Around 2001, Larry E. Daniel began getting more requests to recover information from individual computers and computer systems.
By then, he had worked for more than 20 years in all aspects of computing, from software programming to setting up and maintaining computer networks.
He thought, “This is going to be the place to be in 10 years,” so he began educating himself in data recovery and digital forensics – the science and art of finding and investigating the material on digital devices for legal purposes.
Almost 10 years later, his prediction has proved to be true, he said. The field has become more fertile as the range of devices from which information can be recovered has exploded – from computers, “which is about all there was then,” to cell phones, PDAs, GPS devices, digital cameras, even the black boxes in vehicles that record the few seconds before a car crashes.
With the proliferation of electronically stored information (ESI) and court rules that encourage efforts to get at it, the amount of data and the interest in sorting through it have also increased.
Daniel is careful to distinguish between expertise in computers and expertise in digital forensics.
He said he is somewhat unusual in that he is adept in both areas, but he is quick to say that broad computer expertise is not necessary to successfully perform digital forensics.
In fact, it can be a disadvantage in some cases because the computer expert may look for material that’s extraneous to the data that is essential to an investigation.
“You don’t have to know how to set up an Exchange server to do forensics on an Exchange server,” he said.
Many digital forensic experts have backgrounds in law enforcement rather than in computer science. Their expertise may be based on the EnCase and Forensic Toolkit software packages and systems favored by police but also used by firms specializing in e-discovery and other civil applications.
Much of Daniel’s work is in the criminal field, where the government often has far more manpower and resources than defendants have. He said he works frequently with criminal defense attorneys because there “should be some balance to the system.”
His analysis of a computer can show that the presence of child pornography is a result of what he calls risky Internet behavior such as trolling adult sites or surfing in unfamiliar territory.
Navigating away from a site once such material pops up on a screen doesn’t mean that it won’t attract the attention of an investigator checking the contents of a computer hard drive. The image will show up in a temporary Internet cache that can be recovered until it is overwritten by other data – something that may take weeks or months on a large hard drive unless the operator makes a specific effort to delete it.
Explaining how that can happen may be of great benefit to a defendant, but his investigation also may show that the defendant intentionally stored an image on his computer and transferred it to another device, even if that device can’t be found.
“Sometimes the only thing I can do is tell you the truth about your client,” Daniel said at a recent continuing legal education program for the Virginia Association of Criminal Defense Lawyers in Portsmouth.
The details of tracking information to, from and on a computer tend to be mystifying to non-experts, he said.
He cited as an example “link files,” the shortcuts in a Windows operating system that reflect everything from double-clicking on an icon to opening a program to removing a thumb drive from a computer.
The files can show who owned a file or opened it last even if it’s no longer on the computer. He likened it to a card file in a library, which would indicate where a book is in the library or who might have it if it has been checked out.
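The "card file" idea can be seen in the fixed 76-byte header of a Windows shortcut, which stores the target file's timestamps and size inside the shortcut itself, so they remain readable after the target is gone. The following is an added example, not code from the article or from Daniel's firm; the field layout follows Microsoft's published Shell Link (.lnk) format, the function names are assumptions, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
# IconIndex, ShowCommand, HotKey, Reserved1..3 = 76 bytes, little-endian.
HEADER = struct.Struct("<I16sIIQQQIIIHHII")

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc, used only to build the sample below."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_lnk_header(data):
    """Return what the shortcut recorded about its target file."""
    if len(data) < HEADER.size:
        raise ValueError("too short to hold a shell link header")
    (size, clsid, _flags, attrs, ctime, atime, wtime, fsize,
     *_rest) = HEADER.unpack_from(data)
    if size != HEADER.size or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    return {
        "target_created": filetime_to_utc(ctime),
        "target_accessed": filetime_to_utc(atime),
        "target_written": filetime_to_utc(wtime),
        "target_size": fsize,
        "target_is_directory": bool(attrs & 0x10),  # FILE_ATTRIBUTE_DIRECTORY
    }

def build_sample_header():
    """Constructed sample: header of a shortcut to a 48,213-byte file."""
    created = utc_to_filetime(datetime(2010, 2, 27, 9, 30, tzinfo=timezone.utc))
    written = utc_to_filetime(datetime(2010, 3, 1, 12, 0, tzinfo=timezone.utc))
    return HEADER.pack(0x4C, LNK_CLSID, 0, 0x20, created, written, written,
                       48213, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for field, value in parse_lnk_header(build_sample_header()).items():
        print(f"{field}: {value}")
```

The timestamps in the header describe the target as it was when the shortcut was last updated, which is why they are treated as a snapshot rather than as the file's current state.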
Daniel and his son, Lars, who works with him at Guardian Digital Forensics in Raleigh, N.C., are working on a book, “Digital Forensics for Legal Professionals,” that uses such analogies to make computer and forensic concepts easier to understand for the digitally challenged. The book is scheduled for publication in May by Syngress.
With a little knowledge, those concepts should not be intimidating, he said. “It’s all data at the end of the day. If you know what the data is and how it’s structured, you can pull something from it.”