3 Tips for Dealing With Digital Forensics Investigations
Goodbye Sam Spade, hello digital forensics specialist. Today, when you need to find the "smoking gun" (more often a smoking email or a wiped hard drive), you don't call up your private dick; instead, you meet with your forensics specialist. Digital forensics allows for the investigation and often recovery of materials from digital devices, from personal computers to cell phones to massive servers.
Digital forensics is not the same as eDiscovery. Most eDiscovery looks at active data -- information that is managed and readily available. Digital forensics searches much deeper: it allows the recovery of hidden, damaged or erased information and can reveal significant amounts of information that is otherwise not easily available.
1. Mirror Imaging or "Bit by Bit" Preservation is Still Best
Many digital forensics investigations involve creating a mirror image of hard drives or other devices that may contain relevant information. Mirror imaging allows for the creation of an exact replica of the original device, so that it can be investigated without altering or damaging other evidence. It's literally a "bit by bit" recreation.
Generally, bit by bit preservation is the preferred method for acquiring information. Alternatively, "live acquisition" allows information to be recovered via a device's normal interface -- you literally turn a computer on and begin looking around. This, however, creates a much greater risk that data will be modified or lost. Large storage devices and cloud services are making mirror imaging more burdensome, but it's still the best method in most cases.
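What "bit by bit" means in practice, as an added illustration that is not part of the original article: the in-memory "device", the function names and the use of SHA-256 to confirm the copy are assumptions of this example. It copies every block, including leftover bytes of an erased file, and shows that a single changed bit in the copy is detected.

```python
import hashlib
import io

CHUNK = 4096  # read size; an assumption, real imagers read in sector multiples

def image_device(src, dst, chunk=CHUNK):
    """Copy src to dst block by block; return (bytes copied, SHA-256 of what was read)."""
    digest = hashlib.sha256()
    total = 0
    for block in iter(lambda: src.read(chunk), b""):
        dst.write(block)
        digest.update(block)
        total += len(block)
    return total, digest.hexdigest()

def verify_image(acquisition_hash, image_stream, chunk=CHUNK):
    """Re-hash the image from its first byte and compare with the acquisition hash."""
    image_stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: image_stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest() == acquisition_hash

def build_sample_device():
    """Constructed sample: one active file, then remnants of an erased one, then empty space."""
    active = b"ACTIVE: quarterly-report.txt".ljust(512, b"\x00")
    erased = b"DELETED: draft-email.txt".ljust(512, b"\x00")
    return active + erased + b"\x00" * 9216

def demo():
    device = io.BytesIO(build_sample_device())
    image = io.BytesIO()
    size, acquisition_hash = image_device(device, image)
    intact = verify_image(acquisition_hash, image)
    # Erased-but-not-overwritten bytes are carried into the image along with active data.
    has_erased = b"DELETED: draft-email.txt" in image.getvalue()
    # Flip one bit, as an unintended write during handling might, and verify again.
    altered = bytearray(image.getvalue())
    altered[100] ^= 0x01
    altered_matches = verify_image(acquisition_hash, io.BytesIO(bytes(altered)))
    return size, intact, has_erased, altered_matches

if __name__ == "__main__":
    print(demo())
```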
2. Choose a Qualified Expert
Not all experts are created equal. When looking at digital forensics specialists, consider not just credentials, but actual experience. That experience should include both study and real world practice -- if that practice is specialized in a particular area, that's even better.
Remember, too, that your forensics specialist may also be your expert witness. Familiarity with testifying, writing expert reports and explaining findings to a non-specialized audience may all be necessary.
3. Don't Go in Blind
Sure, your specialist will handle most of the nuts and bolts of a digital forensics investigation, but attorneys should have familiarity and competency with the process. There are plenty of helpful guides and overviews that will walk you through the process. Not least of these is "Software and the Law: Digital Forensic Investigations and E-Discovery," by Daniel Garrie. (Disclaimer: "Software and the Law" is published by Thomson Reuters, FindLaw's parent company.) This resource provides you with an overview of the investigation process, forensic technology, and related legal issues. Coming in at just 50 pages, it's a quick, accessible way to get expert advice before diving into a digital forensics investigation.