Hello!
I'm new to the forums here and new to forensics in general.
A little background on me
I'm an A+ certified technician working for a Juv. Court. I have an associate's in C.I.S. with a focus in User Support. I've been a computer hobbyist and gamer for more than a decade but have only been working professionally in the IT field for 4.5 years.
I was approached a few weeks ago by a coworker and offered an opportunity to help a lawyer with a case. I've been asked to serve as an expert witness and help determine if pictures have been deleted off a laptop and if an SD card has been plugged into the computer previously. I accepted the request and the lawyer presented the same credentials to the Judge who has accepted me.
I thought I was just about ready to start looking at the computer in question, and then I stumbled upon these forums. I'm confident in my general IT abilities, however I'm not entirely sure that I have the tools that I should have. I don't want to go in unprepared, so I was hoping maybe some of you wonderful folks might be willing to give me a few pointers (some jeering as well if you want.)
I've been told I'm working on a laptop and it has a card reader built into it. I've done a little research and found where the Registry stores hardware IDs for SD cards when they're plugged in. I verified the process by plugging a couple of SD cards into my laptop and watched the entries appear. I plugged the same cards into another laptop and the same entries showed up, so I'm pretty sure I'll be able to tell from that by loading the registry file and seeing if the entry for the card in question exists. I'm not entirely sure about getting the hardware ID for the actual SD card. Would it be realistic to think that I'd be able to plug the card into my own laptop to get an entry in my registry to match it to?
As for looking for deleted files, I was thinking that I'd probably want to use some sort of live boot media such as Windows PE or a variety of linux boot media and then run some sort of hard drive scanner from there. Does anyone have any suggestions on any particular tools to use?
I'm not trying to just jump into the field, but for this one particular instance I'd like to do a thorough enough job that I won't cause anyone any grief. Can anyone help me out? Thank you in advance for your assistance.
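The registry check described in the post above, written out as an added PowerShell example (it is not code from the original poster or from anyone else in this thread). It assumes the examiner already has a forensic copy of the evidence machine's SYSTEM hive at the hypothetical path C:\evidence\SYSTEM, runs from an elevated PowerShell on the examination machine, and that USB mass-storage devices are recorded under Enum\USBSTOR and cards seen by a built-in SDHC reader under Enum\SD (the second key name is an assumption, so the script reports a path as absent rather than failing when it is not present):

```powershell
# Added example, not from the original post. Assumes a forensic copy of the
# evidence SYSTEM hive at C:\evidence\SYSTEM (hypothetical path) and an
# elevated PowerShell session on the examination machine.

$HivePath  = 'C:\evidence\SYSTEM'   # a copy of the evidence hive, never the original media
$MountName = 'EvidenceSYSTEM'       # temporary mount point under HKLM

# Load the offline hive under HKLM\EvidenceSYSTEM so it can be browsed like a live key.
reg.exe load "HKLM\$MountName" $HivePath | Out-Null

try {
    # Select\Current names the ControlSet that was active at the last boot.
    $current = (Get-ItemProperty "HKLM:\$MountName\Select").Current
    $cs = 'ControlSet{0:D3}' -f $current

    # Device-instance keys for removable storage. USBSTOR covers USB card readers
    # and thumb drives; Enum\SD is assumed to hold cards seen by a built-in reader.
    $enumPaths = @(
        "HKLM:\$MountName\$cs\Enum\USBSTOR",
        "HKLM:\$MountName\$cs\Enum\SD"
    )

    foreach ($path in $enumPaths) {
        if (-not (Test-Path $path)) {
            Write-Host "absent: $path"
            continue
        }
        # One subkey per device model, and under it one subkey per instance
        # (the instance key name is the serial number or generated instance id).
        Get-ChildItem $path | ForEach-Object {
            $device = $_
            Get-ChildItem $device.PSPath | ForEach-Object {
                $props = Get-ItemProperty $_.PSPath
                [pscustomobject]@{
                    Bus          = Split-Path $path -Leaf
                    Device       = $device.PSChildName
                    InstanceId   = $_.PSChildName
                    FriendlyName = $props.FriendlyName
                    HardwareID   = ($props.HardwareID -join ';')
                }
            }
        }
    } | Format-Table -AutoSize
}
finally {
    # Release handles to the mounted hive, then unload it so the examination
    # machine's own registry is left as it was.
    [gc]::Collect()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The InstanceId column is the value to compare against the card in question: the same serial or instance id is what the poster saw reappear when the cards were moved between two laptops. Record the card's identifier on the examination machine through a hardware write blocker rather than by inserting it directly, so the card's own contents and timestamps are not changed while obtaining the value to match.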
I'd like to do a thorough enough job that I won't cause anyone any grief. Can anyone help me out?
I suggest you find a mentor locally and not proceed until you do.
Seriously, I can assure you that you are in over your head. IT knowledge is only part of the equation, and while an A+ is a good start, what is your experience with Registry structure, file header and footer information, etc.? If you are just learning the tools you may miss some evidence or think you found something that is misleading. Also you MUST know proper evidence handling procedure and how to document your process.
Also consider that if you get into court and opposing counsel discredits your work and your client sues you for malpractice what will you do?
Depending on the court and tech level of the Judge, you could with a high degree of probability be declared not an expert. Which means that in the future line of questioning for up-and-coming cases, if you are asked "Have you ever been found not qualified to be an expert?", you would have to answer yes.
Being an IT person doesn't qualify anyone for this type of work, having a degree in something also doesn't qualify anyone. It's a merge of skill-sets as well as having investigative knowledge.
That being said, I am not a fan of how a lot of Fed agencies do their work
i.e. one person images, one person examines, one person testifies, etc.
If you want to learn it all, then you need to work on it all, but not without training in what you need to do.
Please understand that I don't mean this to sound harsh. Everyone needs to start somewhere and you are no exception. And you didn't say whether the case was Federal or local jurisdiction, which can make a difference.
You may get lucky and the opposing side may stipulate to the contents of your report and/or testimony in which case, congratulations!
But I'd caution you against offering yourself as an "expert" on the basis of your first case for no other reason than if you are ever disqualified as an expert, you'll find it hard to ever be qualified.
BitHead is right, you might want to subcontract with someone who has the credentials and the credibility on the stand. In qualifying you as an expert the opposing side will want to know such things as
How many cases have you handled before?
Have you ever given testimony related to your findings as a forensic scientist?
Have you ever been qualified to testify as an expert in court?
How many other cases can you cite where you performed similar work?
and so on.
10-15 years ago, you probably could have qualified on the basis of your IT experience but, today, digital forensics is a recognized discipline apart from general IT knowledge and you'll have a tough time convincing a savvy judge that your experience is sufficient.
In addition, as BitHead says, you run a substantial risk of liability for an adverse outcome, including malpractice and fraud. In fact, in posting to this group the fact that this is your first case, you have opened the door to opposing counsel disqualifying you.
Do yourself and your potential client a favor and recommend to them that they engage a qualified forensic examiner for this purpose. Tell them that you'll assist in finding one and would be willing to oversee their performance and review their findings as someone who is qualified in IT. They trust you so work that to your advantage.
But don't try to do this, yourself, even if you find the resources that you need to do what you want to do.
By the way, I grew up in Canton, home of Thurman Munson who played for the Yankees for 10 years, winning a couple of Golden Gloves. He was homesick for Canton and took flying lessons so he could fly home when he wanted. In the summer of 1979 he bought a Cessna Citation, which he was totally unqualified to fly, and on August 2 he crashed it while practicing touch-and-goes.
Being experienced in IT is necessary for digital forensics but it isn't sufficient.
Get qualified help.
Thank you guys for your experienced thoughts on the matter. I have no problem admitting that this is the first time I've ever done something like this.
I had originally been thinking that I would just lend whatever help I could in the matter. I hadn't thought of the malpractice implications on the matter. This is a local jurisdiction case, but I still wouldn't want to possibly provide an incorrect analysis based on my inexperience and lack of training. I'm going to give the lawyer a call on Monday, apologize, and recommend he find a qualified forensic scientist.
Do you guys have any suggestions about where to locate someone in my area which I could pass along to the lawyer?
Do you guys have any suggestions about where to locate someone in my area which I could pass along to the lawyer?
Check for Personal Messages as some people may not want to make recommendations publicly.
Of course I may be completely wrong, but what I would do would be
- try doing the work you think fit (i.e. what you would have done WITHOUT the advice from here), read related material, learn
- call, yourself, a suitable expert in the field who is willing to help you
- submit to him the theoretical work you have done, as if it were an exam paper
- pay his initial consulting fee yourself
- propose that he cooperate with you
You may lose some money, but on the other hand you might lose an occasion to test your actual skills and knowledge and an opportunity to start in this field.
If you tell the solicitor that you are not an expert, and that he should go somewhere else, he will "mentally record" this fact and you will never be called again, no matter how much learning and certifications and experience you will get in the future.
If you tell him you will yourself take care of the matter but that you will work teaming with a qualified forensic expert as the matter is delicate and you want to provide a work that will be foolproof, I don't think he will object.
In other words, most probably you are not ready for "prime time", but you will never know unless you measure yourself against the challenge and the judgement of an expert/tutor and you somehow "start".
jaclaz
Jaclaz,
I like your idea. I think my chief concern on the matter right now is that the lawyer is waiting for a phone call from me to schedule my time with the computer in question and I don't have a toolset put together for analyzing a hard drive yet, nor do I know anything about forensic or evidence handling procedures.
I don't yet know if pursuing an actual career in computer forensics is something I want to do, but I am considering it as well as programming.
At this point I think that what's going to be best for the lawyer and his client is for me to offer to help find a more qualified individual to perform the forensic analysis and offer to assist as an IT consultant if I can be of help.
I agree with the sentiments and the notion that we all have to start somewhere. My recommendation would be, however, that someone not "start" as an expert witness giving testimony. There is much more to being an expert witness than being able to do an adequate job on the forensics, and being disqualified could forever haunt you, as one of the questions that you are asked during a challenge is "Have you ever been disqualified as an expert?"
In addition, in Ohio you are required to have a PI license to do computer forensics. It would be a risk to accept the evidence for analysis unless the OP had a PI license.
Of course I may be completely wrong, but what I would do would be
- try doing the work you think fit (i.e. what you would have done WITHOUT the advice from here), read related material, learn
I am not suggesting that the OP can't learn, quite the contrary, but there are pitfalls. For example, not all live Linux distros are forensically sound and some are downright dangerous. Sure, you could read about this. But make a mistake and you are done. Also, you'll be questioned by the other side on your evidence handling procedures, why you did this instead of that, etc. There is an awful lot to learn about the business and none of us is likely to learn it all or well with the first case.
- call, yourself, a suitable expert in the field who is willing to help you
- submit to him the theoretical work you have done, as if it were an exam paper
- pay his initial consulting fee yourself
- propose that he cooperate with you
Again, there may be problems with this. For instance, if the attorney retains you and you retain a third party then, in many cases, the conversations between you and the third party are not entitled to protection under the Work Product Doctrine.
Also, most firms that I know would not want to risk losing their fees in the event that the prime contractor was excluded from giving evidence or, worse yet, sued for malpractice. So, the actual forensic expert would likely want to have a contract directly with the client and not with you. That would make your role, essentially, superfluous.
If the gentleman who posted really wants to get into forensics, I would start by reading and practicing on my own system. There are also images out there which are used for various tests/competitions that could be researched. Assuming that I could qualify for whatever licenses would be required in my jurisdiction I would start with something a bit smaller; something that might not end up in criminal or expensive civil litigation.
Trial by fire works for some types of experiences but it isn't a good practice if you are going to charge someone for your services and their outcome depends upon how good you are.
If you tell the solicitor that you are not an expert, and that he should go somewhere else, he will "mentally record" this fact and you will never be called again, no matter how much learning and certifications and experience you will get in the future.
In my experience, being an "expert" means knowing your limitations as well. In particular, the attorney may not know what constitutes a digital forensics expert (many don't), may not understand what background is required (e.g., PI license) nor what can and cannot be determined by a forensics examiner. But, as you are accepting a fee to do a job, not for the attorney but on behalf of the client, your duty is to do what is best for the client.
Sure, things "could" go your way. But what if they don't?
Suppose a friend asked me if I could do brain surgery and I said "Well, I've read about it and I know how to handle a scalpel." Would the advice be the same?
If you tell him you will yourself take care of the matter but that you will work teaming with a qualified forensic expert as the matter is delicate and you want to provide a work that will be foolproof, I don't think he will object.
I suggested something slightly different for the reasons mentioned above. Direct the client to an appropriate expert and volunteer to assist the attorney in understanding any technical issues that arise from the work. You get the opportunity to participate in the analysis and learn what is done and why, but you have no responsibility for the outcome.
Hey seanmcl, would you happen to have a url for the Ohio PI requirement handy somewhere? I'm having trouble locating it. I'd like to present it to the attorney I can't work with.
I think the reason I was asked if I wanted to help was because the attorney's budget for assistance is much much lower than what a qualified forensic scientist would charge for their services.