Author: Jon Berryhill
So what is a digital forensic analysis? The short answer is: it depends. Every case and situation is different. Recently I was talking to someone who had retained the services of a company to conduct an analysis of a laptop. The customer had a fairly simple question he was trying to answer: “Is there evidence that the user of the machine was engaging in the suspected inappropriate communications and/or activity?” What the customer got back was a several-hundred-page “report” of “preliminary findings,” and he was told that was their “phase one” analysis. In order to get more information, or even an explanation of the provided report, the customer would have to pay for the “phase two” analysis. The additional cost was tiered depending on how quickly the work would be done, with the “standard” (lowest cost) option having a 60-day turnaround. Needless to say, the cost of a more reasonable turnaround time made me gag.
A proper analysis means doing whatever data processing and analysis is necessary to answer the pertinent questions for the specific case. This usually means assembling the pieces of the puzzle from many different sources into a logical and relevant conclusion.
Most digital forensic analysis software packages (like EnCase, FTK and others) can generate an automated “report.” With little or no input from the analyst, the scripts that generate these reports can produce hundreds of pages of information. Seldom do these reports contain anything meaningful or understandable to a customer. When an analyst dumps one of these automated reports on a client, especially when accompanied by a bill, it is usually done for what I call the “thud effect” (how loud a sound can you make when you drop the report on a table in an effort to make it appear you have done a lot of work?). Did all that work, and the trees killed producing it, provide answers? Did the analyst explain the findings?
When it comes to analysis, context is everything. One of the basic tools used by digital forensic analysts is the keyword search. In most cases no more than a dozen or so keywords or short phrases are enough to show whether the relevant evidence exists. The “key” in keyword searches is context. You could pick just about any word and find it a number of times on just about anyone’s computer. I’ve seen keyword hit reports with 100,000 hits on one word. The skill and analysis come in when refining the process and looking at the context of the keyword hits. Who is going to eyeball each and every one of those to determine which, if any, are relevant? Where and when did the hits appear on the computer? What else was going on with the computer at the time? In order to fully answer these questions, it usually takes a collaborative effort between the analyst and the client. Often the review of keyword search hit data and its context leads to additional keyword searches and new questions, which direct the analysis in a more targeted direction.
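As an added illustration of the context point (example code, not from the original newsletter): a small keyword-in-context triage over a constructed set of extracted text artefacts, showing the headline hit count first, then the same hits narrowed by where and when they appeared and by a second term in the surrounding text. Paths, timestamps and text are all made up.

```python
import re
from datetime import datetime

# Constructed sample artefacts: (path, last-modified timestamp, extracted text).
# Paths and timestamps are made up; in practice they come from the image's metadata.
ARTEFACTS = [
    ("Users/jdoe/Mail/inbox.txt", "2023-03-02T09:14:00",
     "Quarterly transfer of funds approved by finance. Please transfer the report."),
    ("Users/jdoe/Documents/notes.txt", "2023-03-02T22:41:00",
     "transfer the files to my personal drive tonight, then delete the originals"),
    ("Program Files/Vendor/license.txt", "2019-12-01T00:00:00",
     "This license does not transfer to any other party or device."),
]

def raw_hits(artefacts, keyword):
    """Count every occurrence of the keyword: the headline number a 'hit report' shows."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    return sum(len(pattern.findall(text)) for _, _, text in artefacts)

def hits_in_context(artefacts, keyword, window=40):
    """Yield each hit with surrounding text plus where (path) and when (mtime) it appeared."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    for path, mtime, text in artefacts:
        for m in pattern.finditer(text):
            start, end = max(0, m.start() - window), min(len(text), m.end() + window)
            yield {"path": path, "mtime": datetime.fromisoformat(mtime),
                   "context": text[start:end]}

def refine(artefacts, keyword, also_contains, after=None):
    """Narrow hits to those whose context carries a second term and that postdate 'after'."""
    for hit in hits_in_context(artefacts, keyword):
        if also_contains.lower() not in hit["context"].lower():
            continue
        if after is not None and hit["mtime"] < after:
            continue
        yield hit

if __name__ == "__main__":
    print("raw hits:", raw_hits(ARTEFACTS, "transfer"))
    for h in refine(ARTEFACTS, "transfer", "personal", after=datetime(2023, 1, 1)):
        print(h["mtime"], h["path"], "|", h["context"])
```

Four raw hits on “transfer” collapse to one once the context window, the co-occurring term and the time frame are applied; the follow-up questions the remaining hit raises (what was deleted, and when) are the kind of thing the analyst then takes back to the client.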
There is no magic “Find Evidence” button. It takes work, the proper application of logic, and good communications between the client and analyst.
The ethics of running a business play an important part in all this, but that is a topic for another newsletter. I leave you simply with this—if your dealings with a digital forensics company make you uncomfortable, whether with respect to their process, findings or business practices, perhaps you should look elsewhere.