Friday, May 14, 2010

Positive predictive value and digital forensics

by Sean McLinden

In my last column, I discussed the concept of prior probability, that is to say, the likelihood that conclusion A can be derived from fact B with no additional data. In medical diagnosis, prior probability is estimated in order to determine the need for and type of additional investigation.

Another tool used by clinicians is the positive predictive value (PPV). In essence, the PPV is the likelihood that a positive value for a given test will confirm the operative hypothesis (diagnosis). All things being equal, choosing the procedure with the highest positive predictive value will be the single most useful step in confirming the clinician’s suspicion.

Of what relevance is this to digital forensics?

As I commented previously, it appears that US courts, especially civil courts, are increasingly limiting the scope of discovery out of concerns that discovery may violate expectations of privacy or be too burdensome to the producing parties. In a recent case in which I was involved, the judge required the requesting party to propose an alternative to production of forensic images of an entire enterprise network’s computers solely to search for possible instances of the plaintiff’s intellectual property (engineering drawings) located on the defendant’s computers. Instead, the court restricted the discovery to only those devices which were used to store or manipulate files of the same type as the engineering drawings and, of course, to only those documents which were reasonably accessible.

In addition, some judges are now following the principle of “one bite of the apple”, i.e., limiting production to a single request. Not surprisingly, though not always successfully, this has led to the notion of discovery for the purpose of discovery; the classic slippery slope...

