By Robert B. Fried, Senior Vice President, Sandline Global, Forensics & Investigations
As forensic practitioners, we must do our best to stay ahead of ever-changing technology but sometimes we are thrown curve balls. For example, taking a trip down memory lane, several years ago I was excited to take a course on the Apple file system. After a week of in-depth training to learn the HFS+ file system, Apple announced that it would soon be releasing the APFS file system! Another fond memory I often recall, I went to perform a forensic preservation of a data custodian’s phone only to discover that the phone – that was supported by the forensic tool the day before – was no longer supported, as the phone’s operating system had automatically updated overnight. When it comes to technology, things change frequently and quickly.
Collaboration Is Key
We are often engaged because something is wrong. Clients reach out because there is a matter, likely involving litigation, or an investigation, and they need expert guidance. Some clients have previously engaged a forensics practitioner, while others have not. In any case, every matter is unique, and must be dealt with in a manner where we can gather as much information as possible, from all available parties. We must take on an important role – the trusted advisor.
Legal practitioners and corporate personnel are faced with the task of identifying and ensuring that data relevant to a litigation or investigation is preserved in a forensically sound manner. The number of data sources and the volume of data are continuously increasing. Data is not always stored onsite, or in its default or designated location; this has become even more of an issue as a hybrid and remote workforce has become prevalent in recent years. Identifying and preserving data must be a collaborative effort between various teams – Legal (internal and outside), IT, business stakeholders, and forensic practitioners.
It is important that we understand the scope of the matter, taking into consideration any known complexities and sensitivities. Emotions may be running high, and knowing what to say – and how to say it – can make a difference to a client at this particularly delicate time. This includes conveying technical concepts in a manner that is clear, concise and that can be easily understood, regardless of whether the client is tech savvy or not. The tone of delivery is important; we must remain calm and confident throughout. Often, time is of the essence, and the easier it is for a client to understand the issues at hand, the more likely it will be that all relevant parties are on the same page with a path forward.
What and how we communicate is just as important as the method of delivery. Depending on the preference of the client, email may suffice. Providing updates and summaries of findings to a client via email is effective, especially when communicating to multiple stakeholders. If a matter is urgent, and if time sensitive, some clients prefer to text message or call for real-time updates. More recently, many clients are using video teleconference solutions; this has allowed for clients to not only see each other but also to screen share between attendees which can be helpful when reviewing findings or drafts of reports. No matter what method of communication is utilized, we must be transparent and provide regular updates to a client (the frequency of which can be decided upon by the client and / or the forensic practitioner).
Stay Ahead of the Curve
With over twenty years of experience in the digital forensics industry, I am continuously taking steps to attempt to stay ahead of the curve. I began my career as a Computer Crime Specialist with the National White Collar Crime Center (NW3C), where I developed courses and trained local, state, and federal law enforcement personnel on basic and advanced topics related to computer forensics – continuing education is part of my DNA. Digital forensics is a highly dynamic industry, and as forensic practitioners, we must be aware of training opportunities that may help us to stay current, properly advise clients, and advance our careers. Many professional training organizations offer onsite and on-demand courses. These courses not only allow forensic practitioners to gain knowledge but are also an opportunity to network with others. There have been several instances where I have reached out to fellow classmates, well after a course has ended, to discuss a scenario that I had encountered. Courses are not the only option when it comes to continuing education. Many vendors of forensic software and hardware offer webinars where valuable information is shared about their products or an important or trending topic. Additionally, many vendors post upcoming events in newsletters or on social media platforms.
We know that there may not be a solution for every situation encountered. Be it a forensic tool’s lack of support for a device that must be forensically preserved, or a request from a client to deliver data in a specific format, it is important to be innovative. I can recall recent matters where it was necessary to develop a customized solution to accommodate client needs; this has included the development of an automated script to convert mobile data into a format that could be utilized to ingest the data into a document review platform. Additionally, in the last two years, many workflows that my teams had utilized needed to be reviewed and revised due to the COVID-19 pandemic. Restrictions on travel, and for many, the shift to performing operations remotely, has resulted in many of us having to rethink the ways in which we complete tasks.
In recent years, there has been an increased focus on data security and data privacy. Although many of us take direction from legal counsel, it is important to be aware of such sensitivities, and be knowledgeable regarding local laws. We are often asked to address how we go about ensuring that client data in our possession is secure. Further, many data custodians are particularly sensitive about their personal data that may be commingled with work data on their devices; it may be necessary to develop customized workflows to address their concerns. It is important that everyone is comfortable, and on the same page regarding the actions that will be taken – but still ensuring that the methodologies utilized are defensible.
How can we measure the success of a client engagement? Often, once a matter starts, things move relatively quickly. Much relies on our ability to effectively execute and deliver results in an efficient, timely and defensible matter. Throughout the course of a client engagement, as each task is completed, we should take time to answer two important questions:
- Was the task completed?
- Were the results communicated with the client in a timely an effective manner?
Of course, we would like to see a successful outcome for our clients. Regardless of the outcome, at the end of a client engagement, it is important to take the opportunity to debrief with the client – this allows for continuous learning, to identify where improvements are needed, and most importantly to nurture the relationship with the client as a trusted advisor.
Robert B. Fried is a seasoned expert and industry thought-leader, with over twenty years of experience performing data collections and forensic investigations of electronic evidence. Robert leads the day-to-day operations of the Forensics and Investigations practice, overseeing the forensic services offered to the firm’s clients, including data collections, forensic analysis, expert testimony, and forensic consultation. Additionally, Robert was a Computer Crime Specialist at the National White Collar Crime Center (NW3C), where he developed and instructed computer forensic and investigative training courses for federal, state, and local law enforcement agencies. Robert attained a BS and MS in Forensic Science from the University of New Haven. Robert serves on the Board of Advisors for the Masters in Investigations program at the University of New Haven. Robert has been a guest on industry podcasts and has been published in several professional publications, including: Legaltech News, NALI’s The Legal Investigator and the International Legal Technology Association’s (ILTA) Peer to Peer Magazine. Robert is the author of PI Magazine’s CyberSleuthing Department, where he shares insightful content on topics relating to digital forensic science, eDiscovery, data privacy, and cybersecurity.