Explaining Computer Forensics to Lawyers

I found a small treasure trove of articles on e-discovery and computer forensics today from Burgess Forensics. I especially liked the article “How is data written, stored on, and erased from hard disks?” by Steve Burgess, where he likens hard drives to “a hybrid of a record album and pizza pie … or a dartboard” in an attempt to describe how data is stored on computer hard drives.


Last week I had the pleasure of presenting a Webinar for LegalSpan (Manexa) entitled “How and When to Use Computer Forensics Professionals.” In my research for this presentation, I realized how difficult it is to explain how operating systems store data on computer hard disks to non-technical folks. It’s always made perfect sense to me due to my background, but it’s tough to smoothly explain how bits, bytes, sectors, and clusters build upon each other, why hard drives have “slack space,” why data is rarely saved in consecutive clusters, etc.

The Steve Burgess article does a great job of introducing the terminology, but the masterful Craig Ball takes your hand and gracefully leads you through the woods of bits and bytes in his concise compendium entitled “4 on Forensics: Four Articles on Computer Forensics for Lawyers.” If you’re a lawyer who needs to understand how to preserve a computer’s hard drive, Craig’s “4 on Forensics” is an absolute must-read. And due to Craig’s easy style, I guarantee that you will have a solid foundation on computer forensics when you’re done reading. The first of the four articles, “Computer Forensics for Lawyers Who Can’t Set a Digital Clock,” is the longest and the most relevant. Read that one if you can’t get to anything else.

I would be remiss if I did not mention Sensei Enterprises, Inc., the digital home of Sharon D. Nelson, Esq. and John W. Simek. Not only have the two collaborated on the terrific The Electronic Evidence and Discovery Handbook: Form, Checklists and Guidelines ABA book, but Sharon Nelson now authors the informative (and often entertaining) electronic evidence blog entitled “ride the lightning.” You can find a wonderful chunk of articles on their Website, and I will specifically recommend “Finding Wyatt Earp: Your Computer Forensics Expert” which provides a compact set of suggestions to consider when you need the services of a computer forensics examiner.

Computer forensics has always had a “CSI mystique” about it, mainly because so many people have never had to worry (or care) about how their computer stores data on the hard drive. And while you really don’t need to know how the innards of a computer work to send e-mail or type a document, you should have a basic understanding of the technology in use so you can confidently communicate with the computer forensics professional you hire.

The blanket rule when it comes to computer forensics is DON’T DO IT YOURSELF (and don’t let your client do it themselves). Many IT professionals wrongly assume that they can make a full copy of the hard drive themselves that will preserve the data. Unfortunately, many of these copies will NOT be considered forensically sound images of the hard drive, and will show that changes were made to the data, which could lead to claims of spoliation.

It’s never worth the gamble – always call a certified computer forensics professional when you need to preserve the data on a computer hard drive.