Data Exposure Podcast

Beyond Breach: Why Data Loss Prevention Is Every Leader’s Problem

Justin Tolman and Robert Fried explore data loss prevention, forensic readiness, AI risk, and leadership decisions that protect sensitive data and preserve defensibility during high-stakes investigations.

In an age of geopolitical tension, insider threats, and AI-enabled leaks, data loss isn’t just an IT concern, it’s a board-level crisis waiting to happen.

On this episode of Data Xposure, forensic expert Robert Fried joins host Justin Tolman to unpack what true data loss prevention (DLP) requires in today’s volatile environment. This isn’t about box-checking software—it’s about building systems that protect your organization’s most sensitive assets without grinding operations to a halt.

Drawing from decades of frontline investigations, Fried shares why many companies fail to detect—or properly respond to data leaks, and how legal, security, and compliance leaders can better collaborate when the stakes are highest.

You’ll learn:

Why data loss is escalating across industries and who’s most vulnerable right now
How forensic readiness gives organizations a crucial edge in crisis response
When and why outside experts are critical to preserving legal defensibility
Why communication breakdowns are still the #1 risk amplifier during investigations
How to balance AI’s efficiency with the irreplaceable nuance of human judgment
What emotionally intelligent leadership looks like when your company is under scrutiny

Whether you’re navigating new SEC cybersecurity rules, juggling breach notification obligations, or trying to secure a buy-in for DLP tools, this episode will arm you with practical insight and strategic perspective."

Takeaways

Techno Security conference had a busy schedule and a high attendance
Justin presented on distributed workflows and the importance of privacy in investigations
The vendor hall had fun swag and a popular claw machine
The after-hours event had a large turnout and Exterro gave away 10 licenses of FTK
Automation is important for efficiency and compliance in forensic labs
Networking at conferences provides valuable opportunities for learning and collaboration
Share your stories and insights with the FTK Over the Air podcast

Chapters

Justin Tolman (00:00) Now we have Robert Fried joining me here on this episode. And as always, I'm happy and always looking forward to talking to you, Rob. Thanks for jumping on.

Robert Fried (00:09) Thank you for having me again, Justin. Appreciate it.

Justin Tolman (00:11) we just spoke at the symposium on e crime for 2025. really good event. you're very key player in that in that presentation, that webinar series. Just tell us a little bit about it and how it went and some of the successes from it.

Robert Fried (00:29) Yeah, this was our fourth year doing it. We started off, those years back with the idea that we wanted to present the industry and we're talking about forensics, industry, also dealing with digital forensics topics, nice opportunity to get some experts together. From various disciplines and talking about disciplines expertise in different areas. So with this particular Event this year it was bringing together people like yourself who have done a substantial amount of research in cutting-edge topics again, we covered AI we had ESD canines that were discussed we had forensic hardware, and how that impacts cases. So these are our topics that, and even the dark web, these are topics that are very relevant out there that we're kind of working through our investigations, in many regards. AI is a big topic, obviously now. So having all those people, come together in a webinar type format, doing it remote so that we're able to, do these things in the convenience of our own home and our own offices and be able to reach a large audience. So it's a great opportunity to get everybody together. We are going to do it again next year and hopefully for years to come bring together key experts in various areas. So look out for invitations in the near future.

Justin Tolman (01:59) it was great. when I got the invite and noticed the other speakers, I think my response was I better turn it up a better. It was a good lineup. So definitely people should check that out. But speaking of e crime, you and I got together last week, and discussing this episode, really started to focus on data loss prevention. And so I think

Robert Fried (02:10) Yeah. Yes.

Justin Tolman (02:22) that is something that impacts or potentially could impact every company out there. And so I just want to ask you, you know, let's start with the basics. What is data loss prevention? What is data loss>?Let's set the let's set the foundation first on what that is and go from there.

Robert Fried (02:40) Yeah, well, data loss is obviously the scenario where somebody takes data outside of an organization that they do other things with once they take it. So there's a lot of opportunities now to assist corporations and individuals with this service line. There's a lot of data loss prevention solutions out there which help individuals, corporations, monitor the status of different types of and or important documents and things like that, which organizations or people rely on pretty heavily. And so anytime you potentially access a file, download it, It's doing some auditing there so that you have some visibility so that if you need to take action, you can actually establish a timeline of events and the life cycle of what actions were taken on a particular file or set of documents or things like that ⁓ in investigation.

Justin Tolman (03:44) When you approach a case for data loss prevention, how important is the time of detection versus like when you start to take reaction?

Robert Fried (03:54) Yes, I think that, data leaving an organization, going out the door is a extremely difficult situation for some organizations. And, there's a lot of emotions that get involved, especially for like a small business. so the, Necessity to react pretty quickly is there, just because with all the different ways. that data can then be used once it's out the door, that can happen very quickly. And that could actually impact. an organization. mean, think of, the company secret sauce recipes going out the door and how quickly that can be propagated to different storage locations or other individuals, things like that. So there's there's likely a need there to move quickly and efficiently to kind of figure out what happened. and put some place guards within the organization so that the amount of damage won't be additional if anything like this was to happen or has happened down the road.

Justin Tolman (05:03) I love that answer and you see these high profile cases in the news or maybe you work them and yeah, they can litigate that information back but it's one of those things where once the let's say engineers or the people have seen the secret sauce. Yeah, you may not be able you may not copy it exactly but you've learned enough to do damage to the company even if you contain it later, right?

Robert Fried (05:30) Yes. it's interacting with that data, being able to obviously maybe leverage some of that data. And through the passage of time, sometimes that data may be outdated, but it does have value to the organization just because it may be stats for a particular period of time or things like that, which would otherwise maybe lose some value, but, again, it's. It's how the information is being shared, who is it being shared with, things like that, which companies will make a decision as to who may have been generating certain type of data. And if that data got out the door, is there a monetary value to that document where damages can be discussed as a result of those documents leaving possession of the company?

Justin Tolman (06:21) It really hammers home that you need to have a solution because you can't rely on, well, we'll just litigate So that leads me to one of the discussions we had. Some organizations have in-house teams. Some organizations rely 100 % on outsourcing to a company like Page One for Robert Fried and some are hybrid, what are some of the advantages, pros cons of, leveraging those outside experts to come in and, work these cases, or assist companies in working these cases?

Robert Fried (07:00) Yeah, I think that's a great question because a lot of organizations do have internal teams. Those internal teams may have a set of priorities.And if there's any additional kind of work or tests that come in sometimes we get brought in in that regard other times we get in brought we get brought in directly at the beginning of these particular projects or situations and the advantage is is that an organization that's outside of the corporation May have more tools at their disposal. They may have more direct experience Outside of normal workflows that even though an organization may have a similar tool They may not be using it in the same capacity. There's also certifications that outside professionals have and can attain by taking courses things like that but a big one that I always bring up in regards to having a third party come in and support is the ability to provide testimony on behalf of the client to say This is a scenario we were engaged for these are the tasks that we were asked to do the scope of the work These are the processes that we executed these are the results that are yielded the tool does this because of the fact that it is able to perform these processes and explain them in a way that's easy to understand for a judge or a jury which ultimately will need to understand what you did, how you did it, and where the results are coming from.

Justin Tolman (08:37) And through that whole process, communication, And it's important to, be fluid in those conversations, I would assume, right? Makes your job and their situation a lot easier.

Robert Fried (08:50) Yeah, and like I said, the emotions are so high during these times too, that you want to be overly communicative. A lot of organizations, they split up their forensics teams in kind of two categories. You have data collections and you have investigations. You can keep people active on collections, but when investigations come in, you have to stay focused in on those investigations because if you're juggling a little bit the Investigations, although they may take time. They move very quickly, especially if somebody leaves and starting a job Let's say you get word on Friday You got to be at the office Friday afternoon to collect things by Monday morning They want answers to go and send a request for a temporary, restraining orders so that that person may be prevented from starting at the new job There may be a lot of things that are going, a lot of moving parts in the background. So communication helps not only just set the expectations, but it really keeps you in touch as to these critical stages. Just like any investigation, the first few days, the first few hours, depending on the nature of the case, may be very crucial. So you want to roll the deliverables as much as possible. as quickly as possible. So we do rolling deliveries so that if they want to look at devices attached, we give them that information. If they want to look at file activity, we can give them that information. If we want to do log activity, you have that. And if you want to look at internet history and all the other aspects of an investigation, we can deliver these as needed based on the priorities involved in the case. You want to be overly communicative. You also want to know what format that the client wants to see this in. Do they want to see spreadsheets? Do they want this in an email? I like to actually have phone calls. We can bring up what's going on on the screen, discuss it, strategize about it. You want to be a very trusted advisor during this time, this critical time where decisions are being made. And sometimes it's so technical of a kind of process for a lot of people. They're heavily relying on you to be that person that's going to help guide them strategically on what needs to be done.

Justin Tolman (11:16) That's the last comment. It's kind of the true test of an expert is can they explain highly technical or complex topics in a way that anyone can understand it, at least at a fundamental level. So super important. As you go through that process, we talk about emotion. with emotion comes

Robert Fried (11:30) Yes.

Justin Tolman (11:41) a perception and assumptions of what is happening, from the client perspective, they're not usually not a company without any technical people or any investigative oriented people. So how do investigative teams in general, whether service provider or in house manage these client perceptions as you try to delicately navigate an investigation like data loss to make sure that everybody continues to work effectively.

Robert Fried (12:12) Yeah, I think, the first thing that's important is business continuity in these types of situations too. You have to think about that and who's ultimately impacted as a result of what you need to do within their environment or their network. The perception sometimes is that, this may be more widespread. You really have to go in there. with a series of tasks and a game plan. You've got to bring in that calmness, although it's a very critical time for the company. But you have to assure them that you're going to take every measure possible to identify the situation that's at hand. It's almost like being a digital fireman, right? Like you got to, get the call, gotta go there, you gotta assess what's going on and you gotta move quickly, but you also have to say, hey look, you can't go into the building right now, you can't touch these devices until we figure out what's going on. And you have to build that trust because at this stage, people are afraid of what's happening, but you have to go in there and say, this is what we plan to do, this is what we would expect to find. and we're going to give you those results as soon as possible versus going in there and saying, we have to image every computer. We have to look at every network drive. We have to see the traffic across the network. At this stage, you ask questions, but you actually take the lead. And that's what a client would look for in a provider at that point to come in and help bring some clarity to the situation. but act in a manner that really shows that you have their best interest in mind and that you're going to give some results as a result of what you plan to do that may tell a little bit of the story. Sometimes you walk in blindly. It's really tough to go into a business environment that you've never been, you've never accessed, you've never been there. Even navigating physically around the office may be difficult. There's a lot of things that you can't really plan for, but what you have to do is think of your past experiences in doing this type of work and figure out what the best path forward would be strategically and to get that information quickly because like I said, they want to move fast also if they want to file a lawsuit. Sometimes they don't even know if they need to file a lawsuit. This is their opportunity to find that out.

Justin Tolman (14:48) building on that in your earlier comment on getting results. Especially for a service provider. You it's kind of this I'm paying you situation. I mean, if we're going to break it down to its simplest thing, there's got to be a balance between serving your clients needs. Absolutely. But you're professional investigative integrity as well. what are some like a tip on balancing those two?

Robert Fried (15:14) Yeah, I think it's important not to over promise and not to set expectations so high that people who may not have that result are going to kind of push back and say, well, you told me this. I think that you want to make sure that you go in and you are objective in what you're ⁓ looking to do essentially and be able to give those steps, know, kind of share those steps with your clients so that they know exactly what the game plan is and what the anticipated results are. I think that you really have to also protect what you can do as an expert coming into that and say,Well, based on the situation at hand, we can only tell so much. If we have a thumb drive, that's left at a desk, we can tell what files are on there. We can tell when they were last accessed. We may not know exactly what computer they were attached to. So that's a good example of just kind of setting some expectations. Or if you have a computer and you triage that computer on site because you image it and you kind of go through the motions. Yes, we have the computer, it's showing us the thumb drive. Do we know anything in terms of what's on that thumb drive? Well, we need to kind of have both devices in hand to corroborate and tell the full story. So I think when you are interacting with the client at this stage, your integrity is really important because that kind of helps build trust, but that's what the client is paying you for. They're paying for you to be an advisor, to be kind of straightforward with what can or can't be determined, and you have to navigate that very carefully. You don't want to go in there and saying that you could do all these things because the reality is you may have a very small pocket of time to do everything you need to do, especially if this is a procedure or a process. that is covert in nature. So, and also you don't want to raise any concerns with others that may be in ⁓ the space where this is all happening. So you have to be really strategic about it, but also just protect the interests of both your client and also your own integrity and being very upfront about those things.

Justin Tolman (17:46) I know that the forensic term that we all love, we all need a t shirt of "It Depends". But speaking of possibilities versus reality, do you find so AI, we got to go you can't go five minutes without talking about AI, but it it really starts it's really delivering people information but not wisdom, I guess. Do you find in your line of work that it kind of has become we kind of the web MD of forensics where I know you could you can do this, or this I have this, it's this problem. Do you see that impact on your work?

Robert Fried (18:29) Yeah, I used to always say to people, I stayed at a Holiday Inn last night, expressed last night. Now it's while I talk to GROK or ChatGib, all these different sources. You are having a lot more usage of AI, which I think is a great tool. Where it impacts us as examiners is that, don't forget, sometimes we don't just share. the reports that we give or the information we give to the counsel, to the lawyers. It also goes to the end client that has a vested interest, that's a stakeholder within the organization or for the investigation. And so you are presented with a lot more questions nowadays. they don't necessarily... say that they used AI, but you can tell when somebody is getting into iNodes and the master file table and, Mac times specifically hearing it like that, or, when they have a little bit of a forensic kind of, direction that the, the information's going, it's not something that, ⁓ you would just... Easily find in a google search or whatnot, it's picking that up from an AI Model so yes, it does happen pretty often

Justin Tolman (19:50) You would think you'd have to kind of steer it towards a return on your investment because Is it going to tell you more information that's valid to your case? Right? Like probably.

Robert Fried (20:00) Right. And that's the whole thing. It becomes more of a rabbit hole sometimes. It can lead to additional analysis, which costs money. everybody's going to be looking into this. But strategically, in terms of running an investigation, one of the things that I feel that makes me a little bit different is that I've done a lot of investigations, but I also have an investigative mindset in that I'm not going to just look at what the tools give me. I'm going to go back and figure out what's the best way to prove this in a way that when I'm writing my report, I can write it effectively. And, you know, a lot of the report has to be somewhat, balanced between technical and being able to articulate. a way that whoever's going to read this, because you never know who the reports are going to wind up in front of, that anybody can read it and that you're presenting the information clear and concise. And you're right. A lot of those models now are in those ways where, look at Google now, you ask anybody something and immediately people are going on the web to clarify it, things like that. But really, the difference between you and I and just an average person going on and looking at all these AI models is that we have the experience that we have and we can balance the hallucinations that are very possible with those models based on our experience and the reality of what we see when we're actually looking at this stuff where when you hear the client and obviously you have to hear the client out. Sometimes you have to make a judgment call and say, if you need me to look into that for you and you'd like me to do that because it'll make this a little bit clearer. I will definitely do that. However, it's still not going to get us to the point that end goal like you were saying before, Justin. But at the end of the day, how's your data going to wind up in court? That's going to be through leveraging experts, through personal experience, through actual training courses that are accredited, that are through reputable training bodies. And I think that experience is something that's very important, especially nowadays where, anybody can Google anything, can search the web for anything and see videos, images. websites, I mean it's at your fingertips, but that experience of somebody coming in and saying these are the processes that I followed, these are the steps that I took in this particular case, and these are the results that are yielded on a industry accepted tool or process, that goes a long way versus I'm printing up a series of search result hits and I want to present those to you.

Justin Tolman (22:51) Absolutely. Defensibility at the end of the day is key. It's the foundation, right?

Robert Fried (22:54) Yes. Yes it is.

Justin Tolman (22:58) So we've talked conceptually about some stuff and we're not going to go into the details of who of course, but I know you've worked some cases dealing with data loss prevention or data loss, but data loss Can you share a scenario and how you approached it and what made it successful in your approach so that others might be like, okay, This is this is what I should do to do it right and to minimize damages.

Robert Fried (23:25) Yeah, there's a lot of scenarios that I've been involved in over the years. I've walked in sometimes to situations after law enforcement. Some cases are more involved than others, but there's one that I would probably want to highlight just because it kind of hit home a lot of different ways for me. So it was a job that I had to fly out to the West Coast for. Mentally, when you're going out and doing these things, you got to get yourself kind of in the zone, get focused, right? Because you don't know what you're going to respond to. You get there and it's really eerie. An entire floor of an organization departed. Everybody just walked out the door at the same time. You have an office, I've got trinkets all over the place. Offices still had all the trinkets. It was just really interesting. It was dead silent. So you walk in, you're walking with the organization, some stakeholders, and what you see is on people's desks, resignation letters and computers and thumb drives and... Inner office. You remember when we used to have inner office Manila folders? We don't have that anymore. We have email now and chats and Slack and all that. And then, you're the expert. So Rob, this is what you have here. We had 80 people on this floor and everybody kind of followed, the leader and the leader now brought on his team to a new organization.

Justin Tolman (24:36) Yeah.

Robert Fried (24:58) So in the background, as we're kind of assessing the situation, and the operations continuity is happening already. We're flying people in from another part of the business to help make sure that whatever was going on here continues. You got to think about that. You can't just start shutting things down because it's a. It's an organization that, still has to service its clients. So. One of the first things that we discuss is, well, what's the priority? Who's the main player? Who are the other people that we know, definitely went along or may have had a piece of? kind of this decision with the others, and then also determine where everybody was located in the office, physically track that down, and then start looking in their general area for any devices. Computers, those thumb drives that may have been on the desk as well. Computers that may be in drawers, printers. Anything electronic which has the ability to either print or store information was fair game. The benefit at that time too was we had counsel there. At that point, it was inside counsel who kind of knew who these stakeholders were. And at the same time, we had outside counsel who was kind of getting ready to prepare like, hey, we had a mass departure. We know people left. We have resignation letters. So the next step is to figure out what information may have been taken because obviously all these people left. So we were given machines and we're talking about stacks of computers at this point. And you get there, flying from the East Coast to the West Coast. You have a little bit of jet lag. You got to get over all that stuff. I got the phone call. was remember I was eating lunch with my wife, stopped eating lunch and said, I got to take the next flight out to the West Coast. We didn't even finish yet. was like, okay. But anyway, you you get there and you got to, you got to be in that game. So you have your tasks at hand and you get the computers, you're working closely with that corporations IT team or the InfoSec team. And what's my role? My role is they're going to start downloading the corporate email in the background. And I'm going to start dealing with the local machines. Like we split up the tasks. And so once we got onto local machines, the first order of business was, okay, what devices were attached? we found out through a lot of this stuff that a lot of documents... may have been kind of copied as a result of looking at the devices that were attached and the file activity on the computer. That was the second thing. I think we used NCase and FTK imager at that point for a lot of this stuff because we needed to basically generate a lot of file inventories. After that, it was just a matter of figuring out how much time has passed since all these activities. It was in the last few days. So, there's some planned departure. This isn't just like waking up one day and saying, hey, it's going to be my last day of work. I'm just going to, go to work and come back later. This was a planned exit. We even had a guy who we saw it generated a PDF and we didn't even ⁓ think about it at the time, but you look at the PDF and it's huge and it's got the whole email export in a PDF file. So you're like, that's a new type of PST. ⁓ You learn a lot of different ways that people export or exfiltrate data that you normally would think like, hey,

Justin Tolman (28:33) in PDF. You

Robert Fried (28:46) These people are very creative. They obviously may have thought about this. And you put yourself in the shoes of the client. Hey, what do we need to do to help you put this all together? Well, give me the name of that person whose computer it is. Tell me what devices were hooked up. Do they have their thumb drive on their desk along with their resignation letter? If not, that's somebody that we need to put a letter out to. Done. found another situation like that and another and another and soon enough you get five or six names and now you have a potential poaching case or whatever it was and we went to town on every computer figuring out what was done how it was done we found some computers were even updated prior to the departure so that you know any activity that was done in the last couple of weeks is no longer available because the computer was refreshed. So you even talk to the IT service team to say, hey, did so and so call you to tell you that their computer wasn't acting right? Or sometimes there's a major refresh that happens at the organization that wipes out a lot of this stuff and reinstalls things at the organization. So now you have that challenge in your analysis. So there's a lot of moving pieces here and you have a very short period of time to act and to give that information over to make a viable case for your client.

Justin Tolman (30:18) That's a lot of data you got to sift through as well when you're making you talked about inventories and if you had 80 people, like you mentioned, they're not just one device per person, a couple jump drives, maybe a couple computers,

Robert Fried (30:26) Yes.

Justin Tolman (30:31) that's got to be the trick is not only are you collecting a lot of data, but you got to keep that data organized so that you can tell the story as it goes. And you don't lose yourself in the narrative.

Robert Fried (30:41) I mean, think of like our reaction when we looked at the install date of the OS or when update happened and you're like trying to figure out why logs may not be available. And you you start telling that story and you're like, wow, all these people had their computers refreshed in the last couple of months. We may not be able to know exactly when this kind of, departure was actually being planned. I remember in that particular case too, it was such a contentious, eerie quietness in the office that I remember when we went out of the building at the end of the night, you're done with the day, and there was a smashed rear view window on one of the cars and you're just thinking, like, that's a lot of things to think about. but you're going into real situations. Like I said, emotions are really high. You gotta keep focused in what you're doing. You gotta stay out of the details of kind of... who is doing what at the organization. You gotta focus in on the task that you're being asked to do, which is to preserve and examine and give that information over as quickly as possible and let the people, the stakeholders that have knowledge of the business, I'm not in every industry to know exactly how everything works. I don't know based on a file name if something is relevant or not. That's something that we work with legal counsel for. The stakeholders at the company who are in those divisions are familiar with that. I'm there to provide a service where I'm able to make sure that whatever we're looking at, whatever we're reporting on goes into the court system.

Justin Tolman (32:31) And that's key. You're kind of a finder of lost things and a translator at the same time for the people that will make the decisions on how to go. Stay drama free. know, like, no, no, you guys handle that.

Robert Fried (32:41) That's right. Yeah, I remember I walked in once and to a major corporation is pretty exciting. And I said, I'm looking for the CEO. And the guy goes, that's me. I'm the chief entertainment officer. the guy was trying to make small talk with me and everything. And I just stayed focused on what I needed to do because like I said, people deal with these situations differently. I've been followed to bathrooms. While imaging computers and hey, what are you doing? I'm still work with IT, just kind of focusing in on what I need to get done and understanding my surroundings, but also being able to just stay focused and My objectives need to be met when I walk out the door

Justin Tolman (33:31) have to throw in a question that we didn't prep for for every guest because you guys give me so much good thoughts while we're going through this. But how has work from home impacted this approach and your approach because companies may not have a floor of people anymore. what are some of the dynamics with that?

Robert Fried (33:53) Yeah, so it's an interesting situation because, a lot of corporations had to kind of think about their policies like USB drives, which is a quick way to exfiltrate data, emails, know, people going on websites, printing from their home printers using cloud storage. taking snapshots now and recordings and all that. So the purview of the company is kind of different in terms of what people are actually doing. But at the end of the day, there's always a device involved. So there's always a way for us to kind of go back to the source and understand kind of what happened. That challenge becomes if it's a BYOD type of situation, we're now on top of working from home, people are using their personal devices and it becomes a little bit more challenging to compel people and require people to turn over their devices. But like I said, there's always a There's always a device or a way that people interact with the data. And our hope is that, we could potentially find timelines where people were doing that interaction, having that interaction or different types of footprints and or artifacts that are left behind. And so it kind of, doesn't overly complicate things. I think it's just a matter of the different data sources that are now involved. and getting access to those. So we have to write really compelling statements in ESI protocols and motions to the court to say, well, you know what? John Smith was a salesperson for the organization. He worked from home, but he had access to a computer from the office and he got a stipend for having a phone that was his that he was using for business purposes. You have to be really clear. with IT or legal when you're dealing with these companies to say that although they may have these corporate devices, were they using any other devices at home for business purposes? And a lot of people have.

Justin Tolman (36:09) It's when you describe it like that, it's kind of wild that the entire world for work reasons haven't gone to something like a Chromebook or a surface where it's just all in the cloud. So they always just have access. it's just like, all their stuff's in the cloud. Just pull it down, describe it. But there's also features and costs, but I don't know.

Robert Fried (36:28) Yeah,

most of the CEOs that we deal with or C levels. They don't have a lot of documents locally on their computer. It's all in the network. And you think about some of these hybrid situations with the equipment of BYOD. And let's say I use Dropbox and Dropbox desktop is... installed on that computer and it syncs automatically. So now you think you're doing a remediation of somebody's computer and saying that's the only place that, Joe has all this data. Well, it's actually synced up on Dropbox. And if you aren't the investigator to make sure that no stone is left unturned, then there's always a possibility that yes, you may have deleted that copy of the data, but there's more of that out there. that you need to make sure that you check all those different boxes. And I don't want to suggest that there's a cookie cutter approach to any of this, but you have to know based on the scenario that you're given, right? What are all the different possibilities and try to exhaust all them because that's what's going to allow your client to sleep better at night and you to sleep better at night. because you've done everything that you can potentially do. Remember, I always say that the computer is like an exact snapshot, right? Like most crime scenes, you process a crime scene, you leave. You process, the computer and you have that snapshot and that snapshot is not going to get altered or degraded in any way. So you got to make best use of your time doing it. And you have to have access to all the data that allows you to do that. For example, if I'm just given a document and said, know, hey, please just give me the metadata off this document. That will help us with our case. I'm going to say, I can do that, but I want to know where that document came from. I came from the network. I want to see the network side of it too. I want to tell the story so that this way the whole story can be told and not just a portion. And that's where you can add value as an investigator.

Justin Tolman (38:38) in adding value and you talked about avoiding a cookie cutter solution. we talked about a case killer in another discussion of we do this every time, or this is how I always do it. And that's a slip. I wouldn't even say it's slippery slope. Like you're, you're falling off a precipice at that point when you're approaching your cases like that. So given

Robert Fried (38:59) Yes.

Justin Tolman (39:03) that saying or that risk, what would your recommendation be to maintain like the integrity of the forensic process, integrity of your investigative mindset to avoid the we do this every time approach?

Robert Fried (39:18) I think you have to look at every case as a unique circumstance. You can apply your processes that are maybe standard within your organization. So for example, we may create a case within the tool and run the same processes, but. Each case needs to be looked at individually and you need to tailor your results to apply to the specific ask from that client. nobody's going to want to just look at a report that they can tell is structured for, let's say, employment departure type of report. When you're looking at is the metadata intact here for a document? So your style of report and reporting and rapport should be based on what the clients asked you to do. It's okay to have. a way to report or some language that you use that's consistent. Like I have a library of terms that I use or I have introductions if I'm starting to talk about a specific type of data. Like that is fine. However, you want to make the client aware of their device, their scenario, and what's important in their particular case because every case is different, the strategy may be different, and the sources may be different, and you may have to tie it all together in unique ways because that corroboration of all the evidence coming together happens a lot, but it doesn't always happen the same way. So no cookie cutter reports, maybe leverage, reuse some of the language that's worked for you, use footnotes for that, references or resources like that to help you, but definitely look at each case individually and it will make you a more aware examiner of how important the work that you're doing is, that it's not just another case from this client, it's a case that matters to this client and it's your your test with coming to the conclusion of whether or not information was taken or not. I am very very careful with a lot of these examinations. because I'm aware of the outcomes. The outcomes of these cases could result in somebody losing their job, affecting the livelihood of that person and their families and others that rely on them. So I think we have to be very, very understanding of the weight that's on the examiner's shoulders in that regard. And we have to approach things objectively. And we have to also think of the bigger picture. If I'm looking at a computer, for activities, I understand that that person used that computer for business activities. I need to dial into the specific business activities that my client is specifically... looking at or asking me to look at 30, 60, 90 days, 120 days, focusing on date ranges, focusing on communications. I need to really be clear about that because what I do and my reporting may impact how the case goes and if somebody is caught doing those things that will come out. But if I'm making assumptions based on certain things that are being told to me, I got to look at the evidence objectively and then write that stuff down in a report in a format that makes sense for the case.

Justin Tolman (43:13) That's so key. You may be hired by a company, but you're investigating the actions of people and your investigation will have very real consequences, not just for those people, but also in how you, based on how you conduct yourself and your work could also have ⁓ a dramatic impact on yourself. Would you consider that fair?

Robert Fried (43:35) Absolutely, you know, there's a lot of times where you're writing these reports and you find the smoking gun, you know or find something that is something that you have to report on and you always look at it from both sides, but I'm always objective and I always like to be very Sure of what I'm putting down especially in those types of situations because I understand the impact of that not only just from a monetary side of things, but also from a personal side of things, human side of things, and it's a part of the job, right? So is going to court and testifying. These are all parts of the job. nobody prepares you for things like that. Sometimes you have to just get that experience and understand how to deal with it. But our work is very important, and it's not just go collect data. It's what happens after the data is collected that is really important as well and you have to pay attention to every step along the way. Your whole case can be questioned based on signing a form. Your case can be questioned on how the tool that you used interpreted something if you don't know how that tool works. So learn your tools, learn documentation, all those things because the bigger picture is there. It doesn't matter if you've done this work for 23 years like me or five years if you're just getting started. You will have to go to court one day and testify and you have to be prepared for all that's out there that can be asked of you, the impact of what you report on and just do it with. integrity and document well and certainty that what you're presenting is exactly what you saw and that's really important advice I hope resonates well with your listeners.

Justin Tolman (45:41) think it will I think forensics is a detail oriented career path field. And it's important to never lose sight of the details. So absolutely. Well, Rob, I appreciate the time that you take out I know you're super busy between other speaking engagements between your work of course and and then your family I know you're very involved with the family so I appreciate every time you take time out of that busy schedule to speak with me and your comments are always just platinum grade. So I appreciate it.

Robert Fried (46:13) Thank you. Similar to you, I appreciate all that you do for the community. I think it's something to not only just ⁓ put your thought leadership out there, but the amount of time that you invest also in giving back is fantastic and one of the reasons why you were so invaluable at our symposium this year. thanks for all that you do as well.

Justin Tolman (46:36) Thank you. All right. Well, thanks again and we'll chat with you again some other time.

Robert Fried (46:44) Take care.

‍