This might be too general, but any insight will be welcome. On a given case, how do you make the assessment that you have done everything you can? More succinctly, how do you know when you are done?
I get the sense that as media storage grows, the time to analyze increases by an even larger factor. The result is that theoretically we can spend a tremendous amount of time and still not be conclusively certain that we have not missed something.
Nonetheless, we have to declare at some point that we are done. What has helped you make that determination?
I'm no expert in the field, but I would think that much of what would qualify as being done would be the wording in the Court Order or Warrant? If you were just looking for images I would think you might be "done" much faster than if the wording said "any and all evidence associated with xyz"?
I would also think being done would be associated with the number of tools that you had at your disposal? In the cellular world if all you had was a Cellebrite then you would be done fairly quickly, but if you had SecureView 3, Device Seizure, XRY, Oxygen, FTK, BitPim, etc., then you would be working a bit longer. I'd say this would apply to computer forensics as well.
Last I'd say you would be "done" at some point depending on your training and experience? It would seem reasonable that someone with additional training and experience could possibly take an examination/investigation a little bit farther than one that had less?
Just my two cents.
When the client sees the current billing. Sort of kidding 😉
It is important to keep in contact with the client about the progress of the case. Before you begin, and certainly as you progress, there should be a defined scope and budget (time and/or money). Famous last words from a client will be "see what you can find" and "don't worry about the budget" - always raises flags. Insist that there be a direction. For the most part, depending on the suite of tools you use, there should be certain benchmarks. The "average" case you will do the same set of procedures time and time again. Structure your investigation logically so that when you hit benchmarks like file, reg and Internet history parsed outputs you can focus on the meaty parts to see if that's enough or if you have to dig deeper. Your findings will have to end up in a report at some point -
Without an investigation plan at the outset you will be searching and scrolling through data forever going nowhere. Have a plan before the investigation and follow along making changes as needed.
As an aside to this - try to DISPROVE your theory instead of proving it and see what's left. This will help focus the investigation and get rid of knowns so you can spot the anomalies.
I really can't add any more to what Doug said; he covered all the points. Like he said, you need a clear focus on what exactly you are looking for. The days of the shotgun approach are long gone because costs go up real fast with that method.
The work is done when you have fulfilled what the scope of the analysis asked for.
Scope the project before the whole thing starts, and make sure you do everything consistently, as Doug said.
From my work, I have a laundry list of static or consistently performed steps, and dynamic or as-needed steps I perform.
The static tasks are non-negotiable. They are performed because they provide the basis for other static tasks, but most importantly the dynamic tasks. It is super annoying to get toward the end of my analysis, just to find out I missed one more supporting source or step that could have been done initially…
It is a laundry list, and the attorneys I work with know what their options are. They now only present what they want to prove/disprove. I make the technical suggestions, and I go from there. Sometimes they are happy with my findings (because they are proven correct), and sometimes not so happy . . .
I almost always follow up a phone conversation with a quick e-mail to confirm the discussion, and request acknowledgment. This is especially important when there is scope creep. It puts the attorney on notice of additional work, and associated cost.
For me it depends on if the case I am working is criminal or civil. In the criminal cases I am looking to prove beyond a reasonable doubt. I am turning over rocks looking for more rocks to turn over.
With civil it's what the client has requested. Most of the time the almighty dollar decides those cases. The size of the claim and the implications to the client will dictate what they want done.
Hope this helps, good luck.
I think it does depend on the background of the case, the intelligence you receive from the investigation, and the envisaged outcome.
For example, will it make any difference if you take the time to produce thousands and thousands of deleted graphics files if you can't say where they came from? Or do you spend hours looking for steganography on a computer of someone who you have assessed as having very low IQ or technical ability? I would suggest not.
If you are in possession of a full confession to having indecent images of children, is it worth looking for signs of distribution, or do you just charge with possession with a guilty plea envisaged? Again I would suggest not; you have to have a look.
I try to make sure that the remit of the investigation is agreed up front, either in what to look for, or a time limit or both. If you examine to that remit or investigation rationale, and something comes up during your investigation it can be further investigated, however if it comes up during the judicial process as a result of further defence disclosure for example then you are also covered.
Some of the defences that are submitted are impossible to foresee and therefore you would be stupid to draw a line at any point and say "yes I have done everything possible!"
Depends on the case, but most of the time when I've answered the investigative questions, written a report, and briefed a client.
OR anytime a client doesn't want to continue the case.
Totally agree with Douglas regarding scope.
Make sure you have *well formulated investigative questions*, and focus on answering them. I've seen investigations fall over because someone didn't ask the right questions during intake. People were busy for a week trying to prove something that wasn't related to the case, a waste of time and manpower.
Roland
When I can answer the following questions with a "yes" (or a "no"):
Did he do it?
Are you sure he did it?
Can you prove it?
Are you happy that he hasn't done anything else that we don't know about?
Have you checked his account of what happened?
There is ALWAYS another tool to run, another search term to try, another file to open, another bit of unallocated to poke, you just have to trust your own judgement.
Truly interesting. Herein lies what I see as a problem: it is ad hoc and varies with the practitioner. Douglas basically identified what all practitioners need whatever the type of case: a plan from the onset of the case. "Without an investigation plan at the outset you will be searching and scrolling through data forever going nowhere. Have a plan before the investigation and follow along making changes as needed". This also highlights the difficulty in establishing standards for the field.