When you think of digital forensics, do you envision the forensic examiner personally handling the device in question? If so, you’re among the majority of legal professionals! In the past, digital forensics mandated the examiner’s physical presence at a specific location, but the landscape of digital forensics is currently experiencing shifts, notably influenced by the emerging prevalence of remote work, and its implications for eDiscovery services.
In this article, we’ll explore some of the ways that digital forensics is going remote and we’ll discuss some of the potential implications of this change. Let’s get started!
Establishing the Foundation
To begin with, we must clarify how the word ‘remote’ applies to remote digital forensics. Many people associate the word with Zoom conferences or other synchronous meetings that take place over the internet. In remote digital forensics, however, the investigation is not necessarily happening via an internet connection. Instead, we use the term ‘remote’ to mean “accessing, analyzing, and forensically preserving data contained on a digital device that is not in the physical possession of the examiner performing the tasks.”
In summary: digital forensics requires an examiner to obtain information from a piece of evidence without making any alterations to the evidence itself. The goals and protocols of remote digital forensics are identical, however, practitioners face the added challenge of ensuring the legal integrity of digital evidence throughout the remote examination process.
Discovering Innovative Solutions
After completing an evaluation, forensic examiners must be able to provide an affidavit, declaration, or testimony on the protocols used. In the past, this obligation meant that the examiner had to physically perform the work in order to offer their own firsthand knowledge of the process. Fortunately, remote digital forensics can allow the expert to perform their work without being physically close to the device in question.
There are two primary means of remote evidence collection. The first involves remote access in the traditional sense. If the client’s network allows for it, the examiner can connect to an on-site computer and install the necessary tools to collect data directly. Of course, this option is only available if there is internet connectivity at the site where the data source exists. Check out our next blog, “How Ephemeral Messaging Impacts Digital Forensics”.
Alternatively, they may directly ship the client some collection tools, such as external drives, USBs, or whole laptop computers. When connected to the target device, these tools can create a verifiable forensic image of the desired data. Using this method, the examiner is still performing the evidence collection themselves, even if the process begins with a client connecting the USB on their behalf. Generally, the responsibilities of the on-site party require little or no technical abilities, but particularly complex cases could require the assistance of IT administrators.
Final Thoughts
Thanks for reading! We hope these tips have given you some insight into how digital forensics has been changed by the remote working movement. If you enjoyed this article, check out our next blog, “The Practical Guide to Managing e-Discovery in a Crisis”.
Please don’t hesitate to contact us with any questions or concerns. At First Legal, we’re here for you from File Thru Trial™!