Digital Forensics – What We Don’t Know CAN Hurt Us


If my work with Volume Shadow Copies has taught me one thing it is that I don’t know anything. I have often said the more I learn, the less I know. Everything that we learn about computer investigations leads to more learning. It never ends. Anyone that thinks they know everything there is to know about digital forensics is either a liar or delusional. Each case should be teaching us something new and we should be learning from it.

The same goes for any new developments in the field. If we don’t keep up with all the latest developments how do we expect to be able to conduct a full investigation?

I have noticed a worrying arrogance lately in that digital forensic investigators believe that they know all that they need to know. They’ve been on all the AccessData and Guidance courses that are on offer, so they have all the knowledge they could ever hope to amass. There is no more room for progression.

This is incredibly dangerous not only to the analyst, but to the people that we represent.

A little while ago a friend of mine conducted an investigation for a police force. I remember him working very hard to experiment and test his findings, like any good examiner. He sent his report to the relevant authorities and got on with his next case.

Some months later the defence report arrived on our doorstep. This report was compiled by a digital forensic investigator professing nearly 20 years experience in the field.

His report went on to attack my colleague’s findings. This is not unusual but the manner in which he tried to do this left me feeling completely stunned.

The report was simply dismissive. This ‘veteran’ stated that he did not believe my colleague’s finding were accurate. He did not give any justification for this, he did not conduct any testing, he just said something along the lines of “I know of no method to recover this data so his findings must be incorrect.”

What?

I couldn’t believe this. At what point does an investigator allow himself to interpret his own limited knowledge as fact? It is disturbing and I hope that I never fall into this trap.

The question I would ask is: How do we safeguard against such arrogance? Clearly our field is intellectual and we know a great deal but how do we stop ourselves from becoming like this examiner? How do we keep ourselves firmly anchored?


11 responses to “Digital Forensics – What We Don’t Know CAN Hurt Us”

  1. Unfortunately, I see this very frequently when I testify in pretrial motions, hearings, and at trial.

  2. The only thing that makes sense is to keep up with advancements in the field. Any professional in any field should pursue knowledge with a relentless spirit and insatiable curiosity.

    In pursuing a mystery, there is a great separation between those who proclaim, “This is impossible!” and those who query, “Is this possible?”

  3. The problem is, when an attorney is paying an “expert”, and they want that expert to lean a particular way, they cherry pick someone to do their bidding, even if it’s completely farcical. Because there’s no certification standard for “expert”, anyone will do. It’s up to the opposing council to use certs and prior work and discredit the morons so they stop getting used. I also think that the courts should be the ones calling and hiring expert witnesses independent of the attorney’s to better ensure an unbiased report. And monitor who goes what way on cases, so a judge isn’t constantly relying on some patsy. It’s fixable.

  4. Confidence is a good trait to have, but not when one is driven blind and ignorant by ego and arrogance.

    Had he followed the examiner’s methodology and maybe even attempted to replicate his findings, he could have reported that an attempt to perform the same feat failed and then planted the seed of doubt. Instead, he proved himself to be far from qualified to make any statement at all.

    The important thing to remember is that nobody knows everything, but somebody may actually be smarter (or luckier) than you.

  5. That is unfortunate. Like with any other situation where facts are involved those should be allowed to stand for themselves. If the other side did not understand how the facts were obtained, maybe they should have asked for a step by step walk through or maybe challenged the integrity of the process vs. dismissing the facts.

    – “Nothing is more rewarding than to watch someone who says ‘it can’t be done’ get interrupted by someone actually doing it.”

  6. this makes me remember an old Shaolin like movie, where despite his position in the Temple, every day the Master sweeps the yard to keep his humility.

  7. I’ve seen this as well, and I agree with the comment above that the court should be more proactive in appointing Special Masters for computer forensic work. Of course, the problem also involves coming to an agreement on the trusted 3rd party, but it’s embarrassing for the courts and the experts when two “experts” in the field don’t agree on anything!

  8. Confidence is a good trait to have, but not when one is driven blind and ignorant by ego and arrogance.

    Had he followed the examiner’s methodology and maybe even attempted to replicate his findings, he could have reported that an attempt to perform the same feat failed and then planted the seed of doubt. Instead, he proved himself to be far from qualified to make any statement at all.

    The important thing to remember is that nobody knows everything, but somebody may actually be smarter (or luckier) than you.

  9. The only thing that makes sense is to keep up with advancements in the field. Any professional in any field should pursue knowledge with a relentless spirit and insatiable curiosity.

    In pursuing a mystery, there is a great separation between those who proclaim, “This is impossible!” and those who query, “Is this possible?”

  10. You gotta be creative use different software and techniques and not be ‘set in your ways’. Me along with the help of an appraiser punched holes in a DR of forensics report working for the police. He failed to notice nearly all of the kiddie porn pictures were of a 20 year old porn actress Melissa Ashley. This just takes common sense rather than experience. Through his own arrogance he used a flesh detection script and didn’t properly view the pictures!

Leave a Reply to Fernando Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.