Five on Forensics Page 1 - Craig Ball
Five on Forensics
© 2002-2008 Craig Ball All Rights Reserved

What Judges Need to Know About Computer Forensics
Craig Ball¹
© 2008
Courts increasingly see motions by litigants seeking access to an opponent’s computers for the purpose of conducting a computer forensic examination. The impetus may be allegations of discovery abuse, stolen intellectual property, spoliation, forgery, network intrusion, child pornography, piracy, discrimination or a host of other claims.

When bits and bytes are involved, it can be hard to know if the proposed examination is reasonable and necessary or an abusive fishing expedition.

This article looks at some of the fundamentals of computer forensics to help judges weigh the need and burden of acquisition and examination. It addresses, inter alia, what computer forensics can and cannot accomplish and flags common errors made by parties and the courts in ordering such examinations.
Table of Contents

How Does Computer Forensics Differ from Electronic Discovery? ..... 89
When to Turn to Computer Forensics ..... 90
Balancing Need, Privilege and Privacy ..... 90
Who Performs Computer Forensics? ..... 91
Selecting a Neutral Examiner ..... 92
What Can Computer Forensics Do? ..... 92
What Can’t It Do? ..... 92
Supervision of Examination ..... 93
Forensic Acquisition & Preservation ..... 93
Exemplar Acquisition Protocol ..... 93
Forensic Examination ..... 95
    1. File Carving by Binary Signature ..... 96
    2. File Carving by Remnant Directory Data ..... 96
    3. Search by Keyword ..... 96
Better Practice than “Undelete” is “Try to Find” ..... 97
Eradication Challenges ..... 97
Exemplar Examination Protocol ..... 98
Problematic Protocols ..... 99
Crafting Better Forensic Examination Orders ..... 99
Hashing ..... 100
Frequently Asked Questions About Computer Forensics ..... 101
    How do I preserve the status quo without ordering a party to stop using its systems? ..... 101
    A party wants to make “Ghost” images of the drives. Are those forensically sound? ..... 101
    Do servers need to be preserved by forensically sound imaging, too? ..... 101
    What devices and media should be considered for examination? ..... 102
¹ The author gratefully acknowledges the invaluable editorial contributions of his spouse, Diana Ball, and of esteemed colleagues, Sharon Nelson and John Simek of Sensei Enterprises, Inc., for their helpful suggestions.

Page 88