Tuesday, August 16, 2016

Sooner Rather Than Later… Please!



August 16, 2016

Sooner Rather Than Later… Please!

In the past few weeks, we’ve received a higher than average number of requests for digital forensic services on very short notice.  To some digital forensic practitioners, particularly in the public sector, this may seem almost unheard of, but when I say short notice, I mean short notice!  For example, an attorney called on a Friday afternoon from out-of-state and wanted a mobile forensic extraction and analysis done on a serious felony case set for trial the following Wednesday.  Without the weekend, that would have given us 2 working days to obtain the evidence, analyze the evidence and somehow put forth a set of conclusions suitable for a high-level trial.  To aggravate the circumstances, the case also involved analyzing the search warrant return from an internet service provider and incorporating that into the overall case.  In another serious case, counsel wanted call detail records and tower records analyzed, mapped and concluded for trial in just a few days.

The purpose of this article is not to whine or chide, rather to illustrate to all of the potential stakeholders in the legal system and corporations who may have need to for adequate, competent and professional expertise in the field of digital forensics why it is important to call us sooner rather than later.  Pretty please.

Reason #1: Thoroughness

Being thorough normally manifests itself in one of the following ways:  Either you are trained to be thorough or you have thoroughness in your genes.  Me, I’ve had to work rather hard at being thorough and in particular, knowing how thoroughness plays into all of the cases we work.  In digital forensics, thoroughness is extremely important.  It is important that your examiner know where to look for potential evidence, where potential evidence may be hiding, clues that may lead to the discovery of hidden evidence and what all of that means when put together in the larger investigation.  More often than not, thorough examinations also involve multiple levels of analysis using a variety of tools to adhere to the “holistic” approach.  Depending on the scope of the case, this process can take a lot of time.  The last thing you need, as an attorney, corporate security manager or a CEO, is a rush job.  The bottom line is, lives are depending on it.  Whether the case involves someone’s employment status, a potential divorce or custody issue or a defendant’s ultimate freedom, it matters.  And if it matters, its worth taking the time to be thorough and utilizing an examiner that is thorough.



Reason #2: No Examiner is an Island

Current status: Solo practitioner.  This means that I rely heavily on training, expertise, reference material and instinct.  These resources not only provide a more focused view of the cases Pro Digital works, but also serve to build upon a base of knowledge so each case is (hopefully) better than the last.  When I really need to bounce an idea off someone who is generally more knowledgeable and experienced, I call upon one or more colleagues for their advice.  However, because it is in the Pro Digital Mission Statement (as well as my personal belief), every effort is made to research, learn and grow as a digital forensic resource for our clients.  This time is not billed.  It does take time, though.  Every case is different, so every case requires different amounts of resources in order for the final product to be acceptable and defensible.

Recently, opposing counsel in a civil case put forth digital forensic conclusions from their expert which were not supported by evidence or fact in the declaration.  This means that our rebuttal is based upon their conclusions, which are incomplete at best.  It also necessitated posing questions of the opposing expert for clarification, which naturally extended the court-imposed deadline.  Could we have rendered some opinion based on what was presented?  Yes.  But the opinion would have been full of qualifying statements and holes that can only be filled by taking the time to do the examination.  Please remember, we cannot do what you want us to do with incomplete or partial information.  It invites opposing parties to poke holes in our conclusions, which is embarrassing and ultimately not helpful in your case.



Reason #3: You Want the Best We Can Give

I put forth a question to attorneys of all areas of practice who may read this article:  Would you represent a client in a serious civil, administrative or criminal matter where the client brought the case to you a week or less before trial?  Of course not.  By the same token, you don’t want a digital forensic expert to take on a case with little or no time to be as thorough as possible and render conclusions that may very well affect the outcome of your case.  Often, getting the data and/or disk image is a simple matter, so we can work to get that done in a timely manner, but the devil is in the details and in digital forensics, the details are in the analysis. 

We prioritize cases likely the same way – court-imposed deadlines are prioritized by date and others are taken in-turn.  If there is an employment matter that is time-sensitive, we will work to get those completed as soon as possible, but to reiterate, we strive in every case to be thorough and render conclusions based upon the analysis and examination of evidence.  It is my constant hope that all colleagues who conduct digital forensic analysis do the same.  Therefore, we all need the time to do the proper analysis, attempt to locate the relevant evidence, consult with you and/or the client and button-up our findings as best we can.  We all owe that to the client/company/defendant/plaintiff in the pursuit of justice.

Wrapping it up

So what’s the point of all of this?  Please give your digital forensic examiner/resource the time they need to help you and your case to the best of their ability.  We don’t want to turn the work away for a multitude of reasons and we’ll help you out any way we can, but please allow us the time to do that.   Some of the best cases we’ve worked have incorporated several key elements:   Plenty of notice, excellent coordination/communication and effective security of the evidence once the relevant evidence items are identified.  By putting those three elements together, you maximize the effectiveness of your digital forensic resource as well as the value they can add to your case!


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6