Digital Forensics Manager
The BBC is often required to identify, collect and analyse data in a forensic manner in order to support a number of its functions.
Whether to support responses to cyber-security incidents, internal disciplinary investigations, or external legal proceedings in which the BBC is involved, the Digital Forensics function within BBC Information Security exists to ensure that data held on BBC information systems is preserved and acquired in an evidential (and where necessary, legally-admissible) manner.
The Digital Forensics function also provides an investigatory service supporting teams such as the BBC Investigation Service, BBC Internal Audit and BBC HR investigating the use of BBC information systems where there is a suspicion that they have been used in a way that breaches BBC policy and/or to commit criminal acts.
Given the BBC-wide scope of the team's remit, occasional travel both within the UK and to the BBC's international offices may be required.
Provide an IT forensic investigation service to BBC Internal Investigations, BBC Internal Audit and BBC HR by:
- Isolating and seizing as evidence BBC computers, laptops and mobile devices that are believed to have been used in relation to internal disciplinary or criminal activities;
- Maintaining evidential integrity by ensuring that proper exhibit management methods are followed and that a full chain of custody process is documented;
- Acquiring data from devices in a manner that is forensically sound, ensuring that any evidence obtained is legally admissible;
- Conducting detailed forensic analysis of acquired data using recognised digital forensic techniques and tools to either prove or disprove investigatory hypotheses;
- Where necessary, using data-recovery techniques such as file-carving or password cracking to obtain hidden or otherwise unavailable information to support an investigation;
- Preparing reports based on findings for use in court, internal disciplinary hearings or other dispute resolution forums;
- Engaging in proactive investigative activities, including covert surveillance techniques, for the identification of offenders and the prevention of crime;
- Prioritising case-load in accordance with the needs and objectives of the corporation;
- Ensuring that all of the above duties are carried out in line with relevant legislation, such as PACE, RIPA, CMA and employment laws, as well as internal BBC policies;
- Attending meetings and liaising with external organisations (including law enforcement agencies) where directed by the investigating officer for a given case;
- Owning and maintaining the internal BBC Forensic Readiness Policy and Digital Investigations Standard.
Support Security Operations Centre's cyber-security incident responses by:
- Isolating BBC machines believed to have been involved in an incident;
- Acquiring data from these devices in a manner that ensures information pertinent to the response isn't lost, for example by conducting volatile memory captures or by preserving server logs;
- Conducting detailed forensic analysis of acquired data to determine if and how a machine has been compromised;
- Supervising SOC analysts working on incident responses to ensure that correct forensic procedures are followed;
- Preparing reports of findings to support the follow-on processes in the aftermath of an incident;
- Providing recommendations to management and other stakeholders during and after an incident;
- Owning and maintaining the internal BBC Forensic Readiness Policy and associated standards and procedures documentation.
Support responses to threats to the BBC and BBC staff via social media by:
- Overseeing Open Source Intelligence (OSINT) investigations to identify individuals levelling threats to the BBC and BBC staff;
- Overseeing OSINT work to help members of BBC staff to understand what information is available to a would-be attacker that might be used to locate them;
- Monitoring the BBC's social media accounts (and staff member accounts where approval has been sought) for threats of violence or signs of harassment;
- Providing OSINT-gathering support to teams in BBC Safety, Security and Resilience who are in turn supporting teams in high-risk environments, situations or large BBC events.
Provide a comprehensive eDiscovery service to teams in BBC Legal by:
- Identifying where data that is pertinent to their requirements is located within the BBC;
- Obtaining the data in a manner that is suitably documented, ensuring that the process will stand up to scrutiny in court;
- Processing and indexing the data to ensure that it can be searched across comprehensively;
- Filtering the data using techniques such as keyword-searching, de-duplication and thread-analysis to extract only the data that is of value to a case;
- Making the data available for review by the legal teams;
- Exporting the resultant legal-packs in a format that is suitable for disclosure to court;
- Providing expert guidance to the teams in BBC Legal around the eDiscovery process and where necessary, defending the process against scrutiny in court.
- Management of the Information Security: Forensics Analyst and Information Security: Forensics Junior Analyst.
Policy, Training and Documentation:
- Ownership and maintenance of the BBC’s Forensic Readiness Policy and associated standards documents;
- Documentation of Digital Forensics procedures;
- Preparation and presentation of in-house staff training for Digital Forensics investigations alongside day-to-day advice and guidance on such matters.
Are you the right candidate?
- Demonstrable digital forensic and investigative experience in a corporate security environment, UK Police Force, or other relevant setting, using industry-standard computer forensic software and hardware to independently conduct comprehensive analysis of networks and endpoint devices;
- Knowledge of guidelines relating to computer evidence recovery as well as procedures for the collection, preservation and presentation of computer evidence, which may have been deleted/erased, fragmented, hidden, or encrypted from data storage devices;
- Experience in providing digital forensics support to cyber-security incident responses;
- Knowledge around using Open Source Intelligence (OSINT) to support investigations;
- Knowledge of the eDiscovery Reference Model (EDRM) and how it is applied in a legal setting;
- Demonstrable ability to handle sensitive/confidential information;
- Good working knowledge of applicable laws including the Computer Misuse Act 1990 (as amended), Police and Criminal Evidence Act, Criminal Procedure and Investigations Act, General Data Protection Regulations, and the Investigatory Powers Act 2016;
- IT literate across all common operating systems (Windows, Linux, Mac OSX) coupled with strong data analysis skills, e.g. Splunk, Elastic Stack etc.;
- Knowledge of scripting and programming, e.g. Bash scripting, Python, SQL and Java;
- Experience of the following commonly used digital forensics tools: EnCase, Nuix, BlackLight, Magnet Axiom;
- Demonstrable ability to evaluate and maintain hardware and software necessary for the performance of computer related investigations;
- Experience giving evidence in court and disciplinary hearings and/or providing written statements when and where required;
- Knowledge of the BBC and general awareness of the broadcasting industry.
About the BBC
We don’t focus simply on what we do – we also care how we do it. Our values and the way we behave are important to us. Please make sure you’ve read about our values and behaviours in the document attached below. You’ll be asked questions relating to them as part of your application for this role.
The BBC is committed to building a culturally diverse workforce and therefore strongly encourages applications from underrepresented groups. We are committed to equality of opportunity and welcome applications from individuals, regardless of their background.