Expert Witness Forum West

The Use of Computer Forensics, Mobile Forensics and e-Discovery in Expert Witness Testimony

Michael Chong, Kemar Wilks – The use of Computer Forensics, Mobile Forensics and e-Discovery in Expert Witness Testimony


Lawyers need to get comfortable with digital evidence

Even though technology is all around us — from cell phones to computers to always listening personal digital assistants in our homes — it doesn’t mean everybody has an equal understanding of how digital information is created and stored and accessed, and that includes lawyers.

As the amount of digital data continues to grow, those electronic ones and zeros are playing ever-increasingly important roles in legal actions. Some lawyers who are either technology buffs in their personal lives or who have professional experience with cases involving digital forensics are comfortable examining digital evidence and hunting through electronic information looking for information to support their positions. Others, however, find themselves having to navigate an unfamiliar world of metadata and hashes and logs, all while doing the best they can for their clients.

For those legal professionals, it’s not a matter of learning to code or becoming technical wizards, but it’s about developing an understanding of the digital landscape and the evidence that it contains so they can do their jobs better.

Michael Mulligan

Michael Mulligan, Mulligan Tam Pearson Law Corporation

“If you don’t know [digital evidence] is there, you’re not going to make efforts to look at it, or you’re just going to focus on some other aspect of the case because you’re unfamiliar with it,” said Michael Mulligan of the Victoria, B.C.,-based defence firm Mulligan Tam Pearson Law Corporation. “People have to be familiar enough with it to know it exists and then retain an appropriate expert if they don’t know enough about it.

“It’s like if you’re a police officer, and you didn’t know about DNA evidence. You’re just not going to take the steps to check and see if it exists or take the steps to see that it’s properly preserved. Pretending it doesn’t exist, I don’t think, is a satisfactory response to it.”

As to what that familiarity amounts to, Jeffrey Posluns, owner of the Toronto-based information technology security company Posluns Consulting, said lawyers should understand some fundamental concepts.

Jeffrey Posluns

Jeffrey Posluns, Posluns Consulting

“They need to have a basic understanding that e-mails can be spoofed and that any log that shows something on a computer or a server can be fabricated or adjusted or can show wrong information if the logs aren’t set up properly.

“At the same time, when they are looking for evidence, they need to understand that logs should exist for most situations and for most activities in companies that have competent systems administration and/or a networking team. … In summary, it’s most important for a lawyer to know what is possible and what exists, not necessarily how to use it or what it does or where it goes,” said Posluns.

Lawyers dealing with digital data should be aware that there are acceptable procedures that must be employed while retrieving information from devices, and if the proper steps aren’t taken, any evidence obtained may be deemed inadmissible at best or irretrievably lost at worst.

“The first principle of digital forensics is don’t change anything,” said Robin Fowler, junior forensic examiner at TCS Forensics Ltd. in Richmond, B.C.

“One of the main issues in relation to the admissibility of digital evidence is the fact that metadata — which is like the dates and the times that files were created or accessed or modified — are changed really, really easily,” explained TCS senior forensic examiner Kemar Wilks.

Wilks said when inexperienced people attempt to retrieve files by opening them and saving them, they alter the computer’s records — its logs of when that data was originally created and accessed — which is typically the evidence that is needed to support legal arguments. To get around this problem, most experts use a technique known as imaging the drive, which Wilks likens to taking a snapshot of the data.

Robin Fowler

Robin Fowler, TCS Forensics Ltd.

“It’s a court-accepted procedure. At the beginning of the imaging process, something is done known as hashing, which is generally just creating a serial number of the data as it is. Then we copy it. We do the same process again to see if the serial number is the same and normally it is.

“Say, for instance, after you create the serial number, you open a document on the same hard drive and put in one change and save the document. Then the serial number will be completely different. [The hash] is almost as unique as DNA. I think it’s the most important step in digital forensic analysis as a matter of fact.”

Preserving information isn’t just something forensics experts do. It’s actually something that computers and other electronic devices are very adept at.

“The basic advice would be if you delete something from an electronic device, a computer or a cell phone, it’s not gone. It’s the equivalent of taking the index card out of the old library card catalogue but leaving the book in place. When you delete the file from the computer, you don’t get rid of the underlying data, you just make a notation on the file system that the space might be available for future use,” said Mulligan.

“If you examine the computer in a forensic way, you are likely to find vast quantities of data that would not be apparent to a user of the machine. You’ll get the deleted e-mails, the previous versions of documents — just a vast amount of information that is there and many lawyers simply do know it exists so they’re not looking for it.”

Kemar Wilks

Kemar Wilks, TCS Forensics Ltd.

It’s not just computers and cell phone with memories. Smart devices from printers to Internet-enabled appliances and TVs, also retain logs and records. For example, Fowler said TCS Forensics was involved in an intellectual property case where one side was supposed to have destroyed a set of documents by a certain date. TCS proved that didn’t happen.

“We were able to determine from a print log file that they had been printing those documents —  documents that weren’t found on their computers — at a later date than they were supposed to have destroyed the documents,” he said.

The type of law a lawyer practises will likely influence the type of digital data encountered. Mulligan said in the criminal world, it used to be child pornography cases that would mainly rely on digital evidence, but today almost every case touches on some element of it. Determining people’s locations by tracking where their phones were, for example, could easily find its way into murder cases.

Posluns said he spends half his time on e-mail related, 25 per cent looking into malicious activity that took place by analyzing IT infrastructure, servers, platforms and code, and the rest performing an assortment of activities, including explaining to one lawyer how to purchase illegal drugs on the dark Web and how police investigate those types of purchases. (The lawyer’s client was accused of performing that activity.) Currently, when TCS is consulting on civil cases, 80 per cent of what the company deals with are mobile devices including cell phones and tablets.

For lawyers looking to hire a forensic expert to assist them with an investigation or to explain certain aspects of technology, Mulligan, Fowler, Wilks and Posluns all agree that one of the key qualifications is that person’s ability to explain things in clear, succinct language, and to offer explanations that could be understood not just by the lawyer but by judges and juries (if necessary).

Lawyers can also ask about forensic training accreditation and inquire if they have licences for the software that was used to find or create the evidence. (Mulligan noted that police departments, for example, often use a program called EnCase Forensic to conduct their investigations, so it helps to be able to use the same software to examine the evidence they collect.)

As for lawyers who are still uncomfortable with the idea of dealing with digital data, unfortunately, there is only going to be a proliferation of it in the future, except instead of being stored on people’s desktop computers or in their handheld devices, a higher percentage of it will be kept in the cloud on servers across the country, or even in countries across the globe. A growing percentage of that will be information collected by personal digital assistants like Apple’s Siri, Amazon’s Alexa or Microsoft’s Cortana. Additionally, more previously unnetworked devices are being transformed by their manufacturers into Internet of Things (IoT) products, with the addition of wireless connectivity (including GPS tracking).

As people’s lives become increasingly tracked and traced online, there will be more opportunity to find, retrieve and use that data in legal actions, and doing so will become even more commonplace than it is today, leaving lawyers who are technology adverse an increasing disadvantage compared with their colleagues.

Thursday, December 28, 2017 @ 10:56 AM | By Carolyn Gruske | The Lawyer’s Daily

Lunch & Learn Events, Conference Presentations and Workshops for 2018.

We are now booking lunch & learn events and presentations for 2018. We will also be offering in-house and on-site training workshops in 2018 with several engaging topics listed below. Please contact us directly for more information.

  • Digital Forensics Challenges in the Internet of Things (IoT) World
  • Digital Forensics and Big Data Challenges
  • Demystifying eDiscovery & Digital Forensics
  • Digital Forensics and the Cloud Computing Environment
  • Digital Forensics Evidence Collection and Management
  • The Value of Digital Forensics to Your Organization


June 2014-Cyber Attacks, Mobile Forensics and Validation Tools

Cyber Attacks Take Hours to Detect (Source: CSG International)

More than one-third of cyber attacks take hours to detect. Even more alarming, resolving breaches takes days, weeks, and in some cases, even months. Despite increased resource allocation designed to protect networks, a CSG Invotas survey conducted by independent research firm IDG finds that 82 percent of respondents report no decrease in the number of network security events or breaches last year—and more than a quarter of those surveyed report an increase. “There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period.” Researchers polled decision makers of information security, strategy, and solution implementations at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:

  • More than one-third of breaches take hours to detect.
  • Resolving breaches can take days, weeks, or months.
  • Ongoing management of electronic identities that control access to enterprise, cloud, and mobile resources take the most time to change or update during a security event.
  • A majority of respondents seek ways to reduce response time in order to address risk mitigation, preserve their company’s reputation, and protect customer data.
  • Sixty-one percent of respondents admit they are looking for ways to improve response times to security events.

Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens. A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. Fifty-seven percent of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30 percent of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.

Israel’s Cellebrite delves deep into cell phone memory (Source: Ari Rabinovitch PETAH TIKVAH, Israel, June 5 Thu Jun 5, 2014 3:20am EDT) (Reuters) – Israel’s Cellebrite has seen a huge jump in sales of its mobile forensic technology as smartphones have become an increasingly vital tool for investigators in solving crimes across the world. A deleted picture or text message can often be key to a case – whether for police detectives or bank auditors – and the ability to extract and analyze the data could prove a suspect’s innocence or guilt, said Yossi Carmil, corporate co-chief executive. Cellebrite, a fully owned subsidiary of Japan’s Sun Corp , developed a system it says can do just that – retrieve data hidden deep inside nearly all mobile devices on the market. And with people becoming more dependent on their smartphones, which have in turn become more sophisticated, Cellebrite is playing a “more and more significant” role for Sun Corp, Carmil said. The company’s forensic department saw an average 25-30 percent growth for three straight years. It controls a major portion of the global forensics market, which in total Carmil estimated is over $150 million but will exceed $1 billion within a decade, as the field broadens and new technologies are introduced. Cellebrite also sells products to retailers and cellular operators that back up and transfer data and can quickly diagnose problems on a phone. About 150,000 shops worldwide use these devices, and it brings in a bit less revenue than the forensics business, Carmil said. “Ten years ago someone would have to sit and physically scroll through the phone. If you had erased a message, it was gone,” Carmil said. “But like in computers, even if you delete something, it is actually still there on the smartphone.” “Our system can retrieve it. This is harder to do than with computers since there are so many systems and devices,” he said. Leeor Ben-Peretz, vice president of products, said a key advantage for Cellebrite is its speed to market in supporting new phones and its coverage of a wide range of operating systems and devices, including those with higher levels of encryption and protection. (Editing by Tova Cohen).

Forensics Tool Validation (Source: “Training is Not Enough: A Case for Education Over Training” by Tim Wedge)   forensics

The premise that an effective digital forensic examiner must be able to validate all of the tools that he or she uses is universally accepted in the digital forensic community. I have seen some less-educated members of the community champion a particularly insidious, and I will argue, invalid method of tool validation, often referred to as the two-tool validation method. The premise of this method is that if two different tools provide the same result, they must both be correct. The problem with that assumption is that it ignores the fact that both tools may have the same flaw. This may be due to unforeseen changes to operating systems, or file systems, or it may simply be the result of invalid, but widely accepted assumptions. Few practitioners would suggest testing a gas chromatograph by merely seeing if two of them produced the same result; they would insist on testing a calibrated sample and ensuring that the results of the test matched the known values of the sample used. Digital forensic tools cover a much broader spectrum of data recovery and presentation of recovered data, and are therefore correspondingly difficult to test. Nonetheless, we cannot hold them to a lower standard. Errors and limitations in the recovery and presentation of data may occur as a result of oversight, design flaw, or simply because the ability to interpret every data structure that exists in the real world is an intrinsically unattainable goal.

Mr. Stewart Bertram to join TCS Forensics Richmond BC location

Richmond, British Columbia, Canada August 6th , 2013—TCS Forensics Limited is pleased to announce the appointment of Mr. Stewart Bertram as the Director of Cyber Security & Threats Intelligence to our main office in Richmond British Columbia.

Stewart brings ten years of experience in providing tactical and strategic intelligence support to the CEO’s of global multinational companies (some over 100,000 employees), combined with a number of professional and academic certifications; Stewart epitomizes best practice within the field of intelligence and security.  Stewart’s past projects included providing real time cyber threat monitoring support for the 2012 London Olympic Games, geopolitical risk assessment of the effects of terrorism within Sub Saharan Africa, risk assessing the impact on the Organization of data breach from employee use of social media and direct consultancy on how to develop a cyber-threat intelligence capability within a private sector organization. With deep knowledge in the field of risk assessment on terrorism, cyber threats and cybercrime trends, Stewart consistently adds value to the customers’ existing risk assessment.

With the rapidly growing digital industry and the digitization of business, government and personal records, TCS Forensics can offer customers everything from threat active profiling, to digital forensic investigations and analysis, to network security analysis to safeguard businesses from intruders and cyber-terrorist.

TCS Forensics is the premiere forensics investigation company that specializes in mobile devices such as Iphone, Ipad, Blackberry, Samsung & 5300 others, computers, laptops and PC’s. We also specialize in network vulnerability/ Penetration Testing, Risk management and E-discovery. TCS Forensics has the largest private forensic lab in Western Canada serving clients from New Brunswick to British Columbia, Washington DC, Texas, California, Washington State and more. We provide onsite forensics 24 X 7 X 365 and service many happy clients from private individuals, corporate & public companies including law firms, municipalities, government ministries, financial institutions and private investigators.

TCS Forensics New Office Location

Richmond, British Columbia, Canada June 7, 2013 —TCS Forensics Limited is pleased to announce the relocation of their office. On June 1, 2013, TCS Forensics moved their main office to Unit 125- 3751 Jacombs Road in Richmond British Columbia V6V 2R4.

The move will accommodate recent growth and enable the company to continue to maintain superior customer service to its expanding clientele. “Everyone here at TCS Forensics is thrilled to move into our new home”, stated Keith Perrin, CEO and founder of TCS Forensics. “The move will allow our company to better facilitate our employees by doubling the square footage of our office and upgrading our in-house technology. The new location includes additional space for new Risk Management & E-discovery Labs. Most importantly, the relocation is driven by the company’s commitment to better serve its clients. The new office will bring our team together allowing a more collaborative approach to the new services.

TCS Forensics is the premiere forensics investigation company that specializes in mobile devices such as Iphone, Ipad, Blackberry, Samsung & 5300 others, computers, laptops and PC’s. We also specialize in network vulnerability/ Penetration Testing, Risk management and E-discovery. TCS Forensics has the largest private forensic lab in Western Canada serving clients from New Brunswick to British Columbia, Washington DC, Texas, California, Washington State and more. We provide onsite forensics 24 X 7 X 365 and service many happy clients from private individuals, corporate & public companies including law firms, municipalities, government ministries, financial institutions and private investigators.

Original Source: “June 2013 Press Release

CBC TV, Regional News – Anu Dawit-Kanna

TCS Forensics, Subject Matter Expert: Social Network Privacy and Security

Subject Matter Expert: Corporate Social Media Policy

By Alan Zisman – Business in Vancouver

Over half a billion of us – including me and probably you – have Facebook accounts.

There are over 100 million of us on Twitter and countless others using Linkedin and other social networking sites. Not surprisingly, what we do in those virtual places has implications for our employers whether we visit the sites at work or at home. How our time on Facebook (et al) affects our employer, however, is more complex than it might seem, as is the way our employer needs to respond.

For example, going on Facebook during work time – an obvious no-no, right? TCS Forensics’ computer forensics and data security consultant Ryan Mattinson notes that a management gut reaction to social media, perhaps as a result of “shoulder surfing” during a quick walkabout, may be to simply decide to ban access to these sites at work.

Mattinson suggests this is the wrong approach. It’s bad for morale, hard to enforce and ignores the legitimate uses of these sites on the job. He points out groups of employees who might need access to social media from work:

• IT staff might find social networks a valuable way to receive expert advice from peers;
• marketers may want to monitor your company’s viral campaign (or the competition’s); and
• HR might be using them to check up on potential hires.

But monitoring potential and current employees raises issues. Most of us understand that our employer might monitor what we do using a company-provided computer on the company network during company time. Your company may also feel it needs to know what you’re posting even if it’s been done using your own computer and on your own time.

Companies feel that it’s their business what you say about your job, the company, your boss, your colleagues and even the competition online regardless of where you were when you posted the comment.

If, however, companies are going to get involved in this sort of monitoring, clear policies and employee awareness and consent are needed. And this is where many companies fall down.

Last fall, Manpower, a U.S.-based company specializing in providing office temps to the marketplace, polled 34,000 employers in 35 countries about attitudes toward social media in the workplace.

Nearly 60% of the employers surveyed thought that social networks could be used to provide benefits to their organizations, including building their brands, fostering collaboration and communication, and recruiting and assessing new employees.
However, three-quarters of the employers surveyed (71% of the North American employers) had no formal policies covering employee use of social networking sites.

Employers who did have them felt that the policies helped prevent productivity loss by limiting non-business-related time spent at these sites.

Other benefits of formal policies noted by employers included protecting their organizations’ reputations, helping with recruitment and protecting proprietary information.

Mattinson points organizations to, which asks a quick 12 questions and then churns out a boilerplate social media acceptable use policy. However, he urges companies to go beyond that – take time, look at the policies in use by other companies ( offers 148 real-life examples) and, most of all, think about the unique needs and culture of each organization.

Sharlyn Lauby of Internal Talent Management suggests that while social networks seem new, “social media or new media is really media. Many organizations … already have a policy in place for working with media. Social media is merely an extension of what you already have in place.”

She hopes that organizations can build on what they’re already doing to develop and communicate guidelines, train staff to use these networks to benefit their organizations and build an environment to use social media positively within the organization.

Original Source: “Companies need guidelines for effective employee use of social media

CBC TV, The National – Craig Lederhouse

TCS Forensics, Subject Matter Expert: British Columbia Lottery Corporation Data Breach

CBC Online Regional News

TCS Forensics, Subject Matter Expert: British Columbia Lottery Corporation Data Breach

Excerpt from “Campbell confident in BCLC after breach“:

Meanwhile, a local security expert is warning that hackers and cyber-thieves will be on the alert when B.C.’s virtual casino goes back online.

Ryan Mattinson, a forensic examiner and computer security consultant, said the troubles are far from over for the lottery corporation.

“In this day and age, there’s a baseline level of activity just from being online,” he said.

“Everyone’s having their systems probed and having automated attacks … run against them to see if there’s anything that can be easily taken advantage of out there. And after something like this happens, then BCLC is going to be getting a little bit of extra attention.”

Mattinson doesn’t want to see the website running again anytime soon.

He said the lottery corporation needs to go back to the drawing board to beef up its security and quality control.