Thursday, September 29, 2011

Is your client an attorney? Be aware of possible constraints on your investigation. (Part 1 of a multi-part series)

by Sean L. Harrington

Significant legal and ethical challenges confront digital forensics investigators, for which some may not be well prepared. Just as many lawyers may be confounded by technology in dealing with digital forensics matters, many digital forensics experts lack formal legal training, and are uninformed about their special obligations in the employ of a lawyer. These obligations include zealously guarding the attorney-client privilege, applying the work product doctrine, developing reports, exhibits, and testimony (that are both admissible and understandable to a lay jury or judge), and conducting their work in a way that does not compromise the integrity of the case or the rights, privileges, or immunities of the retaining party.
In certain situations, such as where digital forensics examiners serve as special masters (see Fed.R.Civ.P. 53) or third-party neutrals (see Model Rules of Prof’l Conduct R. 2.4 cmt. 1), they are regarded as officers of the court.

The use of a third-party neutral has significant advantages. See, e.g., Craig Ball, Neutral Examiners, Forensic Focus. First, as an officer of the court, the expert is subject to the court’s inherent powers, thereby providing an extra measure of accountability for misconduct (e.g., confidentiality breaches). Second, a third-party neutral is ostensibly impartial, which impartiality presumptively aids in the fact-finding process and administration of justice. Third, the third-party neutral is aptly situated to resolve discovery disputes, including issues of confidentiality, relevance, and privilege, and, if necessary, obtain court intervention or in camera review to resolve such disputes.

But if the examiner is not appointed by the court, but rather is retained by a party to an adversarial proceeding, he or she is nevertheless obliged to ferret out the truth...


Thursday, September 22, 2011

Publishing articles at Forensic Focus

Forensic Focus is always keen to publish articles, papers or blog posts of interest to the digital forensics community. Articles are published not only online but also included in the monthly newsletter (sent to over 12,00 subscribers) and promoted via our homepage/RSS feed, Twitter, LinkedIn and Facebook accounts.

This is an excellent way of raising your profile or promoting your blog and items for publication are welcome from anyone working or studying in the field.

To register as an author and start publishing at Forensic Focus, please use the form at

Monday, September 19, 2011

What is “good enough” information security?

by Simon Biles

I have, occasionally in the past, mentored people in (on?) Information Security – once for money (this is not a revenue stream that I’ve mastered by any stretch of the imagination!), but more often than not, informally and infrequently. What there is in common with most people who are keen, but still a bit wet behind the ears, is an idealistic world view where Information Security, as a totality, can be obtained. It sometimes seems a bit like kicking a puppy to have to break it to people that, regardless of how long, how much money and how much technology you throw at something, it will still have vulnerabilities and risks. Even the proverbial “unplug it, stick it in a safe and throw away the key” is still vulnerable. I’ve seen “Oceans 11” – I know what can happen to a safe.

The reality is what we do for a living is to make security “good enough” – we are risk managers, risk mitigators, risk avoidance and risk acceptance professionals. We know what can happen, and then we decide if spending £x on it is worth it. Where we go wrong, inevitably, is that we sometimes have absolutely no idea about the value of the asset that we are protecting. How can you determine if a countermeasure or control is appropriate if you don’t know this figure? The real problem is that very often the business has no real idea either...
