Tuesday, 10 June 2008

Computer forensics 101

Sometimes clients tell me about how their ex might have an interest in porn, or have hidden extensive documents about their finances on their computer.

It's at moments like these, once I have talked to clients about the issues, that I often recommend that my client use the services of a forensic IT consultant.

Sometimes you will get not particularly much from the computer, but on other occasions you will strike gold, and the chance of striking gold can make it all worthwhile. From my clients' perspective, while there is always an element of risk in hiring a forensic IT consultant, the chances can be so high that the risk is worth it.

The other issue I discovered a couple of years ago was to let both the lawyers and the forensic IT consultants have the time to analyse what has been found. The IT people had effectively one work day to extract the information from the hard drive, and produce it in a report, due to a very strict deadline set by the court. I got the report at about 6pm, and discovered that there were about 1200 pages of Yahoo log to be analysed!

Needless to say it was not all analysed that night, even with my having little sleep that night. When I had the opportunity to analyse it (which was several hours over the weekend a couple of days later), and then swore an affidavit as to what it all meant, the other side were critical of me for not having sworn an affidavit earlier and for introducing evidence which I should have disclosed before!

I recently came across an article by Jon Berryhill, from Berryhill Computer Forensics, who I was told about by a California lawyer as being an expert in the field. When I read Jon's article, it struck a chord, so here 'tis...[thank you Jon]

Having a Computer Forensics Expert in your Corner

By Jon Berryhill


What if opposing counsel informs you they’re calling a computer forensics analyst as an expert? Even if you don’t need an expert to analyze computer data, it can pay to have one in your hip pocket.


Computer forensics and eDiscovery can involve computers belonging to your client and/or the opposing side. If there were computer evidence (or the potential for evidence) germane to a case, you would be best served to have an experienced computer forensics analyst look at the data. A computer forensics expert can work as a special master or can sign a non-disclosure agreement in order to protect confidential information. If opposing counsel hires an expert, you will want to have their analysis and conclusions reviewed by your own expert. Occasionally, opposing counsel will share the imaged (copied) hard drives from computers involved in the discovery.


If you are deposing opposing counsel’s computer forensics expert, it can be extremely valuable to have your own expert in attendance. Often, they can identify flaws in the other expert’s answers, or suggest a line of questioning. We recently provided this service to a client. During the depositions, the other side’s experts essentially refuted much of what was in their own analysis. Before the case ever went to trial, opposing counsel had withdrawn its computer forensics experts.


Have you ever considered acting as your own computer forensics expert? A few years ago, a defense attorney contacted our company and asked to rent (use) our forensics equipment to view and analyze a hard drive image of his client’s computer made by investigators. As experienced professional computer forensic experts, we were concerned about this request, and offered our analysis services, which this defense attorney declined. The attorney paid for the use of our equipment, and until recently, we had not heard what became of the case.


Unfortunately for his client, this attorney lost the case. His client spent the next few years in jail as a result. We were approached on this case after the client had secured a new attorney to handle an appeal. The original trial judge provided a declaration expressing his opinion that the defendant had been poorly represented. Our company was the only other party asked to provide a declaration, which we did, stating our professional opinion that the computer forensics evidence was incomplete and not conclusive. Perhaps if the attorney had not tried to act as his own expert, his client might have been spared prison time.




How do you go about finding an experienced computer forensic analyst? One way is to ask colleagues who have used a computer forensics expert. You can also search the web, including various expert witness listings. But make sure to properly investigate any expert you are considering. Most importantly, check their references.




References can be a great resource when investigating computer forensics experts. While there are reputable experts, some may exaggerate their credentials. Some may provide historical client lists, but none of these clients are willing to accept your call. When asking for a reference list, make sure it is a list of people willing to take a call from you. Call the references, and ask questions such as, “Were you happy with the work product? Would you hire them again? How did their work impact your case?”


Be wary of claims boasting of years of experience or an “alphabet soup” of letters after someone’s name. Some experts may exaggerate their years of experience by including experience with computers and/or computer data recovery, rather than actual forensic analysis. Various certification courses exist, but there are no standards. Real case experience, having things go right and wrong in the field, generates layers of tried and true expertise. To best understand the importance of hiring a seasoned expert, consider the parallel you can draw between new attorneys and seasoned veterans who have tried many cases. The depth of real case experience can’t be taught in any classroom, as every case is unique. Ask the expert “How many years have you actively worked on computer forensics cases? How many cases have you personally worked on? Have you ever testified in court? How has your work impacted cases?”


Occasionally there may be a need for multiple analysts from the expert company to assist in the recovery, imaging, and processing of data. Ask for details about the number of analysts actually working on your case. Ask, “What are their qualifications? What is their experience with actual computer forensics work? On how many cases have they worked? Will they be available during analysis to discuss whether further analysis will be needed? Is the person doing the analysis the one who will be available to testify?” Keep in mind that there are no formal requirements in place to be labeled as a computer forensics expert. That is why reference checks and asking the right questions are critical to protect your small firm and clients.




Computer forensics is the acquisition, analysis and presentation of computer evidence, and a good expert must be skilled in all three of these areas. For every finding presented by the expert, demand the facts to support the conclusion. It is valid for an expert to express opinions, but to stand up in court, opinions must be supported by facts. It won’t do your case any good if the expert only uses “geek speak.” Having an expert who can’t effectively present the facts or communicate conclusions based on fact (both verbally and in writing) may blow gaping holes in your case. Experts with exceptional communication skills can explain findings in terms understood by the watchful, critical (and not necessarily technically savvy) eyes of the judge, opposing counsel, opposing expert, and the jury.


Rates can vary, and some experts may charge a flat fee for common tasks. There are some common computer forensics tasks that don’t vary considerably in terms of time or work required.


Common Computer Forensics Tasks and Approximate Time Required*

Forensic quality image of hard drive:
40-200 minutes per 100 GB (depending on size and age of hard drive)

Duplicate set of hard drive image files (a copy of the raw material):
30-60 minutes per 100 GB

Keyword search of image:
1-4 hours for 10 keywords on a 100 GB drive (varies based on size of drive, how full the drive is, and number of keywords; does not include time required to analyze hits)

Extract active files, recover deleted files, create file listing, and provide copy on optical or magnetic media:
1-2 hours

* These are approximate times. Many variables can affect these tasks, but if you’re dealing with a healthy drive, the time should not vary from these ranges too much.



About Jon Berryhill, President and COO of Berryhill Computer Forensics

Jon Berryhill has led over 600 computer forensic investigations spanning the past 14 years. He has served as a Special Agent in the U.S. Air Force Office of Special Investigations and worked extensively with the California Department of Justice Advanced Training Center. He has been certified in California State Court and Federal courts as an expert witness in computer crime.