Eight Strategies To Control Information Forensic Costs

April 12, 2011

I’m often told that the biggest barrier to introducing information forensics to a potential case is the cost of doing so, and I believe it.  It is hard to explain to a client that they may expend resources with no return on the expenditure, and yet effective use of information forensics can be a valuable part of case strategy.  Here are eight strategies to effectively control information forensic cost:

  1. Prioritize Systems. In cases where there are multiple computer systems, hard drives or electronic devices involved, try to identify which ones are more likely to contain key evidence or facts in the case.  Your expert should be willing and able to help you do this, based on the facts of the case and the role of the devices involved.
  2. Image and Hold. Perform forensic imaging of the systems and devices involved to preserve them, but unless there are other factors involved you may not need to do analysis on ALL the systems at once.  Start with the high priority systems, and then see if there is likely to be value on the other systems or devices involved.  “Image and Hold” can also be an effective early strategy for a single computing device as well.
  3. Be Selective. We are often approached with multiple cell phones and hard drives.  One of the first questions I ask is if the cell phones were potentially backed up on one of the computer systems.  If so, then we can often process the backup (or “synch”) of the cell phones just as though we had the cell phone itself.  This helps to prevent duplicating cost.
  4. Evaluate Before Analyze. Full disclosure: This is a self-serving statement, in that Vidoc Razor runs a flat-rate evaluation service, but that doesn’t make it any less true.  Your expert must be able to provide an evaluation of the computer systems involved to identify which devices are useful to a case, versus ones that are redundant or don’t contain case useful information.  Make sure that the evaluation is  in context with the case, and not a simple cookie-cutter print-out of log files.
  5. Look for Flat-Rate Services. I have heard many complaints of forensic costs that run wild because of hourly rates.  It isn’t hard for a forensic service to provide cost-effective, flat rates that still provide high-quality results.  Your expert should be interested in looking for a long-range relationship as part of your legal arsenal, rather than getting rich off of a single big case.
  6. Understand the Differences Between Data, Information, and Intelligence. This seems like semantics, but it really isn’t.  Data is a stream of un-evaluated, un-interpreted symbols.  Information is what data becomes once it is useful (in context).  Intelligence is what information becomes once it becomes fact.  Once you stop thinking about “data forensics” and start utilizing “information forensics” you can find all three in a variety of places beyond the hard drive, or as a supplement to the evaluation or analysis performed on a hard drive or cell phone.
  7. Know Your End-Game. It is easy to get caught in the flood of information that can open up in the effective use of information forensics.  It is equally easy to chase down information that doesn’t necessarily support your overall case strategy.  For each new  tributary that opens up to you, ask yourself if it is actually something that supports your end-strategy, or potentially alters it.  If not, then why spend resources to chase it?
  8. Take a Deep Breath. If I had a nickel for every time I have heard the phrase “I am completely computer illiterate”, I would be living on easy street.  In a Yogi Berra-esque way: “This ain’t rocket surgery.”  For some reason the mere exposure to electronic investigation causes people to shut down.  While information forensics can be very technical, I promise you that the average attorney has dealt with much more complicated issues.  Take a deep breath and enjoy the new strategies and brand new streams of information that open up to you and your client and augment your ability to argue your cases.

Next Post:  Effective Information Forensic Strategy

Leave a Comment » | Forensics Beyond the Hard Drive, Inforensics Opinion, Tools and Tips | Tagged: , , , , , , , | Permalink
Posted by inforensics

A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (it is just now working its way through the courts), and seems extreme.  The reality is that planted evidence can occur in many different forms:  Planted documents, images, and even emails.

While the deception in the UK case was broken through cell phone activity (the perpetrator made an “anonymous” phone call, and had been heard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times to review other system information that backs up the method of arrival of the information on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, even sometimes serial numbers.  Further activity supporting the insertion of the device can sometimes be correlated between file history analysis and searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often have information regarding the date of creation (not necessarily introduction to the system), authorship, serial or license numbers of the product used, sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system.  Examination of these files can tell an investigator whether the file information matches up with what the system knows about the file.
  • Surrounding activity: Other activity on the system related to usage can be an indicator as well.  For example: If a file was supposedly downloaded from the internet, one would expect to see certain other activity surrounding the download if it was generated by the user.

A lot of these same techniques can be used to attack or defend other claims of the so-called “trojan defense” (aka “A Virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if an information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.

Leave a Comment » | Cases, Investigation | Tagged: , , , , | Permalink
Posted by inforensics

Aguilar v. Immigration & Customs – Beyond Blatant Commercialism

January 14, 2009

I have seen many references to the Aguilar v. Immigration & Customs Enforcement Div. of U.S. Dep’t of Homeland Sec. case, specifically to the judgement filed in November 2008.  All of the accounts I have read seem to simply be focused on the fact that metadata should be preserved.  While this is great for certain forensic companies that have a product to hawk, it is in no way the most interesting discussion about metadata in this case.

In fact the “need” to preserve and produce metadata has been addressed in such cases as:

Shirley WILLIAMS, et al. v. SPRINT/UNITED MANAGEMENT COMPANY, 2005, and

Ryan v. Gifford, 2007

Both of which address the need to produce and preserve intact metadata.

In reading through Aguilar  I find the extended definitions of metadata and the issue of timing of the request to be the most interesting aspect.

This case stemmed from allegations of unlawful search and seizure.  Plaintiffs filed their initial discovery request in Feb. 2008.  Their request failed to address manner of production – specifically metadata.  In late March the plaintiffs filed a more specific request for certain documents to be produced in TIFF format with separate files documenting metadata fields and text, while others were to be produced in native format (spreadsheets and databases).

In mid-July the defendants objected.  As it turned out they were already well into assembling the requested documents in searchable PDF format.

In ruling on the case Judge Frank Maas takes time to define the different types of metadata using the Sedona Principles:

  • Substantive metadata – Created upon generation of a file by an application and reflective of changes made by a user.
  • System metadata – Information created by the user or the organizations IT structure.
  • Embedded metadata – Information not visible that becomes part of a native file.

He then refers to Federal Rules of Civil Procedure and states:

“Metadata is not addressed directly in the Federal Rules of Civil Procedure but is subject to the general rules of discovery.  Metadata thus is discoverable if it is relevant to the claim or defense of any party and is not privileged.”

He adds:

“[f]or good cause, the court may order discovery of any matter [including metadata] relevant to the subject matter involved in the action.”

He goes on to note that metadata is subject to the balancing test introduced by Rule 26(b)(2)(c) that would require a court to weigh probative value against burden.

This is all pretty standard stuff, and seems to be where a lot of the various forensic firms have stopped in their analysis of this case.  Too bad!  All of this has already been established in other cases (for instance the two I noted above).  There IS more, though, and it is interesting.

The judge states that metadata “has become the ‘new black,’ with parties increasingly seeking production in every case, regardless of size or complexity.”  And then he notes the time difference between the plaintiffs initial request (which did not specify manner of production) and when they actually specified the requirement for metadata.  By this time the defendants “collection efforts were largely complete” and didn’t include the metadata.  Because of this he observes that the plaintiff is essentially requesting a second production and faces an increased burden.

Even this ruling, though, has been well established in many cases – and Judge Maas cites a number of them in his decision.

The real interesting part that seems to be missed in most of the write-ups is what Judge Maas does with this “build-up”.

Relating to the emails to be produced a second time with metadata he rules that since the defendants had previously indicated a willingness to produce the emails with metadata intact that they would be ordered to produce emails that had not already been identified (about 300) with metadata.  It is interesting to me as a forensic examiner that the judge notes that “forwarding” emails kills the original metadata – someone noticed!

In addressing the Back up tapes Judge Maas applies the balance principle in Rule 26(b)(2)(B) and rules against the plaintiff.

Judge Maas addresses “Word processing documents and Powerpoint Presentations” by acknowledging the value of metadata in these documents to establishing timelines, but rejected the plaintiffs argument that metadata is required to efficiently search the documents.  He acknowledges that the probative value of metadata related to these documents outweighs the burden of production.  With this he ordered the defendants to produce the Word and Powerpoint documents with metadata intact with the provision that the plaintiff would bear the cost of production.

Regarding spreadsheets Judge Maas makes an interesting observation.  He states “the relevance of metadata depends upon complexity and purpose.”  While the spreadsheets in question did have formulas, they computed a simple sum and were not complex.  Stating that the plaintiffs had no evidence or reason to think fraudulent manipulation had occurred he found that the arguments of the plaintiff had no “relevance to claims or defenses in this case.”  Regardless, since the defendants had expressed a willingness to produce the spreadsheets in native format prior he ordered their production.

The last type of metadata addressed by Judge Maas relates to the defendants databases.  Previously the parties had agreed to review one of the databases in a live demonstration.  The plaintiff had demurred for lack of an expert to assist in the review.  The judge ruled that lack of an expert was no longer a cause for extension and ordered a date by which the plaintiffs must complete the review.

It is the many facets of metadata addressed that make this case interesting and useful.  I have no idea why others are focusing solely on the “need” to preserve and produce metadata, we already knew that.  Judge Maas has provided us with a fascinating study in metadata that goes beyond need.

Leave a Comment » | Cases, Production | Tagged: , , , | Permalink
Posted by inforensics