Ball in Arkfeld's Court: Notes on Forensics
Craig Ball, computer forensics and EDD special master and author of LTN's "Ball in Your Court" column, was guest lecturer for the latest session of Arkfeld's Online E-Discovery and Digital Evidence Course. In addition to fielding questions and comments, he delivered a fast-paced and informative PowerPoint primer on computer forensics and electronic evidence.
Here are some quips and insights:
• Sometimes there's no loss of "information payload" in producing images in .tiff, especially for "unsophisticated clients who have a lot of money to waste ... if you don't mind the bloated format."
• When Arkfeld mentioned that even when both sides agree under Rule 34 to produce in PDF or .tiff, many courts still frown upon it, Ball offered his own Rule 34 observation: "Just because two lawyers agree they can fly doesn't mean they should head for the roof."
• Why do e-discovery when "It's just a car wreck"? The moment the air bag deploys, the car's event data recorder logs info such as the speed at which the vehicle was traveling and whether a seat belt was in use.
• Computer forensics is "the crunching of specialized data to hone in on the information to tell a story." Like mind reading, "forensics finds the human drama in the bits and bytes. What people hide, steal, think." It is a drama in which the computer, "an instrumentality in some form of malfeasance," is brought into play.
• What does a computer forensics investigator need to know to talk about cost? "What is the machine? What is the capacity of the storage media? What operating system does it use? Then I can give an estimate." Other questions will involve whether the work is done onsite or at the lab. Ball gave the example of making a mirror image of a terabyte of data: "No one can speed the path of data." If this is done onsite, an expert is going to have to sit there and watch the process as the hours go by. This could cost up to $5,000 for a disk image.
• A student asked what can be done if the entire machine is encrypted with full-disk encryption using TrueCrypt or similar software. Ball said the best method in a civil case is to "smile at the judge" and try to get a court order.
• What about a registry entry encoded using ROT-13, also known as the "Caesar cipher," in which you replace each letter with the one 13 places further down the alphabet? Ball asked the class why he was demonstrating this method of encryption, which he described as the "lousiest encryption scheme." Answer? An entry encoded using ROT-13 cannot be found using a keyword search.
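To show the keyword-search point concretely, here is an added example (not from Ball's lecture or the course materials) that implements ROT-13 as described above and runs a plain keyword search over a constructed set of registry-style values, one of which is stored ROT-13 encoded, as the UserAssist values in Windows are. The plain search misses the encoded entry; expanding each search term with its ROT-13 form catches it without decoding the data first. The sample values and the keyword "merger" are constructed for illustration.

```python
# Constructed sample of registry-style values. Two are ROT-13 encoded:
# "Frperg_Zretre.kyfk" is "Secret_Merger.xlsx" and the P:\Hfref... path is
# "C:\Users\jdoe\Documents\Merger_Talks.doc".
SAMPLE_VALUES = [
    r"C:\Users\jdoe\Documents\Budget_2009.xlsx",
    r"Frperg_Zretre.kyfk",
    r"P:\Hfref\wqbr\Qbphzragf\Zretre_Gnyxf.qbp",
    r"Notepad.exe",
]


def rot13(text: str) -> str:
    """Shift each ASCII letter 13 places down the alphabet, wrapping around.

    Digits, punctuation and path separators are left untouched, which is why
    an encoded path still looks like a path. Applying rot13 twice decodes.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def expand_keywords(keywords):
    """Add the ROT-13 form of every term so an ordinary keyword search
    also hits entries that were stored encoded."""
    expanded = []
    for kw in keywords:
        expanded.append(kw)
        encoded = rot13(kw)
        if encoded != kw:  # a term with no letters encodes to itself
            expanded.append(encoded)
    return expanded


def keyword_search(values, keywords):
    """Case-insensitive substring search, as a review tool would run it.
    Returns (value, matching term) pairs; each value is reported once."""
    hits = []
    for value in values:
        for kw in keywords:
            if kw.lower() in value.lower():
                hits.append((value, kw))
                break
    return hits
```

Running `keyword_search(SAMPLE_VALUES, ["merger"])` returns nothing, while `keyword_search(SAMPLE_VALUES, expand_keywords(["merger"]))` returns both encoded entries, matched on the term "zretre".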
For more from Ball on keyword searches, read this month's column in LTN's current issue, "Gold Standard," in which he demonstrates how "If counsel get their hands dirty with the data, as by personally exploring representative samples using desktop or hosted tools, the parties could work quickly, effectively, and cooperatively to zero in on relevant material."
Image by Clipart.com