In part 1 of this series I focused on the use of the scientific method in computer forensic expert testimony. Now I would like to use a real-life example of it in action. I have successfully used an example similar to this in court as an expert witness in digital forensics (the details have been changed to protect the parties involved). Theory is great, but seeing real results come alive before your very eyes is much more useful and persuasive, so I hope it helps convince you that this is a really important topic that we, the industry’s practitioners, voice, and leaders, must embrace and use with confidence.
When choosing a controversial subject in computer forensics where this type of analysis could help, I believe determining the true time of events in a case is an aspect that is usually disagreed upon vigorously by opposing parties and the perfect choice for this article. If your expert opinion is that a document was signed at noon on a certain day, but the opposing party says you do not have enough information to present that opinion – it may be the right time to think about the problem scientifically, using a scientific methodology, statistics, and reproducible results as the Daubert decision requires.
In our example, imagine the scenario happened many years prior, so key computers no longer exist and the computers that do exist have been heavily upgraded, losing all of your “smoking gun” information. Luckily, anticipating litigation, some key logs were saved along with the documents to be physically signed by a human being. Of course a full forensic duplication was not acquired, because that would make our job too easy; instead the relevant files were moved to a different piece of media, which destroyed the important file system metadata associated with the files while still keeping the internal file content intact.