
Cybercrime and digital evidence — what business owners need to know

Cybercrime against businesses: the threat is more real than ever

Cybercrime poses one of the greatest threats to Dutch businesses. From ransomware attacks that paralyse entire networks to Business Email Compromise (BEC) where millions are transferred to criminal accounts, the damage is often enormous and the impact long-lasting. The National Cyber Security Centre (NCSC) warns that the threat is structurally increasing and that small and medium-sized businesses are particularly vulnerable due to limited security budgets.

For businesses that fall victim to cybercrime, securing digital evidence is a crucial first step. Without proper evidence, it is virtually impossible to prosecute the perpetrator, substantiate insurance claims or establish liability. Yet in practice, things regularly go wrong: systems are restored too quickly, log files are overwritten or evidence is unintentionally contaminated.

Professional digital evidence analysis ensures that digital evidence is secured, analysed and documented in a forensically sound manner — making it admissible in legal proceedings.

The most common forms of cybercrime targeting businesses

Europol reports annually on the severity and scope of cybercrime in Europe. The following forms most frequently affect Dutch businesses:

  • Ransomware encrypting business files until a ransom is paid
  • Business Email Compromise spoofing directors to trigger fraudulent transfers
  • Data theft and extortion threatening to publish stolen business information
  • Supply chain attacks exploiting vulnerabilities at suppliers or software partners
  • Insider threats from employees leaking data or misusing access rights

The NCSC emphasises that prevention is essential, but that businesses must also have an incident response plan for when an attack succeeds. Part of that plan should always be: who secures the digital evidence?

Why digital evidence matters so much

After a cyber incident, the natural reaction is to restore systems as quickly as possible and resume operations. Understandable — but from a legal and investigative perspective, this can be disastrous. By restoring systems without first making a forensic copy, crucial traces are lost.

Digital evidence is inherently fragile. Log files are automatically overwritten, temporary files disappear and malware can delete itself after activation. This is why evidence preservation must be performed by someone who has mastered the following forensic principles:

  • Chain of custody documenting who found, copied and stored each piece of evidence
  • Forensic copies as bit-for-bit images including deleted files and slack space
  • Hash values proving data has not been altered after copying
  • Timeline analysis combining timestamps from files, logs and network traffic
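As an added illustration (not SAJ Recherche's own tooling), the Python sketch below shows how the hash-value and chain-of-custody principles fit together: every custody entry records the image's SHA-256 and also commits to the previous entry, so a change to either the image or the log becomes detectable. The function names, the file name server01.img and the examiner labels are hypothetical, and the "image" is a small constructed file.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def _entry_hash(body):
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def custody_entry(log, path, actor, action):
    """Append who did what to which item; each entry commits to the one before it."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action,
        "item": os.path.basename(path), "sha256": sha256_file(path),
        "prev_entry_hash": log[-1]["entry_hash"] if log else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)

def verify(log, path):
    """Return (log_intact, image_unaltered) for the current state of the image."""
    prev, log_ok = "0" * 64, True
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_entry_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
            log_ok = False
        prev = e["entry_hash"]
    # The acquisition hash (first entry) is the reference for every later check.
    image_ok = bool(log) and sha256_file(path) == log[0]["sha256"]
    return log_ok, image_ok

def demo():
    """Constructed stand-in for a disk image; checks before and after a 1-byte change."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "server01.img")  # hypothetical file name
        with open(img, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample evidence")
        log = []
        custody_entry(log, img, "examiner A", "acquired")
        custody_entry(log, img, "examiner B", "received for analysis")
        before = verify(log, img)
        with open(img, "r+b") as fh:  # simulate accidental contamination
            fh.write(b"\x01")
        return before, verify(log, img)

if __name__ == "__main__":
    print(demo())
```

In practice the image would be acquired through a write blocker and the log stored separately from the evidence, so that the two cannot be altered together.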

The Dutch Police has cybercrime teams, but their capacity is limited. In complex business-related cybercrime, it can take months before a criminal investigation is initiated. An independent forensic investigation gives businesses the ability to act faster.

How SAJ Recherche conducts digital evidence analysis

At SAJ Recherche, we combine digital forensic expertise with investigative experience. Our approach to digital evidence analysis after cybercrime includes:

  • Incident response on-site to isolate systems and perform initial evidence preservation
  • Forensic investigation of hard drives, servers, email systems and network traffic
  • Malware analysis to determine the attack method and potential perpetrator group
  • Perpetrator investigation via IP addresses, domain registrations and digital traces
  • Reporting suitable for criminal charges, insurance or civil proceedings

All work is conducted under our POB licence 8779 and in compliance with GDPR, making findings legally admissible.

Practical example: BEC fraud at logistics company

A mid-sized logistics company discovered a substantial payment had been transferred to an unknown foreign account after the financial director received a spoofed email from a lookalike CEO domain requesting an urgent transfer. SAJ Recherche was engaged the same day. Our forensic analysis of email headers traced the domain to an Eastern European server, and log files revealed attackers had been reading the CEO’s correspondence for weeks via a prior phishing attack. The financial trail investigation enabled the bank to initiate a recall procedure, freezing a portion of the funds before they disappeared. Our report also provided concrete leads for the police investigation.

Be prepared — act quickly during a cyber incident

The damage from cybercrime rarely stops at direct financial loss. Reputational damage, operational downtime and regulatory fines can multiply the total impact. Good preparation and rapid response make the difference.

Dealing with a cyber incident at your business? Contact SAJ Recherche for a confidential consultation.

SAJ Recherche

SAJ Recherche Editorial

The SAJ Recherche editorial team writes about investigation, fraud, evidence law and security. POB licence 8779.

Cite this article

APA

SAJ Recherche (2026). Cybercrime and digital evidence — what business owners need to know. sajrecherche.com. https://sajrecherche.com/en/blog/cybercrime-digital-evidence-business-owners
