August 16, 2016
Sooner Rather Than Later… Please!
In the past few weeks, we’ve received
a higher than average number of requests for digital forensic services on very
short notice. To some digital forensic
practitioners, particularly in the public sector, this may seem almost unheard
of, but when I say short notice, I mean short
notice! For example, an attorney
called on a Friday afternoon from out-of-state and wanted a mobile forensic
extraction and analysis done on a serious felony case set for trial the
following Wednesday. Without the
weekend, that would have given us 2 working days to obtain the evidence,
analyze the evidence and somehow put forth a set of conclusions suitable for a
high-level trial. To aggravate the circumstances,
the case also involved analyzing the search warrant return from an internet
service provider and incorporating that into the overall case. In another serious case, counsel wanted call
detail records and tower records analyzed, mapped and concluded for trial in
just a few days.
The purpose of this article is not to
whine or chide, rather to illustrate to all of the potential stakeholders in
the legal system and corporations who may have need for adequate, competent
and professional expertise in the field of digital forensics why it is
important to call us sooner rather than later.
Pretty please.
Reason #1: Thoroughness
Being thorough normally manifests itself in one of the following ways: Either you are trained to be thorough or you
have thoroughness in your genes. Me, I’ve
had to work rather hard at being thorough and in particular, knowing how
thoroughness plays into all of the cases we work. In digital forensics, thoroughness is
extremely important. It is important that
your examiner know where to look for potential evidence, where potential
evidence may be hiding, clues that may lead to the discovery of hidden evidence
and what all of that means when put together in the larger investigation. More often than not, thorough examinations
also involve multiple levels of analysis using a variety of tools to adhere to
the “holistic” approach. Depending on
the scope of the case, this process can take a lot of time. The last thing you need, as an attorney,
corporate security manager or a CEO, is a rush job. The bottom line is, lives are depending on
it. Whether the case involves someone’s
employment status, a potential divorce or custody issue or a defendant’s
ultimate freedom, it matters. And if it
matters, it’s worth taking the time to be thorough and utilizing an examiner
that is thorough.
Reason #2: No Examiner is an Island
Current status: Solo practitioner. This means that I rely
heavily on training, expertise, reference material and instinct. These resources not only provide a more
focused view of the cases Pro Digital works, but also serve to build upon a
base of knowledge so each case is (hopefully) better than the last. When I really need to bounce an idea off
someone who is generally more knowledgeable and experienced, I call upon one or
more colleagues for their advice.
However, because it is in the Pro Digital Mission Statement (as well as
my personal belief), every effort is made to research, learn and grow as a
digital forensic resource for our clients.
This time is not billed. It does
take time, though. Every case is
different, so every case requires different amounts of resources in order for
the final product to be acceptable and defensible.
Recently, opposing counsel in a civil
case put forth digital forensic conclusions from their expert which were not
supported by evidence or fact in the declaration. This means that our rebuttal is based upon
their conclusions, which are incomplete at best. It also necessitated posing questions of the
opposing expert for clarification, which naturally extended the court-imposed deadline. Could we have rendered some opinion based on
what was presented? Yes. But the opinion would have been full of
qualifying statements and holes that can only be filled by taking the time to
do the examination. Please remember, we
cannot do what you want us to do with incomplete or partial information. It invites opposing parties to poke holes in
our conclusions, which is embarrassing and ultimately not helpful in your case.
Reason #3: You Want the Best We Can Give
I put forth a question to attorneys of
all areas of practice who may read this article: Would you represent a client in a serious
civil, administrative or criminal matter where the client brought the case to
you a week or less before trial? Of
course not. By the same token, you don’t
want a digital forensic expert to take on a case with little or no time to be
as thorough as possible and render conclusions that may very well affect the
outcome of your case. Often, getting the
data and/or disk image is a simple matter, so we can work to get that done in a
timely manner, but the devil is in the details and in digital forensics, the
details are in the analysis.
We prioritize cases likely the same
way – court-imposed deadlines are prioritized by date and others are taken
in-turn. If there is an employment
matter that is time-sensitive, we will work to get it completed as soon as
possible, but to reiterate, we strive in every case to be thorough and render
conclusions based upon the analysis and examination of evidence. It is my constant hope that all colleagues who
conduct digital forensic analysis do the same.
Therefore, we all need the time to do the proper analysis, attempt to
locate the relevant evidence, consult with you and/or the client and button-up
our findings as best we can. We all owe
that to the client/company/defendant/plaintiff in the pursuit of justice.
Wrapping it up
So what’s the point of all of this? Please give
your digital forensic examiner/resource the time they need to help you and your
case to the best of their ability. We
don’t want to turn the work away for a multitude of reasons and we’ll help you
out any way we can, but please allow us the time to do that. Some of the best cases we’ve worked have
incorporated several key elements:
Plenty of notice, excellent coordination/communication and effective
security of the evidence once the relevant evidence items are identified. By putting those three elements together, you
maximize the effectiveness of your digital forensic resource as well as the
value they can add to your case!
Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
investigations in Virginia court history.
A graduate of SCERS, BCERT, the Reid School of Interview &
Interrogation and multiple online investigation schools (among others), Siewert
continues to hone his digital forensic expertise in the private sector while
growing his consulting & investigation business marketed toward litigators,
professional investigators and corporations.