Category Archives: Forensics

You too can make a forensic image! (Part 1)

NOTE: This exercise is to gain an understanding of what a forensic image is, and how they are created.  We strongly recommend that you contact a certified forensic examiner to create images that will be introduced as evidence.

Not long ago, I was speaking with an attorney about a case which involved dates of creation and dates of access.  They told me how concerned they were that when they copied these files to a flash drive, all of the creation dates changed to the day that they copied them!  What could possibly be wrong?

A simple misunderstanding of how to acquire information was all that was at stake.  Well, that and the case. For anyone needing to preserve the state of information of, say, a hard drive, it is important to seek the assistance of a certified forensic examiner.  They will be able to make an accurate bit-by-bit “image” of the data source, so that it can be referenced, viewed, extracted, etc., without the risk of altering the state of the data.  Now some of you might wonder why I put the word “image” in quotes.  This is a term of art.  Many attorneys refer to an image as a photograph, or a graphic.  In the scope of forensic acquisition, it means a bit-by-bit duplicate of the media, created in such a way that it can be verified, and not altered.

Can anyone make a forensic image?  Well, this part isn’t very difficult.  But you do want to be certain that you document what you are doing, and can explain how you were able to authenticate that the image was correctly produced.  At the very least, it is an EXCELLENT exercise for an attorney to do a forensic acquisition so that when you have to speak with an examiner, you will have more of an idea of what they are going to do for you and your case.

First, you will need forensic acquisition software.  Not to fear, it is free from my friends at Access Data.  The link for the Windows version that is current as of this writing is here: .  Once it is downloaded, go ahead and install it.  It is quite small.  I’ll wait.

Next we will need two flash drives.  Smaller is better for our example.  One, however, should be slightly larger than the other.  So a 1GB and a 2GB flash drive would be great. (It is important that you use different sized flash drives – your destination should always be larger than your source.)  Format the larger of the two devices (your destination media) so that there is no data on it. (A forensic examiner would do a ‘wipe’ to make certain that the media is completely erased before beginning, but that is not necessary for this exercise.) Take the 1GB flash drive (this will become our SOURCE media), and copy some files from your computer onto the drive.  Browse the flash drive to make certain that your newly copied files made it safely to our source media.  Next we start FTK Imager.  Once you start FTK, your screen should look like this:

At the top of the screen, on the left side are two small green icons.  The first one allows us to pick a single device that we want to image. When you click that, a screen will pop up to ask you what it is that you want to create a forensic image of.  In this instance we want to take an image of a PHYSICAL DRIVE.  Select that.  Your screen should look like this:

Click NEXT
You will now be presented with a drop down box asking you WHICH physical drive you want to image.  Remember when I told you to use different sized drives?  The drop down box identifies the devices that are currently attached to your computer.  Since FTK doesn’t recognize drive letters here, you should pick the device that is the size of your source media.  In this image you can see that I have two devices attached to my computer: my hard drive, and the 1GB flash drive:

When you click finish at the bottom of the screen, your source drive should be listed on the left hand side of the screen in FTK.

Now it is time to create our forensic image.  While leaving the source drive plugged into your computer, now add your DESTINATION flash drive. PLEASE be careful at this juncture to select the correct drives – we don’t want you to overwrite something important.
Right click on the drive that is in the evidence tree.  Using the above example, you would right-click on \\PHYSICAL DRIVE1.  A small menu should pop up – please select EXPORT DISK IMAGE.

So far, so good.  We aren’t done yet though …

When you click the EXPORT DISK IMAGE menu item, you will get a screen asking for the DESTINATION MEDIA information. It should look like this:

Please take care to tick the box at the bottom that says “VERIFY IMAGES AFTER THEY ARE CREATED”.  This is of paramount importance.  Then click the ADD button. You will be asked what type of image to create.  These are different formats that are readable by different systems.  The most universally accepted are DD and E01 images.  You should not concern yourself with the other two types at this time.  Just so we can all be on the same page, please select E01 and click NEXT.  On this screen you can identify the information relevant to your case.  None of this is mandatory, but it is all a really good idea.  Go ahead and populate this information – you will see why in a few minutes.  When you are ready click NEXT for the image destination screen.

First let’s click the BROWSE button, and find the DESTINATION flash drive that you plugged in. (Note, there shouldn’t be any files on it – if there ARE files, you either did not format the drive, or you have selected the WRONG drive.)  So, using my example, my destination flash drive is drive Y and the image filename I have chosen is “DemoImage”.

For the purposes of this exercise, we won’t go into the other settings on this page.  After you have these items properly populated, click FINISH.  Now you are returned to the CREATE IMAGE screen.  Since we have no more source media to add, double-check that the box is ticked at the bottom that says “Verify images after they are created”, and click START.  Since the source media is only 1GB in size, it will take less than 5 minutes to create the image and to verify it.  When the process is finished you will see “Image Created Successfully” in the STATUS field of the progress box.  A new box should have popped up on your screen that says “Drive/Image Verify Results”.

Mine looks like this:

This is a really important screen.  When you see the word HASH, this is another term of art.  It is a method of positively identifying a file, folder, or drive, so that it can be verified that it has not been altered.  FTK Imager calculated two different types of HASH before it imaged your source drive.  After it completed the process, it calculated those HASHES again, and they both matched.  THAT means that you have authenticated your image and can be certain that it is an accurate representation of the source drive.  If anyone were to alter anything in this image, even a comma, the HASH that would be calculated would NOT match.
So, you have successfully created your first forensic image of a drive.  Congratulations!
Now … what can you do with it?
Let’s go ahead and close the FTK windows that are up.  Let’s pretend that an attorney gave you this destination drive with the image on it for you to examine.
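The verification step above, as an added example that is not part of the original post or of FTK Imager: hash the source before acquisition, copy it byte for byte into a raw image, hash the image and compare, then change one byte of the image to show the hashes stop matching. The “source media” is a constructed file, not a real device, and MD5/SHA1 are assumed as the two hash types.

```python
"""Added example: acquire a bit-for-bit image and verify it by hash.

Models the "verify images after they are created" step: hash the source
before copying, copy every byte into a raw (DD-style) image, hash the
image, compare. Then a single byte of the image is changed to show that
the hashes no longer match. The "source media" is a constructed file,
not a real device.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 64 * 1024  # stream the data so gigabyte media never sits in RAM


def hash_chunks(chunks):
    """MD5 and SHA1 of a stream of byte chunks (two hashes assumed, as in the post)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def read_chunks(path):
    """Yield the file's bytes in fixed-size chunks."""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            yield chunk


def hash_file(path):
    return hash_chunks(read_chunks(path))


def acquire(source_path, image_path):
    """Raw copy: the image is the source, byte for byte, nothing interpreted."""
    with open(image_path, "wb") as dst:
        for chunk in read_chunks(source_path):
            dst.write(chunk)


def verify(expected, image_path):
    """Recompute the hashes over the image; True only if every algorithm matches."""
    actual = hash_file(image_path)
    return all(actual[algo] == digest for algo, digest in expected.items())


def flip_one_bit(path, offset=12):
    """Simulate post-acquisition alteration: XOR one bit of one byte in place."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def run_demo():
    """Return (clean_image_verified, altered_image_verified)."""
    workdir = tempfile.mkdtemp(prefix="imgdemo_")
    try:
        source = os.path.join(workdir, "source_media.bin")
        image = os.path.join(workdir, "DemoImage.dd")
        # Constructed source media: a repeated byte pattern, 4 MiB in total
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * (4 * 1024 * 4))
        expected = hash_file(source)       # hashes taken BEFORE imaging
        acquire(source, image)
        clean_ok = verify(expected, image)  # expected: True
        flip_one_bit(image)
        altered_ok = verify(expected, image)  # expected: False
        return clean_ok, altered_ok
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print("clean image verified: %s, altered image verified: %s" % run_demo())
```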

When you look at the drive itself, you will see lots of files that have the same filename, but a different extension.  You can’t use Word or Excel, or notepad to read this.  What can you use?  FTK Imager.  FTK Imager will not only CREATE images, it will also READ them.
Start FTK imager again.  Click the little green icon on the left to Add Evidence Item.  This time when it asks the source type, select IMAGE FILE. Click next and browse to the image that you created on your destination flash drive.
My screen looks like this:

Click on the DemoImage.E01 file.  Hey! There are TWO of those.  Well, not really.  One is a TEXT file that will have the case information and the hash information of the image, and the other one is the E01 file that you created.  Note the extension difference in the TYPE column.  Select the E01 file named DemoImage.E01, then click OPEN, and FINISH.

You have NOW opened your forensic image of the source media that you created.  In the column on the left, you will see the file DemoImage in the Evidence Window.  If you click the + sign next to the items in the list, you will drill down to the files that are on your source device.

The next article will talk about all the things you can see in an image that you may not be able to see on the source media.


As an attorney, how would you defend yourself?

USA Today reports in the November 12th 2014 issue that “Former Jodi Arias attorneys blamed for porn deletion”. The claim is that when the defense attorneys viewed the evidence at the police station, they secretly deleted thousands of files. This is why it is important, if not imperative, that attorneys never work with live evidence. Had the attorney been working from a forensically sound copy, as they should have been, this allegation could not have been made.

The sad part is that most attorneys have not had the training to know how to use a forensic copy. That is not hard to fix, as this process simply isn’t that hard.

1. The police should *never* give access to original evidence that could be altered – in the case of hard drives, or mobile devices, forensic copies should be made for examination.

2. An attorney should *insist* that the evidence that they are examining must be in such a condition that it could not be altered. Failure to do this invites this kind of claim.

3. An attorney should request an authenticated copy of all electronic evidence. These authenticated copies can easily be compared to the original to verify that the data is authentic.

4. An attorney should possess software that can mount the forensic copy as a drive on their computer. (This software is FREE.)

5. The attorney should know where to look for standard documents.

What are the take-aways?

• If the police department, or opposing counsel, lets you have access to evidence that can be altered, REJECT IT.

• If the police department, or opposing counsel, gives you access to evidence that has not been authenticated, REJECT IT.

• If you get an authenticated image of electronic evidence, know how to mount it.

• Once you mount the authenticated image of electronic evidence, know where to look for common files.

• When in doubt, consult a certified forensic computer examiner.

I’ve heard attorneys state “relax, this isn’t life or death”. In this instance, and the instance of Casey Anthony, I have to differ in opinion.

Jodi Arias was found guilty of murder, and the evidence was overwhelming. If this improper handling of evidence is used as grounds for a new trial, then a murderer could go free.

If the investigators that were working the Casey Anthony case had done a proper investigation of the internet browsers on Casey’s computer, perhaps there would be some degree of justice for her daughter, Caylee. I am not casting blame on anyone – the fact is that people make mistakes. However, if those mistakes can be fixed, then there is no excuse to make them again.

This evidence, found on June 16th, 2008 (the day Caylee Anthony died), was never admitted as evidence.

• At 2:49 p.m., after George Anthony said he had left for work and while Casey Anthony’s cellphone is pinging a tower nearest the home, the Anthony family’s desktop computer is activated by someone using a password-protected account Casey Anthony used;

• At 2:51 p.m., on a browser primarily Casey Anthony used, a Google search for the term “fool-proof suffocation,” misspelling the last word as “suffication”;

• Five seconds later, the user clicks on an article that criticizes pro-suicide websites that include advice on “foolproof” ways to die. “Poison yourself and then follow it up with suffocation” by placing “a plastic bag over the head,” the writer quotes others as advising;

• At 2:52 p.m., the browser records activity on MySpace, a website Casey Anthony used frequently and George Anthony did not.

Does this mean that Casey was guilty? That is not for me to say. What it does mean is that valuable evidence was not considered because someone didn’t know what they were doing. We all do our jobs to make a living, but there must be something greater than that. We have an obligation to society to help fix the things that are wrong.

The things I point out in this article, we can help you fix.




The typical role of a forensic examiner is to find exculpatory information as designated by a discovery order.   It is common to receive a list of terms that are of interest to the attorney, and then the search begins.  But what happens when you need to find what isn’t there anymore?

More importantly, why isn’t it there anymore?


According to the Ohio Revised Code

2921.12 Tampering with evidence.

(A) No person, knowing that an official proceeding or investigation is in progress, or is about to be or likely to be instituted, shall do any of the following:

(1) Alter, destroy, conceal, or remove any record, document, or thing, with purpose to impair its value or availability as evidence in such proceeding or investigation;

(2) Make, present, or use any record, document, or thing, knowing it to be false and with purpose to mislead a public official who is or may be engaged in such proceeding or investigation, or with purpose to corrupt the outcome of any such proceeding or investigation.

Now why am I telling you, an attorney, that which you know so well?  Because there are a lot of ways to hide things that you may not be familiar with.

There are also quite a few ways to casually (or not so casually) destroy potential evidence.

I have been a forensic examiner for many years, and I have used many tools during that time to assist me in my job.  As the profession of computer forensics has become more widely known, it is no surprise that a group of tools would be created to thwart the efforts of the would-be examiner.  These tools, though seldom advertised as such, are known as “anti-forensics”.  Their very job is to destroy or obfuscate information so that it would be of no use in a legal proceeding.

This is a two-edged sword.  Whereas I have no problem with people using software designed to destroy information for the purpose of thwarting identity thieves, or protecting themselves from people that might be involved in industrial espionage, it is obviously a crime to use these methods, software, or hardware devices to alter or destroy information sought by the court.

Though ignorance of the law is not an officially accepted excuse (for almost anything), it would be better to remove the specter of ignorance from a custodian’s claims by being specific in an order designed to elicit information.

Litigation holds (AKA “preservation orders” or “hold orders”) are designed to inform a party that they are to preserve any and all information regarding a potential discovery order.  Generally, the court order is written in such a broad fashion as to cover any potentially discoverable information. What it never includes (at least as far as we have seen) is a prohibition on employing any software, hardware, or method that is “anti-forensic” in nature.  This is an important concern, because many potential custodians employ their own software in a corporate environment which is designed to obfuscate their actions.  This software may be in use outside of the purview of the corporate IT department, and as such would fall outside the scope of a corporate retention policy.

Typical examples of common packages in use would be:

Window Washer

Software that is less common, but very powerful, would be:

Tracks Erase Pro
Evidence Eliminator

By specifying the prohibition of any tools which could obfuscate or destroy data in the preservation order, you give yourself more tools should a case of spoliation occur, and you also aid the Custodian in understanding what is and what is not permissible.

Advanced forensic analysis is often able to uncover the use of such methods; however, the investigator must be familiar with the “footprints” that these products often leave.  If you were to walk into a room where a couch was recently removed, there would be imprints on the carpet where the couch was.  In much the same way, when we are examining a hard drive, we are not only looking for what is there, we are also looking for the remnants of what USED to be there.

As these products become more and more prevalent, the need to be diligent in defining the terms of the Rule 26 conference becomes greater.  When in doubt, take your forensic specialist with you.  If you don’t have one, give us a call.


–Many thanks to my editor, Mark Kruse


What does my smart phone know about me? (And what do I know about it?)

As a Certified Computer Examiner, and a Mobile Certified Examiner, I have the opportunity to look into all kinds of devices looking for information which is responsive to a subpoena and has probative value.  I tend to forget that most folks don’t realize what is in their device.  I was asked to look at a website today to determine if I could tell when it was accessed and by whom.  Simple enough – I went to the access logs of the site, and found exactly what I was looking for.  Well, that seems straightforward enough, doesn’t it?

I was a little surprised at the reaction of the attorney I was working with, until I realized that most folks don’t know what information that their Smart Phone is willing to give up.

I was able to tell the attorney:

1) What type of phone the user had
2) What browser they were using
3) What they searched on their telephone to find the website in question
4) and their GPS co-ordinates when the request was made.

I can comment on that information – but I have simply decided to let you think about it.
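What a web server’s access log gives up about a phone, as an added example that is not part of the original post: a parser for Apache/nginx “combined” log lines that pulls out the device type, the browser, and the search terms from the referring URL. The log lines, IP addresses (RFC 5737 ranges) and user-agent strings are constructed; GPS coordinates are not part of a standard access log and are not covered here.

```python
"""Added example: what a web server's access log reveals about a phone.

Parses "combined" format log lines and extracts device type, browser and
the search query carried in the Referer. Sample lines are constructed
(RFC 5737 documentation addresses), not real traffic.
"""
import re
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2014:09:15:02 -0500] "GET /services/forensics HTTP/1.1" 200 5120 '
    '"https://www.google.com/search?q=computer+forensic+examiner+ohio" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 '
    '(KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4"',
    '198.51.100.23 - - [12/Nov/2014:09:22:41 -0500] "GET /blog HTTP/1.1" 200 8842 '
    '"https://search.yahoo.com/search?p=litigation+hold+anti-forensics" '
    '"Mozilla/5.0 (Android; Mobile; rv:33.0) Gecko/33.0 Firefox/33.0"',
    '192.0.2.9 - - [12/Nov/2014:09:30:00 -0500] "GET / HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/38.0.2125.111 Safari/537.36"',
]

# Substrings that identify the device family in a User-Agent header
DEVICE_MARKERS = [
    ("iPhone", "iPhone"),
    ("iPad", "iPad"),
    ("Android", "Android device"),
    ("Windows Phone", "Windows Phone"),
    ("BlackBerry", "BlackBerry"),
]

# Query-string keys search engines commonly use for the search terms
SEARCH_KEYS = ("q", "p", "query", "text")


def device_from_agent(agent):
    for marker, name in DEVICE_MARKERS:
        if marker in agent:
            return name
    return "desktop or unknown"


def browser_from_agent(agent):
    # Order matters: Chrome's UA also contains "Safari", so test Chrome first.
    if "CriOS" in agent or "Chrome" in agent:
        return "Chrome"
    if "FxiOS" in agent or "Firefox" in agent:
        return "Firefox"
    if "Safari" in agent:
        return "Safari"
    return "unknown"


def search_terms(referer):
    """Return the search query from the referring URL, or None if there is none."""
    if referer in ("", "-"):
        return None
    params = parse_qs(urlparse(referer).query)
    for key in SEARCH_KEYS:
        if key in params:
            return params[key][0]
    return None


def profile(line):
    """Parse one log line into the facts an examiner would report, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "ip": f["ip"],
        "time": f["ts"],
        "path": f["path"],
        "device": device_from_agent(f["agent"]),
        "browser": browser_from_agent(f["agent"]),
        "search": search_terms(f["referer"]),
    }


def profile_all(lines):
    return [p for p in (profile(line) for line in lines) if p]


if __name__ == "__main__":
    for entry in profile_all(SAMPLE_LOG):
        print(entry)
```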


For my forensic friends out there

Know your environment.  Know more than one operating system (I suggest at least three).

Know the major browsers – and the minor ones too.  Know where things are kept.

Know how email works.  Not just the flavor that YOU use – know them all.

WHY?

On July 5th, 2011, Casey Anthony was found not guilty in the death of her baby girl, Caylee.  The forensic examiner did not follow the rules I just gave you.  The examiner was instructed to find the internet searches that had been executed on the computer that Casey accessed.  When the investigation was complete, it was declared that there was no evidence of value to be had in Microsoft Internet Explorer.

Casey Anthony used Firefox as the browser of choice.

Now, is that to say that if the examiner had checked the internet history of Firefox he would have found the search terms “fool-proof way to suffocate”?  I do not know.  They may not have known that Firefox stores its data in SQLite and that even after history files are purged, remnants remain.  What I do know is that this type of oversight cost a little girl her justice.

We also can be certain that the examiner was not using professional tools.  Had he been using Access Data’s FTK (Forensic Toolkit), the question of “what browser did she use” would simply be moot.  Provided a proper forensic image of the computer was made, FTK would have located her search, and the results of the trial would have been drastically different.
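Where Firefox keeps what the examiner missed, as an added example that is not part of the original post and is not FTK code: Firefox stores browsing history in places.sqlite (tables moz_places and moz_historyvisits, visit times in microseconds since the Unix epoch). The block builds a constructed in-memory copy of that schema and lists every visit whose URL is a search-engine results page, with the search terms. The rows, URLs and search-engine parameter table are assumptions; recovery of deleted rows is not shown.

```python
"""Added example: pulling search terms out of Firefox's own history store.

Builds a constructed, in-memory stand-in for places.sqlite (same table and
column names Firefox uses) and extracts the search terms from every visit
to a search engine. Illustration only; on a real case this would run
against a copy taken from a verified forensic image.
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Search engines and the query-string parameter that carries the terms (assumed set)
SEARCH_ENGINES = {"google.com": "q", "bing.com": "q", "search.yahoo.com": "p"}


def search_query(url):
    """Return the search terms if url is a known engine's results page, else None."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    for domain, key in SEARCH_ENGINES.items():
        if host == domain or host.endswith("." + domain):
            return parse_qs(parts.query).get(key, [None])[0]
    return None


def prtime_to_utc(microseconds):
    """Firefox stores visit_date as microseconds since the epoch (PRTime)."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def build_constructed_places_db():
    """In-memory stand-in for places.sqlite with constructed rows (not real history)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    t0 = 1_215_800_000_000_000  # 2008-07-11 18:13:20 UTC, a constructed timestamp
    minute = 60_000_000
    places = [
        (1, "https://www.google.com/search?q=ohio+computer+forensic+examiner",
         "Google Search", 1, t0),
        (2, "https://www.example.com/services", "Services", 1, t0 + minute),
        (3, "https://search.yahoo.com/search?p=litigation+hold+template",
         "Yahoo Search", 1, t0 + 2 * minute),
    ]
    visits = [
        (1, 0, 1, t0, 1),              # typed/search visit
        (2, 1, 2, t0 + minute, 5),     # link followed from visit 1
        (3, 0, 3, t0 + 2 * minute, 1),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", visits)
    conn.commit()
    return conn


def searches_from_history(conn):
    """List (utc_iso_time, search_terms) for every visit to a search results page."""
    sql = """SELECT p.url, v.visit_date
             FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
             ORDER BY v.visit_date"""
    found = []
    for url, visit_date in conn.execute(sql):
        terms = search_query(url)
        if terms:
            found.append((prtime_to_utc(visit_date).isoformat(), terms))
    return found


if __name__ == "__main__":
    for when, terms in searches_from_history(build_constructed_places_db()):
        print(when, terms)
```

Against a real places.sqlite the same query runs on a copy opened read-only; the constructed rows stand in for it here.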

So, for my forensic friends, know your environment and get good tools.

For my attorney friends, make sure that your forensic expert knows their environments and has a decent toolset, as well as a great skillset.  Good tools are no substitute for skill. Good skills and good tools, however, are the combination that is required.

Be good at what you do – in this business, justice depends on it.


We are certifiable…

It’s true … and we can prove it.



We are happy to announce that we now hold all Access Data Certifications, including all 3 from Summation.

We had a very productive time at the Access Data Users Conference held in Las Vegas.  The expert panels, and classroom instruction were informative and interesting.  The NEW Summation is something that you must see.  It is a game changer, and we would be pleased to give you a demonstration on our live Summation Server.



Sticks and stones may break my bones, but I will still get your password.

“I can do more damage on my laptop, sitting in my pajamas,
before my first cup of Earl Grey than you can do in a year in the field.”

– Q, Skyfall.


In the history of combat, it used to be that one could see the enemy approaching and take proper precautions.  A “fair” fight dictated that one announced their intentions to their opponent and stood firm to look the enemy in the face.  When the Revolutionary War came about, the Americans did not subscribe to these notions – they did not wear red, they did not march in a straight line, they hid behind rocks and trees, and attacked in the dead of night.

There is a certain aristocracy for those who follow in the traditional steps of war.  I recall hearing two older men arguing once and one of them said “sure, anyone can drop a bomb – but real men go hand to hand”.  Interesting.  So pilots and smart warriors are not real men?  No, I believe that they are.  They just have better tools.

So what does this all have to do with the internet?  I was reading the comments of someone who stated that password cracking was now “officially” a script-kiddie activity.  Wow.  You know, you can call these people names all you want.  That does not negate their intelligence, nor should it lessen the impact of what they are able to do.  Password cracking is a great example of where scripts can come in pretty handy. The article goes on to say that an amateur, using only free tools available on the web, was able to break more than 10,000 passwords in one day – and he had never broken a password before in his life.

You have heard it said by everyone: change your passwords often and make them complex.  Don’t use words that are easy to type or remember – don’t use words that are in the dictionary – and don’t write them down.  But you aren’t a computer, are you?  How will *you* remember a password that is complex, not in the dictionary, and that you didn’t write down?  You won’t – unless you are willing to put a little work into it.

Padding a password helps – the longer the password, the longer it takes to break.  What is padding?  I’m glad you asked.  Imagine the password PASS123 – a very common password – most password cracking programs will have this done in moments.  However, if we padded it slightly to PpAaSsSs112233, this would increase the complexity dramatically – and it isn’t too hard to remember.  However, many systems now require you to have three of the four types of characters you can choose from (lower case, upper case, numbers, and special characters). Our padded example has three – but if you want to be even more secure, let’s add special characters: PpAaSsSs11!22!33@.

That is a strong password – and we haven’t done a lot to make it so.  Simple changes like this can make the job of password cracking a little harder.  Of course, if you wrote them all down and leave them on your desk, then it won’t take a lot to lose them all at once.

This isn’t a new concept, but it is one that deserves your time.

According to CBS news, the 25 most common passwords of 2012 are as follows:

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1


If you use a password on this list, you are not alone. It is worth taking the time to make a change.  You wouldn’t use 1234 on your home alarm, would you?  Don’t fall victim to the use of an “old friend” password.  Your attacker will not be wearing a red coat, with a musket, marching in a straight line, with drums behind him.  They might just be in their pajamas, eating Captain Crunch and waiting for their morning cartoons.
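The padding rule and the common-password list above, measured, as an added example that is not part of the original post: the block applies the padding transform (each letter becomes Upper+lower, each digit is doubled), estimates the brute-force search space in bits from the character classes used, checks the three-of-four class policy, and screens a candidate against the 2012 list. The class sizes (26/26/10/32) and the search-space formula are the usual assumptions; the figure is an upper bound, since a padded dictionary word is still weaker than a random string of the same length.

```python
"""Added example: measuring the effect of the padding described above.

Estimates the brute-force search space (in bits) of a password from the
character classes it uses, applies the post's padding rule, checks the
three-of-four class policy, and screens against the 2012 common-password
list. Search-space bits are an upper bound: cracking tools try dictionary
words and simple transforms of them long before exhausting the space.
"""
import math
import string

# The 25 most common passwords of 2012, as listed in the post
COMMON_2012 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "1234567",
    "sunshine", "master", "123123", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
}

# Character classes and the size of each alphabet (assumed: 32 printable specials)
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "special": (string.punctuation, 32),
}


def character_classes(pw):
    """Set of class names present in the password."""
    return {name for name, (chars, _) in CLASS_SIZES.items() if any(c in chars for c in pw)}


def search_space_bits(pw):
    """log2 of the number of strings an attacker must try if only the used classes are known."""
    alphabet = sum(CLASS_SIZES[name][1] for name in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def pad(pw):
    """The post's padding rule: PASS123 -> PpAaSsSs112233."""
    return "".join(c.upper() + c.lower() if c.isalpha() else c * 2 for c in pw)


def meets_policy(pw, required=3):
    """Three of the four character classes, as many systems now require."""
    return len(character_classes(pw)) >= required


def is_common(pw):
    """Case-insensitive check against the 2012 list."""
    return pw.lower() in COMMON_2012


def assess(pw):
    return {
        "password": pw,
        "classes": sorted(character_classes(pw)),
        "bits": round(search_space_bits(pw), 1),
        "policy_ok": meets_policy(pw),
        "common": is_common(pw),
    }


def compare_padding(pw="PASS123"):
    """Side-by-side assessment of a password and its padded form."""
    return [assess(pw), assess(pad(pw))]


if __name__ == "__main__":
    for row in compare_padding():
        print(row)
    print(assess("PpAaSsSs11!22!33@"))
```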


BYOD – Bring Your Own Device, or Bought Your Own Disaster?

It seems that the talk of business is BYOD – employees don’t want to carry two phones – employers don’t want to buy phones for employees … what to do, what to do …

Here is a thought!  Let’s bring our own devices, iPhones, iPads, Blackberries, and Droids to work and get our corporate email on there!

Here is a thought!  Let’s tell our employees we will give them $25.00/month to use their own personal devices for corporate email and we won’t have to buy them phones!

And how wonderful that is, the win-win proposition of business.  What could be bad about that?

Well – it may not be a bad thing at all, as long as the employees and the employer are both pleased with the employment arrangement that they have entered into.  But suppose, one day, the rose-colored glasses break, and it is time to change the employment arrangement. Most of the time, either the employer or the employee knows when this is going to happen before the other one does.  They both know, however, that some of the data on the phone is personal and some of it is corporate.

We now have an electronic data child custody battle.  I’ll bet you weren’t ready for this when the whole BYOD idea came up.

From a corporate perspective, the data on that phone needs to be wiped – but you can’t do that without wiping the whole phone, and those cute little pictures of the puppies the phone owner took this morning will be lost.  That will not go over well.

From a personal perspective, that phone belongs to me, and so does everything on it.  I’m not tech-savvy and I don’t know how to back it up, but I’m not asking my ex-company for help.

So, Solomon, the baby is in front of you … what do you do?

It would not be uncommon for both sides to have attorneys to represent their interests – so what will you do?  Will you, the employee, hand over your phone to be wiped and lose all of your personal information?  Do you want them to see the texts that say that your boss is an idiot?  Or perhaps the not-so-flattering pictures you took of a co-worker (who wants to continue being employed) when you were out last weekend?

Will you, the company owner, be comfortable with the employee you fired saying “don’t worry, I’m not upset over this, I’d be happy to erase all of your critical data that I have on my device”?

No, there is no good answer in this situation.  How did we get here?  Oh, that is right, we wanted a little more convenience and to save a little more money.

My advice is simple: don’t do it.  If you need your employees to have mobile devices, then provide them.  If they don’t want to carry two devices, then they can leave their personal phones at home, or in their car.  It might cost you an extra $50.00/month, but your attorney bills will consume 3 years of that in one day of legal work.  As an employee, I value my right to privacy too much to allow corporate interests to infringe upon my personal life.  Yes, they would give me money per month to defray my data costs, but my rights are not for sale.

At the very least, when you are tempted to enter into such an arrangement, consult your attorney for legal advice.



Predictive coding: the future of electronic discovery?

(this article originally published 6/20/12)

If you keep up with news of the legal technology world, you’ve already heard about something called predictive coding, and about why it’s a game-changer in the field of eDiscovery (electronic discovery). And with recent legal cases both showing federal support of the technology and attempting to regulate its use, the judicial system seems to assume it’s here to stay.

And why shouldn’t it?

Why We Love It
Let’s say ne’er-do-well John E. Guilt got caught embezzling company funds and is being brought to court for it. He doesn’t much like the idea of jail time and is claiming innocence, the greedy rascal. Prosecutors are now faced with the task of sifting through all his personal and company emails from the last five years to look for evidence, which wouldn’t be so bad if there weren’t 3 million of those to go through before the case against him can be fully prepared (a relatively normal figure). And, with recent legal events like the rulings of Judges Peck and Carter in da Silva Moore v. Publicis Groupe (which supported a preference for the use of current predictive coding software over manual review techniques) and the US v. Metter et al ruling (which limits the amount of time prosecution can take to analyze and present electronic evidence), the prosecutors handling Mr. Guilt’s case are most likely going to turn to predictive coding to help them churn out their evidence on time.

Mr. Guilt’s prosecutors use a well-known predictive-coding package like Recommind’s Axcelerate, plug in Mr. Guilt’s emails, babysit it for the first few trial runs, then sit back and wait for their results to pop out. It gets through them in a few days (rather than the months a team of poorly-equipped manual reviewers might have taken), organizes those results for efficient access, cross-lists pieces of related information, avoids the false positives and negatives that generally come from manual review, automatically prioritizes documents by importance, and does it all 60-90% faster and cheaper than the team of unmotivated, underpaid interns who would have done the job using clumsy keyword-based searches in years past. The cherry on top? Axcelerate does it all with higher consistency and quality than any manual review team armed with a notepad and Google-type search engine ever could. What’s not to love?

Why We’re Not Pinning Our Hopes and Dreams On It
Your much-abused interns (and, especially, the third-party computer-forensic investigator that you’ve hired to help nail Johnny Guilt) have more going for them than you may realize. While companies like Recommind are quick to point out that manual review misses 25-50% of documents, they don’t claim it’s perfect, either – in fact, as Recommind’s Craig Carpenter puts it, “perfection is not the goal” compared to improvement over manual review. And the aforementioned court rulings aren’t wholehearted endorsements of it, either. Judge Carter from the da Silva appeal wrote, “There simply is no review tool that guarantees perfection…. [t]here are risks inherent in any method of reviewing electronic documents.” We tend to agree, and for a couple of important reasons.

First of all, predictive coding is absolutely perfect…for the honest criminal who knows he should go to jail, feels really really bad about what he did, and wants to make it up to society by gift-wrapping all the incriminating evidence for them. (We’d really like to meet one of those, but we’re also still holding out for proof of unicorns and leprechauns.) More than likely, your tech-savvy criminal is going to want to hide or destroy (spoliate) electronic evidence if he knows he’s been caught, so there’s a good chance he’s going to try to get rid of it or, barring that, to encrypt it. Encrypting electronic evidence is unexpectedly successful when it comes to predictive coding, because the software often can’t read encrypted files and won’t list them in search results. The software might have noticed something unreadable was there, but it’s probably not going to tell you about it. And sometimes, your really tech-savvy criminal will be able to remove evidence and leave only an indicator that something was deleted. Unfortunately, your predictive coding software isn’t going to find that, either.

In addition to encryption and deletion, there’s also the option to simply hide the stuff you don’t want the lawyers to find, and predictive coding software won’t always see it. For instance, there’s something called alternate data streams (a feature of the NTFS file system) which allows a document to be attached to an ordinary-looking file in a way that a normal directory listing does not show. Your software might find the outer “shell” document, which is a flier for the homeless shelter where you’ve been volunteering twice a week, but it won’t see the embedded document, creatively titled “My Scheme to Take Over the World.” For the especially devious, there’s also the option of hiding documents in completely unrelated file formats (steganography) – like hiding a document in an image file. Once again, predictive coding will find the picture, but not what’s hidden within it.

And, last but not least, there’s the issue that some criminals are intimately familiar with predictive coding software, and they know how to defend themselves against it (anti-forensic technology). It’s the reason why you may not want to put one of those “Protected by ADT” signs in your front yard if you have an ADT home security system – if you’re targeted by a criminal who used to work for ADT and knows how to get around it, there’s a good chance he’ll rob you blind, expensive security system or no. If predictive coding technology is ruled legally sufficient for all methods of electronic discovery, criminals will be able to accurately predict the methods which will likely incriminate them, and they can learn how to avoid them. It’s much more difficult for a criminal to know the methods of examination and analysis that, say, a forensic investigator would use, because he’ll use a wider range of tools (some of which use predictive coding, and some of which don’t).

Are we trying to start a blood-feud with all advocates of predictive coding technology? Not at all. We think predictive-coding software packages are great tools, but people are often quick to assume that they can replace the whole toolbox. So what method has the efficiency of predictive coding without losing the intelligence and problem-solving abilities of a human examiner? As you’ve probably guessed, we say that nothing can beat a forensic computer investigator. The right investigator has experience, certifications, the “imagination” to think of outside-the-box solutions, a thorough knowledge of the capabilities of hardware and software, expertise in a wide range of popular and lesser-known investigation tools, and the ability to put himself in the shoes of another computer expert. Best of all, you never have to pay to download his newest update. You can find the one we recommend here.