Over the last couple of weeks we have given you a peek inside of the digital forensic analysis process. Starting with identifying the potential sources of data to preserving those items and then to the analysis. Now that the digital forensic analysis is done, what do you do with the results?
Understanding what the forensic results are and how they play on your situation is quite possibly the most important part of the analysis. For example, in the earlier days of forensics when the concepts were still new to our clients and their counsel, Vestige worked a matter once where the end result was reporting to outside counsel that the operator of the computer had wiped the data on the hard drive prior to turning it over to us and therefore it was going to be impossible for us to tell counsel what was done on the computer during the relevant time frame. Counsel responded with “well, I guess you guys tried your best, we will have to look elsewhere”. We then politely suggested that counsel may have a spoliation claim based on the results. More light bulbs than there are on a Christmas tree went off in outside counsel’s mind.
While that scenario likely would not happen today because most attorneys are very familiar with spoliation and computers, my point was to illustrate that it is important to convey in the right format the significance of the forensic results (whether or not the client understands it despite the best of your abilities is another topic similar to a horse and water). The format might be a verbal report of findings, written reports or testimony.
Typically Vestige starts with a verbal report where allowed (sometimes protective orders require a written report provided to both sides). The goal of the verbal report is to explain what was found, what wasn’t found, the importance of the results and suggestions for moving forward, if needed. The benefit of this approach is two fold. First discoverable information in the form of a written report is not created. Second, more time, effort and cost come with written reports, if one isn’t needed, why go through that expense.
As part of the computer forensics investigation process, there comes a time when Vestige is asked to provide a written report. Maybe it is a memo, a report of findings or an expert report for submission to state or federal court. The digital forensic investigation report is often written by a senior analyst or higher. The report might be written by multiple staff members overseen by a more senior individual. The report is quality checked before sending onto the client. What is that written report going to look like? I will tell you what it won’t look like. It won’t look like the junk Vestige often is provided from other examiners that simply lists some files with some dates or maybe some registry keys but with no opinion or conclusion drawn from those findings. There are some examiners out there that put out “reports” that really should be considered nothing more than a regurgitation of data on a computer—usually accompanied by a child-like grin bearing “hey, look at all the stuff I recovered for you”…but with zero insight for the lay person to even begin understanding.
Typically a written report will start with some basic facts about the device(s) analyzed and what the goal of the analysis* is (finding evidence of data theft, determining computer usage in an employment matter, etc.). The report may include the strategy of why certain areas on the computer were considered while others were not and then discuss software used, keywords ran and other background information. The report then typically will provide the findings. What files were found, important registry keys examined, applications run and other forensic artifacts. Those findings may be too large or cumbersome to be in the body of a report and therefore might be an appendix or exhibit. Sprinkled among those findings, but even more important than the findings themselves, are the conclusions that were derived from the findings. What do those findings mean? Was data really taken and if so by what user account or entity, when and how. What activities were being performed on the computer on a specific day (and often time). This reporting is no different then when you go to a doctor for a checkup. The doctor may provide you your cholesterol numbers, weight, white blood cell count and a whole host of other facts (findings). But what you really want to know from the doctor is what does all of that mean, are you healthy, sick or need medicine or a procedure. Are more tests needed and what is the likelihood that those tests are going to provide a better picture of what is going on. It’s that insight and Expert opinion that holds all the value – and that’s what Vestige strives for in each and every matter.
* If you are interested in seeing examples of our digital forensics process or forensic reports, please feel to CONTACT US and we will discuss providing a suitable (sanitized of client and case particulars, of course) sample for your consideration. We have found that when individuals see a concrete example, it can often provide a much deeper insight.
by Greg Kelley, EnCE, DFCP, Chief Technology Officer
Vestige Digital Investigations