We make a multitude of assumptions every day, at times without giving them much thought. Assumptions are a part of our daily lives and how we interpret the world around us. They also impact our decisions, large and small.
Digital forensics is based on science, not magic. It’s not just pushing a button or running a tool and getting results. In forensics and e-discovery cases, assumptions can lead to mistakes, duplication of work and/or deliverables, and tension between you and a client. We live in a world of assumptions, but in these matters, you cannot assume.
Why do we make assumptions? It’s easy; it’s safe. It’s a habit derived from familiarity and performed out of a sense of safety. We’ve done or seen this before, so this must be what will happen. We expect or predict certain outcomes based on what has happened in the past. It serves as a form of protecting ourselves or, in some cases, of placing us in control of a situation. It’s a way of convincing ourselves that how we act or what we do or say is right.
In his book The Seven Habits of Highly Effective People, Stephen Covey discusses paradigms, or how we see and interpret the world around us. Paradigms are often the basis of assumptions. Covey explains that these come from conditioning and habit, and that they influence our actions and behaviors. He observes that “we simply assume that the way we see things is the way they really are or the way they should be” (Covey 32).
Below are several types of assumptions and scenarios that arise often in forensics and e-discovery cases:
Do you have access to the device or account you are collecting? Do you have the credentials? The presence of encryption or password protection on a device can hinder forensic preservation in some cases. For instance, if a custodian has their Apple device encrypted with FileVault, you will need the passphrase in order to decrypt the drive and image it with a tool such as MacQuisition. The same applies to encryption or passcodes on other devices.
Do your forensic tools parse the data properly? What types of files are present on your device? Are they operating system-specific files, viewable only on a Macintosh, Windows, or Linux operating system? Do you have the necessary tools to view and/or convert them if you need to provide them to a client? Will you need third-party tools to parse or analyze certain types of files? Does a newer version of your tool parse your data in a way that an older version did not? Newer versions of forensic tools can support and collect more models of phones and parse more file systems. For example, EnCase 7 accurately parses the file and folder structure of Windows 8/8.1 devices, but EnCase 6 shows the F: partition, which contains much of the operating system and user data, as unallocated clusters and does not accurately parse the folder structure.
Do you have authorization, legal or otherwise, to perform a collection, examination, and/or analysis? In civil litigation matters, no collection or analysis can be done until permission is granted by the attorneys or the ultimate client. In criminal cases, this authorization typically comes in the form of a search warrant. In child exploitation cases, do you have legal authorization to collect or seize devices? Do you have legal authorization to view pictures?
How do you know your data has not changed during the forensic preservation and/or replication processes? This is where hashes and verifying file integrity are important. If providing counts of files, how do you know you’ve accounted for everything on a system or within a data set? If providing native files, are you providing them to a client in a readable format?
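The two questions above, integrity and completeness, are answerable with a hash manifest. The following is an added example, not code from the original post: it records the SHA-256 of every regular file under a directory (hidden dot-files included, so the count covers the whole data set), then checks a later copy against that manifest and reports anything modified, missing, or added. The sample files and the "tampering" are constructed inside a temporary directory so the script runs offline.

```python
"""Hash manifest for verifying that a preserved data set has not changed.

Added example (not from the original post). Builds a SHA-256 manifest of
every regular file under a directory, including hidden files, then verifies
a later copy against it and reports anything modified, missing or added.
Sample files are constructed in a temporary directory so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> SHA-256 hex digest.

    os.walk does not skip dot-files or dot-directories, so hidden items are
    included; len(manifest) is therefore the full file count for the data set.
    Anything that is not a regular file (broken symlink, socket) is skipped.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(manifest, root):
    """Compare a directory against a stored manifest.

    Returns a dict with sorted lists of 'modified', 'missing' and 'added'
    relative paths; all three empty means the copy is intact and complete.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: preserve a small data set, alter the working copy, re-verify.

    Returns (file count in the manifest, verification report after the changes).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "memo.txt").write_text("quarterly numbers\n")
        (src / ".hidden_notes").write_text("do not forget\n")  # hidden file, still counted

        manifest = build_manifest(src)
        # Freshly built manifest must verify cleanly against its own source.
        assert verify(manifest, src) == {"modified": [], "missing": [], "added": []}

        # Simulate an altered working copy: edit one file, delete one, add one.
        (src / "docs" / "memo.txt").write_text("quarterly numbers (edited)\n")
        (src / ".hidden_notes").unlink()
        (src / "docs" / "extra.bin").write_bytes(b"\x00\x01")
        return len(manifest), verify(manifest, src)


if __name__ == "__main__":
    count, report = demo()
    print(f"{count} files in manifest")
    print(report)
```

Store the manifest alongside the image or export and re-run `verify` on every copy you hand over; a clean report is the evidence that nothing changed between preservation and delivery, and the manifest's length is the file count you can stand behind.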
– – – – – – – – – – – – – – – – – – – – – – – – – –
In confronting the dangers of assumptions, here are a few techniques that I have found useful in my personal and professional life:
- Pull yourself back from the situation and ask yourself “why?” Why are you feeling like this? Why are you thinking this way? What is causing you to feel this way? Why are you jumping to this conclusion? Try to do this not as a form of rationalizing or justifying your own behavior but as a means of understanding how and why you tend to make assumptions. Use this as a starting point to become more aware of your own thought process and to curb these habits.
- If unsure about something, ask before going forward (or perhaps before making a statement or decision that could land you in hot water). This applies to personal and professional matters. Clarify issues with a client or project manager ahead of time.
- Acknowledge and learn from your mistakes.
Covey, Stephen R. The Seven Habits of Highly Effective People. New York: Simon & Schuster, 2004.