What Attorneys Can Take Away From the Digital Forensics 'Mindset Shift'

21 March 2023 by Anith eDiscovery digital-forensics

Takeaway: Digital forensics teaches us that every tiny bit of data should be treated as potential evidence. With this basic mindset shift, you will acquire basic technological skills that will supplement your legal expertise and help expand your firm.

Gathering and analyzing digital data while abiding by the law is what digital forensics is about.

Digital forensics uses data to help catch those who break the law. This means that electronically stored information (ESI) is collected, analyzed, and organized so that attorneys can use it while making their case in court. Digital forensics experts use specialized tools and techniques to recreate a law-breaker’s data usage pattern, thereby authenticating the wrongdoer’s digital footprint. This ability makes these experts invaluable for eDiscovery – which is all about the preservation, collection, processing, reviewing, and production of ESI. Digital forensics aids eDiscovery for intellectual property theft, employment disputes, industrial espionage, bankruptcy cases, fraud, and more.

That is why an expert in digital forensics needs to be technically savvy.

Digital forensics needs experts who can work around technical hurdles. For example, they might be required to retrieve encrypted data without access to the password/key. Or they might be needed to get data from drives that have been scrubbed and written over. Additionally, they will be required to work fast, quickly scanning through thousands of terabytes utilizing advanced hardware with high processing speeds. And most importantly, they will need to be up-to-date with the latest technological developments, delving into and exploring new applications and operating systems as they emerge.

What we can learn from the underlying principles of the niche specialty - digital forensics.

Experts in digital forensics utilize advanced tools and techniques in addition to foundational data collection/preservation principles that we can all learn from. Let’s look at some important questions we can ask about any potentially useful data.

1. “Where is the data stored?”

During evidence gathering, one of the first tasks is to locate the responsive files. This means identifying all the potential data sources. The things that need to be identified are:

  • The devices (computers, phones, tablets, etc.) that generate the data that we are searching for
  • The format the data is in
  • The duration it will be stored untouched
  • All those who can control it and those who have access to it
  • If the data has been viewed, who viewed it and what was viewed

Therein lies the challenge: a majority of this data is available on a network or cloud, which means that it does not exist on just one isolated device. For example, emails exist in many inboxes and cloud archives. Additionally, there exists a chain of sources to investigate: routers, servers, mobile phones, computer applications, intrusion detection software, printer logs, database transactions, and many more.

2. “How do we access the data?”

Once the potential data sources have been identified, a decision needs to be made on how the data should be retrieved/accessed. This should be done by coordinating with custodians, IT departments, and security teams. Retrieving the data comes with its own challenges, as corporate systems and networks are most often designed without consulting the corporate security team. This means that the cost/effort of collecting the data needs to be weighed against the value of the hard-to-get evidence. It is also worth thinking carefully about storage options and auditing tools when designing a system, because doing so makes it easier (and cheaper) to retrieve the data later if it is ever required.

3. “Is there a chain of custody in place?”

Data can be used for a legal case or any legal issue only if it is stored and handled properly. Take a file’s metadata: it tracks when the file was created and by whom, when it was last opened/printed, and more. Unfortunately, this metadata can be easily manipulated, and all that contextual data is easily lost if the file is not handled properly. So, law firms need to evaluate their procedures to protect the chain of custody of a file. Some examples of the data that needs to be stored are listed below:

  • Who owned or had access to the data
  • The hardware it was stored on
  • The applications used to open it
  • The security measures taken to protect it
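
A minimal custody record for the point above, as an added example (not from the original article or from GoldFynch): it stores a SHA-256 hash next to the context fields just listed, then shows that a plain copy loses the modification time while an edit with the timestamp set back is caught only by the hash. The hashing step, file names and field values are assumptions made for illustration.

```python
import hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash the file contents; unlike timestamps, this changes with any edit."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def mtime_utc(path):
    return datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc).isoformat()

def custody_entry(path, custodian, hardware, application, protection):
    """Record what was collected plus the context fields the article lists."""
    return {
        "file": os.path.basename(path),
        "sha256": sha256_of(path),
        "size": os.stat(path).st_size,
        "modified_utc": mtime_utc(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,      # who owned or had access to the data
        "hardware": hardware,        # the hardware it was stored on
        "application": application,  # the application used to open it
        "protection": protection,    # the security measures taken
    }

def verify(path, entry):
    """Return the recorded fields that no longer match the file at `path`."""
    current = {"sha256": sha256_of(path), "size": os.stat(path).st_size,
               "modified_utc": mtime_utc(path)}
    return [k for k, v in current.items() if v != entry[k]]

def demo():
    """Constructed sample: one original, two copies, one altered copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "memo.txt")
        with open(original, "w") as f:
            f.write("constructed sample evidence\n")
        os.utime(original, (1_600_000_000, 1_600_000_000))  # fixed sample timestamp
        entry = custody_entry(original, "J. Doe (placeholder)", "laptop (placeholder)",
                              "text editor", "encrypted volume")
        plain = shutil.copyfile(original, os.path.join(d, "plain_copy.txt"))
        kept = shutil.copy2(original, os.path.join(d, "preserving_copy.txt"))
        altered = shutil.copy2(original, os.path.join(d, "altered.txt"))
        with open(altered, "w") as f:
            f.write("constructed sample evidencE\n")        # same length, one byte changed
        os.utime(altered, (1_600_000_000, 1_600_000_000))   # timestamp set back
        return verify(plain, entry), verify(kept, entry), verify(altered, entry)

if __name__ == "__main__":
    print(demo())
```

The altered copy matches the original in size and timestamp, so only the recorded hash exposes the change.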

4. “How do we respond to data breaches?”

It is of great value to have a clearly defined escalation policy in the event of any data breaches or suspicious events. This requires setting up a way to be notified of any unusual activity, which could mean using a content checker (that is used to track certain keywords) or setting up an intrusion detection system (to monitor suspicious network activity). Other than this, you will need to provide guidelines about:

  • When and what to escalate
  • When a ‘suspicious event’ becomes a confirmed incident
  • Who to contact about the incident
  • Collaboration procedures for IT and managers

When a data breach/security incident has been identified and escalated, a report should also be presented. This report should first and foremost contain the evidence of the incident. It should also contain information on how it affects customers/partners, what it will cost to rectify it, and the recovery plans.

Remember that each and every byte of data constitutes digital evidence.

The questions detailed above come with the mental shift of viewing every byte of data as digital evidence. To quote Dr. Edmond Locard, the French forensic science pioneer, ‘Every contact leaves a trace’. In the physical realm, this means looking for fingerprints, footprints, strands of hair, cloth fibers, etc. In the digital realm, it means checking IP addresses, system logins, browser histories, emails, attachments, etc. Beyond that, we need to comprehend the intricate workings of hard disk drives, USB drives, smartphones, digital cameras, biometric devices, and other electronic devices. This will help us in uncovering hidden evidence from regular computer files.

As you start viewing all data as possible evidence, you will start picking up the necessary technical skills to identify and utilize this evidence. These skills are fast becoming a necessity. Let’s take a look at an example. Suppose your client has been accused of leaking sensitive data, but you have a feeling that this was actually done by a malicious ‘trojan’ software infecting your client’s device. You will need the technical knowledge to put forward this theory and even engage a forensic expert to look for the trojan. Take a step towards this mindset shift and see what it does for your law firm. Also, with the advent of Web 3.0 and the metaverse coming into being in some form or the other, it is a shift that needs to be made.

Looking for eDiscovery software that will help you with this digital forensics mindset shift? Consider trying GoldFynch.

GoldFynch is an eDiscovery service designed for small and midsize law firms. It’s compatible with any VPN service you currently use and has all the essential security tools you’ll need, plus the following bonus features:

  • It costs just $25 a month for a 3 GB case: That’s significantly less than most comparable software. With GoldFynch, you know exactly what you’re paying for: its pricing is simple and readily available on the website.
  • It’s easy to budget for. GoldFynch charges only for storage (processing files is free). So, choose from a range of plans (3 GB to 150+ GB) and know up-front how much you’ll be paying. You can upload and cull as much data as you want, as long as you stay below your storage limit. And even if you do cross the limit, you can upgrade your plan with just a few clicks. Also, billing is prorated – so you’ll pay only for the time you spend on any given plan. With legacy software, pricing is much less predictable.
  • It takes just minutes to get going. GoldFynch runs in the Cloud, so you use it through your web browser (Google Chrome recommended). No installation. No sales calls or emails. Plus, you get a free trial case (0.5 GB of data and a processing cap of 1 GB) without adding a credit card.
  • It’s simple to use. Many eDiscovery applications take hours to master. GoldFynch takes minutes. It handles a lot of complex processing in the background, but what you see is minimal and intuitive. Just drag-and-drop your files into GoldFynch, and you’re good to go. Plus, you get prompt and reliable tech support.
  • Access it from anywhere, and 24/7. All your files are backed up and secure in the Cloud.
