Friday, January 2, 2015

Myth-Busting Digital Forensics

Original Post Date:  July 2, 2014

As we've said in previous posts, whenever the concept of a Digital Forensic Examiner is introduced to John Q. Citizen, the overwhelming reaction is "That's cool!  What is it?"  Invariably, the next question is, "Is that like CSI?"  Well... yes and no.

As the author of this blog, I have to admit I don't watch CSI often.  But as a former law enforcement professional, and one who has helped find the truth through the court process in numerous criminal jury trials, I can tell you from experience that the "CSI effect" is a real thing.  Before it was called the "CSI effect" it was probably called the "Law & Order effect", but the issue is essentially the same:  citizens who are not involved in the criminal justice process on a regular basis find it hard to believe that cases don't get opened and shut within 42 minutes (with commercial breaks).  Not everything is tied up in a neat little bow, and the bad guy doesn't always go to prison.

What we'll try to do here is dispel some of the myths propagated by Hollywood and show business in general.  When a case is investigated, it often takes months or years, and some are never cleared.  Even the "easy" cases like drug dealing can be much larger in scope than just catching the street-level dealer.  In fact, your author has worked cases that began and ended in one night and cases that went on for 10 months or more... it all just depends.

So what is realistic to expect from your investigators and forensic experts?  At the heart of every case, all we really want to do is find the truth.  It's what drives and motivates us.  From the digital forensic standpoint, many factors go into finding the evidence needed to prove or disprove a case -- and yes, some cases are disproven by the absence of evidence.  These factors include the time between the alleged incident and the seizure of the evidence; the technology involved (i.e., what type of evidence it is); whether potential digital evidence has been deleted or wiped; and the overall volume of data to be examined.  For instance, in a child exploitation case where several 2 TB hard drives were seized, it can take a large amount of time to image, parse, catalog and report that evidence.  If the suspect password-protected or encrypted his devices, it may take a long time to crack the password... if it ever happens at all!  The overall point is, as previously stated, it just depends.

So now on to what we can't do.  We can't send bugs over the internet to infiltrate your computer and show us everything stored on it.  We can't eavesdrop on your mobile phone conversations (at least not at our level).  We can't pinpoint a minuscule amount of evidence on a 2 TB hard drive and break your case within 5 minutes.  It just doesn't happen that way.

What we can do is examine the digital devices for evidence of 1) what was going on at the time of the seizure and/or 2) what may have been going on prior to the seizure, but again, refer to the list of "maybes" above for whether that's possible.  Given the right circumstances, we can tell where you were, with whom and when, based upon evidence in your smart phone.  We will find your internet and email history and locate search strings that were typed in.  We can recover current and deleted text messages and pictures, at least in part (deleted data only survives until the storage it occupied is reused).  We can perform link analysis to tell us who your friends are and how close they may be to you, based upon your online activities.  And, of course, we can pull all sorts of other information from your installed programs and apps to help paint the picture of what was going on before we got there.
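To make the link-analysis idea above concrete, here is an added example written for this page; it is not the author's tooling or any vendor product.  It scores contacts from a constructed, made-up set of text-message records (the phone numbers, timestamps and scoring weights are all assumptions for illustration) and lists who the handset was talking to around a chosen time.  Real examinations work from the parsed message database of the phone, but the reasoning is the same: two-way conversation sustained over time says more about closeness than raw message count.

```python
# Added example: toy link analysis over constructed text-message records.
# Not code from the original post; numbers, timestamps and the scoring
# heuristic are assumptions made for illustration only.
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M"

# Constructed sample: (timestamp, direction from the seized handset, counterpart)
SAMPLE_MESSAGES = [
    ("2014-06-01 08:15", "out", "+15555550101"),
    ("2014-06-01 08:17", "in",  "+15555550101"),
    ("2014-06-01 21:40", "in",  "+15555550202"),
    ("2014-06-03 12:02", "out", "+15555550101"),
    ("2014-06-03 12:05", "in",  "+15555550101"),
    ("2014-06-05 19:30", "out", "+15555550303"),
    ("2014-06-05 19:31", "out", "+15555550303"),
    ("2014-06-05 19:32", "out", "+15555550303"),
    ("2014-06-06 07:50", "out", "+15555550101"),
    ("2014-06-10 23:11", "in",  "+15555550202"),
    ("2014-06-12 14:00", "in",  "+15555550101"),
]


def parse_records(rows):
    """Turn raw tuples into (datetime, direction, counterpart) records."""
    records = []
    for ts, direction, number in rows:
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction {direction!r}")
        records.append((datetime.strptime(ts, TS_FORMAT), direction, number))
    return records


def contact_stats(records):
    """Per-counterpart in/out counts and first/last contact times."""
    stats = {}
    for when, direction, number in records:
        s = stats.setdefault(number, {"in": 0, "out": 0, "first": when, "last": when})
        s[direction] += 1
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    return stats


def rank_contacts(records):
    """Rank counterparts by an assumed closeness score.

    Volume alone misleads: three unanswered outgoing texts in one evening rank
    below a smaller two-way exchange spread across days. Returns tuples of
    (number, score, total_messages, two_way, days_active), best first.
    """
    ranked = []
    for number, s in contact_stats(records).items():
        total = s["in"] + s["out"]
        two_way = s["in"] > 0 and s["out"] > 0
        days_active = (s["last"] - s["first"]).days + 1
        score = total * (2 if two_way else 1) + days_active
        ranked.append((number, score, total, two_way, days_active))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def contacts_in_window(records, center, hours=2):
    """Who was the handset in contact with within +/- `hours` of `center`?"""
    if isinstance(center, str):
        center = datetime.strptime(center, TS_FORMAT)
    lo, hi = center - timedelta(hours=hours), center + timedelta(hours=hours)
    return sorted({number for when, _, number in records if lo <= when <= hi})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_MESSAGES)
    for number, score, total, two_way, days in rank_contacts(recs):
        print(f"{number}  score={score:3d}  msgs={total}  two-way={two_way}  days={days}")
    print("around 2014-06-05 20:00:", contacts_in_window(recs, "2014-06-05 20:00"))
```

On the constructed sample the two-way contact ending in ...0101 ranks first, the ...0303 burst of three unanswered texts ranks last, and the window query shows ...0303 as the only contact in the two hours around 20:00 on June 5.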

Hopefully this has given you a glimpse of what we can and, more to the point, what we cannot do.  The main points are these:  it doesn't take 5 minutes, 10 minutes or an hour (most of the time).  It requires adherence to a tried and true methodology that, in itself, takes time.  Second, it really depends on the size, time frame and scope of the evidence you are asking us to find.  Evidence on the surface is easy to find.  Evidence that is buried a bit can take a lot longer and definitely requires a trained, experienced examiner.  Finally, we aren't miracle workers and we don't and can't fabricate anything.  The evidence is either there or it's not.  Plain and simple.

Author: 
Patrick J. Siewert
Owner, Lead Forensic Examiner
Pro Digital Forensic Consulting
Based in Richmond, Virginia
Available Globally
www.ProDigital4n6.com