Digital Forensics and the Case Timeline

How To Align Your Forensics Support to Your Case Timeline

“We go to trial in 2 days and I need this digital forensic analysis done tomorrow!”

We get requests like this frequently, and we do our best to meet our clients’ case timelines if we can.

If your case needs the support of digital forensics, it’s important to understand how to align your forensic needs to the timeline of the case. There are some parts of a typical forensics exam that can be expedited and some that can’t.

Here’s what’s typically involved in a forensics examination and how long it takes.

STEP 1: AGREE TO FORENSIC PROTOCOLS

The forensic protocol is the agreed-upon set of steps that the forensic lab will follow to acquire, segregate and analyze the information that is relevant and producible for the case. It typically specifies what is and isn’t producible from a technical perspective.

For example, an IP theft case may require a forensic analysis of a home computer. The forensic protocol would specify dates and types of information that could be included in the analysis.

We usually help our clients draft the forensic protocol, which is actually the easy part. The part that takes time is sharing that proposal with opposing counsel and/or the judge and coming to a final agreement. In some cases, this can take weeks, but in most cases the entire process takes anywhere from two days to a week.

STEP 2: ACQUIRE DATA SO THAT IT WILL HOLD UP IN COURT

We’ll assume that we’re already in possession of the device(s) in question. Obviously, if this isn’t the case, then there is some time involved in actually transporting the device via overnight mail or courier.

In forensic terms, “acquisition” is about getting the data from the original device into our lab environment so it can be properly analyzed. We create a verified forensic image of the entire drive or media. This step is required for the forensic analysis to hold up in court and there are no shortcuts.

The length of time required for acquisition depends on the size of the drive and how easily accessible the data is. The quickest and easiest would be a standard unlocked mobile device, which normally takes a few hours. Large storage arrays or devices that are physically damaged or password-locked can easily take a few days.

STEP 3: ANALYZE AND SEGMENT PRODUCIBLE DATA AND PREPARE FINDINGS

Once we have a forensic image, we can begin the formal analysis of that data. The time required for this is wholly dependent upon the scope of the analysis (i.e., what we’re looking for) and can be complicated by the forensic protocol. This process can take 1-5 days.

STEP 4: REVIEW OF FORENSIC FINDINGS BY ATTORNEY

After the forensic lab has completed its findings, an attorney must then review them in the context of the overall case strategy. In our experience, this is the one part of the process that attorneys most often forget about or underestimate.

If the digital evidence answers an objective yes or no question, this is easy. However, if the digital evidence is a transcript of conversations, then this review can take several days.

The best example is a family law case that hinges on a question of infidelity. The digital forensics lab will be asked to produce a transcript or log of communications between two parties. A typical 40-year-old adult sends and receives over 1,500 text messages every month, so these transcripts can be lengthy. The attorneys must then review the content of the transcripts to draw any relevant conclusions about intent or relationships.

Don’t forget to leave yourself plenty of time to review and understand the digital evidence in the case.

If you have a case that includes digital evidence, contact Flashback Data today. We have supported attorneys in IP theft, family law and other civil and criminal cases for over a decade, and our digital forensics lab is accredited under the same program as the FBI and state crime labs.
