Friday, September 30, 2011

Lessons Learned

Having just finished a marathon case, one of the longest I have ever had, I have been taking some time to think over the progression of the case and adding the lessons learned to the other "hard ones" I have accumulated over the years. This is written from standpoint of a contracted forensic examiner, I think most of the points could be applied to internal exams as well.

1. Before you ever ACCEPT the engagement, have a very deep conversation with the party or parties that is going to pass judgement on your results and final report. Make sure you know what their expectations are, and if they are not reasonable or obtainable get this understood right up front. If these parties will not take the time to do this, or will not accept the realities of what your examination can accomplish, walk away, it's a losing proposition that will only damage your reputation in the long run.

The next two items go hand in hand.

2. Make sure you know the final result the client is expecting. This is a result of doing a good job at step 1. Make sure that you can put into words that are consistent with a good forensic examination what the result should be for the client. Here we have to remember our job is not to prove the case for the client, our job is to locate and present ALL possible evidence relevant to the matter.  That requires we stay in the ballpark dictated by the clients wishes, and find either the presence or the absence of items that pertain to that.

3. Make sure you know what YOUR final result is expected to be. I know you are asking isn't this the same as point 2? My contention is it is not. The client wants "proof" of some activity, you want items that are relevant to that activity. You need to be able to express both. The client's expected results are going to be matter concentric, yours are going to be artifact concentric. Make sure you can answer both 2 and 3.

4. Have a case outline and case preparation plan before you begin to examine anything. Develop your own style of case prep or adopt one of the many you can find in recent blogs. But have a written plan. You may, and often will deviate from the plan or change it as your case progresses because you go where the evidence takes you. Having the plan will help you answer the questions of why did you do A and not B during your examination.

5. Begin with the end of your case. I always start a case drafting a Summary like you will find in my final report. I know, I have nothing to report yet. But this is where I let my analytic forces run free. I picture what I am trying to find, the write out a "fake" finding of every type of relevant artifact, where I "found" it, what methods I used a how it is presented. I also "report" absence of artifacts and what steps were taken to show they didn't exist and why that's important. It also points out to me what research I may need to do to handle an artifact I have never dealt with or method I may need. Now I have a great picture of my examination. Without the pressure of having the image open in front of me and getting sidetracked or led down wrong roads by things that jump out in front of me, I can go find the things I know will yield the results I should end up with. Not proof for client mind you, that may not exist, but the truth of what does or doesn't exist.

So that is the beginnings of a case for me, and it saves me and my client headaches and tine and money. I look forward to hearing how everyone else does it.

1 comment:

  1. This is a great post, in that it validates what others have been saying for some time. Take Chris Pogue's "Sniper Forensics"...items #2 and #3 above come straight out of his presentations. I've taught #4 and #5 time and time it's good to see others validating these ideas. Thanks!