Not long ago, I sat down with my friendly computer forensics investigator to participate in the analysis of a hard drive from a PC used by my client’s former employee. I actually sat in his cubicle to participate "live" in the analysis. I’d begun to suspect the typical approach of relying primarily on written reports resulted in missed investigative opportunities. I wanted to see if more active attorney participation would produce a better result.
Normally when an attorney engages a forensic expert he tells the investigator what he's hoping to find, but he may not tell the investigator much about the case. Some investigators tell me they are often told next to nothing about the case. The level of direction is quite dependent on the attorney’s knowledge of computer forensics. Often assignments lack specificity, or, conversely, are so narrowly defined they miss even the low-hanging fruit of a typical forensic investigation.
A forensic investigator normally does the acquisition and analysis and then generates a written report. The narrative report may include lengthy spreadsheets containing lists of deleted files, reports on Internet usage, or other standard reports that can be generated by the software programs used for analysis. The attorney reviews the report and hopefully looks at the spreadsheets. He then talks to the investigator to make sure he understands the report. Together they determine if any follow-up analysis is required, and later they discuss any newly obtained information. Each additional step beyond the initial analysis raises the cost of the investigation.
I wanted to see if it would be worthwhile to work dynamically with the investigator in real time in order to develop and follow leads that were generated during the initial analysis. This approach might lead to a dead end, but you knew immediately whether there was a new path to explore. I suspected this method might actually be more cost-effective. The investigator was not called upon to re-analyze the case weeks or months after the attorney finally reviewed the report. Live interaction ensured better communication. Attorneys and techies speak very different languages. Making sure you are understood, and that you understand, is easier in face-to-face situations.
This case involved a departed employee whom we suspected of stealing computer files containing proprietary information. The hard drive was relatively small, and the results could be analyzed quickly. The in-person approach wouldn't have worked if we had a terabyte of e-mail to process, but the amount of information we had was fairly typical of situations likely to be encountered by the average lawyer. They don’t often deal with a server with terabytes of information to examine. They’re more likely to deal with one or two PCs, or just an e-mail server.

