February 22, 2021
Keys To Success in Digital Forensics: Incident Response vs. Litigation Support
Digital forensics as a practice and as a service has been evolving for since its inception. Among the evolutionary explosions we’ve seen in the field are the hardware, the size of data repositories, the data storage technology and the tools we use to acquire and analyze the data we come across in our analysis cases. The advent of remote work, cloud data storage, universal use of email and internet-based applications and the development of bad actors on a worldwide scale has confirmed that the field of digital forensics will be not only present, but necessary now and well into the future. We’ve also seen offerings in academia growing with colleges offering coursework in both undergraduate and graduate programs focusing on digital forensics. What is sometimes overlooked, however, is the nuance that there is more than one path within the field of digital forensics. So which path will you choose: Incident Response (IR) or Litigation Support?
Incident Response Path
To help to identify which path is appropriate, it’s probably best to first define the particular path. Digital Forensic Incident Response (DFIR) is defined loosely by a myriad of online resources as incorporating digital forensics techniques to identify bad actors at the heart of malicious attacks on networks networks and systems. This can include malware/spyware infections, hacker attacks, data theft, data leakage, etc. This is often referred to as an arm of Cybersecurity and is part of what many cybersecurity professionals do. But all one has to do is look up jobs for a Cybersecurity Responder or Engineer to read the litany of responsibilities that are associated with these positions to realize that it is truly only one part of the listed responsibilities. I’m often boggled when I search for job openings in Digital Forensics and find the dozens of listings that have very little to do with digital forensics at all, but because the job of a DFIR responder is partially to deal with these incidents, forensic response is listed as one of the desired skills. The argument could be made that the forensic component is a dedicated position in itself.
Regardless of that, the work of a DFIR responder is somewhat different than that of a litigation support professional in several ways. First, the manner in which you acquire the data to be analyzed can be very different. It is a common practice in IR work to acquire logical data from a network repository for analysis and not a “dead box” physical acquisition of the data. This is a practical consideration because networks in enterprise environments can’t be shut down for a physical acquisition. Many times, network logs, Windows event logs, registry entries and IP log files play a crucial role in determining who is responsible for the incident. Acquisition and analysis of these logs can be tedious and may only lead to part of the conclusion about what happened. The job of an IR digital forensic professional is absolutely necessary, particularly in large corporations and those that store sensitive personal information. We hear about data breaches of personal information almost weekly and security-minded practitioners struggle with constant pulpit-pounding of good practices leading to good security.
Regular readers of this blog know well that I put forth regularly that “forensics” means the acquisition, analysis & reporting of facts associated with the data in such a manner that is presentable in a Court of Law. While it is no doubt possible that an IR professional could work a case that would lead to litigation, it is far less likely than in the litigation support realm. As such it’s probably safe to say that IR practitioners could reasonably be more on the technical side than the presentation & explanation side. However, every incident has at least one stakeholder, so the ability to explain very technical matters to very non-technical people is still a vital skill.
Litigation Support Path
It’s probably safe to say that when many people decide on a Digital Forensic course of study, they probably think of litigation support as their main path, probably due to the romanticization of the field in TV shows like CSI. We hear about data breaches in the IR realm all the time, but we rarely hear in popular media the outcomes of their investigations. Litigation support can be (and often is) the exact opposite. Most law enforcement digital forensic practitioners are involved in litigation support and do so in very high-profile incidents. Many private companies are also involved in digital forensic litigation support. So what does a litigation support analyst do? We acquire, analyze and report on evidence most often specific to a particular person, company, etc. The means by which we acquire this data often differs from the IR path because we generally have physical access to the suspect or target media to be analyzed. This means we can acquire physical repositories, instead of just logical data. Of course, mobile forensics can be a large exception to the last statement, but generally speaking and with current technology, we are able to acquire physical memory of stand-alone computer systems and workstations. (However, that will probably not always be the case.)
Law Enforcement works criminal litigation support by identifying a criminal suspect, seizing their electronic equipment, acquiring & analyzing same as part of their investigation and reporting about their findings. Part of their reporting often comes in the form of formal expert testimony in court, which is one of the biggest differences between IR and Litigation Support. It requires further refinement of the skill of presenting very technical matters to very non-technical people.
Private companies who engage in Litigation Support also have a similar approach to casework, but work Civil disputes as well. These civil cases may be everything from divorce/custody matters to intellectual property theft to employment disputes to independent analysis in criminal defense cases. No matter the court of the case at hand (i.e., criminal or civil), the litigation support professionals seek to add clarity, value and definition to the matters they work as part of the adversarial justice system.
Similarities between Incident Response & Litigation Support
We’ve highlighted the main differences between IR and Litigation Support, but there are naturally many similarities. The basic knowledge of how data is stored and analyzed is probably the largest similarity. Both paths need to have a good basic understanding of data storage and forensic implications thereto. Another similarity can be in the tools we use. Fortunately, most modern and popular digital forensic tools, whether open source or proprietary, are capable of handling both IR and litigation support work. The nuance factors in with the examiner’s ability to properly use the tool, given the particular type of case or incident. Some forensic tool vendors like to say their tool has “been validated in Court”. This is a misleading statement. Tools don’t get validated in court. Examiners get qualified as Experts in Court and their findings are validated because of their requisite knowledge, skills, abilities and experience.
Finally, the most important part is that the approach philosophy is and needs to be the same across the digital forensic spectrum. In every case, we operate on the approaches of objectivity & neutrality, analyzing the data as the data is presented to us and never allowing personal bias or beliefs about the suspected parties involved to cloud our ability to prove or disprove what happened. Digital Forensics is a scientific discipline. It requires us to constantly evaluate evidence in a neutral environment to arrive to a conclusion of fact. As experts in the field, we are afforded the ability to draw conclusions based upon our knowledge and experience, even if the data doesn’t explicitly show us what those conclusions are. But those conclusions are always supported by the data and never created out of conjecture or bias.
Wrapping It Up
In every field, there are nuanced sub-sects. If one decides to be a doctor, they can become a surgeon or a psychiatrist. If one decides to be a lawyer, they can become a corporate risk manager or a criminal litigator. The refined skill sets for the two paths within the same field are where the differences lie and Digital forensics is no different. There are nuances within the two paths of Incident Response and Litigation support that dictate which skills will be highlighted and which will be of less value to hone and refine. Knowing the difference is key to the practitioner’s success, particularly early in the field of practice. Can a DFIR practitioner choose to switch between IR and Litigation support (or vice-versa)? Absolutely! Many litigation support professionals from law enforcement retire to work for IR shops. The take-away here is to start the thought process about which path is the best fit for you. Ultimately, everyone involved the practice of digital forensics wants to get to the heart of the matter, just like all doctors want to help their patients and all lawyers want to serve their client in the best manner possible. So do some soul-searching and drill down about what path you’d like to choose. And as a wise man once said, “Go with your gut, but use your head!”
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA). In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice. Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc
Patrick Siewert on LinkedIn: https://www.linkedin.com/in/patrick-siewert-92513445/