Interviews - 2009

Sean McLinden, Outcome Technology Associates, Inc.


Posted Friday February 17, 2012 (18:42:50)
Sean, can you tell us something about your background?

My first exposure to computers was as an undergraduate when I saw an episode of the PBS series Nova about artificial intelligence (AI). Since I was headed to the University of Pittsburgh to begin a graduate study in Medicine I hooked up with the team of Jack D. Myers, MD, and Harry E. Pople, PhD., who were researching the development of programs which could mimic the actions of human diagnosticians. Their laboratory was kind of a skunkworks which not only explored artificial intelligence, but also computer networking, hardware design and operating systems. Everyone who worked there was expected to be well versed in computer design and applications and innovative and there were a lot of opportunities for creativity and independent action. That model became my model for building collaborative teams in which people are encouraged to think independently, question conventional wisdom and be self-motivating.

Following completion of medical training I was recruited to become the head of MIS for what would become a university affiliated teaching hospital. Whereas in the research lab, sharing was the norm, in a patient care setting, the security of the information is paramount. This experience also taught me how production IT operations work, including the human element, an understanding of which is critical to cost-effective enterprise forensics.

From there, I chaired a university graduate program in IT management and then directed a clinical outcomes research group before starting Outcome Technology Associates in 1998.


What type of work is Outcome Technology Associates, Inc. engaged in? What does your role as president involve?

Outcome Technology Associates began as an organization that developed software and refined practices for the health care industry. Specifically, we did data analysis for patient clinical trials and helped to design systems for the sharing of patient information via data networks. Because our work involved a high degree of confidentiality, we were retained by law firms which had the need not only for data capture and analysis, but also the ability to be discreet. At that time, computer forensics was unheard of and so, "experts" were drawn from the academic and business units where IT practices were the area of specialization.

Our first cases involved simple data recovery, preservation and analysis for use in civil and criminal legal proceedings. The paper record was still the standard for courtroom evidence and most computer forensics involved the detection of traces of the paper record on computers. In 1995, we were consulted by attorneys for the plaintiff on a very large case involving tens of thousands of electronic documents, including e-mail, which was thought to contain evidence of an intentional breach of contract by the defendant. The outcome of the case was a $30 million judgment in favor of our client, and that was the start of our full-time business.

Today we are involved in any and all types of civil and criminal investigations in which the preparation, storage or transmission of information in electronic format is involved. I can say, in all honesty, that each of our cases has had one or more features which is/are unique among all of our clients, so it would be hard to pin us down as specializing in one form of computer forensics.

For example, one of our cases involved multiple defendants who were part of an integrated health care system which had failed to alert a patient's physician to an abnormal test result. As a consequence, a treatable condition became an untreatable condition. There was a lot of finger pointing and accusations were flying everywhere. We were retained to help assess, based upon the forensic evidence, the degree to which each defendant may have had responsibility for the mis-communicated results; in essence, it was a joint and several liability determination. This case involved not only acquisition of data from various devices but also an analysis of the plaintiffs' systems for redundancy, accuracy and appropriateness in identifying urgent results so there was an operational assessment in addition to the forensics, itself.

In addition to responding to new and emerging incidents, we also help organizations to be pro-active with respect to threat mitigation, intrusion and extrusion detection, document retention, electronic discovery and data de-duplication. While many of the cases that we have had have started with a similar request, the direction and outcome of our investigation has been dictated by the facts as we discover them, rather than by a preconceived approach.

Part of what guides our approach is the expertise of our professional staff. Each Associate has at least 10 years of practical experience in IT management, network design and security, programming, intrusion detection, etc. This helps us to address not only the client's perceived needs, but also the future needs that we anticipate as a result of our experience. As a result, we are better able to assist our client in anticipating not only the outcome of an investigation, but also the ultimate cost.

As President, my job is to attract and retain staff, solicit new clients, determine if the client's issue is suited to our abilities and interests, prepare an approach to that problem if we determine that it fits with our abilities, arrange a referral if it doesn't, and ensure that the outcome exceeds the client's expectations without exceeding their budget.


What are the biggest changes you have seen in computer forensics work over the last 10 years?

Ten years ago, most of our cases were small cases, i.e., less than 40 person hours of work. Today, even the smallest case tends to evolve into a much larger case because the computer forensics is, no longer, the end point of the investigation but simply one or more bits of evidence in support or refutation of one or more larger issues.

For example, we were recently involved in a case where an organization discovered that one of its members had viewed contraband materials on the organization's computers. We were asked to determine if the individual had viewed this content on other machines. In the course of the analysis we were able to determine that not only were there widespread violations of the organization's Acceptable Use Policy, but that there was also conclusive evidence that certain of the systems were participating in BOTNETS and had been victimized via backdoor type exploits. As a result, we not only assisted the organization in pursuing the criminal complaint against one member, we were also able to help the organization mitigate the possible effects of HR actions against offending personnel as well as assisting them in revamping the IT practices and policies so as to make such risks less likely moving forward.

To reframe the answer, one of the biggest changes that we have seen is how participation of systems in a network has completely altered the landscape in terms of what might be discovered during an investigation. This carries with it not only a responsibility to the client, but a responsibility to society and, possibly, law enforcement, as well.

Other changes that we have seen which, I am sure, are obvious to many, are the proliferation of embeddable systems capable of storing and transmitting data, greater availability and use of electronic privacy enhancing tools including Internet anonymizers such as the Onion network, an inability to accurately assess the impact of malware on the value of evidence obtained in an investigation (leading to, among other things, the Trojan Defense), and the impact of the use of social networks on our ability to conduct a thorough investigation. This is particularly important in a civil investigation because relevant information may be outside the scope of a civil subpoena.


What do you think are the biggest challenges facing computer forensics professionals today?

There are quite a few, actually. In the US, the Electronic Communications Privacy Act insulates ISPs from many types of civil subpoenas. While protecting the ISPs from frivolous requests for information this also stymies the ability of the private sector to investigate activities pertaining to security, theft of intellectual property and theft of personal identifying information. Consider what happens if Google OS makes the desktop little more than software as a service (SaaS) and then claims all of the content to be e-mail?

In some circumstances, even greater privacy protections apply to residents of EU countries making multinational civil and even criminal investigations problematic. One only has to look at the history of US-EU cooperation on airline passenger data to understand how difficult it can be to get international agreement on support for criminal and civil actions where electronic data are involved.

Most of what we have seen in our practice involves predominantly civil actions although some have involved or resulted from illegal conduct. In a recent investigation with serious implications for the financial sector, we found leads in three different countries in Europe, two in EU member countries and one with which the US has no formal treaty for data sharing in investigations of this type. In each case, civil authorities were unable to cooperate in the civil investigation and it could not be proved that activity in those countries, which resulted in significant financial problems for our client, were illegal. While I can't describe, in detail, what happened I can say that the problems that hampered that investigation remain and continue to pose a threat to the security of online financial transactions both in the US and abroad.

Many types of computer crime have a global component. Easy access to BOTNETS for rent, web proxies and anonymizing sites has made it possible for bad actors working locally to exploit global resources for their own nefarious objectives. In some cases, there exist no treaties between countries which would allow investigations to proceed without diplomatic intervention. Moreover, it seems apparent to me that the current global distrust of US financial markets has, at least for the moment, made it even more difficult to appeal for help, overseas, in investigating security breaches involving the financial sector in spite of the huge interdependence of these interests on each other.

Increasingly, major businesses are relying on call centers, application hosts and customer support organizations which may be beyond our ability to reach them via civil or law enforcement approaches. One of our clients experienced a theft of credentials which allowed the thieves to access an application hosted by an unaffiliated service provider to that client. With this access, the thieves were able to reroute the data destined for our client to systems hosted in countries where US law enforcement has little or no support.

We were asked to determine how the credentials were stolen and by whom. As part of our investigation, we learned that the service provider's call center, which had access to account information, was located in a country which had much less stringent privacy protections than in the US. More importantly, however, while we were able to determine that security was lax at the call center, we had no standing or jurisdiction for legal discovery of the call center's operations. The service provider had standing by virtue of their relationship to the call center, but had no interest in admitting to a potential systemic flaw in their processes. In essence, we were at an impasse, able neither to confirm nor to refute the hypothesis that a breach at the call center could have been responsible.

Another challenge which faces all of us in computer forensics is the miniaturization of storage media and the rapid proliferation of privacy tools which protect files and even user interactions. For example, the DemocraKey coupled with technologies such as the Tor anonymizer and TrueCrypt, can make the use of a computer for e-mail and web viewing practically impossible to discover. Nearly all thumb drives sold, today, come with some type of privacy protections. MicroSD chips make PDAs and cell phones data acquisition devices. These and other systems for encryption and obfuscation can make it very difficult, if not impossible, to extract information in a time sensitive manner.

The ubiquity of wireless access points and rogue access points is another concern, especially in light of common or default settings on some zero configuration wireless services.

Finally, one of the biggest challenges facing computer forensics professionals, especially in the US, is misguided attempts to protect consumers through state licensing requirements which are inconsistent, lack reciprocity and fail to take into account the differences between computer forensic and civil and domestic investigations.


What would you most like to see changed or improved in the digital forensics world?

What I would most like to see is greater cooperation between the public and private sectors in the investigation of computer crime and compromise. Others have proposed, and I support, the idea of creating a kind of clearinghouse whereby companies and other entities can contribute what information they might have about a past, ongoing or future, crime or compromise, and know that they are indemnified against damages or adverse publicity that might be associated with such a disclosure.

In the last couple of cases that we have had involving financial institutions, we have requested that clients allow us to share with certain, trusted, colleagues, detailed information about the means in which they were exploited so that we could compare these to other, documented, exploits in an attempt to detect whether there was a pattern of interest. Our clients were, rightfully, concerned about the damage to their shareholders and customers if this information was disclosed and refused to allow it. This is completely understandable but unfortunate. By sharing information about exploits we can better determine if there is a common origin or purpose.

What is needed is a forum where private entities can share information with private and government investigators without the threat that this information, or the exploit, itself, will be exposed. Of course, this will require rigorous control of who has access to this resource. But without, we'll continue to see what appear to be isolated exploits when, from the right perspective, these might be seen as coordinated attacks.

We also need to see greater cooperation between the private sector and government and law enforcement. The fact is that most electronic crime and compromise is targeted in the private sector not government. Many investigations begin through private sector initiatives, some of which may lead to criminal investigation and some which may not. But many tools available to law enforcement are not available to the forensics community as a whole. In some cases, this may be justified, but it also hinders the ability of private organizations to effectively monitor the activity which is occurring on their networks.

A simple example is in the area of child pornography (CP). Law enforcement has access to CP hashsets some of which are not available to non-LE. On a couple of occasions we have been retained because there was or was suspected to be CP on a network. In one case, the FBI requested that our client complete an audit of their network to determine if there were other computers involved. We used a number of standard as well as proprietary technologies to automate this process but one gap in our investigation was access to up to date CP hashsets. It wouldn't even be necessary to have the sets if an Internet service could be provided which could look up hashes to determine if they are suspect.

Another example is PII theft. We had a case where a stolen disk drive belonging to a software developer was suspected to contain names and valid Social Security Numbers (SSNs) used as test data for a developing application. Indeed, using the Social Security Administration's guidelines, more than 90% of the numbers met the criteria for SSNs and 10% could have easily been transpositions.

State reporting and notification requirements vary and the process is expensive for the client who has had the data stolen. We needed to determine whether these name/number pairs were valid SSN data, not just possibly valid. The Social Security Administration web site has an online bulk SSN verifier but, by law, it can only be used by employers to verify the status of employees or hires. I spent a good deal of time in e-mail and phone conversations with the Office of the Inspector General of the Social Security Administration but the answer was always the same; the verifier can only be used for employment verification purposes, not investigations of PII or identity theft.

Currently, ISPs in the US are only required to retain user data for 90 days. This, in my humble opinion, is too short a time to enable an investigation to reach the point where a subpoena can be issued. ISPs are no longer the small, risk-taking, innovating businesses that they were a decade or more ago and they don't need the same degree of government protection. They are multibillion dollar businesses and they provide a key infrastructure which is both essential to and simultaneously a threat to the global as well as national and personal economies. Laws related to their retention and monitoring policies and practices have not kept abreast of the significance of threats to their misuse and need to be changed. It is possible to protect privacy while maintaining accountability and vigilance at the same time.

Thus, in spite of all of the attention paid to the threat of cybercrime by this and the last administration, my current view is that our preparedness and ability to investigate cybercrime incidents is about where the state of the intelligence community was prior to 9/11. There is a lack of cooperation between key constituents, both domestic and foreign, and a lack of coordinated response to incidents when they occur.


What advice would you give to a computer forensics examiner preparing to testify in court for the first time?

First of all, your job is to present your findings and opinions related to the computer forensics aspects of the case. In most cases, there may be one or two other people in the courtroom who know as much as you do or more; probably not the attorneys. Stick to what you know. Don't try to give a legal opinion; that is not your area of expertise and not only will you be called on it, it may be used to suggest bias.

Never exaggerate, vacillate or make up things. My grandmother used to say "if you never lie, you'll never have to remember what you said." The Court, however, will remember what you say and opposing counsel will pore over every statement that you make looking to find something to discredit you. In some cases, you'll discover through your testimony or the testimony of others, that you have overlooked or missed something. Don't try to rewrite the past by saying something that isn't true. There is nothing worse than being demonstrated to be a liar in court.

Never interrupt the interrogator; the question that he/she is asking may not be the question that you are anticipating. Let the attorney make his/her case, not you. Give the shortest, simplest, most straightforward answers, possible. If you are asked to elaborate, do the same; make it short and sweet. You never want to say more than the minimum which you need to say to respond to the question. At this point, you have gotten to the stand which means that your credentials have, at least tentatively, been accepted.

Don't try to use your direct or cross examination to pad your resume or impress the Court with your abilities and keen understanding. The case is not about you, it is about your client. Remember that you can only hurt yourself by testifying, not by shutting up. So each time that you open your mouth, you have only to lose. This is especially true of cross examination where it is imperative that you make the opposition work for your testimony.

Never answer the same question more than once, even if it is asked in a different way. You can only say something that varies from your previous answer and that will get you in trouble. Instead, you can say "I believe that I have already answered that question." which will force the examiner to ask in a different way. Now you are in control.

Never answer a question that you don't understand; you can always ask the attorney to repeat or rephrase the question. That is also a good way to regain control of the examination if you think that things are getting out of hand.

Don't answer a yes or no question if it can't be answered "yes" or "no" but if you must (as in the case where the question has so simplified the facts as to be meaningless), you can always qualify your answer with "in the limited context of your question, the answer would be ..." This gives your client's counsel the chance to address your reservations on redirect or re-cross.

Be careful of "Do you agree" or "Would you agree" questions which, when asked by the opposition, are usually an attempt to get you to contradict yourself. For example, if you are asked something like: "Do you agree that a pattern of zeros on the drive could be an indication of wiping?" you can qualify your answer by ending with the phrase "with reservations" or "in a limited number of circumstances", if this is more correct.

Along those lines (and in the context of my last point), remember that anything that you have written down or posted to a forum can be requested in discovery. I, once, asked a forum if the members had ever seen a large pattern of zeros written to specific places on a hard drive and one respondent who was also a well respected forensic expert replied "Have you considered wiping?" I had and I was looking for others' experiences with alternative explanations as I was contending that the drive had not been wiped. On the stand I was asked whether a pattern of zeroes could indicate wiping. I could hardly say "no" but I didn't want to leave it at "yes" so I responded "Under certain circumstances, it could, but not all." Although I knew that he wasn't going to ask the follow up question, my answer left the follow up open to redirect.

Never show contempt or disdain for opposing counsel unless it is appropriate (i.e., the person is palpably contemptible) and don't be goaded into responding to contempt that opposing counsel may show toward you. Judges and juries have a sense of fairness that sees through that nonsense. If you are being mistreated, they'll see that and adjust their sympathies, accordingly.

Remember that the easiest way to discredit your testimony is to discredit you so don't be surprised if opposing counsel's attacks seem personal. The more personal they seem, the more likely it is that they can't shoot holes in your testimony so they are going at you, instead.

As I noted, previously, don't be surprised to find postings to this and other forums as part of the cross examination, especially, postings where you say "I'm new at this, can someone tell me..." As the expression goes, anything you say (or write) may be used, against you. You don't want to be sitting in the courtroom reading aloud the message that you wrote saying "I'm a newbie so please be patient with me".

Don't inflate your experience or credentials. A famous investigator in the UK was disqualified after it was discovered that he lied about having a degree in spite of the fact that he had testified in many cases.

Listen to all of the testimony (if you are allowed), not just yours. It will help you to understand the facts of the case and the arguments of counsel for each party. This will help you in choosing how to express yourself and it will also allow you to establish who is more believed.

And, finally, remember that you only need to be disqualified as an expert, once, to be out of the game forever. So make sure that you have documented your process for the handling and preservation of the evidence, your investigational methods, etc. It helps if you have a rough outline of a standard operating practice, including identification of evidence, chain of custody, etc.


Are there any aspects of computer crime legislation which you feel could be improved?

Well, of course, this forum has members from many countries so I'll try to be as generic as possible while precise.

As Benjamin Franklin is alleged to have written, "Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety". Any legislation must consider the protection of personal liberties and privacy. That having been said, it is interesting that the clause contains the phrase "temporary safety", suggesting that different consideration should be given to changes which could result in permanent increases in safety.

The Internet is not like other utilities. While, in many places, you can sell power that you generate at home back to the service providers, you need to meet certain standards. You can't, insofar as I am aware, start pumping gas from a home well back into your gas service to be sold to other customers. But once attached to the Internet, you can pretty much push out whatever you want in terms of content and there isn't much to stop you.

The problem is that this same infrastructure is used for other purposes, including legitimate and important purposes, and the use of that resource crosses international boundaries.

Thus, we need to consider how to best manage that infrastructure so as to protect the integrity of the information that flows through it.

I think that laws related to the retention policies of Internet Service Providers need to be reconsidered in light of the problem of investigating an incident long after it has occurred. Storage is cheap whereas losing information that might be essential to an investigation can be quite expensive.

We need to revise the notion of what is protected and what is not protected from a civil subpoena. Certainly we do not want to create hardships for service providers that would make it impossible for them to deliver services at a price that many can afford, but we also need to be able to investigate incidents in which the ISP or hosting service may be neither the perpetrator nor the victim but is still a party to the action.

In the US the December 2006 revision of the Federal Rules of Evidence had many important improvements to the collection, handling, storage and analysis of electronic information, but individual state laws are much more varied and less explicit. A problem can arise when a legal action is moved from a state court to the Federal court system. State legislatures need to give some consideration to basing their rules of evidence on the Federal standard.

We need legislation which provides a greater degree of protection for non-LE forensic examiners from prosecution for performing the duties for which they have been retained. In particular, if I image a computer which turns out to have CP on it, I don't want to be in violation of Federal law simply because I possessed and transported that image.

Many of the incidents that we have investigated cross state, or even national, borders. That is the nature of business, today. As a physician, there is not a state in the Union that would prevent me from testifying as an expert witness in medicine simply because I was not licensed to practice in that state. Further, no state would criminalize my appearing as an expert witness simply because I lacked the license to practice medicine in that state. Yet, in many states, I could be fined or even jailed for appearing as a witness in state court without a PI license. This only limits the opportunities that clients in these states have to obtain the best forensic experts they can.


Have we, broadly speaking, struck the right balance between investigatory powers and the protection of individual privacy?

In my opinion, this will always be somewhat of a moving target as technology makes possible things that we can't imagine, today. One of the fundamental assumptions made by the framers of the US Constitution was the ability of the collective to resist the tyranny of the few as long as individual liberties are protected. In 1776 there existed no weapons of mass destruction except armies and armadas.

That has all changed and I fear that we are going to see even more horrendous demonstrations in the future. Hopefully, such demonstrations will not push us to act, hastily, and without appropriate consideration of the consequences.

It is also, I think, a myth to assume that we have any real privacy with our dependence on technology for communication and entertainment. While it is true that most forms of electronic eavesdropping are illegal, they are neither impractical nor expensive. I managed to pick up one side of my neighbor's telephone call on my son's wireless baby monitor. Who knows what my neighbor managed to pick up from us?

So the issue is not so much whether we have privacy as it is can we protect ourselves from the misuse of information to which we cannot prevent access?

On the flip side, the same technology which makes it virtually impossible for someone to decrypt my data can hinder law enforcement and intelligence from protecting my security.

Common to both views is the fact that technology is amoral and nearly ubiquitous. Bad people will use it to do bad things and good people will not. There exists, right now, a general reluctance on the part of most people to utilize sophisticated encryption techniques by default. I'd venture to say that if everyone started using BitLocker and TDM or TrueCrypt, tomorrow, many of us would be out of work and the intelligence community would be far less able to protect us from real threats.

This is not, I am afraid, a problem that can be won with laws which restrict individual liberties, quite the contrary. I was against certain features of the FISA Reauthorization Act of 2008 because they eliminated the need for accountability. I am against immunity for telecom operators for disclosing my data without a court order. As a subscriber they have a responsibility to me to protect my information from disclosure except under court order. It is in the nation's best interests that they require such an order.

Governments are faced with a slippery slope (and I think that they are close to the fall). Fail to protect their citizens from the unauthorized use of their personal information and communications (including access by the government, itself), and users will react by employing encryption on most or all of their data. If law enforcement and intelligence are no longer able to protect the public because they have scared the public into encrypting even the most innocent communication, what can only happen, next, is further suppression of the rights of citizens to freedom of expression and privacy.


One of the questions we're often asked at Forensic Focus is "how do I get started in a computer forensics career?" What advice would you give? What qualities do you think are most important for work in this field?

Obviously, quality number one is personal integrity; lack it and you might as well hang it up. To a certain degree, everyone must have a certain amount of intelligence, a willingness to work hard and to learn and enough education and experience to conduct an investigation and accurately describe his or her findings and impressions. An essential feature of the profession, in my experience, is curiosity. I have worked on cases where even when presented with unexplained facts which suggested a different approach to an investigation, fellow investigators have been too focused on preconceived theories to change the direction of the investigation, often with disappointing consequences.

I believe that it has been an asset to have worked in and managed production IT settings where I have had the opportunity to learn how technology is used in the real world. This is especially true in enterprise investigations where the costs could skyrocket if a heuristic approach were not followed in pursuit of the evidence. All civil investigations weigh the benefits of discovery and analysis against the hardship to the client. Recommending a surgical approach to the investigation can help to save costs and minimize waste and such recommendations require experience.

A lawyer once told me that the bane of all lawyers was the client. In medicine, we tend to follow the axiom that patients will never be completely honest with you about drugs, alcohol, eating, sex or psychiatric illness. What this means is that as an investigator, you need to understand what your clients want, but not always believe what they say, not because they are intending to dupe you, but because all of us, including clients, want to be seen in the best possible light, even when we are asking for help.


What do you make of the current state of computer forensics education?

I can't comment too much on this because I have little experience with it.

I can say that, as I noted before, issues with the confidentiality of many cases mean that real and important case studies may never make it into the textbooks where they can be used to instruct forensic practitioners, at least as it affects the private sector. Also, having started an academic program in information management, myself, I can opine that new college programs tend to be market driven and the market is not always the potential clients but, in fact, the potential students, especially when the demand for entry into the profession comes from the students, themselves.

A forensic pathologist I know complained to me that juries expect forensics to be like what they see on TV; every problem is resolved within 53 minutes. If the curriculum of the forensics program has advisors from the public and private sectors who are able to articulate the needs of the constituency, and the program is able to address those needs through the recruitment of the proper personnel, then I see no reason why an academic program cannot be one route of entry into the profession. But that is a big if.


What are your plans for the future?

Honestly, I don't know what the future will hold. I started out modeling medical decision making using a computer and graduated to the practice of medicine, then running a hospital IT operation and a research unit until ending up in IT forensics. I have no idea what I'll be doing, tomorrow. I've already mentioned some of the "threats" to our profession, namely, encryption which is impractical to thwart. There are others.

Many IT organizations are now internalizing their IT forensics operations as part of a risk management strategy. While this is not a bad idea, there are benefits to independent forensic experts who are not beholden to the company management and who are able to face their clients with objectivity and knowledge of the facts as they may be interpreted by others. But not all companies face this need.

Many of the big accounting and other firms are now getting into the act with their scripted approaches to what I feel must be an individualized approach based upon the features of the case and the objectives of the client.

Some of the vendors of forensics software have now started their own consulting units, a bad idea in my mind because it can result in undercutting your primary customers; independent and corporate investigative teams. I won't mention any names but my regard for one such firm fell when I requested special pricing for a one-time use of their "enterprise" software and they responded by trying to sell me the services of their consulting business.

There are still a good many opportunities to automate some of the processes which can only be done manually, today. We are working on some standalone products and plugins which, we hope, will speed both the process of analysis and discovery. It is always good to be able to offer a product in addition to a service.

But, ultimately, the market will decide whether there is demand for our services. Perhaps I'll throw all caution to the wind and write up some of those case studies which are good examples of what can go right and wrong in an investigation. But that would betray my clients' confidence so I guess I'll have to carry those secrets to the grave and think of something else to do.


What do you do to relax when you're not working?

I have a 2-year-old son so relaxation is a luxury.

But he and my wife, who is also one of the partners in the business, live in a 110-year-old Victorian house on a river and have an 85-foot-long sternwheeler built in 1928 which is a second home to us, which is good, because the house is being renovated. Between the son, my beautiful wife, the house, the boat and the river, I have enough to keep myself occupied. It isn't always relaxing but it is never uninteresting.


Sean can be reached as follows:

Sean McLinden, MD
Outcome Technology Associates, Inc.
PO BOX 53
Sewickley, PA 15143
412.741.9000
[email protected]

 
