Explaining what went wrong in an unsuccessful investigation requires consideration and professionalism.
Many articles instruct on best practices for extracting evidence, where to find evidence, and why evidence discovered is the way it is. But few articles guide digital forensic professionals on how to stay professional when the examination doesn’t render the results expected. Digital forensics is a relatively new science. Most corporate management and law enforcement entities have at least reviewed the concepts of digital forensics; however, there are still organizations that have little or no exposure to such methodology. If digital forensic work can be said to be in its infancy as a whole, can one imagine the true lack of understanding that uninformed agencies generally have of this technology? Fear not, I can say with confidence that the trend is improving. More and more corporations are starting to seek information security, compliance, and auditing professionals with forensic experience. Law enforcement as a whole is catching up in the forensic arena as well. Agencies are pursuing forensic training for technology-apt personnel as well as collaborating routinely with federal and state forensic investigation experts.
In this article, I will portray examples of management that possess an untrained or limited digital forensic background. I will give accounts of management’s reactions to negative or partial evidence finds I have encountered over the past ten years. I can honestly say I did not handle each scenario in the most professional manner; however, given a second opportunity, I would have liked to have responded with tougher skin and a more empathetic understanding. I believe that if I had managed my management’s expectations by helping them understand the technology’s abilities and limitations, this could have mitigated some of the future sordid reactions. So, laugh, empathize, and most of all learn a digital forensic life lesson from these experiences.
The text messages were on the phone when we inventoried it…I think.
Occasionally analysts are tasked to examine cell phones and are informed that there is evidence to be found on the device. Sometimes the physical state of the object containing the evidence, the way it was inventoried, and the preservation maintenance aren’t exactly standardized processes.
In this scenario, a local investigator has brought forth a cell phone in a pressing case. He reports that there are messages on the device that link his suspect to the crime. The investigator states that the phone was safely tucked away in his evidence locker…for the past month…and by the way, he believes the battery is dead…Let the good times roll.

