Incorporate Extrinsic Evidence in Your Investigation
One of the greatest mistakes that can be made is to look at any digital evidence in isolation without properly considering all of the processes, inputs, and outputs that can impact the interpretation. Accordingly, I believe examiners should insist upon unfettered access not only to the media, but also to the court filings and related discovery (e.g., arrest reports, opposing party’s expert’s report, etc.)
I have found that gathering and reviewing extrinsic evidence is a concept that roughly approximates so-called early case assessment (ECA) in the e-discovery world. One e-discovery solutions vendor, StoredIQ, explains “using ECA, legal counsel can assess the merits of a dispute, formulate a legal strategy, and make decisions concerning the matter before the costly process of taking the case to trial begins.” Another familiar vendor, Guidance Software, distinguishes their product on the basis of ECA by claiming that “other products … provide analysis and review only after completing collection and processing.”
An examiner should be vigilant against extrinsic evidence suggested by others—particularly affiliated with the opposing party—that may be intended to distract or lead the examiner on a costly and unproductive safari. Similarly, I believe examiners should resist any undue influence by the retaining attorney with regard to what can or should be found,9 although not everyone shares this view.
From: Incorporating Extrinsic Evidence into the Digital Forensics Investigation by Sean L. Harrington