophisticated attacks, making use of a variety of technologies and leveraging simple human weakness – most staff in most organisations just want to do the right thing, but can be too helpful to an attacker if they can’t read the warning signs.
CCL Group collected samples of the fraudulent email for forensic analysis and conducted structured one to one interviews with Directors, senior management and the client’s outsourced IT contractor. An analysis of all the information provided during this process was performed and a report produced including:
The client implemented CCL Group’s suggested improvements including improvements in its technology, changes in some key business processes and staff training and awareness of contemporary cyber threats. The client has suffered no further losses and has also benefitted from improvements which make it far less susceptible to other forms of attack, including ransomware and remote access toolkits.
CCL was engaged by the client to conduct a security review and penetration test. The review consisted of an assessment of their web applications and supporting infrastructure, comprising: Application Security Assessment, Web Services Security Assessment and an External Infrastructure Security Assessment.
For web application testing, CCL follow an engagement model developed in-house. This model provides a framework for CCL’s consultants to ensure that all aspects of an application are examined for vulnerabilities and weaknesses, which could be exploited by an attacker to compromise the application.
CCL began by performing reconnaissance of the application to get an understanding of its structure and functionality. This allowed us to perform a targeted assessment against key areas of interest such as the authentication and authorisation functionality.
The web services were tested for a variety of implementation issues such as session management flaws and ensuring malicious data cannot be submitted.
We performed a detailed analysis of the exposed services on the underlying web server. This enabled us to ascertain what weaknesses and vulnerabilities were present which could be leveraged by an attacker on the Internet.
The assessment highlighted serious vulnerabilities that were communicated to the client during the engagement. Doing so allowed the client to remediate these issues and have them retested within the assessment timeframe. These vulnerabilities included ways to bypass the authentication and exfiltrate data, and a means to inject malicious code.
Consequently, we could verify that the client had resolved the most significant attack vectors present within their applications and supporting infrastructure.
Following the assessment, our report enabled the client to then prioritise their focus in remediating the remaining issues.
Merseyrail – transport industry
Merseyrail engaged CCL Group to help improve the effectiveness of their IT department, define an IT strategy to improve staff utilisation and give the company a clear view of staff costs, efficiency and effectiveness.
Merseyrail boasts some of the highest rates of reliability and punctuality as well as record levels of satisfaction among customers. Maintaining Merseyrail’s high levels of service is no easy task, and Merseyrail’s Operations Director was concerned that its ageing IT infrastructure was having a detrimental effect on the business and impacting both its customer services and operational efficiency.
CCL Group was engaged to conduct: an IT effectiveness review – assessing the existing IT provision and the value it delivered; IT strategy – aligning it with the business decision; specification and selection of an integrated rostering and personnel system; and project management – reducing the implementation risks.
Campden BRI – scientific & technical research based organisation
When the UK’s largest independent food research company recognised that their existing core IT systems could not provide a firm foundation for growth, they turned to CCL Group’s IT expertise to guide them through the process of finding a replacement system and to oversee its subsequent implementation.
CCL Group found a number of issues associated with Campden BRI having two sites in the UK. Different departments were operating independently, often on different systems that were not well integrated. This made it difficult to communicate and share information across the business and resulted in inefficiency and duplication of work. So, CCL Group produced a detailed IT strategy report making a number of recommendations to Campden BRI and detailing the associated costs and timescales to implement them.
The key recommendation was an entire refresh of the Campden BRI infrastructure which, in its current state, was not adequate to support the business moving forward. This led to a programme of infrastructure improvements, including a major virtualisation project.
CCL Group identified that Campden BRI needed a hardware and network infrastructure upgrade to support, grow and develop new capacity. This would involve upgraded external communication lines, as well as a hardware and internal network infrastructure upgrade, and a virtualised server environment to host the current applications, with sufficient headroom to accommodate any new integrated packages required.
CCL Group subsequently provided project management expertise to ensure in-house IT staff were fully supported throughout this process of major change and the implementation progressed as planned.
CCL Group holds the ongoing position of Virtual IT Director for Campden BRI and has done for a number of years. This means that CCL is on-hand to provide high level, knowledgeable advice and guidance on any aspect of Campden BRI’s IT infrastructure, as and when required.
IT strategy accepted by the Board
We live in an era of rapid innovation. Every day new digital products are released and our ever more connected world means that we are faced with entirely new classes of devices with every passing year.
With every innovation, there are new opportunities to capture evidence, but also new challenges to be overcome to maximise the usefulness of this intelligence. These challenges can be technical but might also require a deep understanding of how new technology fits within the larger evidential landscape. Research and Development at CCL Group is all about overcoming these challenges and furthering the understanding of digital evidence to help enrich your investigations.
Research and innovation is woven into the fabric of all the work we do at CCL Group. The fast-paced nature of change in the digital landscape means that an over-reliance on off-the-shelf tools and techniques will always put you behind the curve, so our analysts are constantly looking to further our understanding of emerging technology; for specific challenges, we have a dedicated Research and Development team.
Our Research and Development team is made up of highly experienced practitioners who are skilled in undertaking work that is out of the ordinary and outside of the scope of industry standard digital forensic tools. This work includes: extracting and making sense of data from new, unusual or otherwise unsupported devices such as in-vehicle systems and IoT devices; providing expert reports and advice on complex technical issues; and finding new ways of presenting large volumes and variety of digital evidence.
The Research and Development department at CCL Group have been responsible for developing many forensic software tools. Our library of over 1300 “scripts” bolsters our capabilities beyond those provided by off-the-shelf tools by adding support for new apps, data sources and file types that could otherwise go un-investigated. We have also developed a number of unique software products for use in digital investigations such as Epilog and Ribbon which are available for purchase globally.
CCL Group’s R&D department are also happy to discuss undertaking bespoke research projects into any area of the digital forensics landscape; whether that’s deep dives into the specifics of a particular smartphone app, a technical market review of an interesting class of devices or anything in between.