How to Deal with Difficult Clients as a Digital Forensic Examiner

 

How to Deal with Difficult Clients as a Digital Forensic Examiner

Businesses large and small often have the unfortunate occasion where they must deal with a difficult client.  In the world of digital forensics, this is no exception. It is essentially how you deal with them that matters.  Truth be told, most of us know that this is not always an easy task.  We often work with attorneys on behalf of their clients.  That being said, in our field, we have the occasional clients that represent themselves, however, a majority of clients are the attorneys which represent another individual(s).

There are several strategies to take into consideration when working and dealing with “difficult” clients.  In truth, there will be some clients that will be difficult regardless of what is done to remedy an issue they may present. However, many difficult situations can be potentially averted if certain steps are taken to minimize any potential issues that could arise. 

1.      Set clear concise boundaries and expectations.  If a client knows where you stand from the beginning of the business relationship, there is likely to be less confusion, deterring an angry client.  Items such as cost, schedule, deadlines and requirements are crucial in this step.  Each case will vary to one degree or another, therefore, those stipulations should be discussed in the initial meeting and put into a contract that all parties sign and date if agreed upon.  It should be noted that if a complication in a deadline arises, it should be addressed immediately and not held until the last minute.  This is applicable for ALL parties in the case.

2.      Be professional.  It is sometimes easy to get emotional in litigation, especially if you feel attacked on a personal level. It is best to remain calm and talk to the client in a professional matter, regardless of the manner to which they choose to respond.  In the field of digital forensics, we are often sought out for a specific task.  How you react to a difficult customer can impact not only your business, but your reputation as well.

3.      Document, document, document!!  As previously stated, not everyone will be happy with a resolution proposed.  There may be instances that arise that you may not have an immediate solution for an issue that pops up.  This is where documentation is critical.  Just as when performing an analysis from beginning to end, documentation is the backbone to cover yourself.  This is no exception. 

4.     If a mistake is made, own it!  Naturally, no one likes to admit they made a mistake.  We are human, mistakes happen.  However, trying to pawn the blame off on someone else, including the client, will do nothing but produce friction.  It is best to be upfront and honest about the mistake, address it and work on a solution to fix it.  Of course, the opposite can also apply in this situation.  If a mistake is made and it was not any fault of yours, do not take the blame on yourself.  This causes a divide in the business relationship.

5.     One big thing…If the client is so difficult that there is no solution that pleases them, know when to walk away.  Do not be afraid to let them know that their behavior will not be tolerated. Digital Forensic Examiners have a specialty that other seek out.  No one should be disrespected in the workplace. 

NOTE:  In the world of digital forensic cases, examiners are accustomed to the technology and forensic programs we work with daily, so often we tend to speak in terms that we understand without realizing that our clients are not as versed in such, making this confusing for them and leading to further frustration.  We must always remember to take this into consideration at the beginning of any professional relationship to lessen the possibility of frustration for all parties.

Wrapping It Up

In today’s business world, having a difficult client is almost a certainty.  How a business professional handles a difficult client makes all the difference.  At the same time, every individual deserves a modicum of respect. You cannot be afraid to walk away from a situation if you are put in a situation that makes you uncomfortable.  Your reputation and business could be on the line as a result of how a situation is handled with a difficult client.  As with any relationship, whether it be personal or professional, constant open communication and boundaries are key to the successful relationship between the service provider and the Client and/or attorney handling their matter.

Author: 

Tami Smith

Digital Forensic Examiner

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!

 

We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Tami Smith is a Digital Forensic Examiner and Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  An Army Veteran, she is a Suma Cum Laude graduate of Computer Forensics and Digital Investigations, she has had the opportunity to practice in the field, examining civil and criminal cases with the discipline of her military experience.  Tami holds vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is also a Private Investigator in the state of Virginia. She continues to hone her digital forensic knowledge, education, and experience in the private sector.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Tami Smith on LinkedIn:  https://www.linkedin.com/in/tami-smith-1b28ab29/

 

Three Myths About Digital Forensics as a Practice

July 14, 2021

Three Myths About Digital Forensics as a Practice

Following up on last month’s article about “Three FAQs About Digital Forensics as a Service”, we thought it useful to spend some time debunking some myths about digital forensics from both a general practitioner and service provider perspective.  

Every industry comes with “urban legends” or popularized myths that surround the practice.  Many of these rarely represent reality and some are outright false.  The more intriguing or interesting the field, the more pervasive these falsehoods can be.  Digital Forensics is no different than any other industry in this respect.  The reality is that TV and movies have sensationalized what we do to the point where there are several misconceptions about the practice of digital forensics, which run the gamut of the various sub-sets of the practice and affect those in law enforcement, private sector litigation support, incident response and government contractors.  While Hollywood has tried to make the profession “sexy”, there are some realities to this field, including the long hours spent staring at a computer monitor, developing a script or researching an application.  While not overly exciting, those are activities in which any practitioner worth their salt needs to engage on a regular basis… But it doesn’t make for good TV.

In order to dispel some common myths about our field, three of these misconceptions are discussed in this article.  This selection of industry myths has been garnered through discussing and working cases with people outside the industry over the combined time in law enforcement and private sector practice of digital forensics for the past 12 years.

Myth #1:  Nothing Is Ever Truly Deleted

I wish this were true.  However, the reality is that it is not.  Not only are there anti-forensics methods readily available to users on the market (i.e., Hillary Clinton and “BleachBit”), but increasingly there are measures being put in place at the manufacturing level for both mobile devices and higher-end computer systems that make deletion of data a permanent state.  To be more accurate, the security over the stored data is such that when and item is deleted, it is often not recoverable.  

For example, on an iPhone, data is stored in the same basic way for most applications.  However, if an item is deleted from the phone, depending on the type of item (i.e., picture or video vs. text message), the item is sent to free space on the phone memory, which is encrypted and not accessible through the forensic process.  The image may not be gone, per se, but it is not accessible or viewable.  On newer Mac computers and other devices equipped with solid-state memory (i.e., not a spinning hard drive), there is a process in place called “Trim” which also helps clean up the free space of the memory and makes recovery of deleted items extremely difficult, if not impossible.  In the era of heightened data security, these measures are becoming more commonplace.  Deleted text messages that were once partially recoverable are now increasingly unavailable, even with the most state-of-the-art forensic tools.  

There are almost always alternative storage methods, however.  Hard backups (computer-based) or copies or cloud-based data can all be potential areas where valuable evidence can exist, but the reality of the digital consumer marketplace is that if all we have is the device and nothing else, we may not get your deleted data.  

Myth #2:  If It’s Deleted, It’s Gone

I know this sounds totally contradictory to the previous comments and Myth #1, but just because it’s deleted, doesn’t mean the evidence you need is gone.  Indeed, this is and always has been at the heart of the forensic process.  We utilized industry-standard methods to acquire, analyze, recover and report about the data.  The emphasis with this myth is the recovery part.  I tell potential clients and attorneys all the time, the data is *usually* stored in more than one place.  The aforementioned cloud-based data storage being the most ubiquitous, but there can also be additional data stored in some surprising places.  The more data we can get our hands on that is related to the matter at-hand, the more success we will have in getting you some evidence that will help confirm or refute your assertions in the case.  There are also methods of analysis that a trained, competent examiner will attempt to incorporate in many cases, including partial recovery of valuable data from places like file-slack (leftover space where a file may have previously existed) or volume shadow copies that are automatically created in Windows.  

In most cases, the proverbial smoking gun is not a realistic possibility.  We have certainly worked and seen cases where the smoking gun has come about and it has always met with great success, but the reality of our practice is that we will likely find *something* to help you, but it may not be the one piece of evidence that will confirm or refute the matter at-hand.  Will it add value?  Most likely.  The real value comes in with the examiner’s ability to articulate what they did, how they found what they did and to explain these findings in non-technical terms that everyone can understand.  

Tools don’t do the work.  They present the data for the analyst to do the work, so make sure your analyst is knowledgeable and not afraid of doing the work.

Myth #3:  It’s Just A Phone… What’s The Big Deal?

It’s not unlikely that the origination of this myth is rooted in our innate perception of the fact that the size of things should equal more cost.  Bigger vehicles cost more than smaller vehicles.  Bigger houses cost more than smaller ones, and so on.  So why should a device that fits in my pocket be more of a challenge to acquire and analyze data than my laptop or desktop computer?  

In recent years, the marketplace has demanded that phones be more complex, store more data and be much more secure than your computer.  Apple comes out with a new iteration of iPhone every year, and they usually (and much more quietly) update their computer hardware and software as well, but the emphasis since the inception of the iPhone has been on the mobile device.  So what’s so problematic about it?

As I tell attorneys and their clients frequently, many times we are acquiring the data that Apple allows us to have.  To be clear, this is almost always more than what the user could do themselves and in a forensically sound manner appropriate for evidence presentation, but Apple can be quite restrictive for non-law enforcement to obtain data.  We get the basics – messages, photos, videos, web history, and supported app data.  Many times we can also analyze unsupported app data as well.  But much of the deleted data is unavailable.  In recent years, more advanced methods for acquiring iPhone data have come about, but they are only available on certain iterations of the iPhone hardware and software.  But to be clear, we always try to get as much data as possible.

Android phones are increasingly problematic as well.  Last year, we had a Samsung Galaxy S20 in for acquisition and analysis.  I was amazed at how little data we obtained, despite multiple attempts at multiple different methods of acquisition.  Fortunately, the mobile forensic tool developers are always coming out with newer ways to get more data for our use and analysis, but it’s a constant game of catch-up.  

A final point about the volume of data that can be analyzed on phones, Apple currently has up to 512 GB of storage on an iPhone.  Some Android phones are pushing to 1TB or more worth of storage.  That may not seem like a lot when you’re using the phone, but it’s A LOT of data.  And the more we have to search that mountain of data, the longer it takes.  These are not the Nokia flip phones we all had in the mid-2000’s.  They’re not even the Blackberry Pearl you had and thought was so cool.  These are complex computer devices with as much storage capacity as many commonly used computer systems, with many enhanced security measures.  They may be small, but they’re mighty!

Wrapping It Up

The myths discussed here are a small sample of the push-back we sometimes get when it comes to the length of time and the cost associated with acquisition, analysis and reporting about the data on these devices.  For those in law enforcement, phones are seized daily and sometimes the means by which to simply acquire the data are challenging and time-consuming (if not impossible).  We are not miracle workers, but we do try to get you data that you can use in your case to help confirm or refute your suspicions or claims.  Just know, it’s not always easy, it’s not always quick and it’s unfortunately not always possible.  Sometimes, we just don’t know until we get into analyzing the data!

Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!

We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business servicing litigators and their clients, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/ 

Three FAQs About Digital Forensics as a Service

 June 8, 2021

Three FAQs About Digital Forensics as a Service

There are many tentacles to the practice of digital forensics.  As explored in a previous article, there can be two main tracks to the practice of digital forensics:  Incident Response & Litigation Support.  Along the same vein, there are practitioners both in the public sector (law enforcement, government contractors, etc.) and the private sector.  While the practice is essentially the same across both sectors, the types of cases called upon to work and the complaints or inquiries received can be vastly different.  

When I was a law enforcement examiner, my time was spent mainly investigating criminal incidents involving child sex abuse material (CSAM) and other crimes, such as fraud, cyber-stalking, etc.  After transitioning to the private sector, I found the case inquiries and cases worked to be quite different.  Sure, there’s a minority percentage of cases in the criminal realm, but many of our cases span family law, corporate law, intellectual property theft and other civil disputes.  One of the most notable areas that the shift has occurred has been in the types of inquires receive.  The three questions explored and answered here are designed to provide those would-be clients with answers that they can readily access without the need to contact a forensic service provider and to help provide guidance for some in our industry as a whole.  These questions are taken directly from inquiries we receive weekly.

FAQ #1:  I think someone (estranged spouse, other person) is “hacking” me.  Can you find out who it is?

This is probably the most frequent question we receive and it eats up a ton of time.  Indeed, there are many reasons why someone might feel they’ve been “hacked”, but at a 30,000-foot level, it’s not likely.  Why isn’t it likely?  Well, the first question anyone needs to ask themselves is WHY would someone hack your devices on purpose?  Jeff Bezos’ iPhone was hacked.  He’s also the CEO of a multi-billion dollar corporation and he was targeted with a very specific electronic exploit by a quasi-trusted source in a coordinated event and the means to hack his device were engineered specifically for that purpose.  Let’s be clear:  No one is likely doing that to YOU.  The time, effort, resources and level of technical sophistication needed to hack an individual’s devices at that level are so advanced and multi-faceted that no one with a standard or mid-range knowledge of computers or cell phones would be able to do that to you.

And just because they “work in I.T.” doesn’t mean they have any advanced coding knowledge to be able to hack your devices.

Most of these allegations surround mobile devices, but to be more specific, an iPhone is quite difficult to “hack”, at least to the level where one would be reading your text messages or tracking your location or listening to your calls.  Everything on the phone needs to run in an application and there are no applications on the Apple App Store which allow this type of activity.  This is why iPhones are generally considered more secure than Android devices – because you *have* to run everything as an app and the only place to get an app is the App Store and Apple has tight controls over what they allow on the App Store. 

What is likely the case in roughly 99.9% of instances is that access was granted by the iCloud account holder (i.e., iPhone owner) to the alleged hacker at some point prior to the “hacking” and they are using utilities like Find my iPhone and iMessage syncing to track these locations and activities.  Also not unlikely is that a formerly-trusted source knows your standard passwords and accessed your account using one of those, and may even have 2-factor authentication access from an older device.  Change your iCloud login and password and make the password strong and unique.  Also, disconnect older devices from your iCloud.  Finally, don’t use public wi-fi.

Android devices, while theoretically easier to “hack” than iPhones, still require some access for 99.9% of users to be able to track location, read messages, etc.  Apple, Samsung, LG, etc. don’t make money and keep customers by making their devices easy to exploit to any sort of hacking activity.  If that were the case, we’d all be walking around with hacked smart phones.  The security on these devices, particularly the newer models, is strong enough to ensure that the vast majority of people to whom access is not granted to the data, cannot access the data… And with each new generation of device, the security gets stronger.  

The reality is that we are all bleeding our location, purchase history, check-in activity, life events and much more on our mobile devices every day without even realizing it.  Google has more data on you than the NSA and they exploit it to make money.  Does hacking of an iPhone or Android phone happen? Yes.  But it is very, very unlikely for 99.9% of users.

As a final note, I tell all potential clients that call with this complaint, hacking in many forms is a crime.  If you have evidence you’ve been hacked, report that to the authorities and initiate a criminal investigation.  They work for you and you pay them with your tax dollars.  They also have the power to issue things like subpoenas and search warrants, which any private practitioner does not.  In short, they can help you much more than we can.

FAQ #2:  Someone is sending me harassing text messages anonymously.  Can you identify who it is?

The short answer to this is, probably not.  If the only evidence we are afforded are the text messages from the phone of the person receiving them, there isn’t much evidence for us to investigate from the device itself.  The existence of the text messages is not in dispute, the origin is what is sought.  Most of these numbers are issued through a third-party and purposely anonymous at a practical level, so our ability to track down the number to a specific person is very limited.  

In order to track the number to a person, litigation needs to be in place or a criminal investigation needs to be undertaken.  This will provide the power of subpoena or search warrant to help track down and follow the bread-crumb trail to who may be responsible.  Even still, this can require multiple levels of subpoena, which can take time and often be a dead-end in the investigation.

Harassing text messages and/or calls are annoying.  They may even be illegal, depending on where you live.  But it’s much easier and less expensive to change your phone number and let trusted friends & family know you’ve changed your number than it is to try to dig down into the rabbit-hole that is a chain of subpoenas to try and track down who is responsible.  As a wise man once said to me, “the juice isn’t worth the squeeze”.

FAQ #3:  I suspect my spouse or significant other is cheating. Can you analyze their phone to let me know if this is true or not?

We get this question a lot.  And it’s usually followed up with a statement by the would-be client that “the account is in my name”.  The problem is, the data isn’t in your name, and the data is what you’re asking us to analyze.  The issue of marital ownership of property can get a bit murky, particularly when one feels their trust is being violated.  

I know a lot about the law, but I am not a lawyer.  Generally, we refer people who ask for this service to consult an attorney and the natural rebuttal is “I want proof that something is going on before I get an attorney”.  At that point, we gracefully exit.  Why?  Because past instances have taught us that getting involved in domestic issues where there is no litigation is messy and fraught with complications.  In short, we’re not going to be the reason you get a divorce.

Aside from that, there are technical issues which can arise in this.  The first is access to the data.  For all modern cell phones, we need the pass code in order to obtain the data.  Period.  There are no notable exceptions to this for private sector practitioners.  Oh, you have the pass code?  Great.  We still won’t do it.  Modern mobile forensic tools also extract authentication keys for social media and other cloud accounts, which is a very powerful tool, particularly if used in the wrong hands.  By accessing the data on the phone and/or the data on the cloud without proper authorization, we are breaking the law.  There is no client or any amount of money who would convince us that our professional integrity and reputation is worth one case.  Finally, if we engaged in this practice and the case did go to litigation, we’d have to testify about how we accessed the data and by what authority.  That would be a tough question to answer.

Are there digital forensic practitioners who will do this?  Absolutely.  Please contact them and let me know how their testimony goes.

Wrapping It Up

The FAQs discussed here are just a sampling of some of those we receive quite regularly.  And while the answers may have a bit of pointed clarification in them, they also touch on a wider theme of ethical practices in private sector digital forensics.  When you are researching a digital forensic service provider, please ask yourself 1) is what you’re asking them to do within the bounds of the law and/or ethical practices and 2) if they agreed to do it for you, what does that say about their ethical standards?   The training, tools and ability to do what we do are all extraordinarily powerful and if used by the wrong type of practitioner, could lead to drastic consequences.  Violations of what could be termed “standards of practice” will affect the industry as a whole.  Let’s all work together to ensure that doesn’t happen.

Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!

We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/