Why You Need a 2nd Opinion on Digital Evidence in Criminal Cases
in Digital Forensics / by Russell Chozick
Why would defense counsel in a criminal case hire their own forensic examiners to review evidence that’s already been examined by an accredited lab?
Here are the 3 most common scenarios we’ve seen in working with criminal defense attorneys.
1. Help me understand what this forensic evidence actually means?
The output of a digital forensic analysis is a formal report of findings, and sometimes those reports are not exactly written in layman’s terms. One of the most common services we provide to criminal defense attorneys is to help translate the digital evidence they received from the DA into plain English. As an accredited digital crime lab that supports both attorneys and law enforcement, we can ensure that defense counsel understands any digital evidence, especially any unique technical aspects of the findings report.
2. Could this digital evidence support an alternate version of events that my client claims?
The goal of any forensic analysis is to reconstruct a sequence of past events, and in some cases two different events can leave a very similar digital trail. We’re often asked by defense attorneys whether the digital evidence presented could support an alternative version of events. In some cases, we can answer this question by simply reviewing the existing evidence. In other cases, we may need to actually perform our own analysis of the evidence to validate the findings and uncover additional information that could support an alternate scenario.
3. I want to dispute the evidence presented by the DA and want a lab I can trust to perform a new analysis.
When cases are expected to go to trial, we’re often asked to perform a detailed review of the chain of custody, forensic procedures and findings of the digital evidence in the case. Our digital crime lab is accredited under the same program as state labs and the FBI, so we have the credentials and experience to perform a comprehensive analysis of any digital evidence and either confirm the findings or identify any potential issues in how the evidence was handled or in the conclusions that were drawn.
If you need an expert second opinion on the digital evidence in a criminal case, contact Flashback Data, LLC. Our digital forensics lab is accredited under the same program as state and federal crime labs, and we’re experienced in working with attorneys in criminal cases across the country.
CALL 866-786-5700 FOR A FREE CONSULTATION!
Digital Forensics Terms for Attorneys
in Digital Forensics / by Russell Chozick
Digital forensics can be pretty technical, but there are a few things that attorneys working with digital evidence need to know.
We’ve compiled a list of some of the most important technical concepts in digital forensics and why they’re relevant to attorneys.
Verified Forensic Image – a special kind of “copy” of all the contents of a hard drive, flash drive, etc. Rather than copying “files”, a forensic image copies all the underlying 1s and 0s that represent the information (visible and invisible) on a target drive. A forensic examiner can then verify that the forensic image is exactly the same as the original using what is called a “hash value” (see next term).
Attorneys should care about a verified forensic image for two reasons. First, it preserves original evidence in case the forensic analysis needs to be repeated. Second, until a verified forensic image is created, there is no guarantee that the information on a hard drive won’t be modified (purposely or accidentally). If you need a digital forensic analysis for your case, try to get a verified forensic image created as soon as possible.
Hash Value – a unique identifier that is used to validate that a forensic image (or any kind of digital copy) is an exact replica of the original. Any digital file or hard drive is at its core a set of 1s and 0s. Forensic experts use a special algorithm to create a numeric code, called a hash value, that is unique to the exact set of 1s and 0s on a specific drive. If a single 1 or 0 on the drive changes, then the hash value is completely different. In practice, an examiner generates a hash value for the original device, creates a forensic image and then validates that the hash value of the image matches the original.
Attorneys should care about a hash value because the digital evidence on a hard drive is not just the list of files that are easy to copy. If you get a plain old copy of a hard drive that didn’t verify matching hash values on the original and the copy, you could be missing some critical evidence in the case.
Write Blocker – a specialized piece of hardware that forensic examiners use to access digital evidence without modifying it. Any time you connect to a hard drive, flash drive, etc, you run a risk that your computer’s operating system will make changes to that drive inadvertently. By using a write blocker, a digital forensic examiner removes that risk.
Attorneys should care about write blockers because if you hire an IT expert (instead of a certified digital crime lab) to examine your digital evidence and that person doesn’t use a write blocker, you could actually be destroying the digital evidence instead of securing it.
JTAG / Chip-Off Forensics – two methods of accessing digital evidence on mobile devices, especially when the device is damaged or password locked. They require very specialized equipment and only a few labs can typically perform these types of acquisition. You can read a more technical explanation of these methods here.
Attorneys should care about JTAG and Chip-Off methods because they may be your only way to recover digital evidence from a cell phone that has been physically damaged or is password locked.
Forensic Protocol – In the context of a legal case, the forensic protocol is an explicit set of steps that a digital forensic examiner will take to acquire and analyze a specific device or set of devices. Usually, this protocol is documented and agreed to by both parties in a case.
Attorneys should care about forensic protocol to eliminate potential questions about digital evidence especially in contentious cases or if there are questions about what data is relevant and producible for the case. A good digital forensics partner can help you draft the forensic protocol.
Allocated vs Unallocated Disk Space – This is really the difference between “used” space and “free” space on a hard drive. The “allocated” space contains all the files and programs that a typical user can see. This includes things like documents, spreadsheets, emails, programs, browsing history, etc. The “unallocated” space is all the other disk space on your drive. Unallocated space includes empty space but also includes files that are deleted but have not been overwritten. A digital forensic examiner can analyze the unallocated space on a drive to possibly recover deleted files and recreate a history of activities on the device.
Attorneys should care about unallocated disk space because it can contain lots of “hidden” digital evidence like deleted files that most users can’t see.
Accredited Digital Crime Lab – Private digital forensics labs aren’t required to be formally accredited, and many labs are not accredited. The most widely recognized certifying body is the ASCLD, which certifies FBI and state crime labs. The accreditation process is exhaustive. It validates that a lab has and consistently follows generally accepted processes and procedures for securing, preserving, handling and analyzing digital evidence. You can read more about ASCLD accreditation processes here.
Attorneys should care about using an accredited digital crime lab because it ensures that any findings from the lab’s analysis will hold up in court. More importantly, using a lab that is not accredited can be an invitation for opposing counsel to question the forensic findings.
If you need help with digital evidence for a case involving IP theft, family law or other criminal or civil issues, contact Flashback Data today. We work with attorneys, DAs and law enforcement across the country and our digital crime lab is accredited by the ASCLD.
Common Mistakes In Selecting A Digital Forensics Partner
in Digital Forensics / by Russell Chozick
Digital forensics is an increasingly common part of IP theft, family law and criminal and civil cases. If you’re looking for a digital forensics partner to help with your case, don’t make these common mistakes:
MISTAKE #1: Hiring the IT Guy
Some attorneys are tempted to hire a sharp, knowledgeable IT expert to help them with the digital evidence in their case. However, technical expertise is only a part of what you need to analyze the digital evidence for your case. You also need to ensure that the analysis will actually hold up in court. That’s where an accredited digital forensics lab comes in.
A certified digital forensic examiner at an accredited lab will:
The real question you need to ask yourself about a forensic expert is not whether that person can get the data from the device, but whether their analysis will hold up in court.
MISTAKE #2: Misunderstanding Certifications for Expertise
Certifications are a crude way to judge the expertise of a digital forensics examiner. Some certifications, like ‘EnCE’ and ‘ACE’, are offered by forensic software vendors to certify knowledge of how to use specific software tools. In the legal world, this is like being a certified expert on Lexis/Nexis. It’s valuable and it may be necessary, but it doesn’t mean you’re a good lawyer.
If you want to look at certifications, make sure one of them is ‘CFCE’ – Certified Forensic Computer Examiner. The IACIS offers this certification that focuses on core digital forensics competencies and processes rather than just the tools.
Beyond certifications, you might want to ask about:
MISTAKE #3: Not Allowing Enough Time for the Analysis
By far the biggest mistake that we see attorneys make is to underestimate the time it takes to complete a proper digital forensic analysis. There are parts of the digital forensics process that can be expedited and parts that can’t. This is by design.
The goal of a professional digital forensic examiner is to complete a transparent, repeatable forensic process based on a comprehensive analysis of the available data, and deliver an understandable set of findings that can stand up in court.
For example, you may want to hire a forensic expert to produce a set of communications between two parties. At some level, this seems simple, but that involves creating a forensic image of each device in question so that the analysis can be repeated if necessary. Then, the examiner needs to analyze every bit and byte on the digital media to ensure that they find all the relevant communication.
Regardless of how tightly scoped the engagement, the process is largely the same in order to satisfy the requirements of the court system.
If you need the support of an experienced, accredited digital forensics lab for a family law case, contact Flashback Data today. Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.
Digital Forensics for Family Law
in Digital Forensics / by Russell Chozick
The sheer volume of digital evidence available to attorneys in family law cases can be overwhelming. An experienced digital forensics partner can help an attorney focus on the specific data that is critical to the dispute while ensuring that any evidence and forensic analysis can stand up in court.
Flashback Data LLC has supported literally hundreds of family law cases as an accredited digital forensics lab. While every case is a little different, here’s how we typically support attorneys in family law:
SO MUCH DATA
Our engagements begin with a brief call to discuss the case in order to define a specific scope of work that addresses the data needs and timeline of the case. This is particularly important in family law cases because the volume of potentially producible data is so large.
Of all the kinds of cases that Flashback Data supports (IP theft, criminal defense, civil law, family law), family law cases have by far the most producible data. After excluding any privileged attorney-client communications, pretty much everything else can be producible for a family law case. More specific direction up front helps our clients save money and get the answers they need faster.
FORENSIC PRESERVATION
We often support attorneys in defining which devices need to be part of a preservation order as well as defining the forensic protocol to deliver any producible data. Once we know which devices are involved and generally what we’re looking for, the formal forensic process begins.
The foundation of any digital forensic analysis is a structured, documented approach to preserving data by creating a forensic image of every mobile device, computer or external hard drive that is relevant to the case. Even if you don’t expect the evidence to be contested, a structured, repeatable forensic process is required for any analysis to hold up in court.
OBJECTIVE VS. SUBJECTIVE DATA
When working with a digital forensics lab in support of a family law case, it’s important to know when you’re looking for objective vs. subjective information. A good examiner can help an attorney with both.
Questions about travel, location data or even assets and income can usually be answered objectively. Travel and location data can be pulled directly from cell phone history or indirectly from email or text communications or even metadata on digital images. Asset and income data can usually be found in financial software, spreadsheets or email communications.
Other questions are much more subjective. In family law, the most common example is the question of infidelity. Other than the occasional “smoking gun”, a digital forensic analysis rarely produces objective proof of infidelity. To help with questions of infidelity, a forensic examiner’s job usually involves finding all the written communications (email, SMS text, etc.) and call records between the two parties, even if those records have been deleted. A forensic examiner won’t (and shouldn’t) make a subjective judgment about the content of those communications.
An experienced forensics partner will work with you to understand what kind of information is critical to your case and whether or how that information can be objectively captured and validated via forensic analysis.
TESTIMONY
The final step in the process is providing expert testimony in a deposition or court. All the work we do up to this point was done specifically to make this part of the process as straightforward and unremarkable as possible. Our certified, experienced examiners and accredited lab mean that our expertise is readily accepted. Our examiners are comfortable presenting (and defending) their credentials, their forensic process and their findings under oath.
GETTING HELP
If you need the support of an experienced, accredited digital forensics lab for a family law case, contact Flashback Data today. Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.
Mass File Deletion Isn’t Always Malfeasance
in Digital Forensics / by Russell Chozick
A recent civil case we supported reminded me of the difference between a cursory technical analysis and a full forensic analysis of a digital device. The issue in question was whether evidence of mass file deletion was evidence of malfeasance. Opposing counsel’s “expert” said it was, we disagreed.
Our Initial Analysis
In this case, we were working with an attorney whose client was accused of having many files that he was not supposed to have on his computer. The computer was placed under a preservation order by the courts, and he was prohibited from deleting any files on his computer.
We were asked to perform a forensic analysis of the computer to look for any files that the person wasn’t supposed to have or for any evidence that he had deleted files. Our examination turned up nothing of interest and no evidence that this person had deleted any files.
Opposing Counsel’s Expert Disagrees
On a Sunday night, after we had done our examination, we received a frantic call from the attorney. Opposing counsel’s forensic computer expert had written a report stating that he had found considerable proof that “hundreds of files” were deleted. Our client emphatically maintained that he had not deleted anything, so we reassured him that we would look into the report from the opposing expert.
The opposing expert stated that he had found an “evidence eliminator” that was used to destroy hundreds of files. We were shocked; our senior examiner had done a thorough examination and had found no evidence of malfeasance. We felt confident that our client had not deleted any files, and quickly returned to our lab to re-open the case.
Upon Further Analysis – The Whole Truth
The first thing our examiner found was there were indeed around seven hundred files that had been deleted. How could we have missed that? We then looked for a file mentioned in the opposing expert’s report called, “SymEraser,” and to our astonishment there it was, as we say in Texas, “Bigger than Dallas!” Wow, we started to doubt our findings. Before losing all hope, we quickly ran a Google search for “SymEraser.”
It turns out that “SymEraser” is a file included in Norton Antivirus, Symantec Antivirus, and various other Norton and Symantec packages that include antivirus software. It is not an “evidence eliminator”, it was a virus eliminator. OK, that’s not too bad, but what about all those files? There were definitely hundreds of deleted files. We re-examined them. They were all deleted from a folder called “virdef.” They were in fact, virus definition files. Our client had not deleted them; Norton Antivirus had deleted them when it had updated the computer to a newer set of definitions! This was not the blatant act of a human malfeasance, but rather an automatic function of a piece of software.
We had done our forensic examination, and had not found anything malicious or suspect. Opposing side’s expert had done his examination, and had found quite a lot. So what was the truth? The truth was that files were deleted during a time that our client was not supposed to delete files. The truth was that there is a software program called SymEraser, which eliminates things. That was the truth. Fortunately for our client, it was not the whole truth!
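The lesson of this case, sketched as an added example that is not the lab's tooling or method: a count of deleted files means little until the deletions are grouped by where and when they happened. The records below are constructed, the drive paths are invented, and the `MANAGED_FOLDERS` map is an assumption standing in for folders an examiner has already tied to a program's own housekeeping (here the “virdef” folder named in the post).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: folder names the examiner has already attributed to software housekeeping.
MANAGED_FOLDERS = {"virdef": "antivirus definition update"}


def sample_deleted_records():
    """Constructed (path, deletion time) records; not data from the case."""
    start = datetime(2018, 1, 14, 3, 0, 0)
    records = [
        (rf"C:\AV\virdef\20180110\def{i:03d}.dat", start + timedelta(milliseconds=20 * i))
        for i in range(40)
    ]
    # Two isolated deletions in user folders, days apart.
    records.append((r"C:\Users\client\Documents\notes.docx", datetime(2018, 1, 9, 16, 42, 0)))
    records.append((r"C:\Users\client\Desktop\export.csv", datetime(2018, 1, 12, 9, 5, 30)))
    return records


def find_bursts(records, max_gap=timedelta(seconds=2), min_files=10):
    """Group deletions by parent folder, then split each folder's deletions
    into runs whose consecutive timestamps are at most max_gap apart."""
    by_folder = defaultdict(list)
    for path, when in records:
        by_folder[str(PureWindowsPath(path).parent)].append(when)

    bursts = []
    for folder, times in by_folder.items():
        times.sort()
        run = [times[0]]
        for t in times[1:]:
            if t - run[-1] <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_files:
                bursts.append((folder, run))
            run = [t]
        if len(run) >= min_files:
            bursts.append((folder, run))
    return bursts


def triage(records):
    """Separate bursts that sit inside a known managed folder from everything
    that still needs an examiner's attention. This is a triage aid only: it
    narrows the question, it does not answer it."""
    findings = []
    attributed = 0
    for folder, run in find_bursts(records):
        parts = {p.lower() for p in PureWindowsPath(folder).parts}
        source = next((why for name, why in MANAGED_FOLDERS.items() if name in parts), None)
        if source:
            attributed += len(run)
        findings.append({
            "folder": folder,
            "files": len(run),
            "span_seconds": (run[-1] - run[0]).total_seconds(),
            "likely_source": source or "unexplained burst: examiner review",
        })
    return {
        "total_deleted": len(records),
        "attributed_to_software": attributed,
        "needs_review": len(records) - attributed,
        "findings": findings,
    }


if __name__ == "__main__":
    summary = triage(sample_deleted_records())
    for key in ("total_deleted", "attributed_to_software", "needs_review"):
        print(key, summary[key])
    for finding in summary["findings"]:
        print(finding)
```
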
If you’re in need of digital forensics support for a case involving IP theft, family law or criminal law, contact Flashback Data today. We’re the first private digital crime lab accredited under the same program as the FBI. We’ve helped hundreds of attorneys to preserve, analyze and understand the digital evidence in their case.
THIS POST WAS UPDATED AND REPOSTED ON 8/7/18
Digital Forensics for IP Theft Cases
in Digital Forensics / by Russell Chozick
Cases involving theft of intellectual property often hinge on the findings of a digital forensics analysis of specific digital media or devices. If your client suspects IP theft or has been accused of IP theft, here’s how an accredited digital forensics lab can help you with the case.
Flashback Data, LLC has supported plaintiff and defense attorneys on literally hundreds of IP theft cases. Based on our experience, a digital forensics lab may assist attorneys in a variety of ways.
Plaintiff’s Counsel
Step 1: Consultation
Our first involvement with a potential IP theft case is typically a phone consultation (30 – 60 minutes) to get an overview of the suspected theft, what evidence exists, what information was accessed or stolen and what media and devices are available for forensic analysis.
The most common example is a company that suspects a former employee downloaded a client list before leaving. We’ll want to know if the company still has that employee’s computer and/or cell phone, along with information about which system or systems contain the client list in question. This information will help us and you understand how a digital forensic analysis could support the case.
Step 2: Secure and Preserve The Evidence
Assuming there are digital devices or media to analyze, we’ll want to secure those devices as soon as possible. In the context of a digital forensics analysis, securing a digital device is more than just having physical control of it. We’ll also need to isolate that device from any computer networks, Bluetooth devices and wireless and cellular internet access. This should be done as quickly as possible to preserve any files that may be altered over time (purposely or not).
Step 3: Forensic Analysis
Our certified forensic examiners will analyze the devices in question to look for the specific evidence or activities that we discussed in the initial consultation. Depending on the devices, this can take anywhere from a few days to a few weeks.
Even if your in-house IT team has found evidence of theft, you may still need a certified forensic examiner to perform an analysis, especially if you expect the employee to contest the claims. A certified digital forensics examiner will proceed with the intent of creating a forensic report that is transparent, repeatable and can hold up in court. That means preserving evidence, following defined procedures and strictly documenting every step in the analysis.
Step 4: Report on Findings
We’ll prepare a formal report of findings that are clear and understandable to you, your client and any other parties in the case, including the judge.
Step 5: Litigation Support (as necessary)
As we noted above, one of the greatest values of a professional digital forensic analysis, especially from a certified crime lab, is that it can hold up in court even through adversarial cross-examination. Our examiners are experienced in explaining and defending their analysis in a formal deposition.
Defense Counsel
The main difference in supporting defense counsel vs plaintiff’s counsel is that an assessment has typically already been completed by the plaintiff.
Step 1: Technical Analysis / Consultation
Our initial focus with defense counsel in IP theft is to review any existing claims and help them understand the technical details of the evidence. Some common issues that we discuss with defense counsel are:
Step 2: Forensic Analysis
Depending on how well the initial claims are substantiated, the defense may want to perform their own digital forensic analysis. In that case, we normally begin by helping counsel justify such an analysis and any associated discovery needs to the court. This includes things like helping to define what data is related to the case (producible) and what isn’t. We also help to define the “forensic protocol” for the analysis. This is a codified document agreed to by both parties that describes the series of steps that the forensic examiner will perform. Once we receive the device(s) in question, we follow a similar path to what we described above.
GET HELP TODAY!
If your client is involved in an IP theft case, Flashback Data can help. We were the first private digital crime lab accredited under the same program as the FBI and state labs and we offer experienced examiners, personalized service and fast turnaround times.
We’ve completed thousands of digital forensics exams for hundreds of attorneys in IP theft, family law and other criminal and civil cases. Contact us for a free consultation about your case today.
The Major Differences Between Digital Forensics and eDiscovery
in Digital Forensics / by Russell Chozick
Almost every litigation now involves some sort of digital evidence, whether it’s a criminal case, IP theft or even family law. Depending on the unique details of the case, there are two different ways that digital evidence can be obtained, analyzed and used – eDiscovery and digital forensics. Electronic discovery will be used in almost every case. Digital forensics is used when you need to dig deeper into the digital evidence.
Electronic Discovery
Electronic discovery or eDiscovery generally collects active data. Active data is classified as information and data that is easily available through file storage and program managers utilized by a business or individual.
When collecting data through electronic discovery, the data usually goes to the legal counsel who then performs his or her own review on the data. The professionals collecting this data are simply transferring information and do not discuss the intent of the user or business. They also do not provide legal advice. Electronic discovery is useful when the only information needed involves easily accessible files such as email, calendars, documents, and databases.
If some of the information required by eDiscovery has been deleted or if there is a suspicion that it has been tampered with or altered in some way, then you’ll need to engage the assistance of a digital forensics expert.
Digital Forensics
A forensic analysis of data is needed when the litigation requires a deeper look at the information on a digital device, especially if there is a suspicion that digital evidence has been deleted or altered in some way.
A digital forensics examiner uses specialized tools and interfaces to analyze both the visible and “invisible” data on a specific piece of digital media. The “invisible” data includes things like deleted or edited files, old emails, deleted browsing or social media history, etc. In some cases these old files may not be recoverable, but a digital forensic expert may be able to demonstrate that certain files were actually deleted by a specific user at a specific time and may also uncover programs that are frequently used to encrypt, hide or delete data that a user wants to keep secret.
Common examples of data that can only be retrieved through digital forensics are:
Digital forensic experts are brought in to produce more than data for a case. They analyze that data in hopes of finding evidence that can be used for a client. Typically, they partner with a legal team to determine what type of data they are seeking before the forensic examination takes place. Digital forensic experts are often active throughout a case and can be called on in legal proceedings to defend their claims about the information.
Maintaining Data Integrity
Regardless of what method of data collection is used, it is important that the data remains protected. When collecting data through electronic discovery, large amounts of information are transferred from the original source. Copies of the relevant files should be made to ensure that no changes are being made to the original files.
Maintaining data integrity requires more specialized tools and processes in the world of digital forensics. By definition, you’re focusing on data that is not easy to find and is often controlled by background processes on a computer. Digital forensics experts use tools to ensure that information is accessed safely. They also create what is called a “verified forensic image” of a specific device or piece of media. Unlike a standard file copy, a forensic image is a bit-for-bit copy of all of the contents of a drive, even the data that is hidden from users. Maintaining a verified forensic image is a critical component of a professional forensic exam that can hold up in court.
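The difference between a standard file copy and a verified forensic image, as an added illustration that is not from the original post: the “drive” is a constructed four-sector byte string, SHA-256 is an assumed stand-in for whatever hash algorithm an examiner’s tool uses, and all function names are hypothetical.

```python
import hashlib
import io

SECTOR = 512
LIVE = b"quarterly_report: revenue figures"        # constructed sample data
DELETED = b"DELETED: draft email to competitor"    # constructed sample data

def build_constructed_disk():
    """Toy 4-sector drive: sector 1 is a live file; sector 2 holds remnants
    of a deleted file that the file table no longer references."""
    disk = bytes(SECTOR) + LIVE.ljust(SECTOR, b"\x00") \
        + DELETED.ljust(SECTOR, b"\x00") + bytes(SECTOR)
    file_table = {"report.txt": (1, len(LIVE))}  # name -> (sector, length)
    return disk, file_table

def sha256_of(stream, chunk=SECTOR):
    digest = hashlib.sha256()
    while block := stream.read(chunk):
        digest.update(block)
    return digest.hexdigest()

def acquire_image(source, chunk=SECTOR):
    """Bit-for-bit copy: read every sector in order, hashing the source as read."""
    digest, image = hashlib.sha256(), io.BytesIO()
    while block := source.read(chunk):
        digest.update(block)
        image.write(block)
    return image.getvalue(), digest.hexdigest()

def file_copy(disk, file_table):
    """Ordinary copy: only the bytes the file table still points to."""
    return {name: disk[s * SECTOR: s * SECTOR + n]
            for name, (s, n) in file_table.items()}

def verify(image, source_hash):
    """Re-hash the image independently and compare with the source hash."""
    return sha256_of(io.BytesIO(image)) == source_hash

def demo():
    disk, file_table = build_constructed_disk()
    image, source_hash = acquire_image(io.BytesIO(disk))
    copied = file_copy(disk, file_table)
    altered = bytearray(image)
    altered[SECTOR] ^= 0x01  # flip one bit of the image
    return {
        "image_verified": verify(image, source_hash),
        "deleted_data_in_image": DELETED in image,
        "deleted_data_in_file_copy": any(DELETED in d for d in copied.values()),
        "altered_image_verified": verify(bytes(altered), source_hash),
    }

if __name__ == "__main__":
    print(demo())
```

The image verifies and still contains the deleted remnant; the file copy does not contain it, and an image with a single flipped bit no longer matches the source hash.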
When to Consider Digital Forensics
The use of digital forensics in IP theft, family law and criminal cases is increasing rapidly. As digital devices become a constant fixture in our lives, any investigation of a person or entity’s activities must include an investigation of their digital footprint.
Courts are less willing to grant blanket access to all the data associated with a person or company and require details of the specific information that will support a specific case.
If you expect your case to be contentious or you suspect that data has been altered or deleted, it helps to bring in a digital forensics expert as soon as possible. They can help preserve data from the start and find deleted data or evidence of deleted data to help make your case.
The experts at Flashback Data have helped hundreds of law firms in the areas of IP theft, family law and criminal defense. Our digital crime lab is accredited under the same program as the FBI and state labs and we offer fast turnaround time to support the needs of your case. Contact us for more information or
CALL US AT 866-786-5700 FOR A FREE CONSULTATION.
UPDATED 7/16/18; ORIGINALLY POSTED 6/30/17
Choosing The Right Private Digital Crime Lab
/in Digital Forensics /by Russell Chozick
The 6-18 month backlog at most RCFLs and state digital crime labs is forcing law enforcement and DAs to consider alternatives to handle their growing need to analyze digital evidence. Private digital crime labs offer a compelling alternative to the RCFL or state lab with the ability to recover evidence from a wider range of devices and to deliver much faster turnaround times.
If you’re considering working with a private lab, here are a few suggestions to help you make the right choice for your department.
1) Lab Accreditations
Before you hire a private lab, you will obviously need to believe that they’re experts in the field of digital forensics. However, the question you should be asking is not whether YOU believe they’re experts but whether a COURT would believe they’re experts in the face of an adversarial cross-examination.
The most objective way to determine if a digital crime lab has institutional expertise is to look for third-party accreditations like those used by the FBI and state crime labs. The best known of these accrediting bodies is the ASCLD/LAB International. This type of accreditation verifies that the lab follows procedures that produce accurate, consistent and reproducible findings. If you’re going to hire a private crime lab, you should consider such an accreditation as a minimum requirement.
2) Concise, Readable Reports
Expertise is obviously important, especially if a case goes to trial, but the ability to communicate a set of forensic findings clearly and concisely is almost more important. After all, not every case goes to trial, but every case with digital evidence will have a forensic findings report. If a lab’s typical findings report can’t be easily understood by officers, detectives and attorneys, then it has little value. Ask to see a few sample reports from prospective labs to see how clear and concise they actually are.
3) Budget Predictability and Flexibility
Cost is obviously a primary concern when hiring an outside lab. Rather than focusing on the hard dollar costs or an hourly rate, think about how you can structure an agreement that can give you a mix of predictability and flexibility. You’d like to fix the costs (predictability) and still have the ability to handle any of the wide range of digital devices your officers may encounter (flexibility). Some labs package their services in predefined “units” based on common device types so you can purchase a block of “units” and then use them in whatever combination you need.
4) Litigation Support
A final consideration is a lab’s ability to provide expert testimony via deposition or in court as necessary. While you may need this type of support only on occasion, it’s important to understand how well a lab can support and defend their analysis. Ask potential lab partners about their experience testifying in court and their availability to do so. You’ll also want to ask about the specific certifications that the examiners maintain. The accreditation of a lab is important to ensure consistency but if an examiner has to take the stand, you’ll also want to know that he or she has sufficient individual credentials as well.
If you’re considering hiring a private digital crime lab to support your department, contact Flashback Data. We work with law enforcement and DAs around the country and are accredited under the same program as the FBI and state crime labs. We provide digital forensics services from pre-seizure planning through litigation, and offer a range of convenient packages that give you predictable costs and flexible service options.
Most Popular Digital Forensics Posts
/in Digital Forensics /by Russell Chozick
We’ve assembled the 5 Digital Forensics posts that have been most popular with our readers in the law enforcement community. Check them out.
1. 3 Words Never To Use in a Courtroom
2. Top 3 Mistakes Made On Scene with Digital Evidence
3. Forensic Options for Locked or Broken Mobile Devices
4. Securing Digital Evidence in a Water Emergency
5. Forensics on Digital Images: Worth More Than 1,000 Words
If you or your team want help training officers on dealing with digital evidence on scene or you need help with forensic analysis of digital evidence, contact Flashback Data.
We help law enforcement and DAs around the country with digital forensics analysis and are the first private digital crime lab accredited under the same program as the FBI and state labs.
Most Popular On-Scene Digital Forensics Tips
/in Digital Forensics /by Russell Chozick
Digital devices present unique challenges to officers who may need to secure evidence from those devices. Decisions made by officers during the first few moments on scene can have far-reaching effects on the department’s ability to secure that evidence and eventually make a case.
Don’t miss our most popular on-scene tips to help officers protect and secure digital evidence.
1. Top 3 Mistakes Made On Scene with Digital Evidence
2. Securing Digital Evidence in a Water Emergency
3. On-Scene Tips for Securing Computers for Forensic Analysis