this problem, it took several years for at least one well-known forensic tool developer to do so, illustrating that even tools that have held up in court in the past may have serious flaws that can affect the outcome of an investigation; most importantly, these flaws can result in erroneous interpretations of fact.
I have used the pejorative “click monkey” to describe individuals who use automated forensic tools, sometimes with considerable proficiency, but do not have an understanding (or have an incomplete understanding) of what it is that the tool actually does. In some circles, the expression “tool monkey” is used to describe the same individuals for pretty much the same reason. My disapproval of “click monkeys” is not based on the demonstrable fallibility of the tools themselves; no tool can ever be perfect, and they remain indispensable assets. In my experience, the limitations and imperfections we find have not generally been due to poor design, but to an intrinsic lag in response time to changes in operating systems and file systems, as well as the sometimes secretive nature of changes to these systems.

Criticism of click monkeys is usually based not on contempt, or disrespect, but on fear. People who know nothing more than how to use a tool are manifestly incapable of detecting flaws in that tool, or taking steps to correct or account for those flaws. Moreover, they are often unaware of important information that the tool omits.
Examiners with a more solid grounding in the technical theory behind file system mechanics and operation are better able to conceptualize what a tool is doing. With a solid grounding in research methods, an examiner is better equipped to design and execute effective tests to determine how well and how reliably the tool is doing its job. Moreover, that same knowledge better equips the examiner to take corrective measures or place appropriate boundaries on the interpretation of that tool’s results. The advantage of a liberal arts education is that the student is not simply better trained, nor merely given a greater depth of technical knowledge. He or she is not taught to merely follow steps in a process to arrive at a solution; but to learn to recognize problems, to test for problems, and to develop solutions for
Digital forensic science is not a matter of recovering a file that proves somebody’s guilt; it is about wading through hundreds of thousands, possibly millions, of a wide variety of digital artifacts and making very pointed critical judgments about which provide some sort of inculpatory or exculpatory evidence relevant to the case. It is important to remember that it is the digital forensic examiner alone who will make this discrimination, and will normally be the only person to ever see the majority of recovered artifacts. Those items that are excluded by the examiner will not get a second look, will not be re-evaluated or reconsidered by
Tool use alone might allow me to recover thousands of images. With even more technical knowledge, I might piece together even more fragments of images and Web page artifacts out of unallocated space that were missed by the tools. Absent any other insight or education, I might quickly discount dozens or hundreds of pieces of relevant information. A liberal arts education might tell me (or give me the research skills and habit to find out) that the bearded man with the green robes whose image keeps showing up on the subject’s hard drive is Ali, suggesting that my subject is Shi’a. I might further recognize that my subject lives in a Sunni neighborhood. If my subject is a murder victim, this may provide an insight as to motive. If I am conducting an intelligence analysis, this may be an anomaly that is worth noting in my report.
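The essay argues, in the paragraphs on testing tools and on fragments "missed by the tools", that an examiner must be able to design a test that shows what a tool recovers, what it silently drops, and what it fabricates. The following Python is an added illustration of such a validation test; it is not code from the essay or from any forensic product, and every name and value in it is constructed for the example. It builds a small synthetic "disk image" with three JPEG-like files of known content (one with its footer overwritten), runs a deliberately naive header/footer carver and a corrected one over it, and scores each against the ground truth.

```python
"""Validation harness for a file carver, run against a constructed image with
known ground truth. Everything here is hypothetical example code: the image
layout, the two carvers and the scoring are built for this illustration."""
import random

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker
SLACK_LIMIT = 64   # trailing bytes we tolerate on a recovered truncated file


def _marker_free(rng: random.Random, n: int) -> bytes:
    """Random bytes that never contain 0xFF, so no accidental markers appear."""
    return bytes(rng.randrange(0, 0xFF) for _ in range(n))


def build_test_image(seed: int = 7) -> tuple[bytes, dict[str, bytes]]:
    """Constructed layout: filler, A (intact), filler, C (footer overwritten),
    filler, B (intact), filler. Returns the image and name -> on-disk bytes."""
    rng = random.Random(seed)
    a = SOI + _marker_free(rng, 300) + EOI
    c = SOI + _marker_free(rng, 200)          # tail overwritten: no EOI survives
    b = SOI + _marker_free(rng, 450) + EOI
    image = (_marker_free(rng, 128) + a + _marker_free(rng, 64) + c
             + _marker_free(rng, 32) + b + _marker_free(rng, 96))
    return image, {"A": a, "C_truncated": c, "B": b}


def carve_naive(image: bytes) -> list[bytes]:
    """Header/footer carver: from each SOI, take everything up to the next EOI.
    A file whose footer is gone swallows whatever follows it."""
    out, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return out
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            return out
        out.append(image[start:end + len(EOI)])
        pos = end + len(EOI)


def carve_bounded(image: bytes) -> list[bytes]:
    """Corrected carver: a candidate also ends (as a truncated file) when another
    SOI appears before its EOI, so one damaged file cannot hide the next one."""
    out, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return out
        nxt = image.find(SOI, start + len(SOI))
        end = image.find(EOI, start + len(SOI))
        if end >= 0 and (nxt < 0 or end < nxt):
            out.append(image[start:end + len(EOI)])
            pos = end + len(EOI)
        elif nxt >= 0:
            out.append(image[start:nxt])      # truncated file plus following slack
            pos = nxt
        else:
            out.append(image[start:])         # truncated file runs to end of image
            return out


def validate(carver, image: bytes, truth: dict[str, bytes]) -> dict:
    """Score a carver: 'exact' recoveries, 'partial' ones (truncated file plus a
    little slack), 'missed' files, and 'bogus' blobs matching nothing known."""
    carved = carver(image)
    result = {"exact": [], "partial": [], "missed": [], "carved": len(carved)}
    matched = set()
    for name, original in truth.items():
        hits = [i for i, blob in enumerate(carved) if blob == original]
        if not hits:
            hits = [i for i, blob in enumerate(carved)
                    if blob.startswith(original)
                    and len(blob) <= len(original) + SLACK_LIMIT]
            bucket = "partial"
        else:
            bucket = "exact"
        if hits:
            result[bucket].append(name)
            matched.update(hits)
        else:
            result["missed"].append(name)
    result["bogus"] = len(carved) - len(matched)
    return result


if __name__ == "__main__":
    img, truth = build_test_image()
    for carver in (carve_naive, carve_bounded):
        print(carver.__name__, validate(carver, img, truth))
```

Run against this image, the naive carver reports two artifacts: the intact file A and one bogus blob that begins at the damaged file C and runs through the end of B, so B is never seen as a separate item. The bounded carver returns A and B exactly and C with a few bytes of slack. The point of the harness is not the carver itself but the habit: the ground truth is known before the tool runs, so the examiner can state what the tool missed and what it invented rather than trusting its output.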
The ability to make this kind of contextual observation may be critical to an investigation. More importantly, this ability must reside with the digital forensic examiner to be of any value; otherwise the artifacts will simply be discarded, and the connections never made. No amount of tool proficiency will cause an examiner to make these connections; it requires a greater awareness of the world around us, as well as practice at making these kinds of connections, and the intent to do so.
Mere proficiency with carpentry tools alone is insufficient qualification to build a house. A builder must be able to read and interpret a blueprint to create a meaningful result with those tools. Likewise, a truly competent digital forensic examiner must not only recover data, but must be able to verify the reliability of that recovery, and must competently place recovered data in context.
1. I base this on conversations with dozens of county sheriffs, chiefs of police, and prosecutors between 2005 and 2009 while acting as program support coordinator for the National White Collar Crime Center. Without exception, they acknowledged the need for some sort of digital forensic capability, but most (all but two) cited budget constraints as preventing them from developing sufficient capability, or in some cases, any capability at all.
2. Screenshots for figures 1 and 2 were made using “Diskexplorer for NTFS” (demo version) by Runtime Software. This does not constitute a recommendation for or criticism of this product.
3. Screenshot for figure 3 was made using “R-Studio” (demo version) by R-Tools Technology, Inc. This does not constitute a recommendation for or criticism of this product.
Tim Wedge is an Assistant Professor of Practice in Digital Forensic Science at Defiance College. He has been in the field of digital forensics for more than twelve years and has been in the information technology field for more than twenty. He has trained thousands of investigators and prosecutors in digital forensics in the U.S. and spent two years conducting digital forensic examinations for Army Intelligence in Iraq.