Matrix

About Specialization

The professions of medicine and law are somewhat similar: they are expensive, often painful and we hope we feel better when the procedure is over than we did when we started.

Suppose one day you went to the dentist for a filling and while you were there, you mentioned that you were scheduled for heart surgery the next week.  If he told you that he could perform your bypass, would you take him up on the offer?

In medicine, most people understand the idea that specializations exist and why.  Medicine is a complex field and it makes sense to choose someone whose expertise relates to your particular problem. It’s not a question of whether your doctor knows what to do to fix your problem, but rather whether he knows what to do when things don’t go as planned.

It’s interesting that this same attitude does not always translate over to the law – and specifically to the field of digital examinations. Too often we are called in to clean up a botched examination after unqualified people have “had a go” at developing evidence on a computer or mobile phone.

The field of e-discovery has many specializations. Some of these are equipment-based: tape restorations, outdated discs, rare or arcane operating systems or applications. A vendor won’t be able to perform in this case because they lack the ability to connect your data to the platform they use for processing.  It is when the specialization is knowledge based, like with digital forensics, that we run into a particularly dangerous issue.

In order to properly handle, acquire and view a hard drive or other devices, some specialized hardware and software is necessary. The baseline cost for a capable complement of equipment is around $10,000 – a sum that is within reach for almost every business. As a matter of fact, there are many people who advertise digital forensics services with little more than the baseline equipment, a week of classroom training and no practical experience in either computers or investigation.

Why has this happened? The answer is simple:  businesspeople saw a revenue stream that they were not tapping and looked into “what is necessary” to conduct an examination on a digital device.  That week-long basics course allows them to speak about the field as if they understand it (and to sound like an expert to someone who knows nothing about the field), while the equipment adds the rarefied air of being a “specialist” whose toolkit contains mystical and unusual devices.

Some examinations may be extremely simple and straightforward.  The computer has not been tampered with or mishandled, no evidence is hidden and the investigation requires no analysis or conclusions.

When a novice conducts these types of examinations, the entire process may go smoothly – adding to their client’s perception of them as an expert.  Many times, no testimony is required – or if there is testimony, no opposing expert exists to counter it.

What happens when the examination is not so straightforward?  What if the system clock was changed to backdate documents?  What if key evidence has been securely erased with a third-party application?  What if you need to correlate evidence among several related devices?  These are not investigative results you can achieve with the press of a button, or after a week’s tutoring.  Many times, modification or manipulation of data will go completely undetected by an unskilled investigator.

Another key function of an experienced professional investigator is to provide some context for the investigation.  Let us suppose that there is evidence of backdating of the system clock and it is detected.  Knowing how frequently backdating occurs in similar cases suddenly becomes vitally important.  Being able to state in court that an event is rare, based on your personal knowledge over hundreds of examinations and your discussions with other recognized experts in the field is much more powerful than saying it’s rare because you heard it in a class last week.

Being able to conduct complex analysis and provide expert opinions are hallmarks of the professional digital investigator – not the use of a particular tool or program.  Anyone can buy a hammer, but owning a hammer doesn’t make you a carpenter.

When you have important evidence on a computer or cell phone, being able to evaluate your options early can save a mountain of heartache down the road – contacting an expert first and getting an idea about the complexity and difficulty of the case will allow you to choose the best path for your investigation and to ensure that you make the best use of every dollar you spend.