Organizing Computer Forensic Exhibits

April 22, 2010
One of the issues with being a computer forensic analyst in this day and age is volume. I’m not referring to the size of the media being examined, but rather to how we organize the large amount of data we find that is relevant (or possibly relevant) to the investigation. Classes abound on how to use tools to find the information, but what do you do with it once you find it?
I remember early in my career, I started off by organizing the data I located by file type. I sorted all the docs, spreadsheets, JPEGs, etc. into their respective folders and then built my exhibits around the same structure. This seemed like a simple way to organize my findings. That was until I met up with a prosecutor and a lead detective on a child pornography case I assisted on, and found they did not understand file paths and came to the wrong conclusion about an exhibit. In this case, I had a single hard drive and numerous 3.5-inch floppy diskettes, and my exhibits were organized by file type and sorted by file name. Each of the images included a full file path and the associated dates. As it was laid out, an image of the suspect, which was found on the hard drive, sat directly in the middle of numerous CP images, which were found on a diskette. They assumed the images were found in the same location and therefore that the suspect had known about the CP images. I was able to point out this error in time, so no actual damage occurred, but it got me thinking about better ways to organize my exhibits so this wouldn’t happen again.
I now organize the exhibits by location seized (usually by address), then by media type, and break each exhibit into four sections: Section 1, Address (the media was seized from); Section 2, Media Type (usually a graphic); Section 3, Evidence Number; Section 4, Distinguishing Media Information (make, model, serial number) and Location Media Was Found (office, family room, etc.).
I set up my analysis from the start with this technique, and all my bookmarks are organized in this manner; none of it is tool-dependent. The most important part is that it is very simple to understand and draws a clear picture for anyone reading the report. Another side benefit of this technique is that it reduced the number of follow-up phone calls from detectives and prosecutors asking, “what does this mean?”
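To make the difference between the two layouts concrete, here is an added example (not code from the post or from any tool Steve uses) that builds both indexes from the same set of findings: the old file-type bucketing, and the four-section exhibit structure described above. The findings, addresses, evidence numbers and serial numbers are constructed for illustration; the old scheme lands the suspect's photo from the hard drive between two flagged images from a diskette, while the exhibit scheme keeps each finding under the media and evidence number it actually came from.

```python
"""Added example: index forensic findings as exhibits keyed by seizure
address, media type, evidence number and media details (the scheme the
post describes), next to the older file-type bucketing it replaced.
All records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    address: str         # Section 1: address the media was seized from
    media_type: str      # Section 2: e.g. "Hard drive", "3.5-inch floppy"
    evidence_no: str     # Section 3: evidence number assigned at seizure
    media_details: str   # Section 4: make, model, serial number
    location_found: str  # Section 4: room where the media was found
    file_path: str       # full path of the file on that media
    file_type: str
    description: str


# Constructed sample findings: one hard drive and one diskette, same address.
SAMPLE_FINDINGS = [
    Finding("123 Example St", "Hard drive", "EV-001",
            "Acme 80 GB drive, S/N ACME0001 (constructed)", "Home office",
            "C:/Users/suspect/Pictures/portrait.jpg", "jpg", "Photo of the suspect"),
    Finding("123 Example St", "3.5-inch floppy", "EV-002",
            "Unlabelled diskette (constructed)", "Family room",
            "A:/pics/a001.jpg", "jpg", "Image flagged by examiner"),
    Finding("123 Example St", "3.5-inch floppy", "EV-002",
            "Unlabelled diskette (constructed)", "Family room",
            "A:/pics/z001.jpg", "jpg", "Image flagged by examiner"),
    Finding("123 Example St", "Hard drive", "EV-001",
            "Acme 80 GB drive, S/N ACME0001 (constructed)", "Home office",
            "C:/Users/suspect/Documents/notes.doc", "doc", "Word document"),
]


def file_type_index(findings):
    """Old scheme: bucket by file type, sort each bucket by file name.
    Files from different media end up interleaved in one bucket."""
    index = defaultdict(list)
    for f in findings:
        index[f.file_type].append(f)
    for bucket in index.values():
        bucket.sort(key=lambda f: f.file_path.rsplit("/", 1)[-1].lower())
    return dict(index)


def exhibit_index(findings):
    """Post's scheme: address -> media type -> evidence number -> entry.
    Each entry carries the media details and room, plus its own findings."""
    index = {}
    for f in findings:
        by_media = index.setdefault(f.address, {})
        by_evidence = by_media.setdefault(f.media_type, {})
        entry = by_evidence.setdefault(f.evidence_no, {
            "media_details": f.media_details,
            "location_found": f.location_found,
            "findings": [],
        })
        entry["findings"].append(f)
    return index


def render_exhibits(index):
    """Render the exhibit index as the four-section outline a reader sees."""
    lines = []
    for address, media_types in sorted(index.items()):
        lines.append(f"Section 1 - Address: {address}")
        for media_type, evidence in sorted(media_types.items()):
            lines.append(f"  Section 2 - Media type: {media_type}")
            for evidence_no, entry in sorted(evidence.items()):
                lines.append(f"    Section 3 - Evidence number: {evidence_no}")
                lines.append(f"    Section 4 - Media: {entry['media_details']}; "
                             f"found in: {entry['location_found']}")
                for f in entry["findings"]:
                    lines.append(f"      {f.file_path}  ({f.description})")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Old file-type layout, 'jpg' bucket:")
    for f in file_type_index(SAMPLE_FINDINGS)["jpg"]:
        print("  ", f.file_path)
    print()
    print(render_exhibits(exhibit_index(SAMPLE_FINDINGS)))
```

Run it and the `jpg` bucket prints the hard-drive portrait sandwiched between the two diskette images, which is exactly the layout that misled the prosecutor and detective; the exhibit outline below it puts the portrait under EV-001 (hard drive, home office) and the flagged images under EV-002 (diskette, family room), so the reader never has to parse a file path to know which media a finding came from.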
Sorry, eDiscovery types: this technique works for criminal cases and is not well suited to the extremely large amounts of data and data mining usually associated with eDiscovery processes.
Hope this helps – Steve