Cybercrimes have become more frequent and sophisticated, and the tools used to investigate them have evolved with them. While attorneys may recognize this change in the evidentiary landscape, they may not recognize how it affects their casework. As a result, many still treat digital forensics like traditional evidence analysis, when they should be involving digital forensic examiners throughout the process. This can leave significant evidence gaps that expose a client to greater liability or weaken a prosecutor's case against cybercriminals. To close those gaps, legal teams must rethink the role of digital forensic examiners.
Collection and Analysis in Digital Forensics
In both the private and public sectors, there are two main phases in the forensics process: collection and analysis. In most forensic disciplines, evidence is physically collected at a scene, then brought to a lab for analysis. In other areas—like forensic accounting—evidence is collected as part of the discovery process, and analysis begins during document review.
However, from the time digital evidence is gathered until it is presented in court, many variables can disrupt this traditional approach. Data can be stored in many locations and formats, and it can be accessed or processed in countless ways, leaving large amounts of complex, relevant data at risk of being altered, overwritten, aged out of retention or simply overlooked.
Legal and investigative teams must have a full understanding of these variables at every stage to avoid missing key evidence. Placing the collection and analysis of digital evidence in separate silos or bringing in digital forensic examiners only during the analysis phase may lead to something important being missed.
Common examples include:
- Smartphones – Evidence on smartphones is highly volatile and can easily be deleted before the device is handed over. But copies may survive in smartphone backups stored in the cloud or elsewhere, such as on a synced computer. It is not always easy to determine where such copies are likely to exist, how long they are kept or how to obtain them, which is why a preservation request or hold should be issued as early as possible.
- Access logs – Proprietary systems and cloud services can usually be accessed from multiple devices and locations. Most systems keep detailed records of when someone logged on, from what device or address and what they did, but these records are often kept only for a limited retention period before being overwritten. Locating, preserving and correctly interpreting such information before it expires can make or break a case.
A Better Approach
For any case centered around digital evidence—whether it’s private litigation or a criminal investigation—attorneys should consult with digital forensic examiners at every stage. In some cases, it may be beneficial to include such experts as members of the legal team.
In the collection phase, a digital forensics examiner can assist in identifying and sorting through any complicated variables. They will know what questions to ask and what types of information to seek in discovery requests or warrant applications. Once evidence is gathered, a digital forensics examiner will perform the necessary analysis and help attorneys identify and locate missing information.
A trained examiner can also be an asset at trial by providing expert testimony and by recovering and preparing evidence for presentation. Their value at each stage increases if they have been closely involved with the case from the beginning.
While most agencies that investigate and prosecute cybercrimes have access to digital forensic examiners, private companies do not usually keep such experts on staff. Kroll’s Cyber Risk team includes experienced digital forensic examiners who understand the complexities and variables associated with this type of evidence. They use this expertise to assist clients at all stages of litigation or investigation. Ultimately, legal teams dealing with digital evidence are best served by consulting with these kinds of experts throughout the process.
About the Author: Amanda Rankhorn is a Senior Vice President with Kroll, Cyber Risk, and a retired Special Agent/Senior Forensic Examiner of the Federal Bureau of Investigation. During her time with the FBI, she conducted or supported investigations of a wide variety of violations, including computer intrusions, terrorism, espionage, investment fraud and health care fraud, and was assigned to the San Diego, Washington Field Office and Louisville divisions. While in Louisville, she conducted digital evidence examinations as part of the Kentucky Regional Computer Forensics Laboratory (KRCFL), where she also served as Operations Manager, Deputy Director and Acting Director.