News & Computer Forensics Blog
Author Jon Berryhill
Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts
Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts
By Jon Berryhill
If you’ve encountered a matter involving computer evidence, you may have heard the term “hash value” and wondered what in the world a hash value is. A hash tag “#” (otherwise known as the pound symbol or, originally, an octothorpe), brought to you by Twitter in 2007, is not what this post is about. A hash value and a hash tag are two completely different things. Let’s take a quick dive into this somewhat esoteric term for a critical tool. A hash value is a common feature used in forensic analysis as well as the cryptographic world. The best definition I’ve seen is that a hash is a function that can be used to map data of an arbitrary size onto data of a fixed size. The word “function” is used in its truest form from mathematics. The hash value is the result of the function. Standard hash algorithms are sets of complex but public mathematical steps. There is nothing secret about them. Some people equate a hash value to a fingerprint. It provides a way of identifying and verifying a chunk of digital data. You can have a hash value for a single file, groups of files, or even an entire hard drive. A hash value is a harmless looking string of hexadecimal values, generally 32 to 64 characters long, depending on the hash algorithm used. There is absolutely nothing in a hash value that will tell you anything about what was hashed or how big it was. The way the algorithms work, the length of the hash value is always the same no matter the quantity of the data processed. So what do they look like?
12 Comments
By Jon Berryhill Recently our firm was brought into a case where the opposing counsel had retained a computer forensic expert. After the work was complete, questions began to surface regarding the quality of the work and the value received for the cost. During the initial telephone call, information regarding this "expert's" work process and work product started to raise giant red flags for us. We went to the location where the computer forensics "expert" had gathered evidence. We counted the computers, noted the size of the hard drives, and analyzed the scope of work. Since that initial phone call, what we discovered has been rather alarming: exaggerated fees, unsupported conclusions, exaggerated hours per task, opinions not supported by the facts, and the list goes on! Ultimately, this "expert" billed over $100,000 for computer forensics services that should have required about 10–20 hours of work. While their hourly rates were within the average range for the industry, they pumped up the amount of time and the number of employees required to complete the job. To protect your firm from being fleeced by a computer forensics "expert," read Hiring A Computer Expert - Don't Get Fleeced! As a bonus, we have included a standard chart of typical or common computer forensic services, and corresponding amounts of time usually needed to complete each task. If you are involved in a case in which a computer forensics firm has been hired by opposing counsel, give us a call. Protect your clients and your firm's reputation; don't allow shoddy computer forensics work to damage your case. Author: Jon BerryhillWrite something about yourself. No need to be fancy, just an overview. What if opposing counsel informs you they’re calling a computer forensics analyst as an expert? Even if you don’t need an expert to analyze computer data, it can pay to have one in your hip pocket. Computer forensics and eDiscovery can involve computers belonging to your client and/or the opposing side. If there were computer evidence (or the potential for evidence) germane to a case, you would be best served to have an experienced computer forensics analyst look at the data. A computer forensics expert can work as a special master or can sign a non-disclosure agreement in order to protect confidential information. If opposing counsel hires an expert, you will want to have their analysis and conclusions reviewed by your own expert. Occasionally, opposing counsel will share the imaged (copied) hard drives from computers involved in the discovery. If you are deposing opposing counsel’s computer forensics expert, it can be extremely valuable to have your own expert in attendance. Often, they can identify flaws in the other expert’s answers, or suggest a line of questioning. We recently provided this service to a client. During the depositions, the other side’s experts essentially refuted much of what was in their own analysis. Before the case ever went to trial, opposing counsel had withdrawn its computer forensics experts. Have you ever considered acting as your own computer forensics expert? A few years ago, a defense attorney contacted our company and asked to rent (use) our forensics equipment to view and analyze a hard drive image of his client’s computer made by investigators. As experienced professional computer forensic experts, we were concerned about this request, and offered our analysis services, which this defense attorney declined. The attorney paid for the use of our equipment, and until recently, we had not heard what became of the case. Unfortunately for his client, this attorney lost the case. His client spent the next few years in jail as a result. We were approached on this case after the client had secured a new attorney to handle an appeal. The original trial judge provided a declaration expressing his opinion that the defendant had been poorly represented. Our company was the only other party asked to provide a declaration, which we did, stating our professional opinion that the computer forensics evidence was incomplete and not conclusive. Perhaps if the attorney had not tried to act as his own expert, his client might have been spared prison time. When to Call a Computer Forensics Specialist?
In nearly all litigation these days, there is some evidence on a computer. Have you considered this for your case? If you haven't, you should. But don't panic. Bring in a seasoned computer forensics specialist sooner rather than later, and you can save valuable time and money; not to mention legal wrangling. Intuition is a powerful force that deserves your respect. If your gut is nagging at you, suspecting that some legal issues may be afoot, it's worth checking out. And it's literally never "too soon" to call in a qualified computer forensics expert. Doing so may speed up the legal process, and help clarify facts and issues from the get-go that may influence your case later on. In fact, the earlier an expert is brought in, the more helpful we can be. Is there a downside to calling your computer forensics expert right away? We're hard pressed to think of one, perhaps just the confirmation that you have a legal battle ahead. But that would have been the case whether or not you called us first! Even in that worst case scenario, computer forensics can smooth or even shorten the rough road you anticipate. In the best scenario, we can help clients avoid court altogether. We've discovered many a "smoking gun" in the discovery phase that put an abrupt end to the proceedings. What's the downside to not calling computer forensics experts first? Evidence may be lost that could support your case. If you've even considered litigation, your first consideration should be to preserve evidence. Don't even touch an evidence computer until you've spoken to a forensics specialist. Worried we'll come in and stop business operations in their tracks? No need. We quickly archive data to preserve a snapshot of every potential piece of evidence. Bringing us in when you first suspect a problem means you have a qualified guide in navigating even the first few crucial steps of the electronic discovery process. It's an opportunity to avoid pitfalls that would otherwise harm your case, and gain valuable insight into the facts. Sometimes we're brought in early enough that we can deliver excellent advice or recommendations without even touching a computer. Sounds strange, we know. But a thoughtful conversation leveraging decades of experience can often dispel a client's concerns. And in situations where squaring off in court seems unavoidable, we're right there with expert advice. We help clients anticipate challenges and face them down with the very best evidence available. So if you've got butterflies, chances are you're about to wade into the ESI (electronically stored evidence) jungle. Call or e-mail us first, because every step counts. Especially the first one! |