![]() ![]() Without a protocol, a forensics examiner could spend months seeking to meet an equivocal examination mandate. “Standard” procedures change over time, adapted to new forms of digital evidence and new hurdles–like full-disk encryption, solid-state storage and explosive growth in storage capacities and data richness. In that time, I’ve never encountered a forensic examination protocol of universal application. A good protocol helps an examiner know where to start his or her analysis, how to proceed and, crucially, when the job is done.Īs a litigator for over 35 years and a computer forensic examiner for more than 25 years, I’ve examined countless devices and sources for courts and litigants. Protocols may afford a forensic examiner broad leeway to adapt procedures and follow the evidence, or protocols may tightly constrain an examiner’s discretion, to prevent waiver of privilege or disclosure of irrelevant, prejudicial material. Parties and courts use examination protocols to guard against compromise of sensitive or privileged data and insure that specified procedures are employed in the acquisition, analysis, and reporting of electronically-stored information (ESI).Ī well-conceived examination protocol serves to protect the legitimate interests of all parties, curtail needless delay and expense and forestall fishing expeditions. In the context of electronic discovery and digital forensics, an examination protocol is an order of a court or an agreement between parties that governs the scope and procedures attendant to testing and inspection of a source of electronic evidence. ![]() Searching so vast a virtual metropolis requires a clear description of what’s sought and a sound plan to find it. It’s routine for a single machine to yield over a million discrete information items, some items holding thousands of data points. A computer or smart phone under forensic examination is like a sprawling metropolis of neighborhoods, streets, buildings, furnishings and stuff– loads of stuff. ![]()
0 Comments
Leave a Reply. |