Don’t DIY: Why You Should Never Attempt to Collect Digital Evidence Without Expert Assistance
With the boom of electronically stored information (ESI) and e-Discovery in litigation, digital forensics has become a widely sought-after practice. With the advent of and nearly ubiquitous reliance on e-mails and electronic financial transactions, electronic discovery appears in a significant amount of cases nowadays. To cut electronic discovery costs, law firms and corporations are putting together internal teams in place of outside vendors. However, these sorts of Do-It-Yourself or “DIY” operations are often doomed from the start — especially when it comes to digital evidence.
Pitfalls of DIY Digital Evidence Collection
Certain corporations and legal teams consider a DIY approach to retain a semblance of control over a situation by keeping the process in-house. However, the dangers of savings and limited purview efforts can far outweigh the benefits.
Compromised Chain of Custody
Internal IT staff and other technology professionals are generally not sensitized to maintaining the chain of custody for potential evidence. This idea entails logging all digital items and tracking them from the time they are identified or seized through the conclusion of the matter. In essence, the data needs to be properly preserved and accounted for every step of the way.
If “self-collection” occurs, the forensics examiner can immediately expect weak preservation of the data.
Spoliation and Tampering of Evidence
When IT boots up and searches a computer, pertinent file metadata and operating system artifacts automatically update — spoliating data and exposing the case to data tampering allegations. In these cases, the client can be subject to purposeful tampering, but there remains a solid case for unintentional tampering. This creates a case within a case — a complication that can be costly in terms of time, funds, and legal sanctions.
Here’s what to keep in mind when it comes to evidence handling:
- Do not turn on a computer or phone
- Do not login (even as administrator), as this can alter and change key pieces of evidence
- If a computer is on, and you suspect it could be encrypted, do not shut it down. If the computer is “hibernating,” rebooting it will destroy the hiberfil data, which is critical to investigations
- Preservation is easy and cheap when done by a professional
- Always preserve data first, even before you suspect wrong-doing. You can’t rewind the clock.
Overlooked Evidence and Data
The DIY approach typically misses less-than-obvious yet relevant data sources, including USB thumb and external drives, personal and network drives, PDAs, and in-house instant messaging logs, as well as back-up CDs and DVDs. These additional digital devices can provide a wealth of information that could be critical to your investigation.
Depending on the case, there is a variety of data sources that should be considered for preservation. This includes physical items like computers and USB drives, server-side logs like VPN or file journaling on shared drives, cloud, and other online accounts, and many other things. It is important to discuss the nature of the investigation with a seasoned professional, so nothing is missed. Digital investigations are like following breadcrumbs in the forest; even a few missing pieces can result in a dead-end investigation. Many times, these consultations are free, so there is little risk in reaching out to a digital forensic expert.
There is a legitimate concern that your internal IT staff performing an investigation won’t be able to render an unbiased opinion if they are interested in keeping an employer happy or out of legal trouble. IT professionals want to preserve their positions and their companies, so entrusting them with collecting and analyzing electronic evidence for their employer’s litigation is, at best, flawed logic. Turning to an objective third party largely eliminates the chance of bias or conflict of interest.
When it comes to your firm or corporation, preserving reputation is always essential. However, considering the repercussions of a botched digital forensics collection or investigation should be of chief importance.
An experienced digital forensics firm can help you avoid these pitfalls and save you time and money. Our examiners can assist you in your investigation including everything from identification of digital devices to expert preservation and analysis. Rest assured that there is never a charge to discuss your case. There’s no risk to contact us, and everything to lose if you don’t.