SANS Digital Forensics and Incident Response Blog

Lawyers Aren't So Bad, After All

This sentiment may vary depending upon whose side of a case you choose. I have had the good fortune to work with several capable lawyers. It has been my experience that lawyers are good listeners when they need input from me concerning my field - forensics. The important thing is to make sure you have a good relationship with legal. The communication lines have to be open, no matter what you think of the "legal eagles" with whom you are dealing.

Just Push a Button...

I wrote code in a former life for a guy who ran a trucking firm. He didn't even know how to turn the computer on. However, when he wanted some new feature, his comment was, invariably, "...you should just be able to push a button and get that!" While today's lawyers are typically more sophisticated, they may still expect us to be able to push a button and get their answers. Just like that. While they may be disappointed, they can learn that there is no instant gratification with forensics. A lot of preparation is required to reach the point where we can just "push a button" to get answers.[1]

Consider cases that start with the pain of drive decryption. Decryption will probably take a day or a night to complete. If the drive is large enough, and if the lawyers have provided a large number of search words, it could be several days more before we have results. We may need to reveal file structures and run a number of case initialization scripts before we can really begin the searches in earnest. Searches can take days. Once the searches are complete, there is a chance that something was not right in the search parameters, and we may have to start over.

Needle In a Needlestack: Art or Science?

Computer forensics - art or science? My co-worker, Richard Newman, expressed recently that it was like looking for a needle in a needle-stack. When Legal understands that, they can be your best friend. They can help buy you needed time in order to do a thorough job.

Provide timely status reports. Explain everything fully. Seek their advice. Work closely with them throughout the entire case. Maybe you, too, will believe that lawyers aren't so bad, after all.

[1] Computer Forensics for Lawyers Who Can't Set A Digital Clock, http://www.craigball.com/CF_0807-Digital%20Clock%20article%20only.pdf

J. Michael Butler, GCFA Gold #00056, is an Information Security Consultant employed by a Fortune 500 application service provider that processes over half of the approximately $5 trillion of residential mortgage debt in the US. He is a certified computer forensics specialist. In addition, he authored the enterprise-wide information security policies for his corporation.