
Challenges Of The Digital Forensic Expert

Image of poorly handled ESI

One of the biggest challenges facing a Digital Forensic Expert is often the client. Though well intended, the actions a client takes before hiring an expert frequently do more harm than good. SSG’s computer forensic examiners have put together a list of common mistakes everyone should avoid.


Common mistake #1 – Trampling a digital crime scene.

In order to properly document the content of a suspect system, the computer’s date and time stamps must be preserved. Clients that allow access to a suspect system before engaging a forensic examiner are forever altering the files’ metadata: the last ‘written’, last ‘accessed’ and last ‘modified’ time stamps. In addition, allowing such access adds another party to the case, one who could be blamed and who may later need to be deposed. The average forensic acquisition of a hard drive costs the equivalent of two hours of legal fees.


Common mistake #2 – Assigning the forensic examination to the untrained IT Department.

In short, digital forensics and the handling of electronically stored information (ESI) is a highly specialized skill set. When the IT staff is called upon to “copy files” from a suspect system, they often alter the files during this “copying” process. The fact that the IT staff are agents of your company and not a disinterested party can cause additional issues with the integrity of the copied files. They may have a personal relationship with the employee(s) involved that keeps them from being forthcoming in their testimony, or they may be equally disgruntled and work against you.
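As an added illustration (not part of the original article), the Python script below shows what an ad-hoc “copy the files” job does to evidence: the content hash still matches, so the copy looks fine, but the original modification time is silently replaced with the time of the copy, whereas a metadata-preserving copy keeps it. The sample file and its 2010 timestamp are constructed; the fingerprint fields are the ones a chain-of-custody manifest would record.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what a custody manifest needs for one file: size, mtime (epoch seconds), SHA-256."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def naive_copy(src: Path, dst: Path) -> None:
    """What a typical ad-hoc copy does: content only, the copy gets brand-new timestamps."""
    dst.write_bytes(src.read_bytes())


def preserving_copy(src: Path, dst: Path) -> None:
    """shutil.copy2 carries modification/access times along with the content."""
    shutil.copy2(src, dst)


def demo() -> dict:
    """Build a constructed sample file with a fixed old mtime and compare both copy methods."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "memo.docx"
    original.write_bytes(b"constructed sample content, not real ESI\n")
    old_time = 1_262_304_000  # constructed: 2010-01-01T00:00:00Z
    os.utime(original, (old_time, old_time))
    before = fingerprint(original)

    naive_dst = workdir / "naive_copy.docx"
    naive_copy(original, naive_dst)
    preserved_dst = workdir / "preserved_copy.docx"
    preserving_copy(original, preserved_dst)

    return {
        "original": before,
        "naive": fingerprint(naive_dst),
        "preserved": fingerprint(preserved_dst),
    }


if __name__ == "__main__":
    for label, fp in demo().items():
        print(f"{label:>9}: mtime={fp['mtime']} sha256={fp['sha256'][:16]}...")
```

Even copy2 cannot carry over creation or change (ctime) timestamps, and reading the original may update its access time, which is why an examiner prefers a verified bit-level image over any file-by-file copy.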


Common mistake #3 – Failing to secure the system properly.

This is often referred to as the “chain of custody”. Any system suspected of containing ESI relevant to an “act” that needs to be documented must be properly secured. Because turning the computer off is not always the best option, it must be removed from any wired or wireless network to ensure it will not be accessed by unauthorized individuals. In addition, the system’s memory offers the forensic examiner evidence of files and programs actively running on the system; this information would be lost once the computer is turned off. Digital Forensic Experts are trained in the data collection, handling and retention process. They will often keep you from overlooking sources of evidence such as cloud services and off-site backups.


Common mistake #4 – Waiting too long to hire a professional.

Often companies make decisions based on the cost of a forensic examination without weighing this cost against the cost of lengthy litigation. At minimum, any suspected systems should be identified and a forensic acquisition performed by a Digital Forensic Expert to obtain copies of the ESI. There is no excuse for not spending the money up front to preserve suspected data. Be proactive, not reactive.

Common mistake #5 – Allowing a personal opinion, theory, or bias to take the investigation down the wrong path.

Investigators and digital data experts follow the evidence and report findings based on facts, not opinions.


Common mistake #6 – Failing to realize employees are responsible for their actions.

For example, I recall a case in New Jersey whereby an employee renamed all of the company files as well as their file extensions to As a result they had no way of determining a Word document from an Excel spreadsheet or a .jpg, etc. The employee was later convicted and forced to make restitution for all costs associated with repairing the files as well as the company’s down time. All ESI created by your employee is your work product and not the employee’s to copy, distribute, or destroy.


Common mistake #7 – Trying to destroy ESI.

In almost every case someone will attempt to delete files or destroy evidence once they have been caught. Spoliation is sometimes easier to prove than finding the evidence itself. Often forensic examiners are called upon for expert testimony, essentially to explain to the court where the evidence should have been and what steps were taken to remove it. A deliberate act to get rid of emails and other data implies guilt, and courts have the power to impose hefty monetary penalties or rule against you for failing to produce records. Attorneys have many tools in their bag to keep evidence out of court; let them do their job.

Article by the Digital Forensic Experts of Surveillance Specialist Group, LLC