How to provide information to an Investigation

If you are participating in an investigation, be it as a complainant, subject of investigation or witness, you may want to provide information in the form of emails, documents or other items such as screenshots or videos. This guidance sets out how to do that. 

The first section is for those who do not consider themselves particularly technically minded. If you are technically minded, you might want to jump straight to the guidance for technical people.

If you do struggle with any aspect of data sharing please do let your contact at Twin Kingdom know and they will be able to help you.

Don't worry about sorting the data or presenting it in particular ways

Ironically, the biggest challenge we face is when people try to be too helpful! When we receive data (emails, documents, recordings, or screenshots etc.) the first thing we do is label each item in a particular way and add it to a secure database. If people have ‘combined’ and embedded files into other documents, we have to break them all up again before we can begin our work. In some cases this isn’t a big job, but where there is a lot of data this can be very time consuming. It is very helpful to us if you do not embed documents in other documents.

Don't worry about duplicate files

The system we use automatically identifies and deals with duplicate files. Where there are any differences at all we can see exactly what they are and this can be helpful; we have even identified differences in documents that people always thought were identical! 

Don't change file formats

Most digital files contain two levels of data: the data designed to be seen (the words, images etc.) and metadata, which is not designed to be seen. If you convert a file from one format to another (or even just compress it as a zip file) that data can be changed or lost.

This also applies when people take photos or screenshots off their phone and convert them to pdf. Again, this is usually an attempt to be helpful, but it means that we can't access that metadata which is sometimes important.

 

We would much rather have access to lots of individual files rather than one compressed archive. 

Quick reference guide

Our preferred ways to share the most common types of data with us are:

Emails: Forward on the originals to your contact at Twin Kingdom. 

Digital documents: Attach the document to an email or else share it via OneDrive.

Social media: Screenshot and email the image to us.

Video/Audio: Share a link via your own secure system (OneDrive, GoogleDocs etc.)

Paper copies: Either share scans as pdf or image files, or we can arrange a secure courier.

If you have any questions at all, including issues relating to particularly sensitive data, please speak to your contact at Twin Kingdom.

Guidance for technical people

Our data analysis is done on GNU/Linux systems using various raw text based tools such as bash and python scripts, and standard programs such as Awk, Grep and Sed for text analysis and manipulation. It is for that reason that we much prefer to work with non-proprietary file formats and with raw data that we can play with rather than formatted reports. 

We are happy to provide GPG/PGP keys on request (although they should appear on keyservers) and our Managing Director's GPG public key for david@twin-kingdom.com can be found here. We are also able to work with the permission controls in Office365. We can also work with any Free and Open Source encryption software or methods for secure file transfer.

Our preference is always to receive files in their original or native format. This means that even if an original file is in a slightly unusual format, we would rather have that than a pdf export or screenshot. 

Disks including removable storage: .iso images

Code: Private GitHub repositories that we are able to clone.

Reports from databases: .csv/.tsv

Emails: MIME/eml (please only use .msg/.pst if there is no other option).

Calendars: .ics or .csv

Compressed archives: .tar.gz or a recent version of .zip that retains metadata and file permissions.

Text documents: Plain text formats such as .txt, .md or other ASCII based formats.

Office documents: .odt where that would not require conversion. Alternatively we can work with .docx, .xlsx, .pptx etc.

Social media: Plain text extracts unless only screenshots are available.

Dates: Timestamps in format <YYYY-MM-DD DAY> or simply YYYYMMDD / YYYY-MM-DD

Password databases: .kdbx or similar.
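
One way to check, before sending a .tar.gz, that the archive kept each file's modification time and permissions, as the compressed-archive preference above asks. This is an added example, not Twin Kingdom's own tooling; the function names, the evidence/ prefix and the sample file are constructed for illustration.

```python
import hashlib, os, shutil, stat, tarfile, tempfile
from pathlib import Path

def pack(src_dir, archive):
    """Write src_dir to a .tar.gz; tar records each file's mtime and mode."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname="evidence")  # "evidence" is an assumed prefix

def compare(originals, archive):
    """List every difference between the original files and the archive members."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for path in sorted(p for p in Path(originals).rglob("*") if p.is_file()):
            name = "evidence/" + path.relative_to(originals).as_posix()
            member, st = members.get(name), path.stat()
            if member is None:
                problems.append(f"{name}: missing from archive")
                continue
            if int(member.mtime) != int(st.st_mtime):
                problems.append(f"{name}: mtime changed")
            if member.mode != stat.S_IMODE(st.st_mode):
                problems.append(f"{name}: mode changed")
            archived = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if archived != hashlib.sha256(path.read_bytes()).hexdigest():
                problems.append(f"{name}: content changed")
    return problems

def demo():
    """Constructed sample: one note with a fixed 2023 timestamp and mode 0640."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, resaved = tmp / "src", tmp / "resaved"
        src.mkdir()
        resaved.mkdir()
        note = src / "note.txt"
        note.write_text("meeting moved to Friday\n")
        os.chmod(note, 0o640)
        os.utime(note, (1700000000, 1700000000))
        pack(src, tmp / "good.tar.gz")
        # A "re-saved" copy: identical bytes, but the original timestamp is gone.
        shutil.copyfile(note, resaved / "note.txt")
        pack(resaved, tmp / "resaved.tar.gz")
        return compare(src, tmp / "good.tar.gz"), compare(src, tmp / "resaved.tar.gz")

if __name__ == "__main__":
    print(demo())
```

The first list is empty because the archive made from the originals matches them; the second reports the changed timestamp even though the content is byte-for-byte the same.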

If you have any questions at all, including issues relating to particularly sensitive data, please speak to your contact at Twin Kingdom.
