Digital Forensics for Lawyers – The Electronic Commandments

What is forensic evidence in a criminal matter? It’s a near certainty in today’s mobile culture that your criminal lawyer will need to deal with traces of digital evidence somewhere in your criminal case. In cases where information is hidden, erased or altered in some way, forensics allows us to discover more information, to draw additional conclusions about existing evidence and even to find new material.

It’s important to know where to find the digital bread crumbs. Each day new locations for data are created, and new methods of communication and new programs designed to store, encrypt, or automatically erase critical information are deployed. But where should you look? It’s important to have a checklist that grows all the time but includes at least the following:

  • Computers: Servers, Laptops, Desktop Computers, and Tablets
  • ISPs (Internet Service Providers). Comcast, Viacom, etc.
  • Cell Phones: Smart phones, iPhones, Android devices, Blackberries (yes, they are still in use)
  • Tablets: Android, iOS (iPads)
  • Wearables: Android glasses, Google glasses, smart watches, fitness tracking devices (e.g. Fitbit)
  • Cloud providers: iCloud accounts, Google docs, Dropbox, Windows Live, Social Media (LinkedIn, Facebook, Twitter, Snapchat, etc.)
  • Emails: Computer-based, mobile devices, cloud based (Gmail, etc.)

Forensic evidence may even be available from “old school” technology such as

  • Copiers. It may be hard to believe, but copiers have “cache” memory where documents that were “copied” may still reside. Information such as the account the copies were charged to, or the person for whom they were made, can also be available.
  • Cameras. Cameras that have flash memory can contain old pictures, and certain cameras record the date and time, and sometimes even the geo-location of where the picture was taken.
  • Backup tapes. Believe it or not, companies still store large quantities of data on backup tapes. While sometimes extremely hard to access, there may be a wealth of information on these tapes.

Data may also be contained on supposedly erased or formatted hard drives. In modern computers, when a file is “deleted” the data is not actually destroyed; only the storage location for the data is marked as “available for overwrite.” What that means is that even when you click “delete” on that Word document on your computer, the actual contents of the file still reside on your hard drive, waiting for another new document to write over that storage location. In many cases, entire files or partial files can be recovered by professionals, who can then testify in court as to the soundness of their recovery process.

But how do I prove that it’s authentic evidence? There are several answers:

Hash Value: A hash value is a digital fingerprint for a data file or block of data. If hash values match, there is a 99.99999% chance it is the same file, which is much more accurate than even DNA matches, and well accepted by the courts.
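The following is an added illustration, not part of the original article, of how a hash value serves as a fingerprint and how an examiner records it at acquisition and re-checks it later. It assumes Python’s standard hashlib module; the “evidence” byte strings and the item identifier are constructed for the example.

```python
import hashlib
import io

# Constructed sample evidence: a byte string standing in for the file as
# acquired, and a copy in which a single character was later changed.
ACQUIRED = b"Meet at the warehouse at 10pm. Bring the files.\n"
TAMPERED = b"Meet at the warehouse at 11pm. Bring the files.\n"


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the whole item: its 'digital fingerprint'."""
    return hashlib.new(algorithm, data).hexdigest()


def fingerprint_chunked(data: bytes, algorithm: str = "sha256",
                        chunk_size: int = 1024 * 1024) -> str:
    """The same digest computed in chunks, as an examiner would for a
    large disk image or mailbox that does not fit in memory."""
    h = hashlib.new(algorithm)
    stream = io.BytesIO(data)  # stands in for an open evidence file
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def record_custody(manifest: dict, item_id: str, data: bytes) -> str:
    """At acquisition: store the hash so the chain of custody can be
    verified later. Returns the recorded digest."""
    digest = fingerprint(data)
    manifest[item_id] = {"sha256": digest, "size": len(data)}
    return digest


def verify_custody(manifest: dict, item_id: str, data: bytes) -> bool:
    """Later (e.g. before trial): re-hash the item produced and compare it
    with the recorded value. Any changed byte yields a different digest."""
    entry = manifest.get(item_id)
    if entry is None:
        return False  # nothing was ever recorded for this item
    return len(data) == entry["size"] and fingerprint(data) == entry["sha256"]


if __name__ == "__main__":
    manifest = {}
    record_custody(manifest, "ITEM-001", ACQUIRED)
    print("unaltered copy matches:", verify_custody(manifest, "ITEM-001", ACQUIRED))
    print("tampered copy matches: ", verify_custody(manifest, "ITEM-001", TAMPERED))
```

Changing one character of the message produces an entirely different digest, which is why a matching hash is taken as strong evidence that the file produced is the file that was collected.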

Following these “Electronic Commandments” will give you some peace of mind:

  • Follow chain of custody procedures
  • Report on nothing but facts, no conjecture or conclusions
  • Document the tools (software and hardware used) in the work (collection and analysis)
  • Document the protocols you followed
  • Quality control is crucial. Also double and triple-check work product
  • Make sure you can explain the results in plain English anyone can understand (even a judge)
  • Never believe what you see. Never take digital evidence at face value
  • It’s the small stuff. Your analysis will usually only produce evidence of small events; that’s all you’re looking for.
  • Never think you’re smarter than a cyber criminal; it just doesn’t pay to be arrogant
  • The best investigators think like crooks.

Following these simple steps will help any forensic examination in your criminal case proceed much more smoothly, with better overall results.