Digital Forensics for Attorneys

Top Forensics Posts for Attorneys

We’ve assembled the 5 Digital Forensics posts most popular with attorneys and the legal community. Check them out…

  1. Digital Forensics Terms for Attorneys
  2. Why You Need a 2nd Opinion on Digital Evidence in Criminal Cases
  3. Mass File Deletion Isn’t Always Malfeasance
  4. The Major Differences Between Digital Forensics and eDiscovery
  5. Digital Forensics for IP Theft

If you need the support of an experienced, accredited digital forensics lab for a case involving IP theft, family law, criminal defense or civl law, contact Flashback Data today. Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.


Digital Forensics and the Case Timeline

How To Align Your Forensics Support to Your Case Timeline

“We go to trial in 2 days and I need this digital forensic analysis done tomorrow!”

We get requests like this frequently and we do our best meet our clients’ case timelines if we can.

If your case needs the support of digital forensics, it’s important to understand how to align your forensic needs to the timeline of the case. There are some parts of a typical forensics exam that can be expedited and some that can’t.

Here’s what’s typically involved in a forensics examination and how long it takes.


The forensic protocol is the agreed upon set of steps that the forensic lab will follow to acquire, segregate and analyze the information that is relevant and producible for the case. It typically specifies what is and isn’t producible from a technical perspective.

For example, an IP theft case may require a forensic analysis of a home computer. The forensic protocol would specify dates and types of information that could be included in the analysis.

We usually help our clients draft the forensic protocol, which is actually the easy part. The part that takes time is sharing that proposal with opposing counsel and/or the judge and coming to a final agreement. In some cases, this can take weeks, but in most cases the entire process takes anywhere from two days to a week.


We’ll assume that we’re already in possession of the device(s) in question. Obviously, if this isn’t the case, then there is some time involved in actually transporting the device via overnight mail or courier.

In forensic terms, “acquisition” is about getting the data from the original device into our lab environment so it can be properly analyzed. We create a verified forensic image of the entire drive or media. This step is required for the forensic analysis to hold up in court and there are no shortcuts.

The length of time required for acquisition depends on the size of the drive and how easily accessible the data is. The quickest and easiest would be a standard unlocked mobile device, which normally takes a few hours. Large storage arrays or devices that are physically damaged or password locked can easily take a few days.


Once we have a forensic image, we can begin the formal analysis of that data. The time required for this is wholly dependent upon the scope of the analysis (ie. what we’re looking for) and can be complicated by the forensic protocol. This process can take 1-5 days.


After the forensic lab has completed its findings, an attorney must then review them in the context of the overall case strategy. In our experience, this is the one part of the process that attorneys most often forget about or underestimate.

If the digital evidence answers an objective yes or no question, this is easy. However, if the digital evidence is a transcript of conversations, then this review can take several days.

The best example is a family law case that hinges on a question of infidelity. The digital forensics lab will be asked to produce a transcript or log of communications between two parties. A typical 40 year old adult sends and receives over 1,500 text messages every month, so these transcripts can be lengthy. The attorneys must then review the content of the transcripts to draw any relevant conclusions about intent or relationships.

Don’t forget to leave yourself plenty of time to review and understand the digital evidence in the case.

If you have a case that includes digital evidence, contact Flashback Data today. We have supported attorneys in IP theft, family law and other civil and criminal cases for over a decade, and our digital forensics lab is accredited under the same program as the FBI and state crime labs.


Digital Forensics Terms for Attorneys

Digital Forensics Terms for Attorneys

Digital forensics can be pretty technical, but there are a few things that attorneys working with digital evidence need to know.

We’ve compiled a list of some of the most important technical concepts in digital forensics and why they’re relevant to attorneys.

Verified Forensic Image –a special kind of “copy” of all the contents of a hard drive, flash drive, etc. Rather than copying “files”, a forensic image copies all the underlying 1s and 0s that represent the information (visible and invisible) on a target drive. A forensic examiner can then verify that the forensic image is exactly the same as the original using what is called a “hash value”. (see next term).

Attorneys should care about a verified forensic image for two reasons. First, it preserves original evidence in case the forensic analysis needs to be repeated. Second, until a verified forensic image is created, there is no guarantee that the information on a hard drive won’t be modified (purposely or accidentally). If you need a digital forensic analysis for your case, try to get a verified forensic image created as soon as possible.

Hash Value – a unique identifier that is used to validate that a forensic image (or any kind of digital copy) is an exact replica of the original. Any digital file or hard drive is at its core a set of 1s and 0s. Forensic experts use a special algorithm to create a numeric code, called a hash value, that is unique to the exact set of 1s and 0s on a specific drive. If a single 1 or 0 on the drive changes, then the hash value is completely different. In practice, an examiner generates a hash value for the original device, creates a forensic image and then validates that the hash value of the image matches the original.

Attorneys should care about a hash value because the digital evidence on a hard drive is not just the list of files that are easy to copy. If you get a plain old copy of a hard drive that didn’t verify matching hash values on the original and the copy, you could be missing some critical evidence in the case.

Write Blocker – a specialized piece of hardware that forensic examiners use to access digital evidence without modifying it. Any time you connect to a hard drive, flash drive, etc, you run a risk that your computer’s operating system will make changes to that drive inadvertently. By using a write blocker, a digital forensic examiner removes that risk.

Attorneys should care about write blockers because if you hire an IT expert (instead of a certified digital crime lab) to examine your digital evidence and that person doesn’t use a write blocker, you could actually be destroying the digital evidence instead of securing it.

JTAG / Chip-Off Forensics – two methods of accessing digital evidence on mobile devices, especially when the device is damaged or password locked. They require very specialized equipment and only a few labs can typically perform these types of acquisition. You can read a more technical explanation of these methods here.

Attorneys should care about JTAG and Chip-Off methods because they may be your only way to recover digital evidence from a cell phone that has been physically damaged or is password locked.

Forensic Protocol – In the context of a legal case, the forensic protocol is an explicit set of steps that a digital forensic examiner will take to acquire and analyze a specific device or set of devices.  Usually, this protocol is documented and agreed to by both parties in a case.

Attorneys should care about forensic protocol to eliminate potential questions about digital evidence especially in contentious cases or if there are questions about what data is relevant and producible for the case.  A good digital forensics partner can help you draft the forensic protocol.

Allocated vs Unallocated Disk Space – This is really the difference between “free” space and “used” space on a hard drive.  The “allocated” space contains all the files and programs that a typical user can see.  This includes things like documents, spreadsheets, emails, programs, browsing history, etc.  The “unallocated” space is all the other disk space on your drive.  Unallocated space includes empty space but also includes files that are deleted but have not been overwritten.  A digital forensic examiner can analyze the unallocated space on a drive to possibly recover deleted files and recreate a history of activities on the device.

Attorneys should care about unallocated disk space because it can contain lots of “hidden” digital evidence like deleted files that most users can’t see.

Accredited Digital Crime Lab – Private digital forensics labs aren’t required to be formally accredited, and many labs are not accredted.  The most widely recognized certifying body is the ASCLD, which certifies FBI and state crime labs.  The accreditation process is exhaustive.  It validates that a lab has and consistently follows generally accepted processes and procedures for securing, preserving, handling and analyzing digital evidence.  You can read more about ASCLD accreditation processes here.

Attorneys should care about using an accredited digital crime lab because it ensures that any findings from the lab’s analysis will hold up in court.  More importantly, using a lab that is not accredited can be an invitation for opposing counsel to question the forensic findings.

If you need help with digital evidence for a case involving IP theft, family law or other criminal or civil issues, contact Flashback Data today.  We work with attorneys, DAs and law enforcement across the country and our digital crime lab is accredited by the ASCLD.


Common Mistakes image

Common Mistakes In Selecting A Digital Forensics Partner

Digital forensics is an increasingly common part of IP theft, family law and criminal and civil cases. If you’re looking for a digital forensics partner to help with your case, don’t make these common mistakes:

MISTAKE #1: Hiring the IT Guy

Some attorneys are tempted to hire a sharp, knowledgeable IT expert to help them with the digital evidence in their case. However, technical expertise is only a part of what you need to analyze the digital evidence for your case. You also need to ensure that the analysis will actually hold up in court. That’s where an accredited digital forensics lab comes in.

A certified digital forensic examiner at an accredited lab will:

  • Follow an explicit, repeatable process to secure, preserve and analyze the data
  • Prepare a report of findings that can be easily understood by a non-technical attorney or judge
  • Can effectively defend his or her findings in the face of a contentious cross-examination

The real question you need to ask yourself about a forensic expert is not whether that person can get the data from the device, but whether their analysis will hold up in court.

MISTAKE #2: Misunderstanding Certifications for Expertise

Certifications are a crude way to judge the expertise of a digital forensics examiner. Some certifications, like ‘EnCE’ and ‘ACE’, are offered by forensic software vendors to certify knowledge of how to use specific software tools. In the legal world, this is like being a certified expert on Lexis/Nexis. It’s valuable and it may be necessary, but it doesn’t mean you’re a good lawyer.

If you want to look at certifications, make sure one of them is ‘CFCE’ – Certified Forensic Computer Examiner. The IACIS offers this certification that focuses on core digital forensics competencies and processes rather than just the tools.

Beyond certifications, you might want to ask about:

  • Lab accreditations
  • Sample findings reports (redacted)
  • Experience testifying in court

MISTAKE #3: Not Allowing Enough Time for the Analysis

By far the biggest mistake that we see attorneys make is to underestimate the time it takes to complete a proper digital forensic analysis. There are parts of the digital forensics process that can be expedited and parts that can’t. This is by design.

The goal of a professional digital forensic examiner is to complete a transparent, repeatable forensic process based on a comprehensive analysis of the available data, and deliver an understandable set of findings that can stand up in court.

For example, you may want to hire a forensic expert to produce a set of communications between two parties. At some level, this seems simple, but that involves creating a forensic image of each device in question so that the analysis can be repeated if necessary. Then, the examiner needs to analyze every bit and byte on the digital media to ensure that they find all the relevant communication.

Regardless of how tightly scoped the engagement, the process is largely the same in order to satisfy the requirements of the court system.

If you need the support of an experienced, accredited digital forensics lab for a family law case, contact Flashback Data today.  Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.


Digital Forensics for Family Law

Digital Forensics for Family Law

The sheer volume of digital evidence available to attorneys in family law cases can be overwhelming. An experienced digital forensics partner can help an attorney focus on the specific data that is critical to the dispute while ensuring that any evidence and forensic analysis can stand up in court.

Flashback Data LLC has supported literally hundreds of family law cases as an accredited digital forensics lab. While every case is a little different, here’s how we typically support attorneys in family law:


Our engagements begin with a brief call to discuss the case in order to define a specific scope of work that addresses the data needs and timeline of the case. This is particularly important in family law cases because the volume of potentially producible data is so large.

Of all the kinds of cases that Flashback Data supports (IP theft, criminal defense, civil law, family law), family law cases have by far the most producible data. After excluding any privileged attorney-client communications, pretty much everything else can be producible for a family law case. More specific direction up front helps our clients save money and get the answers they need faster.


We often support attorneys in defining which devices need to be part of a preservation order as well as defining the forensic protocol to deliver any producible data. Once we know which devices are involved and generally what we’re looking for, the formal forensic process begins.

The foundation of any digital forensic analysis is a structured, documented approach to preserving data by creating a forensic image of every mobile device, computer or external hard drive that is relevant to the case. Even if you don’t expect the evidence to be contested, a structured, repeatable forensic process is required for any analysis to hold up in court.


When working with a digital forensics lab in support of a family law case, it’s important to know when you’re looking for objective vs. subjective information. A good examiner can help an attorney with both.

Questions about travel, location data or even assets and income can usually be answered objectively. Travel and location data can be pulled directly from cell phone history or indirectly from email or text communications or even metadata on digital images. Asset and income data can usually be found in financial software, spreadsheets or email communications.

Other questions are much more subjective. In family law, the most common example is the question of infidelity. Other than the occasional “smoking gun”, a digital forensic analysis rarely produces objective proof of infidelity. To help with questions of infidelity, a forensic examiner’s job usually involves finding all the written communications (email, SMS text, etc.) and call records between the two parties, even if those records have been deleted. A forensic examiner won’t (and shouldn’t) make a subjective judgment about the content of those communications.

An experienced forensics partner will work with you to understand what kind of information is critical to your case and whether or how that information can be objectively captured and validated via forensic analysis.


The final step in the process is providing expert testimony in a deposition or court. All the work we do up to this point was done specifically to make this part of the process as straightforward and unremarkable as possible. Our certified, experienced examiners and accredited lab mean that our expertise is readily accepted. Our examiners are comfortable presenting (and defending) their credentials, their forensic process and their findings under oath.


If you need the support of an experience, accredited digital forensics lab for a family law case, contact Flashback Data today. Our digital forensics lab is accredited under the same process as the FBI and state crime labs and can support the timing and information needs of your family law case.