“Confessions of CEOs” is a series on how business owners are changing the service landscape. Today, we’re chatting with Steve Simpson, founder of S2 Forensics, a digital forensics consultancy. He shares his secrets on how to protect your business forensically.
Why S2 Forensics?
I love to solve puzzles, and technology only makes it more fun; court cases are just another kind of mystery. You can tell a story of what a person did, where they went, and the keywords for which they were searching. People take lots of photos – selfies, photos of friends, landscapes, or any number of things. Some even take pictures of themselves at a crime. Images have the potential to provide metadata regarding the time, date, or geo-location, indicating that they could have witnessed something or participated somehow. Evidence found on devices can exonerate or convict a person, whether the case is civil or criminal.
S2 Forensics offers the best digital forensics and computer technology support available to litigators, corporations, and government agencies. We offer a cybersecurity element that goes beyond computers or cell phones. Many of our non-technical clients want to know the nuts and bolts, literally and figuratively, of the technologies they work with daily. We put in whatever extra work is needed to explain these complex technical concepts.
Every litigation case is intriguing. It’s about helping lawyers understand technology so they can best present the case in a courtroom environment. We discuss tactics on specific examinations, testimony on the witness stand, and cross-examination of the opposing witness. We review the evidence and provide contrasting interpretations without violating people’s civil rights. It’s often about how and where we discover information that makes that evidence admissible. For example, some peer-to-peer (P2P) shared folders don’t need a warrant to be searched; if, however, a particular file is removed from the P2P shared folder, law enforcement may require a search warrant for the file. A digital forensic analyst needs technical and legal background knowledge to do forensics right in addition to specialized skills and tools.
What can businesses do to protect themselves?
Keep all hard drives. When a person leaves a company, the company should replace the hard drive and store the hard drive away. The hard drive may contain critical information and evidence of misuse of corporate resources. The hard drive should be kept or given to a digital forensic professional who will take a forensic image and complete a comprehensive hard drive analysis. The hard drive mustn’t be recycled or used by another employee. The replacement cost of a new hard drive is about $100 per 1TB of disk space. This cost is minimal compared to the cost of litigation that may occur after someone leaves.
If a business suspects someone internally of misconduct, any evidence you collect that may be used in legal action against a current or former employee must be collected and stored in a manner that will hold up in a court of law. For example, a previous client had agreed to allow an employee to perform a particular project remotely. The company issued the employee a computer with specific software expecting the employee to develop a business application. After making zero progress on the application after several weeks, the company collected the laptop and terminated the employee. The employee later came back to sue the company for wrongful termination. The company requested a complete forensic analysis of the terminated employee’s computer. The evidence on the computer showed that the former employee was using the corporate computer for hacking websites and harassing and extorting women he found on various dating websites. After being confronted with evidence, the former employee dropped his case.
In divorce cases, spouses often sue for child custody. Often both spouses have joint access to devices. Forensically, it’s possible to determine infidelity or other inappropriate behavior like cyberbullying, harassment, active involvement in child pornography, etc. Using the correct tools and methods, this type of data can be uncovered and used to help make the best decisions for all involved. While the act of searching for data may seem trivial, it requires specialized skills and tools to find the data that will stand up in court.
What’s your #1 learning in cyber forensics to date?
Each device stores data differently. From the outside, devices may look similar, but internally, they are as different as night and day. Let’s take storage media as an example; traditional computer storage technology is about 70 years old. Because of how an operating system stores data on magnetic media, deleted data may continue to reside on the hard drive disk indefinitely. In contrast, solid-state storage technology may not hold deleted data nearly as long due to garbage collection and wear leveling processes. These processes, along with other differences between solid-state storage and magnetic media storage technologies, significantly impact the amount of deleted data that may be accessible on different devices. Access to this deleted data may make or break any given case.
What’s an indispensable tool you couldn’t live without?
I’m a big fan of open-source tools suited for Windows and Android devices. Many of these tools are developed by digital forensic enthusiasts and improved by digital forensic practitioners. However, commercial and proprietary tools (those requiring paid licensing) are also important. A professional digital forensic analyst usually has access to both types of devices. I will usually use one to acquire or analyze evidence and use the other to verify my findings and conclusions. I will not present my findings and conclusions for a case until both the open-source and commercial tools agree on the evidence.
What’s your philosophy?
Be hungry for learning. Technology is constantly changing, advancing, and widening its reach. I enroll in classes in my free time to better understand concepts. I found that with a strong work ethic and an ability to internalize information quickly, it’s easier to stay up to date. Many tool vendors provide fee-based training that is usually top-notch. Many YouTube videos offer tutorials on how to use various software tools and demonstrate evidence collection and analysis techniques. Many excellent books can be found in college and university libraries or purchased online at a reasonable cost.
How do you give back to the community? Why is that important?
I’ve been teaching at the college and university level since 2015. I currently teach computer, mobile, and network forensics classes at Highline College, Central Washington University, and the University of Virginia. Through both my professional and teaching career, I’ve aspired to help teach people the beauty and complexity of technology while also helping them understand how impactful it can be in their everyday life. While you can’t master forensics in 13 weeks, you can at least appreciate the field and continue to develop a mastery of the technology throughout your career.
To date, most of my clients have been lawyers and particularly criminal defense lawyers. As a result, some of the cases I work on can present me with a moral dilemma. However, my job is not to determine the defendant’s guilt or innocence – that is the job of lawyers, judges, and juries. My job is to uncover the evidence found on a computer device, determine how the evidence might have gotten there, and present my findings for use in a court of law.
What inspires you to keep going?
I’m fascinated with digital forensic technologies and how to use the technology to uncover information and develop a timeline of events. Each case is different and might require a different and unique approach. I find helping both my client and society very rewarding.
When all is said and done, what do you hope for S2 to achieve?
At the end of each case, I want to ensure that justice is grounded in data fairly.
S2 Forensics is a preferred partner on Beaze.