
Nov 19, 2008
It seems that I have been analyzing hard drives for a long time; well at least ten years now. Depending on the case I have two major tools that I use. Experienced Analysts can probably guess what they are. Lately I have taken some courses using Linux software tools for Acquisition and Analysis. I like the Acquisition capabilities, but the Analysis part seems to put me off. It just isn’t as easy and all-encompassing as the Windows-based tools. The reporting seems lacking as well.
I was talking to a colleague the other day who told me that a Linux product let him boot up a suspect machine just as the user would see it without making writes to the evidence drive. That is something I need to research, because for me I was thinking the only way to do that would be a $1200.00 Shadow device. I don’t like to spend money on software or tools that I may not need or would seldom need, so I was waiting for the time to come when I would need this type of tool and then I would buy it. The same goes for cell phone forensics. I might get 2 calls a month for this service and I always refer it to someone else. Why? Because the ROI isn’t worth it at that pace.
Hardware, especially computer Analyst Stations, is the same story. I make my own out of off-the-shelf computers. Add the necessary write blockers, memory, specialty cards, bridges and such and there we go! Spending 7 or 8 thousand on a “do it all” machine just isn’t worth it to me. It’s the reliability of the forensic software and the expertise of the Analyst that in my opinion really counts. I refuse to take cases I know I can’t handle or use software, hardware or other tools that I have not thoroughly tested in my lab.

Nov 19, 2008
I wonder. Is the poor economy causing people to stay home and look for other ways to entertain themselves? I hope this isn’t the case, but lately, cases have been pouring in like rain through a leaky roof. All kinds of different cases. Unfortunately for my business, most of the cases are through Public Defenders (indigent defense) possibly because people can’t afford private lawyers. Any lawyers out there that can confirm this? While we’re at it, what is the consensus of the lawyers out there; would you rather have a Computer Forensic Analyst that has a good reputation but may not be close by or an Analyst that is close by geographically? Of course one choice is an Analyst that is good and close, but don’t use that choice in a response!
Of course I don’t mind doing Public Defender cases. I feel I am giving back to the community in a way. However, the private cases pay much better. One thing I can say is that the Private Detective Industry, and especially the Computer Forensic practice is unique. No matter what the state of the economy, business is almost always good. Hmmm…

Nov 6, 2008
Computer Forensic Experts can assist in Criminal, Civil Litigation and domestic cases. In all of these cases, an experienced Expert has usually seen, in general, the same type of case over and again. The Expert sees the case in a different way than the attorney as the Expert is an objective evaluator of the facts of the case, whereas the attorney is more of an advocate for his client, as it should be. When the attorney has an objective element working his case, he gets what he needs to know to plan the best course for his client. Should the client fight the charges, lawsuit, child custody decree? Or should he plea, settle or let the child custody decision stand? Is it worth the risk, time or money for the client to do what he thinks he wants to do? These are the attorney’s choices to advise his client. The Expert has insight into the depth of the facts of the case that the attorney may not fully understand, and the attorney may therefore have trouble relating it not only to the client but to the court or jury. Even though the Expert may testify, the attorney needs to know the right questions to ask and additionally, needs to know how to cross-examine the opposing Expert. I have had successes from merely submitting affidavits in criminal defense cases because the opposing Expert’s conclusions were faulty. Computers are involved in so many cases now that the trial lawyer must have access to this most important resource.

Nov 6, 2008
Very early this year I was engaged by a State Public Defender in a child porn case. Although the Adam Walsh Act really applies to Federal cases, it is trickling down to the state level. In a motion hearing attempting to get the forensic copy of the hard drive, the DA was adamant that I not have it, citing the Federal Act. I heard that the state AG distributed a memo that anytime a motion is made to get discovery of this contraband, if the court allows it the DA should immediately appeal it. Well, the court decided that they would give me the hard drive copy but would not protect me from prosecution under the statute, which has no exemption for possession of this type of contraband. Under these circumstances I told the Public Defender attorney that I couldn’t take the case. I had been telling the SPD for over a year that they were going to have to be the ones to fight this state problem. Finally, they appear to be doing just that. The SPD attorney I declined to assist as an expert has had the case on appeal for almost 8 months now. Don’t know how this will turn out, but now I hear that at least 2 more SPD attorneys are going down the same road… I have a load of arguments for motions on this topic.