Eight Strategies To Control Information Forensic Costs

April 12, 2011

I’m often told that the biggest barrier to introducing information forensics to a potential case is the cost of doing so, and I believe it.  It is hard to explain to a client that they may expend resources with no return on the expenditure, and yet effective use of information forensics can be a valuable part of case strategy.  Here are eight strategies to effectively control information forensic cost:

  1. Prioritize Systems. In cases where there are multiple computer systems, hard drives or electronic devices involved, try to identify which ones are more likely to contain key evidence or facts in the case.  Your expert should be willing and able to help you do this, based on the facts of the case and the role of the devices involved.
  2. Image and Hold. Perform forensic imaging of the systems and devices involved to preserve them, but unless there are other factors involved you may not need to do analysis on ALL the systems at once.  Start with the high priority systems, and then see if there is likely to be value on the other systems or devices involved.  “Image and Hold” can also be an effective early strategy for a single computing device as well.
  3. Be Selective. We are often approached with multiple cell phones and hard drives.  One of the first questions I ask is if the cell phones were potentially backed up on one of the computer systems.  If so, then we can often process the backup (or “synch”) of the cell phones just as though we had the cell phone itself.  This helps to prevent duplicating cost.
  4. Evaluate Before Analyze. Full disclosure: This is a self-serving statement, in that Vidoc Razor runs a flat-rate evaluation service, but that doesn’t make it any less true.  Your expert must be able to provide an evaluation of the computer systems involved to identify which devices are useful to a case, versus ones that are redundant or don’t contain case useful information.  Make sure that the evaluation is  in context with the case, and not a simple cookie-cutter print-out of log files.
  5. Look for Flat-Rate Services. I have heard many complaints of forensic costs that run wild because of hourly rates.  It isn’t hard for a forensic service to provide cost-effective, flat rates that still provide high-quality results.  Your expert should be interested in looking for a long-range relationship as part of your legal arsenal, rather than getting rich off of a single big case.
  6. Understand the Differences Between Data, Information, and Intelligence. This seems like semantics, but it really isn’t.  Data is a stream of un-evaluated, un-interpreted symbols.  Information is what data becomes once it is useful (in context).  Intelligence is what information becomes once it becomes fact.  Once you stop thinking about “data forensics” and start utilizing “information forensics” you can find all three in a variety of places beyond the hard drive, or as a supplement to the evaluation or analysis performed on a hard drive or cell phone.
  7. Know Your End-Game. It is easy to get caught in the flood of information that can open up in the effective use of information forensics.  It is equally easy to chase down information that doesn’t necessarily support your overall case strategy.  For each new  tributary that opens up to you, ask yourself if it is actually something that supports your end-strategy, or potentially alters it.  If not, then why spend resources to chase it?
  8. Take a Deep Breath. If I had a nickel for every time I have heard the phrase “I am completely computer illiterate”, I would be living on easy street.  In a Yogi Berra-esque way: “This ain’t rocket surgery.”  For some reason the mere exposure to electronic investigation causes people to shut down.  While information forensics can be very technical, I promise you that the average attorney has dealt with much more complicated issues.  Take a deep breath and enjoy the new strategies and brand new streams of information that open up to you and your client and augment your ability to argue your cases.

Next Post:  Effective Information Forensic Strategy

A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (it is just now working its way through the courts), and seems extreme.  The reality is that planted evidence can occur in many different forms:  Planted documents, images, and even emails.

While the deception in the UK case was broken through cell phone activity (the perpetrator made an “anonymous” phone call, and had been heard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times to review other system information that backs up the method of arrival of the information on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, even sometimes serial numbers.  Further activity supporting the insertion of the device can sometimes be correlated between file history analysis and searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often have information regarding the date of creation (not necessarily introduction to the system), authorship, serial or license numbers of the product used, sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system.  Examination of these files can tell an investigator whether the file information matches up with what the system knows about the file.
  • Surrounding activity: Other activity on the system related to usage can be an indicator as well.  For example: If a file was supposedly downloaded from the internet, one would expect to see certain other activity surrounding the download if it was generated by the user.

A lot of these same techniques can be used to attack or defend other claims of the so-called “trojan defense” (aka “A Virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if an information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.