Archive for category: Digital Forensics

iOS exploits and their impact on digital forensics

Last September, the iOS hacking community got a big surprise when a security researcher named axi0mX released a ‘game changing’ exploit called ‘checkm8’.  What makes checkm8 so unique is that unlike previous exploits, it is a Boot ROM exploit. This means that on affected devices, there is no way for Apple to patch it via software updates.

To be clear, this exploit is not a remote threat, as the physical device must be tethered to a computer. Further, it does not allow someone to bypass your PIN or Touch/FaceID. The exploit is also non-persistent.  Meaning that once the device is rebooted, the exploit is removed.

The affected devices are and iPhone and other iOS models such as iPad running Apple’s A11 chip or earlier.  Which basically means, any iOS device before and including the iPhone X. The iPhone XR, XS, 11, and Pro models are not included in this exploit.

How can this new exploit help us in digital forensics? 

The checkm8 exploit now allows us to obtain an entirely new level of device data extraction which, up to this point, was impossible. Previously, on Phones newer than the iPhone 4, we were essentially only able to get what equates to an iTunes backup of the device. In many cases, this is fine.  However, over the years Apple has made it increasingly difficult to recover deleted information from chat databases and other application data by using a vacuum-like function that cleans up databases more frequently than earlier iOS versions.

Checkm8 allows a forensics examiner to exploit the device, collect the file level decryption keys and then extract the entire active file system of the device including the keychain and other valuable data previously unattainable by earlier extraction methods. Previously, we were only able to get parts of the data which were approved to be included in iTunes backups. The aforementioned non-persistence is great because no user level data is altered, and we no longer even have to boot the device into the native iOS.

For example, below are the results from a test iPhone in our lab on which we performed two separate extractions: Advanced Logical vs Checkm8.   The first screenshot from Cellebrite Physical Analyzer shows what was retrievable via the traditional Advanced Logical extraction, about 8.5 gigabytes of data.

The next screenshot, below, shows the data which resulted from the checkm8 full file system extraction of the exact same iPhone:

The difference in readable data obtained is staggering! The full file system extraction pulled approximately 36 GB of data, vs the 8.5 GB obtained via the advanced logical method. With Chat messages alone we were only able to obtain 251 messages and 9 deleted messages via the old method. With the exploited method we recovered 3228 messages and 75 deleted messages.

Another key area is that the phone stores logs that are usually inaccessible to the users. These logs store massive amounts of data related to how a user interacts with a device as well as tons of extra location data.  There is a treasure trove of information that we are still just discovering.

Think about the implications of this extra data in a criminal investigation or traffic accident cases.

Digital Forensics for Attorneys

Top Forensics Posts for Attorneys

We’ve assembled the 5 Digital Forensics posts most popular with attorneys and the legal community. Check them out…

  1. Digital Forensics Terms for Attorneys
  2. Why You Need a 2nd Opinion on Digital Evidence in Criminal Cases
  3. Mass File Deletion Isn’t Always Malfeasance
  4. The Major Differences Between Digital Forensics and eDiscovery
  5. Digital Forensics for IP Theft

If you need the support of an experienced, accredited digital forensics lab for a case involving IP theft, family law, criminal defense or civl law, contact Flashback Data today. Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.


Digital Forensics and the Case Timeline

How To Align Your Forensics Support to Your Case Timeline

“We go to trial in 2 days and I need this digital forensic analysis done tomorrow!”

We get requests like this frequently and we do our best meet our clients’ case timelines if we can.

If your case needs the support of digital forensics, it’s important to understand how to align your forensic needs to the timeline of the case. There are some parts of a typical forensics exam that can be expedited and some that can’t.

Here’s what’s typically involved in a forensics examination and how long it takes.


The forensic protocol is the agreed upon set of steps that the forensic lab will follow to acquire, segregate and analyze the information that is relevant and producible for the case. It typically specifies what is and isn’t producible from a technical perspective.

For example, an IP theft case may require a forensic analysis of a home computer. The forensic protocol would specify dates and types of information that could be included in the analysis.

We usually help our clients draft the forensic protocol, which is actually the easy part. The part that takes time is sharing that proposal with opposing counsel and/or the judge and coming to a final agreement. In some cases, this can take weeks, but in most cases the entire process takes anywhere from two days to a week.


We’ll assume that we’re already in possession of the device(s) in question. Obviously, if this isn’t the case, then there is some time involved in actually transporting the device via overnight mail or courier.

In forensic terms, “acquisition” is about getting the data from the original device into our lab environment so it can be properly analyzed. We create a verified forensic image of the entire drive or media. This step is required for the forensic analysis to hold up in court and there are no shortcuts.

The length of time required for acquisition depends on the size of the drive and how easily accessible the data is. The quickest and easiest would be a standard unlocked mobile device, which normally takes a few hours. Large storage arrays or devices that are physically damaged or password locked can easily take a few days.


Once we have a forensic image, we can begin the formal analysis of that data. The time required for this is wholly dependent upon the scope of the analysis (ie. what we’re looking for) and can be complicated by the forensic protocol. This process can take 1-5 days.


After the forensic lab has completed its findings, an attorney must then review them in the context of the overall case strategy. In our experience, this is the one part of the process that attorneys most often forget about or underestimate.

If the digital evidence answers an objective yes or no question, this is easy. However, if the digital evidence is a transcript of conversations, then this review can take several days.

The best example is a family law case that hinges on a question of infidelity. The digital forensics lab will be asked to produce a transcript or log of communications between two parties. A typical 40 year old adult sends and receives over 1,500 text messages every month, so these transcripts can be lengthy. The attorneys must then review the content of the transcripts to draw any relevant conclusions about intent or relationships.

Don’t forget to leave yourself plenty of time to review and understand the digital evidence in the case.

If you have a case that includes digital evidence, contact Flashback Data today. We have supported attorneys in IP theft, family law and other civil and criminal cases for over a decade, and our digital forensics lab is accredited under the same program as the FBI and state crime labs.


Spoliation of Digital Evidence

Spoliation of Digital Evidence in Civil Cases

The most common issue in digital forensics for civil cases is spoliation.  Any evidence that one party negligently or intentionally destroyed or modified relevant information can have a huge impact on the outcome of a case.

Here’s how a digital forensics lab can help attorneys in cases where spoliation of digital evidence is suspected.

Secure the Evidence and Establish Chain of Custody

The first step in any forensic analysis is to secure the specific device or media.  In civil cases we’re often asked to collect digital devices at a company or residence.  Regardless of whether we’re collecting a desktop, laptop, mobile device or flash drive, our first step is to isolate the device from any network, cellular or Bluetooth connections.  We want to ensure that the devices in question cannot be modified or accessed on purpose or accidentally.

We will also document each device and begin a formal chain of custody.  This is a step that many people ignore or don’t do with enough attention to detail.  Each individual device AND piece of media must be documented by unique identifier.  If a computer has two hard drives, we will document the computer serial number and the serial numbers of each individual drive.  Similarly, a cell phone with an expanded SD memory card is actually two different pieces of media from a forensics perspective.   We will also document who had access to these devices up to that point (to the extent possible) and will formally document any change of control from that point forward.

Create a Verified Forensic Image

Once we have the devices in question at our accredited digital forensics lab, we will create a verified forensic image of each piece of media.  This is technical and rigorously validated bit-for-bit copy of every piece of data on the digital media in question.  You can learn more about the term verified forensic image here.

Recovering Data and Any Changes To The Data

Once we have a forensic image, our examiners can start reviewing the data to look for information that is relevant to the case.  We can often recover files that have been deleted and identify who deleted the files and when.  We can also identify when files were updated or changed, and in some cases may be able to recover old versions of files.  In cases where we can’t recover deleted files, we may be able to document that a file was deleted by a certain person or at a certain time, which is often sufficient evidence for a spoliation claim.

We will always prepare a comprehensive report of our findings that can be easily understood by attorneys and court officials.

Devices With Physical Damage

In some cases, the devices or media in question are inoperable or inaccessible because of physical damage or password locks.  As an accredited digital forensics lab, we have extensive capabilities to recover data from damaged and inaccessible devices that most labs are unable to work with.

In one case with a failed hard drive, we were able to demonstrate that someone had used a sharp object to physically scratch the surface of an internal drive in hopes of destroying it.  In that case, we recovered the data and showed evidence of an attempt to destroy data.

Getting Help

If you need help with digital evidence in a civil case, contact Flashback Data today.  Our digital forensics lab is accredited under the same program as the FBI and state labs and we can recover data from more devices with shorter turnaround times that other labs.


Digital Forensics for Attorneys

Why You Need a 2nd Opinion on Digital Evidence in Criminal Cases

Why would defense counsel in a criminal case hire their own forensic examiners to review evidence that’s already been examined by an accredited lab?

Here are the 3 most common scenarios we’ve seen in working with criminal defense attorneys.

1. Help me understand what this forensic evidence actually means?

The output of a digital forensic analysis is a formal report of findings, and sometimes those reports are not exactly written in layman’s terms. One of the most common services we provide to criminal defense attorneys is to help translate the digital evidence they received from the DA into plain English. As an accredited digital crime lab that supports both attorneys and law enforcement, we can ensure that defense counsel understands any digital evidence, especially any unique technical aspects of the findings report.

2. Could this digital evidence support an alternate version of events that my client claims?

The goal of any forensic analysis is to reconstruct a sequence of past events, and in some cases two different events can leave a very similar digital trail. We’re often asked by defense attorneys whether the digital evidence presented could support an alternative version of events. In some cases, we can answer this question by simply reviewing the existing evidence. In other cases, we may need to actually perform our own analysis of the evidence to validate the findings and uncover additional information that could support an alternate scenario.

3. I want to dispute the evidence presented by the DA and want a lab I can trust to perform a new analysis.

When cases are expected to go to trial, we’re often asked to perform a detailed review of the chain of custody, forensic procedures and findings of the digital evidence in the case. Our digital crime lab is accredited under the same program as state labs and the FBI, so we have the credentials and experience to perform a comprehensive analysis of any digital evidence and either confirm the findings or identify any potential issues in how the evidence was handled or in the conclusions that were drawn.

If you need an expert second opinion on the digital evidence in a criminal case, contact Flashback Data, LLC. Our digital forensics lab is accredited under the same program as state and federal crime labs, and we’re experienced in working with attorneys in criminal cases across the country.


Digital Forensics Terms for Attorneys

Digital Forensics Terms for Attorneys

Digital forensics can be pretty technical, but there are a few things that attorneys working with digital evidence need to know.

We’ve compiled a list of some of the most important technical concepts in digital forensics and why they’re relevant to attorneys.

Verified Forensic Image –a special kind of “copy” of all the contents of a hard drive, flash drive, etc. Rather than copying “files”, a forensic image copies all the underlying 1s and 0s that represent the information (visible and invisible) on a target drive. A forensic examiner can then verify that the forensic image is exactly the same as the original using what is called a “hash value”. (see next term).

Attorneys should care about a verified forensic image for two reasons. First, it preserves original evidence in case the forensic analysis needs to be repeated. Second, until a verified forensic image is created, there is no guarantee that the information on a hard drive won’t be modified (purposely or accidentally). If you need a digital forensic analysis for your case, try to get a verified forensic image created as soon as possible.

Hash Value – a unique identifier that is used to validate that a forensic image (or any kind of digital copy) is an exact replica of the original. Any digital file or hard drive is at its core a set of 1s and 0s. Forensic experts use a special algorithm to create a numeric code, called a hash value, that is unique to the exact set of 1s and 0s on a specific drive. If a single 1 or 0 on the drive changes, then the hash value is completely different. In practice, an examiner generates a hash value for the original device, creates a forensic image and then validates that the hash value of the image matches the original.

Attorneys should care about a hash value because the digital evidence on a hard drive is not just the list of files that are easy to copy. If you get a plain old copy of a hard drive that didn’t verify matching hash values on the original and the copy, you could be missing some critical evidence in the case.

Write Blocker – a specialized piece of hardware that forensic examiners use to access digital evidence without modifying it. Any time you connect to a hard drive, flash drive, etc, you run a risk that your computer’s operating system will make changes to that drive inadvertently. By using a write blocker, a digital forensic examiner removes that risk.

Attorneys should care about write blockers because if you hire an IT expert (instead of a certified digital crime lab) to examine your digital evidence and that person doesn’t use a write blocker, you could actually be destroying the digital evidence instead of securing it.

JTAG / Chip-Off Forensics – two methods of accessing digital evidence on mobile devices, especially when the device is damaged or password locked. They require very specialized equipment and only a few labs can typically perform these types of acquisition. You can read a more technical explanation of these methods here.

Attorneys should care about JTAG and Chip-Off methods because they may be your only way to recover digital evidence from a cell phone that has been physically damaged or is password locked.

Forensic Protocol – In the context of a legal case, the forensic protocol is an explicit set of steps that a digital forensic examiner will take to acquire and analyze a specific device or set of devices.  Usually, this protocol is documented and agreed to by both parties in a case.

Attorneys should care about forensic protocol to eliminate potential questions about digital evidence especially in contentious cases or if there are questions about what data is relevant and producible for the case.  A good digital forensics partner can help you draft the forensic protocol.

Allocated vs Unallocated Disk Space – This is really the difference between “free” space and “used” space on a hard drive.  The “allocated” space contains all the files and programs that a typical user can see.  This includes things like documents, spreadsheets, emails, programs, browsing history, etc.  The “unallocated” space is all the other disk space on your drive.  Unallocated space includes empty space but also includes files that are deleted but have not been overwritten.  A digital forensic examiner can analyze the unallocated space on a drive to possibly recover deleted files and recreate a history of activities on the device.

Attorneys should care about unallocated disk space because it can contain lots of “hidden” digital evidence like deleted files that most users can’t see.

Accredited Digital Crime Lab – Private digital forensics labs aren’t required to be formally accredited, and many labs are not accredted.  The most widely recognized certifying body is the ASCLD, which certifies FBI and state crime labs.  The accreditation process is exhaustive.  It validates that a lab has and consistently follows generally accepted processes and procedures for securing, preserving, handling and analyzing digital evidence.  You can read more about ASCLD accreditation processes here.

Attorneys should care about using an accredited digital crime lab because it ensures that any findings from the lab’s analysis will hold up in court.  More importantly, using a lab that is not accredited can be an invitation for opposing counsel to question the forensic findings.

If you need help with digital evidence for a case involving IP theft, family law or other criminal or civil issues, contact Flashback Data today.  We work with attorneys, DAs and law enforcement across the country and our digital crime lab is accredited by the ASCLD.


Common Mistakes image

Common Mistakes In Selecting A Digital Forensics Partner

Digital forensics is an increasingly common part of IP theft, family law and criminal and civil cases. If you’re looking for a digital forensics partner to help with your case, don’t make these common mistakes:

MISTAKE #1: Hiring the IT Guy

Some attorneys are tempted to hire a sharp, knowledgeable IT expert to help them with the digital evidence in their case. However, technical expertise is only a part of what you need to analyze the digital evidence for your case. You also need to ensure that the analysis will actually hold up in court. That’s where an accredited digital forensics lab comes in.

A certified digital forensic examiner at an accredited lab will:

  • Follow an explicit, repeatable process to secure, preserve and analyze the data
  • Prepare a report of findings that can be easily understood by a non-technical attorney or judge
  • Can effectively defend his or her findings in the face of a contentious cross-examination

The real question you need to ask yourself about a forensic expert is not whether that person can get the data from the device, but whether their analysis will hold up in court.

MISTAKE #2: Misunderstanding Certifications for Expertise

Certifications are a crude way to judge the expertise of a digital forensics examiner. Some certifications, like ‘EnCE’ and ‘ACE’, are offered by forensic software vendors to certify knowledge of how to use specific software tools. In the legal world, this is like being a certified expert on Lexis/Nexis. It’s valuable and it may be necessary, but it doesn’t mean you’re a good lawyer.

If you want to look at certifications, make sure one of them is ‘CFCE’ – Certified Forensic Computer Examiner. The IACIS offers this certification that focuses on core digital forensics competencies and processes rather than just the tools.

Beyond certifications, you might want to ask about:

  • Lab accreditations
  • Sample findings reports (redacted)
  • Experience testifying in court

MISTAKE #3: Not Allowing Enough Time for the Analysis

By far the biggest mistake that we see attorneys make is to underestimate the time it takes to complete a proper digital forensic analysis. There are parts of the digital forensics process that can be expedited and parts that can’t. This is by design.

The goal of a professional digital forensic examiner is to complete a transparent, repeatable forensic process based on a comprehensive analysis of the available data, and deliver an understandable set of findings that can stand up in court.

For example, you may want to hire a forensic expert to produce a set of communications between two parties. At some level, this seems simple, but that involves creating a forensic image of each device in question so that the analysis can be repeated if necessary. Then, the examiner needs to analyze every bit and byte on the digital media to ensure that they find all the relevant communication.

Regardless of how tightly scoped the engagement, the process is largely the same in order to satisfy the requirements of the court system.

If you need the support of an experienced, accredited digital forensics lab for a family law case, contact Flashback Data today.  Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.


Digital Forensics for Family Law

Digital Forensics for Family Law

The sheer volume of digital evidence available to attorneys in family law cases can be overwhelming. An experienced digital forensics partner can help an attorney focus on the specific data that is critical to the dispute while ensuring that any evidence and forensic analysis can stand up in court.

Flashback Data LLC has supported literally hundreds of family law cases as an accredited digital forensics lab. While every case is a little different, here’s how we typically support attorneys in family law:


Our engagements begin with a brief call to discuss the case in order to define a specific scope of work that addresses the data needs and timeline of the case. This is particularly important in family law cases because the volume of potentially producible data is so large.

Of all the kinds of cases that Flashback Data supports (IP theft, criminal defense, civil law, family law), family law cases have by far the most producible data. After excluding any privileged attorney-client communications, pretty much everything else can be producible for a family law case. More specific direction up front helps our clients save money and get the answers they need faster.


We often support attorneys in defining which devices need to be part of a preservation order as well as defining the forensic protocol to deliver any producible data. Once we know which devices are involved and generally what we’re looking for, the formal forensic process begins.

The foundation of any digital forensic analysis is a structured, documented approach to preserving data by creating a forensic image of every mobile device, computer or external hard drive that is relevant to the case. Even if you don’t expect the evidence to be contested, a structured, repeatable forensic process is required for any analysis to hold up in court.


When working with a digital forensics lab in support of a family law case, it’s important to know when you’re looking for objective vs. subjective information. A good examiner can help an attorney with both.

Questions about travel, location data or even assets and income can usually be answered objectively. Travel and location data can be pulled directly from cell phone history or indirectly from email or text communications or even metadata on digital images. Asset and income data can usually be found in financial software, spreadsheets or email communications.

Other questions are much more subjective. In family law, the most common example is the question of infidelity. Other than the occasional “smoking gun”, a digital forensic analysis rarely produces objective proof of infidelity. To help with questions of infidelity, a forensic examiner’s job usually involves finding all the written communications (email, SMS text, etc.) and call records between the two parties, even if those records have been deleted. A forensic examiner won’t (and shouldn’t) make a subjective judgment about the content of those communications.

An experienced forensics partner will work with you to understand what kind of information is critical to your case and whether or how that information can be objectively captured and validated via forensic analysis.


The final step in the process is providing expert testimony in a deposition or court. All the work we do up to this point was done specifically to make this part of the process as straightforward and unremarkable as possible. Our certified, experienced examiners and accredited lab mean that our expertise is readily accepted. Our examiners are comfortable presenting (and defending) their credentials, their forensic process and their findings under oath.


If you need the support of an experience, accredited digital forensics lab for a family law case, contact Flashback Data today. Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.


Deleting Data

Mass File Deletion Isn’t Always Malfeasance

A recent civil case we supported reminded me of the difference between a cursory technical analysis and a full forensic analysis of a digital device. The issue in question was whether evidence of mass file deletion was evidence of malfeasance. Opposing counsel’s “expert” said it was, we disagreed.

Our Initial Analysis

In this case, we were working with an attorney whose client was accused of having many files that he was not supposed to have on his computer. The computer was placed under a preservation order by the courts, and he was prohibited from deleting any files on his computer.

We were asked to perform a forensic analysis of the computer to look for any files that the person wasn’t supposed to have or for any evidence that he had deleted files. Our examination turned up nothing of interest and no evidence that this person had deleted any files.

Opposing Counsel’s Expert Disagrees

On a Sunday night, after we had done our examination, we received a frantic call from the attorney. Opposing counsel’s forensic computer expert had written a report stating that he had found considerable proof that “hundreds of files” were deleted. Our client emphatically maintained that he had not deleted anything, so we reassured him that we would look into the report from the opposing expert.

The opposing expert stated that he had found an “evidence eliminator” that was used to destroy hundreds of files. We were shocked; our senior examiner had done a thorough examination and had found no evidence of malfeasance. We felt confident that our client had not deleted any files, and quickly returned to our lab re-open the case.

Upon Further Analysis – The Whole Truth

The first thing our examiner found was there were indeed around seven hundred files that had been deleted. How could we have missed that? We then looked for a file mentioned in the opposing expert’s report called, “SymEraser,” and to our astonishment there it was, as we say in Texas, “Bigger than Dallas!” Wow, we started to doubt our findings. Before losing all hope, we quickly ran a Google search for “SymEraser.”

It turns out that “SymEraser” is a file included in Norton Antivirus, Symantec Antivirus, and various other Norton and Symantec packages that include antivirus software. It is not an “evidence eliminator”, it was a virus eliminator. OK, that’s not too bad, but what about all those files? There were definitely hundreds of deleted files. We re-examined them. They were all deleted from a folder called “virdef.” They were in fact, virus definition files. Our client had not deleted them; Norton Antivirus had deleted them when it had updated the computer to a newer set of definitions! This was not the blatant act of a human malfeasance, but rather an automatic function of a piece of software.

We had done our forensic examination, and had not found anything malicious or suspect. Opposing side’s expert had done his examination, and had found quite a lot. So what was the truth? The truth was that files were deleted during a time that our client was not supposed to delete files. The truth was that there is a software program called SymEraser, which eliminates things. That was the truth. Fortunately for our client, it was not the whole truth!

If you’re in need of digital forensics support for a case involving IP theft, family law or criminal law, contact Flashback Data today. We’re the first private digital crime lab accredited under the same program as the FBI. We’ve helped hundreds of attorneys to preserve, analyze and understand the digital evidence in their case.



Digital Forensics for IP Theft

Digital Forensics for IP Theft Cases

Cases involving theft of intellectual property often hinge on the findings of a digital forensics analysis of specific digital media or devices. If your client suspects IP theft or has been accused of IP theft, here’s how an accredited digital forensics lab can help you with the case.

Flashback Data, LLC has supported plaintiff and defense attorneys on literally hundreds of IP theft cases. Based on our experience, a digital forensics lab may assist attorneys in a variety of ways.

Plaintiff’s Counsel

Step 1: Consultation

Our first involvement with a potential IP theft case is typically a phone consultation (30 – 60 minutes) to get an overview of the suspected theft, what evidence exists, what information was accessed or stolen and what media and devices are available for forensic analysis.

The most common example is a company suspects that a former employee downloaded a client list before leaving. We’ll want to know if the company still has that employee’s computer and/or cell phone, along with information about which system or systems contain the client list in question. This information will help us and you understand how a digital forensic analysis could support the case.

Step 2: Secure and Preserve The Evidence

Assuming there are digital devices or media to analyze, we’ll want to secure those devices as soon as possible. In the context of a digital forensics analysis, securing a digital device is more than just having physical control of it. We’ll also need to isolate that device from any computer networks, Bluetooth devices and wireless and cellular internet access. This should be done as quickly as possible to preserve any files that may be altered over time (purposely or not).

Step 3: Forensic Analysis

Our certified forensic examiners will analyze the devices in question to look for the specific evidence or activities that we discussed in the initial consultation. Depending on the devices, this can take anywhere from a few days to a few weeks.

Even if your in-house IT team has found evidence of theft, you may still need a certified forensic examiner to perform an analysis, especially if you expect the employee to contest the claims. A certified digital forensics examiner will proceed with the intent of creating a forensic report that is transparent, repeatable and can hold up in court. That means preserving evidence, following defined procedures and strictly documenting every step in the analysis.

Step 4: Report on Findings

We’ll prepare a formal report of findings that are clear and understandable to you, your client and any other parties in the case, including the judge.

Step 5: Litigation Support (as necessary)

As we noted above, one of the greatest values of a professional digital forensic analysis, especially from a certified crime lab, is that it can hold up in court even through adversarial cross-examination. Our examiners are experienced in explaining and defending their analysis in a formal deposition.

Defense Counsel

The main difference in supporting defense counsel vs plaintiff’s counsel is that an assessment has typically already been completed by the plaintiff.

Step 1: Technical Analysis / Consultation

Our initial focus with defense counsel in IP theft is to review any existing claims and help them understand the technical details of the evidence. Some common issues that we discuss with defense counsel are:

  • Who performed this analysis and does it appear to be professionally done? Can we trust the findings?
  • Help me translate the findings report into layman’s terms. What is this really saying?
  • My client has a different story than the one claimed by his employer. Could these findings support my client’s version of events?

Step 2: Forensic Analysis

Depending on how well the initial claims are substantiated, the defense may want to perform their own digital forensic analysis. In that case, we normally begin by helping counsel justify such an analysis and any associated discovery needs to the court. This includes things like helping to define what data is related to the case (producible) and what isn’t. We also help to define the “forensic protocol” for the analysis. This is a codified document agreed to by both parties that describes the series of steps that the forensic examiner will perform. Once we receive the device(s) in question, we follow a similar path to what we described above.


If your client is involved in an IP theft case, Flashback Data can help. We were the first private digital crime lab accredited under the same program as the FBI and state labs and we offer experience examiners, personalized service and fast turnaround times.

We’ve completed thousands of digital forensics exams for hundreds of attorneys in IP theft, family law and other criminal and civil cases. Contact us for a free consultation about your case today.