News & Computer Forensics Blog
Author Jon Berryhill
Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts
Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts
Author: Jon BerryhillWrite something about yourself. No need to be fancy, just an overview. Special thanks to Sgt Fred Deltorchio and the Benicia (CA) Police Department for their assistance with this test. Recently we have seen several alarming warnings about the dangers of placing computer evidence in the trunk of a police car containing a trunk-mounted radio. These articles claimed that the RF energy of the nearby radio would corrupt the computer evidence. We found these claims interesting, so we decided to conduct a test. The results showed absolutely zero corruption of magnetic media. While this test only used one type of trunk-mounted police radio, the results may be similar for other types of modern radios. We would be interested to hear from anyone who believes they have had computer evidence corrupted by a trunk-mounted radio. In the future we plan to conduct similar tests with other brands of radios operating in other frequency ranges. The tested media was four 3.5" 1.44MB floppy disks and one Quantum ProDrive 80MB SCSI hard drive. Using a version of a disk duplication program that is exclusively for law enforcement use, we created four identical floppy disks. We then ran a program that for each disk generated a CRC value for each file on the disk. We placed two disks each in paper envelopes. The hard disk was formatted and approximately 36 megabytes of data was written to it. We then ran the same CRC generating program for the hard disk. The hard disk was placed in an anti-static bag and packed in paper in a cardboard box. One envelope containing the 3.5" disks was placed directly between the transmitter/receiver and the mounting bracket of a GE MVS VHF trunk-mounted police radio (mounted on the side wall of the trunk). This radio operates in the 150MHz band. The second envelope was placed on the floor of the trunk opposite the radio. The box containing the hard disk was placed in the center of the trunk. The police car also had a trunk-mounted cellular phone transmitter/receiver mounted next to the VHF radio.
4 Comments
Author: Jon BerryhillWrite something about yourself. No need to be fancy, just an overview. What if opposing counsel informs you they’re calling a computer forensics analyst as an expert? Even if you don’t need an expert to analyze computer data, it can pay to have one in your hip pocket. Computer forensics and eDiscovery can involve computers belonging to your client and/or the opposing side. If there were computer evidence (or the potential for evidence) germane to a case, you would be best served to have an experienced computer forensics analyst look at the data. A computer forensics expert can work as a special master or can sign a non-disclosure agreement in order to protect confidential information. If opposing counsel hires an expert, you will want to have their analysis and conclusions reviewed by your own expert. Occasionally, opposing counsel will share the imaged (copied) hard drives from computers involved in the discovery. If you are deposing opposing counsel’s computer forensics expert, it can be extremely valuable to have your own expert in attendance. Often, they can identify flaws in the other expert’s answers, or suggest a line of questioning. We recently provided this service to a client. During the depositions, the other side’s experts essentially refuted much of what was in their own analysis. Before the case ever went to trial, opposing counsel had withdrawn its computer forensics experts. Have you ever considered acting as your own computer forensics expert? A few years ago, a defense attorney contacted our company and asked to rent (use) our forensics equipment to view and analyze a hard drive image of his client’s computer made by investigators. As experienced professional computer forensic experts, we were concerned about this request, and offered our analysis services, which this defense attorney declined. The attorney paid for the use of our equipment, and until recently, we had not heard what became of the case. Unfortunately for his client, this attorney lost the case. His client spent the next few years in jail as a result. We were approached on this case after the client had secured a new attorney to handle an appeal. The original trial judge provided a declaration expressing his opinion that the defendant had been poorly represented. Our company was the only other party asked to provide a declaration, which we did, stating our professional opinion that the computer forensics evidence was incomplete and not conclusive. Perhaps if the attorney had not tried to act as his own expert, his client might have been spared prison time. When to Call a Computer Forensics Specialist?
In nearly all litigation these days, there is some evidence on a computer. Have you considered this for your case? If you haven't, you should. But don't panic. Bring in a seasoned computer forensics specialist sooner rather than later, and you can save valuable time and money; not to mention legal wrangling. Intuition is a powerful force that deserves your respect. If your gut is nagging at you, suspecting that some legal issues may be afoot, it's worth checking out. And it's literally never "too soon" to call in a qualified computer forensics expert. Doing so may speed up the legal process, and help clarify facts and issues from the get-go that may influence your case later on. In fact, the earlier an expert is brought in, the more helpful we can be. Is there a downside to calling your computer forensics expert right away? We're hard pressed to think of one, perhaps just the confirmation that you have a legal battle ahead. But that would have been the case whether or not you called us first! Even in that worst case scenario, computer forensics can smooth or even shorten the rough road you anticipate. In the best scenario, we can help clients avoid court altogether. We've discovered many a "smoking gun" in the discovery phase that put an abrupt end to the proceedings. What's the downside to not calling computer forensics experts first? Evidence may be lost that could support your case. If you've even considered litigation, your first consideration should be to preserve evidence. Don't even touch an evidence computer until you've spoken to a forensics specialist. Worried we'll come in and stop business operations in their tracks? No need. We quickly archive data to preserve a snapshot of every potential piece of evidence. Bringing us in when you first suspect a problem means you have a qualified guide in navigating even the first few crucial steps of the electronic discovery process. It's an opportunity to avoid pitfalls that would otherwise harm your case, and gain valuable insight into the facts. Sometimes we're brought in early enough that we can deliver excellent advice or recommendations without even touching a computer. Sounds strange, we know. But a thoughtful conversation leveraging decades of experience can often dispel a client's concerns. And in situations where squaring off in court seems unavoidable, we're right there with expert advice. We help clients anticipate challenges and face them down with the very best evidence available. So if you've got butterflies, chances are you're about to wade into the ESI (electronically stored evidence) jungle. Call or e-mail us first, because every step counts. Especially the first one! |