Digital evidence. It’s everywhere. Consider the ubiquitous nature of electronics: in our society, interaction with electronic devices is inevitable. Most of us interact with them hundreds, if not thousands, of times a day. And most of those devices are “smart” enough to retain information about who you are, and where you were, when you interacted.
Add to this the massive amounts of digital information office workers deal with every day: emails, the web, calendars, word processors, spreadsheets, and security systems. It’s a vast amount of information. And, all of these systems collect “digital fingerprints” when they are used. This leads to large amounts of “indirect” information available to anyone who knows to look for it.
Knowing to look
Imagine the time before we knew fingerprints were unique. Crime scenes held fingerprints and other forensic information, which was all literally overlooked. Footprints and blood evidence were examined. But since science didn’t know about blood types until about 100 years ago, even this important evidence was missed.
This is the current state of much digital evidence. It might be there, it might not. Most people consider its usefulness only vaguely. And since this is new technology, people are frequently clumsy in their methods of dealing with it.
But in almost all cases, the digital evidence is there. And we must be careful in handling it, because it is more fragile than other evidence. Even the simple act of turning a computer “on” can change and possibly destroy potentially useful digital evidence.
What’s the rush?
Only someone who knows technology and the law can adequately protect that valuable digital forensic evidence.
You need to get that computer into the hands of a digital forensics expert ASAP. And unlike many other tasks related to preparing the case, time is critical. Any delay leaves that evidence vulnerable. It would be like not putting up the police tape around a physical crime scene. If you let people walk through, your evidence gets compromised or lost.
But we’re trying to limit our costs!
Until you know you’re going to court, of course you don’t want to spend much money. The case might settle, and money could be saved.
But consider this: if the opposing counsel sees an immediate, aggressive move to gather as much digital forensic evidence as possible, you’re more likely to get a settlement offer. A proactive digital forensics strategy clearly demonstrates that you are not only serious, but also aware of the importance of digital evidence. If your opposition is also up-to-date on the role of digital forensics, they will appreciate your savvy. If they are not technically inclined, they will likely be unclear, perhaps even intimidated, about what digital evidence there is, and what may be done with it. It’s a bit of a win-win for you.
The Digital Forensics Collection
There is a prudent way to limit costs early on, however: Digital forensic collection. This means collecting the evidence first, while leaving the detailed data analysis for later, when it becomes clear the case will likely go to trial.
Most digital forensic evidence is drawn from the hard disk drives of the computers in question. A “bit-level” image of a hard drive is an exact duplicate of the drive at the time the image is taken. You can take a bit-level image early, and use it later, if necessary. This phase of a digital forensic investigation is usually less than one quarter of the overall cost.
But how broadly do you cast your digital net? Is imaging all the office computers sufficient? What if home computers were involved? What about online backups, web searches, and mail servers? How far do you go?
Well, the answer comes from the cost ratio mentioned previously: If there is a 25% chance that a system could carry relevant digital forensic evidence, then capture an image of it. You can defer the decision to analyze the data until later.
Who you gonna call?
The best way to protect all involved is to seek the guidance of a digital forensic specialist at the earliest sign of possible litigation.
Your chosen digital forensics consultant needs to be qualified across many platforms: Windows, Mac, Linux, servers, web services, and even security systems. A digital forensics expert who is certified on just one product may not be “expert” enough to do the job thoroughly. You need depth on your bench.
The other role for your forensics consultant is as trusted advisor: Prudent advice about the timing of forensic collection and analysis will always be needed. And there will probably come a time when you need guidance regarding your own firm’s handling of electronic data.
Lastly, your digital forensics consultant should be someone you’d be comfortable presenting in court as an expert witness.
As is often the case, price may not be indicative of quality. So, you should consider these questions when evaluating any digital forensic consultant:
- Do they have their own dedicated digital forensics lab?
- Do they know the law?
- Do they follow the accepted protocols and procedures?
- Are they able to keep and present an acceptable chain of custody?
- Are they able to balance the costs against the various parameters of timing and scope involved in a digital forensic investigation?
- Can they deal with the wide scope of systems and hardware?
- Have they ever served as an expert witness?
- How long have they been in business?
- How quickly are they able to react?
- Are they familiar with discovery and preservation strategies and case law?
At the end of the analysis, you need to choose your digital forensic examiner very carefully. Using the information above will help avoid the most common errors.