It seems that colleges and universities are pumping out digital forensics experts by the dozens these days. There is an ever-increasing understanding of the need for digital forensics experts in corporate and legal circles. This is a good thing for the industry, but it also carries with it some inherent risks.
While we welcome the fresh-faced newcomers to an exciting field, we need to also understand that their education may not be as complete as it needs to be. For example, a lot of what is being taught in the modern classroom is evidence handling and the modern tools to use. This is good, but the one thing that I see being missed is a robust knowledge of the underlying technology. The digital forensics tools that most students are being taught to use, while impressive, do not necessarily give them a thorough understanding of what is really happening “underneath the hood.” This can be a real problem when your case goes to litigation — either by arbitration or in a court of law. If your opposition hires my company, for example, they are going to have questions for your expert that could undermine your entire case.
So, what is that one question that can give you confidence in your digital forensics team? It is: “What are the seven layers of the OSI Model?” If your DFE can answer this question, it should give you a good amount of confidence that they have the technical expertise to best evaluate your case.
Now, without going too far into the weeds, let me give a brief synopsis of what the OSI Model is. The OSI Model is the Open Systems Interconnection Model created by the International Organization for Standardization (ISO). This is the model that all computers and electronic devices must use to enable any and all data to be used/stored or networked (received and sent). If a computer person understands this model thoroughly, they can fix any computer problem, write any software program, understand routing and networking in its entirety. This includes databases, email, you name it, they will understand it and how it works. This is especially important in dealing with digital forensics. A computer person or a digital forensics expert must understand how data flows through a computer or any other electronic device to understand thoroughly what is going on within that device. A simple knowledge of digital forensics software is not enough. The digital forensics software may be able to pull all of the data out of a computer or digital device, but the examiner needs to understand what they are viewing and how that data that was data-carved by the forensic software is relevant to your case.
I recently had a case where I was asked to level an opinion about emails that had been sent from one company to another. The emails themselves contained domain addresses that did not necessarily belong to that individual. The question was asked, “How was this possible?” Was this person hacking emails? Were they spoofing email addresses? Or was there some larger nefarious organizational structure causing this to happen? The email servers involved were Microsoft Exchange email servers. The opposition digital forensics expert concluded that this was an anomaly and no nefarious activities occurred. But I had to know for sure. As it turned out, their expert was completely wrong, was discredited by the court during litigation and “my side” won the decision handily.
On that note, it is also highly critical that you engage a digital forensics expert willing to dig in and research. The best experts are the ones who love learning and honing their craft, simply for the sake of the new and exciting information they will learn. If you’re engaged with a digital forensics expert and you’re not sure how much they are willing to research, ask them what new tool/technique/idea they’ve learned lately in their personal research. This can give you a good indication of where they are at.
Here’s why the research is so important. If your digital forensics expert isn’t willing to do research with regards to your case, you may have problems during litigation. Digital technology is changing almost daily. Keeping up with the technology seems like a no-brainer, but I have found a lot of digital forensics experts don’t do that. They may take the odd class, attend a conference, meet with and/or network with other computer forensics experts and even belong to various organizations. But if they aren’t willing to research for themselves when the case presents itself in such a way that their knowledge and/or background may not be enough, will they go the extra mile? An FBI forensic examiner once told me that 85% of his job was research. Why? Because he dealt with video and audio media, and that type of data technology changes daily. There is also no standardization mechanism in place with video and audio media files, so, yes, a lot of research is involved with those types of cases.
In conclusion, it is absolutely critical that your digital forensics expert thoroughly understands the underlying technology. It is equally important that they be willing to research areas they may not understand. It’s a fact of life that no one person can know everything. The key is that they combine that critical understanding of the technology with that love of learning and research. This is the kind of DFE you want to have on your case. They will not be easily discounted and/or refuted with regard to their findings in a court of law.