OK...so this is my interpretation of "Bizarro" forensics, which sadly, REALLY still happens. I was recently reminded not only of this, but of just how big the forensic world is, how many investigators there are, and how far we still have to go.
Sniper Forensics (SF) is the targeted approach to conducting forensic investigations. It helps the investigator to use logic to guide his/her investigation to find answers, not just gather data. Now, I am not going to rehash SF, but I just wanted to mention it briefly for the purpose of comparison.
The opposite of SF would be to illogically and haphazardly gather data that may or may not be relevant to the case (who cares if it makes sense, just pull the plug and gather everything). You would form your theory of what you or your client thinks happened, and force all of your evidence into that theory. You would ignore any evidence that was contrary to that theory, and think anyone who actually questioned what you did or the way you did it, is just plain wrong.
When asked questions like, "Did you perform Registry Analysis, Memory Analysis, or Pcap Analysis" you say..."Yes...I found nothing of evidentiary value". Then I may ask, "OK, what kind of analysis did you perform? What were you looking for?" You would answer something like, "I did analysis...I didn't find anything".
You would then defend your lack of findings by stating that the evidence was not clear about what took place: "While you can never be 100% certain of what happened, based on my analysis and experience, there was no breach that is evident."
This may sound ridiculous, but it is sadly true. There are still investigators that think like this, and cases that work like this. Do you know of any? I would love to hear your stories of Bizarro Forensics! Email them to me and I will create a blog series with the best of the worst. Should be entertaining!
I am working on my example now. It's pretty bad...and yes...we found the breach and it was ugly!