Computer Forensics & Digital Discovery
"The New Frontier"
By: Bill E. Branscum
Copyright 2008

I realize that many of you whom I consider to be professional colleagues have not yet reached consensus, but personally . . . I believe that computers are here to stay. I know that's a bold statement, and I can certainly relate to those of you who stubbornly cling to the venerable IBM Selectric II, but I'm willing to go out on that limb!

A few years ago, Kevin Ripa, my good friend and my favorite Canadian, whom many of you know to be a real expert, persuaded me to take an interest in Computer Forensics, the technological aspect of retrieving, restoring and analyzing digital and electronic evidence intended for use in criminal or civil courts of law. It has been almost as fascinating and challenging as it was expensive; I would certainly recommend it to any of you with an interest.

There are many aspects to Computer Forensics, such as; secure drive imaging, the recovery of deleted partitions, files and folders, by-passing passwords, the examination of file slack and unallocated clusters, the retrieval of documents and images that people have endeavored to hide, the preservation and presentation of evidence, and the maintenance of a viable chain of custody. Computer Forensics is complicated, demanding and time intensive, but for the investigator who enjoys puzzles (and who among us doesn't) it is intellectually challenging and rewarding.

With the proper hardware, software, and training, digital evidence may be recovered from various types of computer media, including; hard drives, CDs, DVDs, floppy disks, zip drives, flash cards, jump drives, RAID systems, cellular phones and other forms of electronic storage media. We have recovered and retrieved files and information from hard drives and electronic media, including e-mails, digital photographs, word processing documents, instant message logs, files saved from accounting programs, spreadsheets, internet browser histories, databases and digital video or audio files, even when those files had been previously deleted from the target drive.

There are various tools and products available to us, but we rely upon EnCase, this industry's "gold standard," manufactured by Guidance Software. Those of you who may be considering this should expect an initial "out-of -pocket" investment of about thirty thousand dollars - not counting your time. In this ever-evolving theater, maintaining proficiency requires a significant commitment as well.

Similarly, and intimately related, is the management of Digital Discovery, often referred to as, "E-Discovery." My interest in, and involvement with, digital data management began during my career in federal law enforcement more than twenty years ago. During the investigative process, there is no tool like CaseMap; I haven't any investment in the product, or connection with the company, but I have been a "power user" of Casemap for many years, and I may very well be their most vocal proponent.

When the Digital Discovery would fill a truck, Concordance is one of the most widely recognized tools for that job, and it merits mentioning that Concordance integrates seamlessly with CaseMap. We handle cases for law firms domestically, and internationally, who find themselves deluged with Digital Discovery, which often includes forensic images of hard drives that must be analyzed with EnCase. It is a rapidly expanding niche.

Lexis-Nexis published an article about a complex case that I managed to simplify rather dramatically with the right tools. Perhaps more art than science, it is the objective of all good case presentations to simplify the evidence and present a picture that any layman can comprehend. For example, note particularly the Graphic Analysis published below - could anyone page thru that presentation and remain unconvinced that this was an outright fraud?

Lexis-Nexis Article

Declaration

Graphic Fraud Analysis

Plea Agreement Joseph DiBruno, SR

Plea Agreement Joseph DiBruno, JR

Plea Agreement, Nicholas DiBruno

In another recent case, I was asked to investigate allegations of government misconduct upon which the Defense proposed to base a Motion to Dismiss. I am sure you have all seen this sort of desperate nonsense before, we all have, but there were aspects of the allegations that gave me pause. The discovery was overwhelming, the evidence was voluminous, and the case took me all over the place, from Florida to Washington state, including almost two weeks in Panama.

Egregious Governmental Misconduct - the Order

Most recently, I was the Investigator retained by Wesley Snipes, to assist with his criminal tax case. It was widely touted to be the unwinnable case in the unwinnable place, but we took the government's case apart as they presented it so effectively that we put on no defense of our own. Winning these cases requires intense trial preparation, and mastering the art of functioning as a team.

Wesly Snipes: The Tax Case

I will be publishing various articles related to Computer Forensics, Digital Discovery, Complex Case Management, etc. If any of you have anything in particular that you would like to have me address, please let me know.


Related Articles:

Complex Case Data Management

Oracle International
Bill E. Branscum, Investigator
OracleIntL@aol.com
(239) 304-1639


Visitor Number
 
 
© Copyright 2002 - Bill E. Branscum. All Rights Reserved.