Friday, May 30, 2008

Forensic Crossover

There are many parts of our jobs that cross over from one discipline to another. Latent Print Examiners and Questioned Document Examiners, for example, may also consider themselves Forensic Image Analysts inasmuch as they analyze the images used within their workflow. The same might be said of the crossover between Computer Forensics and Video / Image analysis as it pertains to digital CCTV.

There are, of course, some pitfalls in looking at this crossover. Pulling the power cord may be recommended in a computer forensics investigation ... but pulling the power cord on many Linux-based DVRs can/will result in the loss of all data, because the file structure may be held in volatile memory (RAM) and not written to the hard drive until the appropriate shutdown procedure is performed.

With this in mind, many agencies are trying to get more from less and are tasking folks across these disciplines ... for better or worse. Given that, it's always best to know the technical and legal aspects of your work before jumping headfirst into a case.

Here's a hypothetical: an image analyst and Photoshop user has been tasked with the retrieval of digital CCTV evidence from a crime scene. The system has no usable outputs and someone decides to seize the hard drive (not the entire unit). The analyst's unit does not have funding for the forensic examination of computer drives, but does have a little petty cash ... so someone runs out and buys Ghost at the local electronics store. Good idea or bad? I'd say bad. Here's why.

Computer Forensics is its own universe, complete with best practices and citable cases. There are plenty of available software and hardware combinations out there: EnCase, FTK, and the associated hardware, write blockers, and so forth. Although Symantec may claim that Ghost can be used as a forensic tool, there is way too much disagreement on that for my comfort level. Click here and here for the discussion on Ghost from a Computer Forensics point of view. (Ghost is great for creating imaged clones in the corporate world, but when lives and careers are at stake ...)

IMHO, you may sacrifice credibility as an "expert" in your field when you take such risks. An expert seeks mastery and looks to understand the why of his/her process before undertaking the work. If the expert skips steps and allows expediency to rule in one aspect of the case, who's to say that he/she hasn't taken other shortcuts along the way? It opens the door to too many questions for my comfort level.

If you really want to work in that other field, get proper training, get proper procedures, and certainly get proper funding. There are too many sharks swimming around these days. Shortcuts are not worth the risk to your cases.

Have a great weekend.
