Following the Forensic Road Map: A mutual understanding up front puts both attorneys and forensic examiners on the same page from the start

Tuesday, January 5, 2016 - 23:30

Michael Ciaramitaro has extensive experience in managing large, complex cases involving data preservation and forensic analyses. An expert in data mapping, as well as preserving and analyzing ESI, he recounts the evolution of computer forensics and charts the latest advances. His remarks have been edited for length and style.

MCC: Your career in computer forensics spans a period when fundamental changes are taking place at an incredibly rapid clip. Let’s start with how you got to where you are today. How did you become interested and get involved in the field? What most excites you about what you do? 

Ciaramitaro: My progression into computer forensics was gradual. I started out as a quality assurance analyst with Guidance Software, the leading computer forensic software developer, where I tested every suite of software developed by the company. 

I was mentored over a five-year period by some of the founding fathers of computer forensics, such as John Colbert, Larry Stinson, Shawn McCreight and Dominic Weber to name a few. They taught me the intricacies of defensible data collection and computer artifact interpretation. 

I then took that foundation and began my career as a forensic consultant, when I was able to marry my deep understanding to traditional computer forensics with my passion for solving e-discovery problems for my clients. 

I am now fortunate to be at the forefront of identifying and solving some of the Am Law 100’s and S&P 500’s e-discovery technology challenges, especially when dealing with emerging technologies. This is of course very stimulating and fulfilling for a forensic examiner. 

MCC: Let’s talk about the evolution of computer forensics. Setting aside the technological changes for a moment, what has been the single most important change in the field during a career that has seen many changes? 

Ciaramitaro: Technology aside, I’d say the biggest change that has had the single greatest impact in forensics is the myth that data preservation is an all-or-nothing proposition. The reality is quite opposite. Understanding that data preservation can be commensurate to the legal team’s needs and the clients’ requirements means that forensic preservation does not always require a scorched earth approach. Sometimes the only requirement is to preserve one folder from an email account, and other times we may be required to recover deleted content from a computer. It can be bits and bytes, or it may require a data lake.

MCC: You’ve worked very closely with corporate law departments on investigations, on e-discovery and in other areas. These are frequently smart and experienced lawyers who are not experts in technology and must rely on others, including advisors such as you. What advice can you give them when it comes to dealing with forensic experts and the highly sensitive matters they frequently deal with? What can they do to most help you and your colleagues achieve the results they need you to deliver? 

Ciaramitaro: The most valuable advice I can give attorneys when selecting a forensic expert is to be sure that the road map of investigative options is laid out and fully explained in a way that the client can understand. There is little mystery to what can or cannot be done to answer a specific set of questions; therefore understanding what tasks are required up front can put both the attorneys and forensic examiners on the same page.

The road map ensures that everyone is on the same page and helps focus time and budget on what’s most important. I think it was Albert Einstein who said, “If you can’t explain it simply, you don’t understand it well enough.” 

The other perspective is that lawyers don’t have to be technology experts per se but rather technology enabled. It’s my goal to enable each lawyer fully; however, they have hired me to be their technology guru around e-discovery so demonstrating that capability helps to build that trust too.

MCC: As data continues to proliferate and as forensic footprints grow, time becomes even more of an enemy given the ever-present need for speed in an investigatory setting. Some e-discovery experts say that the technology, at least today, simply cannot keep up with the data explosion. Do you agree? If something has to give to get the job done, how do you approach the hard priority choices that must be made? 

Ciaramitaro: My position is that technology is much further ahead than most clients realize. It’s often a client’s own technology environment and processes that are not optimized. That said, I believe that the proliferation of data, as well as the types of artifacts, only increases the amount of time necessary to answer the key questions of a computer investigation in a linear manner. The first thing I do when a client wants two weeks worth of work crammed into four days is create phases of analysis, prioritize tasks, then divide and conquer. Phasing allows us to test a project to the point necessary to make an educated decision about whether to continue along the same vein. Prioritization with rolling deliverables can mean the difference between a timely temporary restraining order or not. The right team can then be assembled to achieve the client’s needs. When an examiner says, “We simply won’t have enough time,” a lot of times they are really saying, “We don’t have the resources to assemble to accomplish this in the requested amount of time.” 

MCC: UBIC is promoting AI technologies that can predict human behavior. Tell us about how AI is being used in advanced forensics and where you see that going in the years ahead. 

Ciaramitaro: UBIC continues to invest research and development dollars in technology to better support client needs. This encompasses not only processing data but also interpreting data in a more automated way, all toward the goal of saving money and time. For example, our AI technology allows our clients to get better, faster results in a variety of ways. Users can leverage a tool built for correlational analysis in order to identify possible new custodians using special scoring and algorithms. Human intervention can then be applied to verify and accept the automated findings. Additionally, predictive coding features in our solutions leverage AI technology for improved review speed – up to three times faster than manual review. This is accomplished via self-learning processes and adds speed and review capability for encoding “hot or not” unstructured data. This will ultimately reduce client cost and save time. And finally, predictive email auditing solutions are market ready and are designed to prevent and proactively review email to reduce the risk of noncompliant behavior, which could lead to litigation. We also have exciting new technology leveraging our AI capabilities. One is an examination solution for police or prosecutors who have seized hard drives that need analysis. Our solution can find related or comparable notes to identify or prove a threat or criminal activity. Similarly the AI application in social media allows for monitoring that can also prevent many types of threats.

MCC: You’ve worked on many types of litigation, including employment, IP and other matters. What areas do you find most challenging? Most interesting? Dealing across many types of clients, as you have, where are the problems of tomorrow most likely to arise?

Ciaramitaro: Exiting employee investigations and investigations that require computer use analysis without a specific directive are both most challenging and most interesting. Usually it starts with “We have an employee who has left, and we want to make sure they didn’t do anything nefarious before they left.” This is particularly challenging because we have to make assumptions about what the custodian would have likely done and how they could have done it from their computer or email account. These investigations are interesting because we get to look at the problem holistically versus limiting our examination to a few exit points. It boils down to finding a thread and pulling on it until we get a good picture of the computer use chronology. When I look in my crystal ball for the problems of tomorrow, I would say that keeping up with exponentially growing data sets and leveraging more automation, like our AI solutions, to deal with the volume, variety and velocity is in the very near future.

MCC: Recent surveys of general counsel show that they are most concerned about cybersecurity and corruption. They want advice on how to avoid problems for their companies, not just clean up after them. How can advanced forensics help them get out in front of these areas that are keeping them up at night?

Ciaramitaro: Data is both an asset and a liability for most companies. Information governance helps us mitigate our liability by developing policies and procedures for dealing with our data in practical and flexible ways. It’s important to understand your data on so many levels and create a system to protect it from those whom you don’t want to have access to it, without locking it down so much that those who do need access can’t get to it. 

Information governance has been around for decades, and it continues to develop and adapt to today’s modern needs. In short, indexing all your data sources, categorizing it into logical groups and flagging data based on the created policies is a great way to understand your data, prevent leakage and also to protect it.

Retention and deletion policies often cause an organization great consternation. There is always a fear of deleting data too soon or keeping it too long. While there is no magical or perfect solution, establishing one policy and maintaining consistency is key to gaining control over your data. 

MCC: Given that you work with both in-house and outside counsel, what personal qualities have you found most important, in yourself and in others with whom you’ve worked, for developing the kinds of trust-based, collaborative relationships that you need to achieve the best possible results on an assignment?

Ciaramitaro: It’s very important to listen to your client’s needs and understand the overarching objective of the work being performed. Repeat what they are saying and confirm your understanding with them. From this deep understanding, you can develop a statement of work that will put you and your team on the right path. 

The idea is to organize and establish an easy-to-follow workflow for your client and your team to use, building trust through better understanding on both sides. We never want to be a black box that only surfaces when there are problems. It boils down to communicate, communicate, communicate.

Michael CiaramitaroSenior vice president of forensic advisory services at UBIC/Evolve Discovery and can be reached at