The magic “Find Evidence” button

By Jon Berryhill

​So what is a digital forensic analysis? The short answer is – it depends….  Every case and situation is different. Recently I was talking to someone who had retained the services of a company to conduct an analysis of a laptop. The customer had a fairly simple question he was trying to answer: “Is there evidence that the user of the machine was engaging in the suspected inappropriate communications and/or activity?”. What the customer got back was a several hundred page “report” of “preliminary findings” and was told that was their “phase one” analysis. In order to get more information or even an explanation of the provided report, the customer would have to pay for the “phase two” analysis. The additional cost was tiered depending on how quickly the work would be done with the “standard” (lowest cost) option having a 60-day turnaround. Needless to say the cost of a much more reasonable turnaround time made me gag.

A proper analysis means doing whatever data processing and analysis is necessary to answer the pertinent questions for the specific case. This usually means putting together the pieces of the puzzle from many different sources to put together a logical and relevant conclusion.
​
Most digital forensic analysis software packages (like EnCase, FTK and others), can generate an automated “report.” With little or no input from the analyst, the scripts that generate these reports can produces hundreds of pages of information. Seldom do these reports contain anything meaningful or understandable to a customer. When an analyst dumps one of these automated reports on a client, especially when accompanied by a bill, it is usually done for what I call the “thud effect” (how loud a sound can you make when you drop the report on a table in an effort to make it appear you have done a lot of work?). Did all that work and the trees they killed producing it provide answers? Did the analyst explain the findings?

---

Read More