Digital Coordination: Is Your Computer Forensics Investigation A Symphony Or A Circus?

Tuesday, November 19, 2013 - 11:30

Digital forensics is changing, and you should be prepared for more of it in the future, not less. The increase of cloud computing has, in some ways, reduced the instances of hard drive analyses, but the explosion in mobile devices has more than offset the need for device-level analysis for litigation and investigations. In fact, due to the wide variety of mobile devices, the myriad ways of configuring them, and the new types of data created and stored, there is an explosion in the need for qualified digital forensics. Even if you have not needed digital forensics in the past, it is increasingly likely you will in the future.

Dealing with computer forensics can be daunting, but understanding the roles of corporate counsel, outside counsel and the forensics team, and understanding best practices for a forensics investigation, can make the difference between an effective investigation and digital disaster.

The Scenario

You receive a whistleblower letter alleging inappropriate management of one of your key accounts. At this point, you are not sure if this is an issue of embezzlement, fraud, incompetence, or a severe misunderstanding. However, you do know that something is amiss.

You quickly realize that investigating these allegations will require focused outside counsel, and will likely require the consideration of email, text messages, phone records, voice mail, invoices, shipping records, and other sources of digital information.

What roles, in this scenario, should you expect from yourself (corporate counsel), outside counsel, and the digital forensics team?

Corporate (In-House) Counsel

As corporate counsel, you will be the initiation point for the process and provide the umbrella for the matter’s success.  You will make the decision about which outside counsel to engage. They will take it and handle it, but your job does not stop there.

In-house counsel should also be involved in issuing legal holds, identifying interview candidates, coordinating interviews, and making resources available. For the forensics portion of the investigation, these resources can include in-house IT specialists, onsite security access, and physical spaces for setting up forensics capture stations.

Outside Counsel

Outside counsel is charged with the management of the case and will likely select the expert or forensic team.  Most firms generally have a direct relationship with the selected forensic company and manage their work, reporting results to in-house counsel. In effect, outside counsel is the middleman between the forensic team and in-house counsel.

Law firms should work to clearly define the project. They conduct interviews and set the initial scope of the dates, issues, and custodians. They need to convey this information to the forensics team and to make decisions regarding the type of forensics captures to make and the type of forensics analysis to conduct.

Based on the nature of the investigation (misfeasance or malfeasance), timing facts, and types of activities alleged, outside counsel will confer with the forensics team to determine if partial, full, or device-level copies need to be taken of various devices.  They will also decide if individual employees will help in the collection or be excluded from participation, and if subsequent analysis will be focused or broad.

Forensic Teams

Forensics is charged with the actual tasks involved with the matter.  From the onset, forensic experts should work with outside counsel to reconcile counsels’ understanding of the allegations with experts’ understanding of how data is created, stored, and retrieved. This may include providing technical questions for counsel to add to witness interviews. After the scope is determined, forensics handles the collection, extraction, and analysis of data.

A good forensics team will be able to provide options to counsel on how to capture data, how to extract data, and how to present results. They will also have well-documented standard workflows and allow for tighter budgeting, if necessary.

Forensic teams work at the direction of outside counsel. This includes providing forensic reports and education about technical issues, as well as standard forensic activities. Forensics can assist during scoping and engagement phases of the project, with counsel providing legal guidance and the forensic team providing technical leadership. Forensics can also provide expert reports or testimony required during the matter at the direction and oversight of outside counsel.

Role Recap

  • In-House Counsel
  • Engages outside counsel to manage a case.
  • Makes resources available during the project lifecycle.
  • Facilitates onsite visits for outside counsel and forensic teams.
  • Provides access to third party data sources, such as hosted platforms like Office 365.
  • If necessary, facilitates self-collection when capabilities match needs for systems like email or employee data.
  • Responsible for arranging payment terms of all invoices.
  • Outside Counsel
  • Scopes and defines the project requirements for the matter.
  • Selects the experts or forensic team for the matter.
  • Sets appropriate deadlines for assigned tasks.
  • Manages the case and oversees forensic team’s work.
  • Reviews the results of the forensic processes and reports.
  • Manages the testimony, if necessary, of expert witnesses.
  • Forensic Teams/Experts
  • Facilitates collection of structured or unstructured data sources.
  • Manages the extraction and early data assessment phases.
  • Completes any required analysis activities.
  • Reports findings back to outside counsel.
  • Provides education to counsel teams when appropriate.
  • Testifies in court, if needed.
How To Interact

Now that everyone knows their roles, interaction among the three should run smoothly and efficiently, just like a symphony.  Early definition of the roles between teams helps mitigate risk, eliminates costly duplicative efforts, and ensures smooth dissemination of information. Successful interaction can provide comfort to the legal teams as the case progresses. 

In-house counsel is like the percussion section of an orchestra: providing the rhythm and background support for the project. Outside counsel is like the woodwind or strings section: providing the melody for the teams as they solve problems. Forensics teams are like the brass section: coming into the fold as needed at the direction of outside counsel. Like the woodwind and brass section of an orchestra, outside counsel and forensics play off each other as the melody ebbs and flows through the symphony of the matter.

In-house counsel, at times, may directly engage forensics. When brass and percussion sections play off one another, results can be bold and progressive.  Forensic teams can leverage knowledge gained to assist in-house counsel with litigation readiness, defensible deletion, or other information assurance projects. Building upon successful projects can create the relationship needed to provide the requisite consulting around these needs.

Locating A Qualified Expert

Now that we know how these teams work together to create the music, it is clear that hiring the right forensics firm for your matter from the beginning is essential if you want to avoid the circus of costly additional partners muddling through your forensic weeds. This fragmentation is a symphony killer. Electronic discovery vendors are increasingly building soup to nuts solutions for the entire EDRM phase of litigation. Today, matters routinely require advanced forensic analysis from an expert team, yet many providers act more like vendors who put focus only on data collection and extraction for processing and hosting gain. How can you find the best music makers?

  • Litigation and forensic conferences provide opportunities to assess multiple service providers. Events such as the Masters Conferences highlight thought leaders and decision makers in the forensics industry and provide a backdrop to meet and evaluate several potential partners rather than only one.
  • Referrals from trusted colleagues are always helpful. Selection of a known partner can fast track an engagement with a shorter lifecycle. Discuss experiences with your colleagues to ensure your needs match the referred forensics team’s capabilities.
  • Internet searches targeted at expert testimony and forensics are also a good option, if used in tandem with the above. Focus on relevant experience and consider your end game. To that point, more and more frequently expert testimony is needed if a case does not settle. Do the forensic companies you are looking at have qualified, seasoned testifiers? Whether you need testimony or not, this will often inform how they approach the entire case.

When you have narrowed your search, request the CVs of the team members you believe will be needed for your matter. The CV should cover specific case experiences, training, certifications, and prior testimony.

Special Sauce

Increasingly, forensic analysis is moving beyond the laptop, server, or mobile device.  Records from third-party sites (e.g. “cloud computing”) and networks are also sources of data considered during forensic analysis. Will your selected partner have a deep enough bench of professionals to provide extended forensic services or litigation readiness consulting? Does the potential partner employ PMBOK-based management (Project Management Book of Knowledge)? Can the forensic team provide expert testimony if required? Selection of an experienced, deep expert team will ease the stress around management of forensic projects, creating a perfect harmony between the teams.

 

James Whitehead, a Manager at Washington, DC-based iDiscovery Solutions, Inc (“iDS”), has more than 15 years of experience managing technology and projects related to computer forensics, electronic discovery, and information governance. 

Dan Regard, CEO and Co-Counder of iDS, is a nationally recognized electronic evidence and case management expert and has conducted system investigations, created data collections, and managed discovery on some of the highest-profile matters of the last decade. 

iDiscovery Solutions, Inc. (iDS) is an award-winning, global, legal technology expert services firm. Founded in Washington, DC by industry veterans with more than 50 years of litigation and consulting experience combined, iDS provides consulting, data analytics, processing and hosting of electronically stored information (ESI), and expert services in the areas of electronic discovery, digital forensics, and enterprise applications. iDS also provides subject matter experts that testify as to how technology works, generally and specifically, within the context of litigation, investigations, and government inquiries. 

Please email the authors at jwhitehead@idiscoverysolutions.com or dregard@idiscoverysolutions.com with questions about this article.