By Michael Shufeldt, J.D. VP Legal Operations TERIS/Phoenix
Within the last decade, use of digital forensics has increased drastically. The reasons are numerous, from data mining to investigation to simple preservation as an insurance policy against future litigation. According to Michael Shufeldt, J.D., Vice President Legal Operations TERIS/Phoenix, “To understand when and where to spend money on digital forensics, it is important to understand first what you are buying, then understand when it should be used.”
This is a very brief treatment of those questions.
Digital forensics occurs in stages, and understanding which stages actually need to occur in a given case matters because it can save you or your client from overspending. “A digital forensic investigation commonly consists of 3 stages: acquisition…analysis, and reporting.” Casey, Eoghan, Digital Evidence and Computer Crime, Second Edition.
Acquisition (collection) “involves creating an exact sector level duplicate (or “forensic duplicate”) of the media, often using a write blocking device to prevent modification of the original. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the copy is accurate.” Maarten Van Horenbeeck. “Technology Crime Investigation”, May 2008. Note that MD5 and SHA-1 are no longer considered collision resistant, so many examiners now record SHA-256 alongside or instead of them; whichever algorithm is used, the hash values and the time of acquisition belong in the chain-of-custody documentation. Targeted forensic collections can also occur that net specific data such as email. Targeted collections are the most common and often the most useful scenario.
Acquisition is the most common digital forensic procedure because every later stage depends on it. It is also generally the least expensive stage. Even if stages two or three are never reached, a verified collection can serve as an insurance policy or negotiation tool for parties who are, or could become, involved in litigation.
Recommendation: If you are or expect to be involved in litigation, by all means do either a targeted or full forensic collection as circumstances warrant. This is a fairly low-cost hedge against spoliation or loss of data that could be critical to your cause. Targeted collections, if they are sufficient for the matter, are preferable.
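The acquisition stage described above, as an added example that is not part of the original article or of TERIS's own procedures: a shell script that images a constructed sample "device" with dd, hashes source and image with two algorithms, records the values in an acquisition log, re-verifies the image later, and performs a targeted collection of e-mail files with a hash manifest. The working directory, the file layout and the sample files are assumptions made for the demo; on real media a hardware write blocker sits between the evidence drive and the acquisition host before any of this runs.

```shell
#!/bin/sh
# Added example (not from the original article): acquisition with hash verification,
# plus a targeted collection with a manifest. Everything under $WORK is constructed
# demo data; device.img stands in for physical media and is NOT a real disk.
set -u

WORK=${WORK:-/tmp/forensics-demo}   # assumed working directory for the demo

# Build constructed evidence: 1 MiB of random bytes as the "device", and a small
# file tree containing mail artefacts for the targeted collection.
make_sample_evidence() {
    rm -rf "$WORK" && mkdir -p "$WORK/src/Users/alice/mail" "$WORK/src/Users/alice/docs"
    head -c 1048576 /dev/urandom > "$WORK/device.img"
    printf 'From: alice@example.com\nSubject: Q3 contract\n\nSee attached.\n' \
        > "$WORK/src/Users/alice/mail/msg1.eml"
    printf 'PST-PLACEHOLDER' > "$WORK/src/Users/alice/mail/archive.pst"
    printf 'not mail' > "$WORK/src/Users/alice/docs/notes.txt"
}

# Stage 1, full acquisition: sector-level copy with dd (noerror,sync keeps going past
# unreadable sectors and pads them so offsets stay aligned), then hash both sides with
# SHA-256 and MD5 and log them. Returns 0 only if both hash pairs match.
acquire_image() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_sha=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sha=$(sha256sum "$dst" | cut -d' ' -f1)
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    dst_md5=$(md5sum "$dst" | cut -d' ' -f1)
    {
        echo "source=$src image=$dst acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sha256 source=$src_sha image=$dst_sha"
        echo "md5    source=$src_md5 image=$dst_md5"
    } >> "$log"
    [ "$src_sha" = "$dst_sha" ] && [ "$src_md5" = "$dst_md5" ]
}

# Re-verify an image later (for example before handing it to analysis) against the
# SHA-256 recorded at acquisition time. Any change to the image makes this fail.
verify_image() {
    img=$1; expected_sha=$2
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$expected_sha" ]
}

# Targeted collection: copy only e-mail artefacts (.eml and .pst here), preserving
# timestamps, and write a manifest line (sha256, relative path) for each file.
# Prints the number of files collected.
collect_targeted() {
    root=$1; out=$2; manifest=$3
    mkdir -p "$out"
    : > "$manifest"
    find "$root" -type f \( -name '*.eml' -o -name '*.pst' \) | while read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$out/$(dirname "$rel")"
        cp -p "$f" "$out/$rel"
        printf '%s  %s\n' "$(sha256sum "$out/$rel" | cut -d' ' -f1)" "$rel" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Stand-alone demo: RUN_DEMO=1 sh acquire.sh
if [ "${RUN_DEMO:-0}" = "1" ]; then
    make_sample_evidence
    acquire_image "$WORK/device.img" "$WORK/evidence.dd" "$WORK/acquisition.log" \
        && echo "image verified" || echo "HASH MISMATCH"
    echo "targeted files: $(collect_targeted "$WORK/src" "$WORK/targeted" "$WORK/manifest.txt")"
    cat "$WORK/acquisition.log" "$WORK/manifest.txt"
fi
```

The manifest and acquisition log are what later gets produced alongside the evidence: re-hashing the image or the collected files against them is how anyone, including opposing counsel's expert, confirms nothing changed between collection and analysis.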
Stages 2 and 3
Stages 2 and 3 are treated together because analysis without reporting is not particularly helpful. Analysis is the process by which forensic experts use a variety of techniques and technologies to recover data and interpret the results. This goes beyond typical ediscovery processing of known and obvious data and is a specialized service that, ideally, is performed only by very skilled professionals.
“The evidence recovered is analyzed to reconstruct events or actions and to reach conclusions, work that can often be performed by less specialized staff. When an investigation is complete the data is presented, usually in the form of a written report, in lay persons’ terms.” M Reith, C Carr, G Gunsch, “An examination of digital forensic models”. International Journal of Digital Evidence.
Recommendation: This is an expensive service. Before purchasing it, be sure that you cannot obtain the same results through “standard” ediscovery processing and review. If you find that you do need this service, vet your provider carefully for proper qualifications and certifications. If you move forward with analysis, an important heuristic is to narrow the scope as much as possible: consider carefully which custodians and devices should be analyzed. While you do not want to miss anything important, irrelevant or repetitive material can cause costs to soar to astronomical levels.
Mobile devices are not a “stage,” but they are a special consideration. Mobile devices can provide a wealth of unique information such as GPS and location tracking, call logs, SMS messages, pictures and other data that may not be available elsewhere. Mobile data in the form of SMS aided in the exoneration of Patrick Lumumba in the murder of Meredith Kercher. Eoghan Casey, ed., Handbook of Digital Forensics and Investigation.
Recommendation: Mobile device collection is very costly, yet the data on these devices is often unavailable anywhere else and easily lost. If there is a reasonable chance that a device holds unique data you will need, an image of the device is recommended.