What Lawyers Should Know About Digital Forensics

By Tad Thomas | Apr 6, 2021 | Tad's Tech Corner

Technology is an essential part of any modern practicing attorney’s toolkit. In Tad’s Tech Corner, join me as I discuss how to best utilize technology– both from a device and software standpoint– during your daily lawyering tasks and during trial. Discussions, as always, are welcome in the comments section below.

— Tad Thomas

Electronic data plays a significant role in legal matters—especially given that’s how most sensitive information is stored today. With advances in technology, how trial lawyers obtain evidence for their clients is constantly changing. Digital forensics is how evidence is obtained from digital media in a defensible manner. There are a number of techniques used to collect information properly.

As a trial lawyer, having even a basic understanding of computer forensics is necessary to running a successful law firm. Let’s take a look at what attorneys should know about digital forensics and how it can help you win at trial.   

Five Stages of Digital Forensics

Before we look at the latest computer forensic trends and how they can help you improve your client’s chances of a favorable settlement or verdict, let’s take a look at the primary stages of a digital forensics investigation. If your law firm already has an established process, you may see differences in the steps, but all investigations are composed of these steps in one way or another.

  1. Assessment. Prior to collecting any data, you’ll want to assess the client’s situation and develop a forensic investigation plan. Whether you consult a digital forensics expert or you choose to handle the investigation yourself, you’ll need to understand data storage, file formats, production strategies, and complex IT infrastructure, so you can assess the effort needed to examine the possible digital repositories and create a plan to obtain the information.
  2. Collection. It’s generally considered unacceptable to perform a digital examination on source media that contains potentially discoverable information. Before examination starts, the source media needs to be copied so that the original’s integrity is preserved. A forensic copy is a faithful replica of original media and includes all data visible through the file system.
  3. Examination. During a digital forensics investigation, you may recover deleted information, analyze computer or phone backups and compressed archives, identify the history of opened files and the file types, and get rid of unnecessary files like duplicates.
  4. Analysis. Once the evidence is compiled, your firm or the digital forensics examiner will perform an in-depth analysis of the evidence, interpret the data, draw insights, and begin to formulate your client’s story.
  5. Reporting. In the last phase of the digital forensics process, a report that documents all relevant findings is filed. The report describes activities that took place during the investigation, provides a timeline, and supplements evidence with expert opinions and conclusions.

Latest Cyber Forensic Trends

The field of digital forensics is constantly evolving. In the recent past, we’ve seen the rise of smartphones and tablets, along with other interconnected devices. Below are the latest cyber forensic trends you should be aware of:

  • Smartphones. Smartphones can yield a wealth of information—even in a civil trial. We access emails, social media, messaging, and more via our smartphones, and geolocation information tracks our movements. As such, these devices are critical in most digital forensic investigations.
  • Ephemeral Apps. Apps that deliver messages that are temporary in nature are ephemeral. The most common is Snapchat, but there are many apps that automatically delete content after it’s viewed. What people may not realize, however, is that Snapchat content can be recovered using some fairly basic forensic techniques.
  • Internet of Things (IoT). IoT refers to the ecosystem of digital devices that connect to the Internet. Devices that previously only completed simple tasks, like doorbells, thermostats, and smoke detectors, now regularly track activities and record information in the form of metrics, logs, or audio or visual files.
  • Solid-State Drives (SSDs). SSDs are silicon-chip-based and identical to the technology found in flash memory cards. SSDs provide users with a reduced footprint, fast response times, and lower power consumption. While it can be challenging to obtain evidence from an SSD, it’s important to note that information has to be erased before new data can be written, unlike traditional hard drives.
  • Encryption. Hardware and software companies take consumer privacy more seriously than in the recent past, so information that we store can be automatically encrypted. Even when info is encrypted, forensic examiners can recover the information.

Data forensics cannot only help you win a case, but it can help your client avoid issues when a case involves examining sensitive data. The biggest advantages of digital forensics include eliminating hearsay, providing concrete evidence, preserving data, and providing expert witness testimony.

With a more comprehensive understanding of digital forensics, you’ll be able to maximize the benefits of the discovery process and improve your ability to build a successful case on behalf of your client.