A computer or smart phone under forensic examination is like a sprawling metropolis of neighborhoods, streets, buildings, furnishings and stuff–loads of stuff. It’s routine for a single machine to yield over a million discrete information items, some items holding thousands of data points. Searching so vast a virtual metropolis requires a clear description of what’s sought and a sound plan to find it.
In the context of electronic discovery and digital forensics, an examination protocol is an order of a court or an agreement between parties that governs the scope and procedures attendant to testing and inspection of a source of electronic evidence. Parties and courts use examination protocols to guard against compromise of sensitive or privileged data and insure that specified procedures are employed in the acquisition, analysis, and reporting of electronically-stored information (ESI).
A well-conceived examination protocol serves to protect the legitimate interests of all parties, curtail needless delay and expense and forestall fishing expeditions. Protocols may afford a forensic examiner broad leeway to adapt procedures and follow the evidence, or protocols may tightly constrain an examiner’s discretion, to prevent waiver of privilege or disclosure of irrelevant, prejudicial material. A good protocol helps an examiner know where to start his or her analysis, how to proceed and, crucially, when the job is done.
As a litigator for over 35 years and a computer forensic examiner for more than 25 years, I’ve examined countless devices and sources for courts and litigants. In that time, I’ve never encountered a forensic examination protocol of universal application. “Standard” procedures change over time, adapted to new forms of digital evidence and new hurdles–like full-disk encryption, solid-state storage and explosive growth in storage capacities and data richness. Without a protocol, a forensics examiner could spend months seeking to meet an equivocal examination mandate. The flip side is that poor protocols damn examiners to undertake pointless tasks and overlook key evidence.
Drafting a sensible forensic examination protocol demands a working knowledge of the tools and techniques of forensic analysis so counsel doesn’t try to misapply e-discovery methodologies to forensic tasks. Forensic examiners deal in artifacts, patterns and configurations. The data we see is structured and encoded much differently than what a computer user sees. The significance and reliability of an artifact depends on its context. Dates and times must be validated against machine settings, operating system functions, time zones and corroborating events.
Much in digital forensics entails more than meets the eye; consequently, simply running searches for words and phrases “e-discovery-style” is far less availing than it might be in a collection of documents.
If you can conceive of taking the deposition of a computer or smart phone, crafting a forensic examination protocol is like writing out the questions in advance. Like a deposition, there are basic inquiries that can be scripted but no definitive template for follow-up questions. A good examiner–of people or computers–follows the evidence yet hews to relevant lines of inquiry and respects boundaries. A key difference is, good advocates fit the evidence to their clients’ narrative where good forensic examiners let the evidence tell its own story.
If you’ve come here for a form examination protocol, you’ll find it; but the “price” is learning a little about why forensic examination protocols require certain language and above all, why you must carefully adapt any protocol to the needs of your case. Continue reading