I just finished up Case Study #8, with one of those types of cases that just won’t die.  If you ever had a case like that, you know what I mean.  If you don’t know, it simply means that as much as you try to close a case (“kill it”), it keeps coming back to life.  This happens with both civil and criminal cases (and internal corporate matters as well).

A few reasons that a case may live on well past the time you wish it would are; 

•          You keep finding more evidence, even after the investigation is over
•          Corners were cut and now the devil is calling
•          The attorney keeps asking for more work on it
•          Trial comes and goes, then comes back again, then goes, then…
•          Evidence you initially found is now found to be inaccurate
•          Interrogatories and interviews come and go and come and go and keep coming
•          More jurisdictions join in
•          Case agents/officers keep changing and rotating and being reassigned
•          Errors that were made are now coming to light, just in time for court
•          Reports are missing or don’t contain necessary information
•          And worse yet, the case hits the news

Case Study #8 takes a case that has a few of these things, but as for how to keep a case from coming back to life, there are things you can do to reduce the risk.   The most important method is to do a thorough job.  Doing a good job will reduce the chances of a zombie case by 90%.  Do good work, double-check your work, triple-check it, and you have less than a 10% chance of it biting you later. 

The remaining 10% chance of your case turning into a zombie is probably out of your control.  If you are given the wrong information, evidence is misinterpreted, or workers in your case don’t do a good job, there is a good chance that the 10% zombie case is coming for you.  And of course, if the suspect wants to fight tough-and-nail, it will drag on.  However, if it is bad enough (ie: news worthy because of investigator ERRORS), and someone leaks it to the news media, you now have a full-blown zombie breakout that will last not only years, but perhaps the better part of your career.

Back to preventing the zombie-case outbreak

Do a good job.  Even on those cases that seem minuscule at the time.  You never know how one seemingly insignificant case can end up reaching the Supreme Court, and not because you did a good job, but just the opposite.  Trust me.  I’ve seen it.  Seriously.  Do a good job, because when it happens, it is so much better to be the person that did a good job in the case and not be the one that screwed something up.

#DFIR Case Studies #8 released today. I picked a case where an innocent person was arrested and talk about the mistakes to avoid.
Get the entire case study series + the WinFE course with 3-day promotion at: https://t.co/aKZhmkijc4 #infosec pic.twitter.com/TQQKSPuOsq

— Brett Shavers ? (@Brett_Shavers) April 12, 2018