Many times, as forensic engineers, we are put in positions where it is assumed that firm, concrete conclusions can be drawn simply by analyzing acquired drives and devices. In truth, however, it is important to distinguish hunches from conclusions, a line that seems blurred for many engineers who feel they have either absolute evidence that a particular activity took place or enough to justify absolutes in their reports.
For example: so you found that a USB device was connected to the system. Bingo! Or not? Does this mean the "suspect" transferred the intellectual property everyone thinks they did? Or was it the sysadmin playing detective after the employee left? Better yet, was it just a USB device plugged in for Vista's ReadyBoost feature and nothing more? The artifact tells you a device was connected; it does not, by itself, tell you who connected it or what, if anything, was copied to it.
Let’s take a look at another one:
What makes the suspect a suspect? Is it just because that's who the paying customer believes it is? Could the paying customer themselves be a suspect framing someone else? Using such a term lightly can lead a forensic engineer into murky waters fast. Don't assume anything as fact!
As forensic engineers, it is our duty to collect, analyze and present data to assist others in a case. We are not psychologists, so it is not our job to draw conclusions about intent or motive. We are IT professionals examining and presenting nothing but data, 0s and 1s. So next time you write that report, remember!