On August 28th, 2018 ACEDS had the fortunate experience of hosting Craig Ball as he introduced the specifics of his master work, Digital Forensic Examination, Negotiating Forensic Examination Protocols. Craig has been a Texas trial lawyer for over 35 years, a computer forensic examiner for more than 25 years, an author, a blogger, and an educator. He is a principal of the Georgetown University Law Center eDiscovery Training Academy and also teaches electronic discovery and digital evidence at the University of Texas School of Law. He is often appointed as a Special Master in federal and state cases around the country. Craig continues to write his award-winning blog, Ball in Your Court.
This three-part blog will examine the why, the what and the scope of the protocols from Craig’s August 28th webinar presentation on Negotiating Forensic Examination Protocols. Craig Ball’s Drafting Digital Forensic Examination Protocols is detailed and comprehensive and is available online in PDF format.
Why do we need a protocol for a digital forensic exam? Is it really necessary? When asked these questions, Craig was quick to respond, “It’s a place in my mind and when I begin looking repeatedly at the pathways and byways of a modern computer, it becomes a place. It’s a metropolis of essentially virtual buildings and streets and homes and closets and junk much of which has to be traversed, often repeatedly going back and forth to check and double-check, cross-collaborate information. And recognizing that when you are sending someone into a metropolis like that, you need a map.”
The overriding reason is that a forensic examination yields certain commonalities from exam to exam but the differences are not only profound but distinct from eDiscovery examinations. As Craig says, “The difference between what I do as a computer forensic examiner and what I do in my role advising clients with respect to electronic discovery is very significant in that in computer forensics we are dealing with something much different from documents.”
Computer forensics deals with data, not documents. And so, the skills attorneys have learned in dealing with electronic discovery don’t necessarily apply to the realm of computer forensics. For example, the skills we learn in using keyword search or advanced analytics just don’t apply and the most mistake in devising a forensics protocol is trying to make the forensics examiner work in the same way that they’ve traditionally worked to find keywords or identify potentially responsive documents.
Craig says it quite succinctly:
Lawyers historically are trained to think of everything as being a document. When we draft our request for productions, we couch our definition of what we seek no matter what it might be as a document. But in computer forensics we are dealing with data and in particular we are dealing with artifacts and the recognition of certain patterns and the configurations of the environment, the operating system and the various applications, all about context.
Most of what we get out of an electronic discovery effort in the form of documents, whether it be a photograph that an individual may have downloaded or a document they’ve crafted, an Excel spreadsheet, a PowerPoint, most of these things are largely capable of speaking for themselves. It’s generally easyto be able to understand them without a significant amount of context.
But when you start dealing with forensic artifacts where you may have recovered them from the unallocated clusters, wholly devoid of their associated context in metadata, where you may be looking at a pattern or you are looking at a metadata value, a data value, so called MAC date modified access created date, all of these things require a certain context because there is often more to them than meets the eye.
Craig also notes that although different digital forensic examinations may have certain things in common, they are more likely to have differences based on the different devices with different operating systems as well as different cases with different issues. As he puts it, he would have different routine protocols he might use “…. if a case involves, say, allegations of data theft or if another case involves allegation of a cyber security breach.”
Furthermore, a PC might hold over a million items of potentially responsive information, a Some of those information items will, themselves, hold tens of thousands or hundreds of thousands of data points. This is much different from the structure of documents we see in traditional eDiscovery.
Craig notes that these enormous data stores often present a challenge in terms of the time limits for a protocol deployment. As he puts it, echoing his statement above about a virtual “place,” “…I often will be spending hours, days, sometimes, weeks within the environment of a single device. It begins to be very much like a place. I can close my eyes and I can walk through all the streets and stores of the little town I grew up in outside New York City called Bronxville.”
We need forensics protocols because we need precise, focused instructions for what we wish to accomplish. The variety of devices, operating systems, cases and issues makes specific instructions for their examination absolutely crucial. These may include selecting the examiner as well as specifying the devices, the media and the sources that will be examined.
More on that in our next installment, The What of Forensics Examination Protocols.