Drew Sustaita reviews Rob Fried’s latest book, Forensic Data Collections 2.0: A Selection Of Trusted Digital Forensics Content, Third Edition.
In Forensic Data Collections 2.0: A Selection of Trusted Digital Forensics Content, Third Edition, Rob Fried and his co-authors assemble a collection of articles that provide the reader with a foundational understanding of what digital evidence is, where to find it, and most importantly—its significance to an investigation. Fried does not approach the various topics discussed in an overly academic way, but rather, he explains the complexities of digital forensics and emerging technology in a way even a novice tech user can understand. The selection of articles from PI Magazine shows Fried’s willingness to democratize the specialized knowledge of digital forensics.
Digital forensics can be an intimidating topic to discuss within the general population of users. Most of us know how to drive a car but may not know how to change the suspension components, an exhaust manifold, or even the engine oil. The point is, as an investigator, you do not need to be an expert to be effective. Fried recognizes technology’s expansion into just about every facet of our lives and provides the reader with a guide through his inclusion of things like ephemeral data, Internet of Things devices, cloud data sources, and others. Understanding that a technology exists, what it can do, and where it stores data is often more than half the battle.
I Can’t Help You, But I Know Who Can
Forensic Data Collections 2.0: A Selection of Trusted Digital Forensics Content, Third Edition does not aim to make the reader an expert but offers key considerations for investigators working with attorneys or private clients on when to involve a digital forensics expert. Fried’s first chapter, “Be That Trusted Advisor,” emphasizes the importance of staying up to date on emerging technology, communicating effectively with clients, and collaborating with skilled professionals to bridge knowledge gaps.
Being an advisor does not mean you will be able to solve the problem yourself when the phone rings. It may mean applying what limited knowledge or understanding you do have to a given issue or problem and referring the job to another capable professional. Part of being a trusted advisor is knowing when a task exceeds your skillset or, more commonly, your software capability.
I have several friends in the digital forensics community who offer private and court-appointed services. Not everyone has the same software capability or even background and experience. Engaging with a diverse group of skilled professionals allows me to expand my knowledge, refer business, and develop the trusted advisor role we all strive to achieve.
Breaking Down Silos
I once heard a saying about digital forensics: “A little technical knowledge can cause a lot of problems in an investigation.” While this is sometimes true, I wonder about the opposite—how much critical data is being overlooked every day because investigators fail to consider digital evidence?
The reality is that data is not retained forever. There is too much of it and not enough space for it to live. Investigators need to be empowered with the knowledge and confidence to identify and preserve critical aspects of an investigation that are here one minute and gone the next.
Accomplishing this is difficult, because there are certain risks involved. Mitigating these risks to their irreducible minimum requires individual buy-in and training. It also demands a shift in mindset—ensuring every investigator is equipped with a digital playbook. This is certainly a wider culture shift between investigators and experts and beyond the scope (and intention) of this book, but Fried offers a template for getting started.

In Chapter 9: “A Digital Forensics Playbook: A Living Document,” Fried and co-author Richard Perrillo break down the information silos common among investigators, particularly those from organizations where one shop performs Function A, another shop Function B, and so on. The authors challenge the reader to adopt an iterative methodology of establishing defensible and sound practices, exercising thorough documentation, and then pivoting as necessary.
It is understood that no digital forensics best practices document or model remains indefinitely relevant. As technology evolves, so too must the methods for identifying and defensibly collecting digital evidence. Organizations that are overly reliant on just a handful of experts create stovepipes of information and bottlenecks that reduce investigative efficiency. In 2025, we are beyond the days when an investigator or first-line responder can only consider the physical world and never consider the digital world.
Identify, Acquire, Interpret, Report
The digital forensics process can be broken down into three easy-to-remember steps: Acquire, Interpret, Report (AIR). Every practitioner knows you must forensically or defensibly acquire data before you can interpret it, utilize specialized software to interpret the data, and then finally report your findings. The AIR model, in various extrapolations, is what the DFIR community tries to adhere to as a field of forensic science.
Fried stresses the need for defensible processes throughout the text, but he also adds an additional pillar to the tripod. The fourth pillar, Identify, is what can be taught to every practitioner. There is no reason, in a world as connected as this one, that only a certain few maintain the skills and knowledge to identify sources of digital media evidence. I would even posit that the Identify pillar is among the most, if not the most, critical of the four.
As a criminal defense investigator, many of the cases I get assigned are at least a year older than the time that the correlated incident occurred. This means that by the time I learn of an indictment and get handed discovery documents as part of the defense team, most of the unpreserved digital artifacts are gone. It is important to note that this time-to-live element, known as data volatility, affects all parties seeking digital evidence for use in any court proceedings.
Disappearing data is not just something that works against the defense when requesting two-year-old video footage from a corporate security office. It can also impact evidence from a suspect’s cellphone that wasn’t placed in airplane mode or a video doorbell whose provider wasn’t contacted for a preservation request. This is why it is so important for every investigator involved in a case to understand how to identify potential sources of evidence and where that data may reside.

Slay the Dragon
Before writing this review, I consulted with Robert, because I wanted to express my concern, as a criminal defense consultant, and I wanted to remain fully transparent speaking to what I assumed would be a largely law enforcement crowd. Robert assured me that his intentions were only to establish defensible methodologies and encourage as many people as possible to start considering digital data in their investigations. I think the book proves that in spades.
What I appreciate most about this book is its enduring message: you don’t have to be an expert to contribute to a digital investigation. It offers a framework for growth, prompts internal discussions, and presents innovative solutions.
Digital forensics has long been portrayed as a dragon only a select few can slay, but that mindset is fading. Not long ago, only academically trained computer scientists could hack into secure servers—now, even high school students are doing it. As information becomes more accessible, the investigator community stands to benefit—provided leadership embraces training and education for their teams.
To learn more about Forensic Data Collections 2.0 or to place an order, visit forensicsbyfried.com/books.
Drew Sustaita is a licensed private investigator and digital forensics consultant in Texas. He primarily supports public defense attorneys in the identification and interpretation of digital media evidence. Prior to becoming an investigator, Drew served in the US Army Reserve and as an NSA analyst supporting multiple special operations units. Drew holds a master’s degree in Intelligence, Security Studies & Analysis, a bachelor’s degree in Criminal Justice, and several digital forensic certifications.