Digital Forensics Terms for Attorneys

Digital forensics can be pretty technical, but there are a few things that attorneys working with digital evidence need to know.

We’ve compiled a list of some of the most important technical concepts in digital forensics and why they’re relevant to attorneys.

Verified Forensic Image – a special kind of “copy” of all the contents of a hard drive, flash drive, etc. Rather than copying “files”, a forensic image copies all the underlying 1s and 0s that represent the information (visible and invisible) on a target drive. A forensic examiner can then verify that the forensic image is exactly the same as the original using what is called a “hash value” (see the next term).

Attorneys should care about a verified forensic image for two reasons. First, it preserves original evidence in case the forensic analysis needs to be repeated. Second, until a verified forensic image is created, there is no guarantee that the information on a hard drive won’t be modified (purposely or accidentally). If you need a digital forensic analysis for your case, try to get a verified forensic image created as soon as possible.

Hash Value – a unique identifier that is used to validate that a forensic image (or any kind of digital copy) is an exact replica of the original. Any digital file or hard drive is at its core a set of 1s and 0s. Forensic experts use a special algorithm to create a numeric code, called a hash value, that is unique to the exact set of 1s and 0s on a specific drive. If a single 1 or 0 on the drive changes, the hash value is completely different. In practice, an examiner generates a hash value for the original device, creates a forensic image, and then validates that the hash value of the image matches that of the original.

Attorneys should care about hash values because the digital evidence on a hard drive is not just the list of files that are easy to copy. If you receive a plain copy of a hard drive without verified, matching hash values for the original and the copy, you could be missing critical evidence in the case.
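The acquire-then-verify workflow described above, as an added illustration in Python (not code from the original page or from any forensic tool): the sample "drive" is a constructed in-memory byte string, the copy is hashed chunk by chunk with MD5 and SHA-256 the way imaging tools do, and a single flipped bit is used to show why a touched copy no longer verifies.

```python
import hashlib
import io

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large drive never has to fit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a device or image stream in one pass, computing every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data))


def acquire_image(source, dest):
    """Bit-for-bit copy of source into dest, then hash both sides and compare.

    Returns (verified, source_hashes, image_hashes); the two hash sets are what an
    examiner records in the acquisition report.
    """
    source.seek(0)
    for chunk in iter(lambda: source.read(CHUNK), b""):
        dest.write(chunk)
    source.seek(0)
    dest.seek(0)
    source_hashes = hash_stream(source)
    image_hashes = hash_stream(dest)
    return source_hashes == image_hashes, source_hashes, image_hashes


def flip_one_bit(data, offset):
    """Copy of `data` with one bit toggled at byte `offset` (simulates one inadvertent write)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def demo():
    """Constructed sample drive (about 2 MiB of padding plus a small document); not real evidence."""
    drive = b"\x00" * (2 * CHUNK) + b"Contract_final.docx contents ..." + b"\xff" * 1000
    original, image = io.BytesIO(drive), io.BytesIO()
    verified, src, img = acquire_image(original, image)
    # A copy that was touched (one bit changed) no longer matches the original's hashes.
    tampered = hash_bytes(flip_one_bit(drive, 2 * CHUNK + 5))
    return {"verified": verified, "tampered_matches": tampered == src, "sha256": src["sha256"]}
```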

Write Blocker – a specialized piece of hardware that forensic examiners use to access digital evidence without modifying it. Any time you connect to a hard drive, flash drive, etc., you run the risk that your computer’s operating system will make changes to that drive inadvertently. By using a write blocker, a digital forensic examiner removes that risk.

Attorneys should care about write blockers because if you hire an IT expert (instead of a certified digital crime lab) to examine your digital evidence and that person doesn’t use a write blocker, you could actually be destroying the digital evidence instead of securing it.

JTAG / Chip-Off Forensics – two methods of accessing digital evidence on mobile devices, especially when the device is damaged or password locked. They require very specialized equipment and only a few labs can typically perform these types of acquisition. You can read a more technical explanation of these methods here.

Attorneys should care about JTAG and Chip-Off methods because they may be your only way to recover digital evidence from a cell phone that has been physically damaged or is password locked.

Forensic Protocol – In the context of a legal case, the forensic protocol is an explicit set of steps that a digital forensic examiner will take to acquire and analyze a specific device or set of devices. Usually, this protocol is documented and agreed to by both parties in a case.

Attorneys should care about the forensic protocol because it eliminates potential questions about digital evidence, especially in contentious cases or where there are questions about what data is relevant and producible for the case. A good digital forensics partner can help you draft the forensic protocol.

Allocated vs Unallocated Disk Space – This is really the difference between “free” space and “used” space on a hard drive. The “allocated” space contains all the files and programs that a typical user can see. This includes things like documents, spreadsheets, emails, programs, browsing history, etc. The “unallocated” space is all the other disk space on your drive. Unallocated space includes empty space but also includes files that are deleted but have not been overwritten. A digital forensic examiner can analyze the unallocated space on a drive to possibly recover deleted files and recreate a history of activities on the device.

Attorneys should care about unallocated disk space because it can contain lots of “hidden” digital evidence like deleted files that most users can’t see.
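To make the allocated/unallocated distinction concrete, here is an added Python sketch (not from the original page or any forensic product): a toy disk with a directory of allocated files, a "delete" that only removes the directory entry, and a signature-based carver that recovers the deleted-but-not-overwritten document from the unallocated ranges. The disk contents, file names and signature table are constructed for the example.

```python
# Toy "disk": a fixed-size bytearray plus a directory of allocated files
# (name -> (offset, length)). Everything the directory does not cover is unallocated.

SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),            # (header, footer) byte patterns
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def unallocated_ranges(disk_size, directory):
    """Return (start, end) byte ranges not owned by any allocated file."""
    ranges, cursor = [], 0
    for offset, length in sorted(directory.values()):
        if offset > cursor:
            ranges.append((cursor, offset))
        cursor = max(cursor, offset + length)
    if cursor < disk_size:
        ranges.append((cursor, disk_size))
    return ranges


def carve(disk, ranges, signatures=SIGNATURES):
    """Signature carving: find header..footer pairs inside the given ranges, ignoring the directory."""
    found = []
    for start, end in ranges:
        region = bytes(disk[start:end])
        for kind, (header, footer) in signatures.items():
            pos = 0
            while (h := region.find(header, pos)) != -1:
                f = region.find(footer, h + len(header))
                if f == -1:          # header with no footer: fragment, not recoverable here
                    break
                f += len(footer)
                found.append((kind, start + h, region[h:f]))
                pos = f
    return found


def demo():
    """Constructed scenario: two files written, then one deleted (entry removed, bytes left in place)."""
    disk, directory = bytearray(4096), {}
    memo = b"%PDF-1.4 ... settlement memo ... %%EOF"
    photo = b"\xff\xd8\xff\xe0 JFIF ... \xff\xd9"
    directory["memo.pdf"] = (512, len(memo)); disk[512:512 + len(memo)] = memo
    directory["photo.jpg"] = (2048, len(photo)); disk[2048:2048 + len(photo)] = photo
    del directory["memo.pdf"]        # the OS forgets the file; its bytes remain on disk
    recovered = carve(disk, unallocated_ranges(len(disk), directory))
    return directory, recovered
```

If the memo's bytes had since been overwritten by a new file, the carver would find no header and the document would be unrecoverable, which is why timely imaging matters.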

Accredited Digital Crime Lab – Private digital forensics labs aren’t required to be formally accredited, and many labs are not accredited. The most widely recognized certifying body is the ASCLD, which certifies FBI and state crime labs. The accreditation process is exhaustive. It validates that a lab has and consistently follows generally accepted processes and procedures for securing, preserving, handling and analyzing digital evidence. You can read more about ASCLD accreditation processes here.

Attorneys should care about using an accredited digital crime lab because it ensures that any findings from the lab’s analysis will hold up in court. More importantly, using a lab that is not accredited can be an invitation for opposing counsel to question the forensic findings.

If you need help with digital evidence for a case involving IP theft, family law or other criminal or civil issues, contact Flashback Data today. We work with attorneys, DAs and law enforcement across the country, and our digital crime lab is accredited by the ASCLD.