Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved
lack the skill and tools to identify, preserve and extract latent computer data; so the statement “it’s not there” is, at best, “it’s not where we looked, and we haven’t looked thoroughly.”

By the same token, it’s not reasonable to expect a responding party to hire a computer forensic examiner and perform a thorough search for latent data in every case. It’s too expensive, time-consuming and not always certain to lead to the discovery of relevant evidence. Neither can the requesting party’s forensic expert be granted unfettered access to an opponent’s computers absent steps to protect the confidentiality of proprietary, privileged or just-downright-embarrassing material. A balance must be struck between the potential for discovery of relevant evidence and the potential for unwarranted intrusion at great expense.

The most obvious instance where forensic examination is indicated is a matter involving a credible allegation of negligent or intentional spoliation, or concealment, of electronic information or its paper counterpart. Another is a circumstance where it appears likely that relevant and discoverable data exists, but is accessible only through the use of forensic restoration techniques. Other instances include matters where computers have allegedly been employed to perpetrate a crime, fraud or tort, such as theft of trade secrets, workplace harassment, concealment of assets, hacking, theft of service, electronic vandalism, identity fraud, copyright infringement, etc.
Forensic Imaging Should Be Routine<br />
Since it’s not always possible to ascertain the need for computer forensic analysis at the onset of a dispute, and with computer data being so volatile and fluid, how can a litigant preserve the status quo and protect potentially discoverable data? The best answer seems to be to act decisively to enforce the obligation to preserve while deferring disputes concerning the obligation to produce. At least with respect to the computer systems used by key players, if an opponent is unwilling to immediately remove them from service and secure them against tampering, loss or damage, then it is imperative that the hard drives for each computer be duplicated in a forensically-sound fashion and secured. They may never be used but, if needed, there is no better mechanism to demonstrate diligence in the preservation of discoverable data. The same prudence applies to other media which may later be claimed to have contained relevant and discoverable data, including personal digital assistants, e-mail servers and online repositories. Caveat: Routine file backup to tape, floppy disks, recordable CDs, thumb drives or other media using virtually any off-the-shelf backup application will not produce a forensically sound clone of the data, rendering some or all latent data unrecoverable in the future, ripe for a charge of spoliation.
Answers to Frequently Asked Questions about Forensic Imaging

What is a “forensically-sound” duplicate of a drive?

A “forensically-sound” duplicate of a drive is, first and foremost, one created by a method which does not alter data on the drive being duplicated. Second, a forensically-sound duplicate must contain a copy of every bit, byte and sector of the source drive, including unallocated “empty” space and slack space, precisely as such data appears on the source drive relative to the other data on the drive. Finally, a forensically-sound duplicate will not
Page 37
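As an added illustration (not part of Craig Ball's article) of two points above, the caveat that an off-the-shelf file backup is not a forensically sound clone and the definition of a duplicate that carries every sector including slack and unallocated space, the Python below builds a constructed toy volume with residue in its slack and unallocated sectors, contrasts what a file-level backup copies with a bit-for-bit image, and verifies the image sector by sector with hashes. The 512-byte sector size, the file table and all contents are assumptions for the example.

```python
import hashlib

SECTOR = 512  # sector size assumed for the constructed toy volume

# Constructed sample data: not taken from any real disk.
LIVE_FILE = b"Quarterly forecast, final version. " * 18   # 630 bytes: sector 0 plus part of sector 1
SLACK_RESIDUE = b"[earlier draft left in slack space]"
UNALLOC_RESIDUE = b"[deleted memo in unallocated sectors]"

def build_toy_volume():
    """Return (volume, file_table) for an 8-sector drive. The live file ends
    mid-sector, so the rest of sector 1 is slack; sectors 2-7 are unallocated
    but still hold bytes from a deleted document."""
    vol = bytearray(8 * SECTOR)
    vol[0:len(LIVE_FILE)] = LIVE_FILE
    vol[700:700 + len(SLACK_RESIDUE)] = SLACK_RESIDUE                      # sector 1, past end-of-file
    vol[3 * SECTOR:3 * SECTOR + len(UNALLOC_RESIDUE)] = UNALLOC_RESIDUE    # sector 3, unallocated
    return bytes(vol), {"forecast.txt": (0, len(LIVE_FILE))}   # name -> (offset, length)

def file_level_backup(vol, file_table):
    """What a routine backup application copies: allocated file contents only."""
    return {name: vol[off:off + size] for name, (off, size) in file_table.items()}

def bit_for_bit_image(source):
    """Copy every sector of the source, reading it and never writing to it, and
    return the image with SHA-256 digests of source and image as proof of fidelity."""
    image = bytearray(len(source))
    for s in range(0, len(source), SECTOR):
        image[s:s + SECTOR] = source[s:s + SECTOR]
    return bytes(image), hashlib.sha256(source).hexdigest(), hashlib.sha256(image).hexdigest()

def verify_image(source, image):
    """Return the sector numbers that differ; [] means a faithful clone.
    A length mismatch is reported as sector -1, since sector positions no longer line up."""
    if len(source) != len(image):
        return [-1]
    return [s // SECTOR for s in range(0, len(source), SECTOR)
            if source[s:s + SECTOR] != image[s:s + SECTOR]]

if __name__ == "__main__":
    vol, table = build_toy_volume()
    backup = b"".join(file_level_backup(vol, table).values())
    image, h_src, h_img = bit_for_bit_image(vol)
    print("backup keeps slack residue:", SLACK_RESIDUE in backup)            # False
    print("backup keeps unallocated residue:", UNALLOC_RESIDUE in backup)    # False
    print("image keeps both residues:", SLACK_RESIDUE in image and UNALLOC_RESIDUE in image)  # True
    print("hashes match:", h_src == h_img, "differing sectors:", verify_image(vol, image))
```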