DIY, Do-It-Yourself. Staples® has the “Easy” button. Home Depot® advertises everything you need for do-it-yourself home improvement projects. The HGTV® and DIY® networks have several shows dedicated to doing things yourself. Just a Google search on DIY returns links to people showing you how to make crafts, build your own computer, etc. However, when it comes to digital forensics, there isn’t an easy button or “find all evidence” button. Without the proper training and expertise, you could miss something or, worse, destroy valuable evidence.

Your client hands you their cell phone, computer, credentials to access their email, thumb drive and anything electronic that can store data – and tells you everything you need to solve their case is stored on them. Based on some of the estimates you may have received, it may be tempting, and seem more manageable, to power on the device and review it on your own. Do you really need to hire a trained digital forensics specialist? The short answer is an emphatic “YES!”

Handle With Care: Preserving Evidence

Just as an example, a client hands you her cell phone and tells you the pertinent text messages from her husband are on the phone and to look at them yourself. A cell phone operates on dynamic memory, meaning that every millisecond the cell phone’s operating system is writing and re-writing data for the phone to operate at peak efficiency. If your client deleted a relevant text message just before giving the phone to you, you won’t see it just by scrolling through the text messages. If a digital forensics examiner can complete an extraction of the phone, the message may or may not be recoverable. But give yourself a fighting chance rather than waiting a few days with the cell phone powered on.

As another example, a client had an employee who embezzled funds from the company. The client took it upon themselves to conduct their own investigation of the employee’s computer. The client opened File Explorer, searched for documents, opened documents, read emails and powered the computer on and off. These small acts can alter and destroy items of evidentiary value. Even by powering off the computer, if it was received in an on state, the client has destroyed 8 gigabytes to 128 gigabytes of data, depending on the size of the random-access memory (RAM) installed on the computer.

For context, one gigabyte can store approximately “700,000 pages of text” or “50,000 average emails with no attachments.” The RAM is a part of the computer that stores running programs, possibly passwords in clear text, unencrypted documents and draft emails and documents. All that data can be permanently lost if the computer is powered off. If it is a Windows operating system, opening and closing documents will change the Windows Registry, a hierarchical database used to store system and user configurations. In addition to the Windows Registry changes, the documents the client accessed could be inadvertently altered. It is definitive that the file’s last access date and time captured by Windows will be changed, limiting the ability to use the document in court. It would be like touching a piece of evidence at a crime scene before it was cataloged and photographed.

Both scenarios above would make it difficult to use the information developed from a digital forensics exam in court. At a minimum, you would place yourself in an uncomfortable situation where you would have to testify to your actions. The result could be the judge ruling that the evidence is inadmissible at trial.

Who Is a Qualified Digital Forensics Examiner?

Being a qualified digital forensics examiner takes more than completing some classes and earning certifications. A good digital forensics examiner will have an “investigative mindset,” something that can be taught but is cultivated and developed over years of case experience. As private detectives, you understand what it takes to be a good investigator. It is no different with a digital forensics examiner.

A qualified digital forensics examiner is a person who has honed a set of skills over several years and possesses certain traits that set them apart from everyone else. They are familiar with and understand the Rules of Civil / Criminal Procedure. Great digital forensic examiners are curious, ethical, persistent, focused on the details and consistent and relentless in documenting their investigative efforts through notetaking, memorandums, and reports.

Training and constant learning are absolute requirements for qualified digital forensics examiners. Technology is constantly changing, especially regarding messaging apps and social media platforms. A qualified digital forensic examiner also is aware of trends. For example, many social media platforms have integrated messaging features. Persons of interest in many investigations are well aware of the various avenues for communicating . . . well beyond email.

How A Qualified Digital Forensics Examiner Can Help You

Qualified digital forensic examiners are familiar with computer operating systems and know where within them to find evidence of wrongdoing. A good forensics examiner is familiar with Locard’s Exchange Principle – which holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence. Qualified digital forensics examiners are trained and experienced in proper evidence handling, specifically, the best way to collect digital evidence without altering it, and the importance of documenting those efforts through chain of custody documents and digital and mobile evidence acquisition forms.

Qualified digital forensics examiners recognize the importance of focusing on a fact-based investigation that can be supported through the underlying evidence. Most cases these days involve some form of digital evidence that needs to be acquired and preserved. So, for that cell phone your client handed you, a digital forensics examiner is trained and can utilize forensic software programs to extract data from the phone and preserve that extraction so that it is admissible in court.

Consider the potential evidence a cell phone contains that could be relevant to your case. For instance, location data that might not otherwise be available may be contained in apps on the phone or attached to photographs or videos taken with the device. Along with the standard call log, voicemails and email, there could also be additional chat or email applications, such as WhatsApp (end-to-end encrypted chat application) or Proton Mail (end-to-end encrypted email application). There are a myriad of other types of cell phone apps that could have a bearing on your case. A consultation call with a qualified digital forensics examiner will better equip you to determine what is best for your client.

Why Digital Forensics Should Be Your First Call in Any Investigation

Any case you receive has the potential to involve digital devices and therefore digital forensics. A call to a qualified digital forensics examiner should take place very early in the investigation to inform you of any potential evidence related to your case’s facts. Digital forensics can be utilized in any case type, such as internal investigations, civil and criminal defense, human resource investigations, insurance investigations and matrimonial investigations. You or your client should immediately enlist the efforts of a qualified digital forensics examiner and subject matter expert (“SME”) once you identify that there is the potential for digital evidence. Mistakes made by an inexperienced IT staff member or consultant with no expertise or training could jeopardize the outcome of the investigation.

A qualified digital forensics examiner is prepared to discuss with your client the merits of their case based upon the facts at hand and the underlying evidence. The examiner can advise the client of the digital investigative steps needed, how that process works and the deliverables. Oftentimes, a victim organization opts for shortcuts to the process, failing to recognize the importance of digital evidence preservation and what it means to their case and situation.

Investigations can be complicated matters and require a trained and experienced investigator. Today’s investigations include the complicated aspect of the constantly changing world of digital evidence, which can be an integral part of an investigation. Do not be tempted to look through that cell phone or that computer. Your clients deserve an equally trained and experienced digital forensics examiner to assist you in your cases and ensure digital evidence is identified, acquired and preserved so that it can be presented in court, if necessary.

Originally published in the March/April 2025 Issue of PI Magazine.
