Digital Forensics – What We Don’t Know CAN Hurt Us
If my work with Volume Shadow Copies has taught me one thing it is that I don’t know anything. I have often said the more I learn, the less I know. Everything that we learn about computer investigations leads to more learning. It never ends. Anyone that thinks they know everything there is to know about digital forensics is either a liar or delusional. Each case should be teaching us something new and we should be learning from it.
The same goes for any new developments in the field. If we don’t keep up with all the latest developments how do we expect to be able to conduct a full investigation?
I have noticed a worrying arrogance lately in that digital forensic investigators believe that they know all that they need to know. They’ve been on all the AccessData and Guidance courses that are on offer, so they have all the knowledge they could ever hope to amass. There is no more room for progression.
This is incredibly dangerous not only to the analyst, but to the people that we represent.
A little while ago a friend of mine conducted an investigation for a police force. I remember him working very hard to experiment and test his findings, like any good examiner. He sent his report to the relevant authorities and got on with his next case.
Some months later the defence report arrived on our doorstep. This report was compiled by a digital forensic investigator professing nearly 20 years’ experience in the field.
His report went on to attack my colleague’s findings. This is not unusual but the manner in which he tried to do this left me feeling completely stunned.
The report was simply dismissive. This ‘veteran’ stated that he did not believe my colleague’s findings were accurate. He did not give any justification for this and he did not conduct any testing; he just said something along the lines of “I know of no method to recover this data so his findings must be incorrect.”
I couldn’t believe this. At what point does an investigator allow himself to interpret his own limited knowledge as fact? It is disturbing and I hope that I never fall into this trap.
The question I would ask is: How do we safeguard against such arrogance? Clearly our field is intellectual and we know a great deal but how do we stop ourselves from becoming like this examiner? How do we keep ourselves firmly anchored?