iDigital forensics investigators are experts in locating, obtaining, preserving, and analyzing data from various sources. These professionals often play a central role in the investigation of cybersecurity breaches, in civil litigation involving voluminous electronic discovery, and in other matters involving potential civil liability or criminal culpability. Increasingly, digital forensics investigators are being utilized not only to investigate computer and Internet-related issues and offenses, but to investigate offline matters ranging from car accidents to professional liability claims as well.
As a result, if your company is facing the prospect of litigation—whether individual or mass tort litigation, commercial litigation, or federal civil or criminal enforcement action—it will most likely need to engage a digital forensics investigator to help it gather critical data, develop an informed litigation strategy, and choose the best path forward. But, how do you select the right digital forensics investigator for your company’s needs?
As you might expect, there are several factors you will want to consider. Here are some of the key factors, broken down into five areas of consideration:
1. Training, Certifications, and Experience
Working in digital forensics requires extensive training. Digital forensic investigators must be knowledgeable about all pertinent legal, forensic, and other principles (more on this below), and they must be able to work both quickly and effectively within the constraints presented by any particular set of circumstances. In addition to undergraduate and graduate education, there are various certification programs as well, and many of the most-highly-skilled digital forensic private investigators will have prior experience working for the Federal Bureau of Investigation (FBI) or another federal investigative or law enforcement agency. Some examples of reputable certifications that are available in the digital forensics field include:
-
Certified Computer Forensic Examiner
-
Certified Cyber Forensics Professional
-
Certified Cyber Security Analyst
-
Global Information Assurance Certification (GIAC) Forensic Analyst Certification
-
GIAC Forensics Examiner Certification
-
GIAC Advanced Smartphone Forensics Certification
-
GIAC Network Forensic Analyst Certification
Practical experience is crucial as well. While former federal investigative experience can be extremely helpful, it is also important to have significant experience in the private sector. It is necessary to have an understanding of the investigative process from the corporate point of view, as the needs and priorities here are very different from those at the federal level.
When selecting a digital forensics investigator, it is important to examine the investigator’s specific experience—not just his or her experience in the digital forensics field generally. The need for digital forensics can arise under an extremely broad range of scenarios; and, while someone who specializes in investigating auto accidents (i.e. by examining a cell phone, GPS, and vehicle “black box” data) may be very good at what he or she does, this individual might not necessarily be the best choice for a cybersecurity breach investigation. With that said, some private digital forensic investigators have very broad expertise and will be able to assist with a variety of types of investigations.
2. Knowledge of Relevant Evidentiary, Forensic, and Data Security Principles
Digital forensics investigators must have a breadth and depth of knowledge that are unique among most professional fields. From knowing what steps are necessary to preserve data’s admissibility as evidence to be able to access secure platforms while effectively mitigating against the risk of third-party intrusion, digital forensic investigators need to know a lot in order to do their jobs effectively.
The National Initiative for Cybersecurity Careers and Studies’ (NICCS) digital forensics role descriptions are illustrative of what working in the field requires. For the role of Cyber Defense Forensics Analyst (which is described as, “analyz[ing] digital evidence and investigat[ing] computer security incidents to derive useful information in support of system/network vulnerability mitigation”), the NICCS lists 46 specific areas of required knowledge. Some notable examples include:
-
Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
-
Knowledge of encryption algorithms.
-
Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
-
Knowledge of server and client operating systems.
-
Knowledge of physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
-
Knowledge of hacking methodologies.
-
Knowledge of legal governance related to admissibility (e.g. Rules of Evidence).
-
Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence while maintaining chain of custody.
-
Knowledge of reverse engineering concepts.
-
Knowledge of anti-forensics tactics, techniques, and procedures.
Not only is this list not comprehensive, but it is also comprised of very high-level descriptions of in-depth areas of specialty and expertise. When selecting a digital forensics private investigator, knowing what you need is critical, and it is imperative to break down your requirements in such a way that you can confirm that the individual (or firm) you hire has the necessary capabilities.
3. Intimate Familiarity with Relevant Operating Systems and Hardware Platforms
For most of us, learning the basics of even a single operating system is a triumph. How long did it take you to get familiar with your smartphone’s features? Do you cringe at the idea of switching from Windows to Mac OS (or vice versa)? However, for a private digital forensics investigator, it is necessary to be able to have intimate familiarity with all of the major operating systems that are out there. Different companies use different platforms; and, when gathering data during an investigation or e-discovery, unfamiliarity with a particular operating system cannot serve as a barrier to efficiently and confidently secure all relevant data that is available.
In many cases, it will be necessary for digital forensics investigators to have technical knowledge of hardware architecture as well. This is an even more nuanced and more specialized area of expertise, and it may require an electrical engineering background in addition to training in all of the various other areas discussed above. Digital forensics investigators must truly be masters of all trades, and they must be able to overcome barriers that most of us do not even know exist.
4. Nationwide, 24/7 Availability
When engaging a digital forensics investigator, you need to know that he or she will be available as and when needed. This means offering 24/7 accessibility, and it means being willing and able to travel nationwide on short notice. While it is possible to access many systems remotely (especially with consent and authorization), this will not invariably be the case. As a result, when conducting a forensic investigation or e-discovery, it is very possible that it will be necessary to travel to litigants’, vendors’, and other parties’ locations in order to gather data from hardware on their premises.
“Digital forensics investigators are increasingly playing critical roles in civil litigation and government enforcement actions. If your company needs the services of a digital forensic investigator, its selection of investigators could have a direct and material impact on the outcome of any ensuing legal matters.” – Attorney Nick Oberheiden, Ph.D., Founder of Mach Investigations
Typically, digital forensic investigators will work for firms that have sufficient resources to manage both remote and on-site investigation, preservation, and analysis. When evaluating digital forensics firms, this is certainly something about which you will want to inquire. If your company’s investigative needs lead to a far-flung location, you will need to know that your digital forensics firm can do what is necessary without missing a step—and without compromising its ongoing forensic efforts or any logical or physical security measures.
5. Strong Analytical and Data Presentation Skills
Due to the highly specialized nature of digital forensics and the technical nature of the procedures and methodologies involved, it is important to select a digital forensics investigator who has strong analytical and data presentation skills—in addition to all of the other skills previously discussed. At some point, you will need to know what your digital forensics investigator has uncovered; and, if he or she cannot communicate this effectively in layperson’s terms, you will have a very difficult time figuring out what you need to know and making an informed decision regarding your next steps.
Communication is a skill, the ability to effectively relay information is often bolstered by experience. If a digital forensics investigator understands what people in your position want (and need) to know, then he or she will be much more capable of providing an effective analysis and debriefing. In addition to figuring out whether you can establish a good rapport, it can be helpful to seek references as well, and in many respects, this is just as important as ensuring that your digital forensics investigator has the requisite technical knowledge and capabilities.
Additionally, if your company needs to conduct an investigation or e-discovery in connection with a pending or potential lawsuit or enforcement action, then your digital forensics investigator may also need to be prepared to testify as an expert witness. If this is the case, his or her ability to break down complicated technical issues and present his or her expert opinions clearly and concisely could be crucial to the outcome of the litigation.
