FORDHAM FORENSICS When It Really Matters770-777-2090

• About
  • Home
  • Gregory Fordham
  • Contact
• Services
  • E-Discovery
  • Computer Forensics
  • Forensic Accounting
  • Computer Security
• Specialties
  • Trade Secrets
  • Government Contracts
  • Construction Contracts
• Partners
  • Elijah
  • Celestial Defense
• Case Studies
• Articles
  • Accounting Publications
  • Computer Publications

Contents

Introduction

What is a Computer Expert

Finding an Expert

Selecting an Expert

• Price
• Area of Expertise
• Relevant Experience
  • Preservation
  • Analysis
  • Processing and Production
  • Procedural Matters
  • Testimony
• Industry Specifics
• Presentation Skills
• Educational Background
• Training
• Licenses & Certifications
  • Licensing
  • Certifications
• Criminal Versus Civil
• Forensic Tools
  • Preservation
  • Analysis

Conclusion

Inquiries

Fordham Forensics of Atlanta Georgia is a very skilled and experienced provider of expert computer forensic services including expert testimony. To learn more about how computer forensics applies to your issue or the preservation and analysis of servers, cellphones, desktops and laptops, and other personal storage devices contact us to speak with one of our forensic experts or call

770-777-2090
E-Mail

 

 

Related Articles

Do Computer Forensic Experts
Need a PI License in Georgia?

Selecting an E-discover Vendor:
A Best Value Approach

 

Finding and Selecting
A Computer Forensic Expert

Gregory L Fordham
(last updated April 2016)

We live in a digital world and there is hardly a dispute or litigation that does not involve computerized devices or their data.  The dispute may not involve a lot of data but it likely will involve some kind of computerized device or data even if it is a single text message, e-mail, voice mail, transaction record, web search, document, etc.  As a result, there is hardly any case that is not a candidate for a computer forensic expert or consultant whether that need is technically or economically based.

Despite the widespread presence of ESI [Electronically Stored Information], does every case actually require it?  For example, consider a payment dispute for services or products.  One might think that the simple production of the contract and proof of non-payment is all that would be required.  It is amazing, though, how such a seemingly simple case could morph into something requiring ESI. 

For example, when the contract was breached by failure to make payment the issue of liability may be settled but the other elements involving causation and quantum, could still be unresolved particularly if the contract is not yet complete.  Consequently, proof elements could quickly expand into complex damages issues like mitigation. 

Such a turn could also quickly shift the burdens from the defendant back to the plaintiff.  While the defendant may ultimately owe something, it may not be the full amount sought by the plaintiff.   Furthermore, the ESI necessary to prove such a defense could reside in untold gigabytes of ESI proving or disproving the plaintiff’s efforts to mitigate and whether new volume was actually replacement volume. 

What is more, once litigation became eminent, did the plaintiff adequately preserve the relevant evidence particularly after receiving the defendant’s answers indicating that the claimed amount was not owed and various defenses articulated?  Clearly, a computer expert could be essential for a variety of reasons.

The importance of a computer expert is not driven solely by the ubiquitous nature of ESI.  Nor is it tied solely to technical evidential issues and expert testimony.  Indeed, there are numerous economic reasons as well.  After all, computer related expertise is essential throughout today's litigation lifecyle. In other words it is not just evidential issues. Indeed, the management and administration of the entire litigation process is highly automated or should be in order to analyze the data and marshal the facts economically and effectively. The inexpert handling of the computer issues not only affects the evidential issues but can mire the entire case in a quagmire jeopardizing a merit based outcome. To illustrate how much a knowledgeable computer expert can cut costs and improve the effectiveness of litigation review the articles Selecting an E-Discovery Vendor: A Best Value Approach and Eleven Steps to Designing an E-Discovery Protocol: A Systems Engineering Approach to Modern Litigation.

Consequently, there is probably greater payoff for using a knowledgeable computer expert than any other discipline involved in litigation.  Both clients and their counsel should recognize this reality and learn how best to employ the skills of computer experts to not only win the case from a technical evidential perspective but also to manage it efficiently and economically. After all winning on the legal question without an economic victory as well is just losing in a different way.

The following sections provide guidance to clients and litigators on the work of computer forensic experts and the factors that should be considered to find and select them.

What is a Computer Forensic Expert

In order to find and select a computer forensic expert, one must first know what they are seeking. Computer forensics is the application of technical knowledge, skill and experience to legal problems involving digital evidence.  Since over 98 percent of all information is stored on a computer, computer related legal problems can manifest themselves in a myriad of ways that range from identification of data sources and then progress to preservation, selection, examination and presentation of the data.

The term expert has a special meaning when used by litigators and others in the legal profession.  In their vernacular the term “expert” most often means a witness that testifies about subjects involving scientific, technical or specialized knowledge and renders an opinion about the evidence in a case. 

Experts are the only witnesses that can provide testimony and opinions on subjects involving scientific, technical or specialized knowledge.  Other witnesses, known as fact witnesses, cannot.  In fact, fact witnesses are prohibited from providing testimony about scientific, technical or specialized knowledge. 

Fact witnesses are so named because they limit their testimony to facts about which they have personal knowledge, although in certain circumstances a fact witnesses may also provide opinion testimony or what is known as a "lay opinion".  Lay opinion, however, is limited to the actual perception of the witness or what might otherwise be helpful to understanding their testimony.

The prohibition against fact witness testimony based on scientific, technical or specialized knowledge is intended to avoid situations where experts testify in "lay witness clothing" and avoid the special disclosure and evaluation procedures established for experts.  When the special procedures for experts have not been followed expert testimony and opinion have not been permitted, although witnesses have still been permitted to testify about factual matters.

The reservation of scientific, technical or specialized knowledge to expert witnesses and its exclusion from fact witnesses can have significant consequences for even routine cases where computer forensics was used for tasks as seemingly simple as preserving Electronically Stored Information (ESI) or culling the ESI for responsive documents.  After all, when testifying about the collection the explanation would involve discussion of the tools, equipment and procedures used to ensure accurate collection of the data such as write protection, error detection, data verification, data security and chain of custody to name a few. Similarly, testimony about the culling or search of the ESI for responsive documents would involve explanation of technical issues related to linguistics, statistics and technology. 

While the collector or operator could testify about the procedures used to preserve or select ESI for production, only an expert would be able to testify about the technical aspects of the collection or the selection and render an opinion about the adequacy of the procedures and whether they satisfied the technical requirements of the discovery.  Thus, if the validity of the production were ever challenged, opinion testimony regarding the accuracy or inaccuracy of the production would only be permitted by way of expert testimony and not through lay opinion by others involved.

While some have tried to side step the expert classification by claiming that collectors, selectors and even analysts are essentially fact witnesses because they simply push the buttons of the specialized tools and software that they use to collect, select, analyze and present the evidence; such claims have not been successful.   Where this logic has failed is in the interpretation of the data produced by the computer forensic tools and software.

The interpretation of the data is often dependent on the expert's knowledge of the forensic tools and software, which are not usually "familiar in everyday life".  In addition, the expert's knowledge of the data types and the evidential media on which the data are stored such as its filing system and data storage structures are, also, not usually "familiar in everyday life".  In fact, courts have analogized the interpretation of computer forensic reports (as would be produced by imaging tools, search engines and analysis software) to specialized medical tests and interpretation by police officers of slang and code words used by drug dealers, which they have deemed specialized knowledge of an expert.

While expert witnesses are qualified by way of their knowledge, skill, and/or experience it is not necessary that they possess a high degree or the highest degree of knowledge, skill and/or experience.  Rather, as previously indicated, they must simply possess a level of knowledge that is not “familiar in everyday life” or “in possession of the jurors”.  Perhaps most important, however, is that regardless of their actual degree of expertise, the testifying expert must be helpful to the trier of fact in understanding the evidence. 

Clearly, qualification as a forensic expert can be a low bar, since there is probably little about any aspect of computer forensics at any stage (whether collection, selection, examination or presentation) that is “familiar in everyday life” or “in possession of the jurors”.  So, it is possible for ESI collectors, for example, to qualify as an expert and testify as an expert, assuming that the rules for experts, such as timely disclosure and production of a report, have been met.  When these requirements have not been met then “expert” testimony has been prohibited. 

Of course, whether the expert survives beyond qualification and actually advances the case can be a different matter.  Thus, while the bar for qualification as a testifying computer forensic expert may be low, a higher standard is probably desired by the client and its attorney.  In fact, they should seek someone that fits the more commonly used definition of an expert which is a person having a high degree of knowledge or skills in a particular subject and not just someone whose knowledge exceeds the jurors.  

While the term “expert” in a legal context will most often refer to testifying experts, the term can also refer to non-testifying experts whose purpose is to assist with trial preparation.  Generally, these kinds of experts can include jury selection experts, presentation experts and even experts in the same fields as other testifying experts.  In fact, in large complex cases it is common to have both a testifying and non-testifying expert in the same technical field.  The difference is that since the non-testifying expert is not normally subjected to examination by the other party, the non-testifying expert may be more informed about strategy or case weaknesses so that his expertise can be used to enhance those areas of the case without fear that the results of those consultations will be disclosed to the opposing side.

The importance of the non-testifying or consulting expert is not limited to technical evidential issues.  Indeed there are many areas including procedural areas where an expert’s knowledge and skills are invaluable for efficient and economic case management. After all, a lot of litigators lack even basic spreadsheet skills. Even if they possessed advanced spreadsheet skills, there is still a quantum leap between those and what is needed for the collection, analysis, exploitation and management of diverse data types in a complex data management system. Furthermore, performing them in the most efficient manner possible is important for the client and is critical to ensuring a merit based outcome.

An example of a procedural matter where a computer expert's skills could be very useful is the development of the discovery plan and protocol. A plan and protocol that incorporates the most efficient and effective methods for collecting and culling large data populations could provide huge savings considering that about 74 percent of the discovery budget is consumed by document review. Therefore, those processes and procedures are a huge target for improved efficiency.

So, unlike other experts, the computer forensic expert can affect the evidential issues as well as procedural and case management issues across the entire litigation effort.  As a result, the inexpert handling of the computer issues not only affects the evidential issues but can mire the entire case in a quagmire.  Only this quagmire also contains land mines in the form of sanctions for unreasonable errors, should they occur. Consultation with a computer expert can help less sophisticated legal professionals avoid those problems entirely.

Finding a Computer Forensic Expert

Once the lawyer has determined to use a computer forensic expert the next likely hurdle will be how to find one.  Of course, there is always the old fashion way that is probably used most by lawyers.  That is asking around with other firm members and colleagues about experts that they may have used in the past and would recommend.

Performing searches on the internet is another common method of finding experts.  If their websites exist then evaluating the content of those sites can help identify candidates.

Besides searches of the internet, those with access to case decisions can also search those for instances where experts are identified.

Of course beyond that are the usual directories.  Some of the better known are Martindale Hubbell, AMExperts and then various industry or geographically specific directories such as construction industry directories or local bar association directories.

As computer forensics has become more common, there are also professional associations that can provide member lists.  For example, the International Society of Forensic Computer Examiners (www.isfce.com) is one professional association where individuals can be found.  In addition there are also tool specific certifications like Guidance Software’s EnCE [Encase Certified Examiner] and Access Data’s ACE [Access Data Certified Examiner].

Clients often have technology staff in-house that help with the administration of their systems. Nevertheless, client personnel are not a good source for forensic expertise and there are several reasons that this is true.

First, they are not normally involved in forensic processes to begin with. Rather they support the organization in the execution of its mission, which it not litigation or forensic services. The difference is often like the difference between the infantry and the special forces. Both may be able to fire a rifle but the ways in which they use them are entirely different. Even the ammunition is different because a forensic expert will likely have different tools to examine media and its contents than a client's in-house technical support staff.

Second, another drawback to using client personnel is that there will be "combat". Litigation is not just using a weapon to fire at paper targets. Further down the line there will actually be contact with the enemy, so to speak. Unless the client personnel has done that kind of thing before, they likely are a less attractive choice than someone that is combat experienced.

Third, a lot of what happens in even the early stages of the collection and analysis process is to prepare for the "combat" that will happen later. Thus, considering less capable client personnel could be like bringing a knife to a gunfight.

Finally, in a recent survey of IT security professionals less than 8 percent would recommend using an outside consultant to assist with the analysis of a data breach; but, more than 50 percent of those same respondents claimed that their staffs lacked the tools or the training to determine the cause of the breach. (see, Four Reasons Why You Need Fordham Forensics to Investigate Your Intrusion and Data Breach.) These survey results are highly relevant to the selection of a forensic expert particularly when one considers that client IT personnel are more closely aligned to the breach issue than to providing litigation support services. Thus, if they are not well prepared for something more closely aligned with their actual job function, how well will they perform on something that is not aligned to their job function?

Selecting a Computer Forensic Expert

Once you have located potential candidates, or at least sources for potential candidates, the next step will be selecting a computer forensic expert. Naturally, the case specifics will influence your selection. The case specifics not only include the nature of the case such as bankruptcy, system intrusion, contract dispute or fraud to name a few but can also include the complexity of the case--at least with respect to the digital evidence. What will be challenging for litigators is identifying and understanding how those case differences will manifest themselves in the skill sets of a forensic computer expert.

There are a number of features that can influence a selection decision.  The criteria that are likely most useful are the area of expertise, relevant experience, industry specifics, educational background, training, licenses and certifications, criminal versus civil experience, presentation skills and forensic tools. Each of these are discussed in the sections that follow.

Price

How much things will cost is always a consideration. Remarkably, price is more often the last thing to consider when selecting a computer forensic expert. If the expert crumbles under pressure or cross examination; if his analysis is faulty; or if he lacks the aptitude to advance the case either by finding important evidence even when deliberately hidden by the opposing party or overcoming obstacles erected by opposing counsel to frustrate discovery, then having paid him anything is too much.

The reality is that computer forensic expertise is not a commodity like some kind of hardware component that one plugs into their computer. Furthermore, the expert is not simply a facilitator or button pusher on software that every computer expert uses. While a lot of computer forensic experts use the same tools, so do carpenters; yet, some are much more skilled in using those tools than are others.

Price is also hard for clients to evaluate because they have to understand what it is they are actually buying for that price. In many cases, the difference in price is a difference in the services being delivered and both clients and counsel often lack the skills and expertise to understand and evaluate the consequences of those differences. Furthmore, clients or counsel may think that they only need a certain service provided but often times what that really means is that client and counsel do not have a good understanding of the situation or the requirements, at least from a computer forensic perspective. Recall no one thought that the ship Titanic would ever need its life boats.

Often times technology buyers take a commodity based approach because they think everything about technology is just a commodity and one solution is just as good as another. If one were digging a ditch, one might think that they could buy the cheapest shovel if one shovel is as good as another. The problem with such an approach is that the job might be better performed with a back hoe. In those cases, buying a shovel is simply the wrong choice because the backhoe can dig the ditch faster and more economically then an army of men using shovels--even if the men are lower priced. If the ditch is of any real size, using the more expensive back hoe can save overall project costs. After all, when one is digging for gold using the right tools can not only better ensure hitting the mother load but finding it faster and at less over all costs than using less effective tools..

While it might end up that clients only need a certain service performed, litigation in general and computer analysis in particular is often like digging in the dirt for buried treasure. It is hard to know exactly what one will encounter once the excavation begins. Will the treasure actually exist? Will some other excavation method be required? How will one know if what is found is actually fools gold? Consequently, what clients should value most is a talented treasure hunter that knows how to both find the treasure as well as how to plan, manage and execute the most economical expedition.

There are plenty of reasons why finding the lowest priced forensic expert simply does not make sense, particularly when that savings means less capability. At the end of the day, the computer forensic expert will be a small part of a client's litigation costs. It is not unusual for counsel costs to surpass the computer forensic expert by magnitudes of 10, 20 or even 30 to 1. Thus, the cost outlay for the computer forensic expert will likely be small when compared to the total project costs. As a result, a litigation matter will not become more economically viable simply by choosing the lowest priced expert. On the other hand, the consequence of choosing a less capable expert can be colossal both in technical terms and how it hobbles the case such that overall project costs skyrocket. Facts can be pesky things. A good computer expert can provide a case with all kinds of good facts that can really make a difference in both the outcome and what it costs to get there.

If there is a redeemable characteristic to the low priced vendor, it is that the opposing side may well have followed that line of reasoning. If one is ever confronted with adverse findings from an opposing forensic expert, the reality could well be that they have come from the low priced vendor or from even an otherwise capable expert whose capabilities have been hobbled by the shortsighted thinking client or counsel. So, if the claims come as a surprise, do not be too quick to abandon ship.

Clearly, while price is part of every calculation, the price problem for selecting a computer forensic expert has more than one variable which must be resolved. Thus, it is not as simple as finding the lowest priced expert, since such a solution might only cause the other variables to increase disproportionately. As a result, there are many things that need to be considered when selecting selecting a compter forensic expert and many of those are much more important than his unit cost.

Area of Expertise

Perhaps the first area that should be considered when selecting an expert is whether he has the kind of expertise that is required.  Computer forensic is not a monolithic subject.  In fact, like law itself, there are many nuances and they can vary quite a bit. 

Legal practitioners tend to think of computer experts in terms of the computer equipment related to personal or business activities.  In other words, imaging hard drives and examining their contents.  Even under that umbrella, however, there can be significant differences between phones, personal computers, servers, network switches, routers, firewalls, application software or databases. 

Things can be even more esoteric with other peripheral systems like surveillance/security systems, restricted access/security systems, video/audio systems, phone systems, etc.  All of these could be important in the right case and are further support for why litigators may need to use an expert just to help them identify what kind of expertise is actually required.

Even after the right systems are identified there can still be differences with which to distinguish experts. For example, phones can be distinguished by their technology such as Apple, Android, Blackberry, Windows or other smart phones.  Similarly, the different kinds of personal computer systems such Apple, Windows, Unix/Linux, etc. can have significant distinguishing differences. 

Of course, these are just examples and not intended to be an inclusive list.  Furthermore, the area of interest may be more software related than hardware related.  The point is that the litigator needs to realize that the field is not monolithic and there are significant differences between all kinds of systems and applications.  Consequently, when selecting an expert the litigator should have some appreciation of the differences and select an expert with the appropriate expertise. 

Of course, in mainstream areas like the Windows world, the population of experts from which to select is abundant.  In the more esoteric areas, experts with the desired expertise may be harder to find.  In those cases, the litigator may need to settle on an expert capable of identifying the problem and developing a solution.  After all, a talented expert without specific expertise may still be a far better selection than one with some expertise that is otherwise unremarkable.

Relevant Experience

The analysis of the expert’s relevant experience is another important discriminating factor.  The particular factors that one should consider about relevant experience depends on where in the litigation lifecycle the expert will be used.  After all, the interests are different depending on whether he will be used for preservation, analysis, processing and production, procedural issues or testimony.  In addition, within each of those categories the expert’s relevant experience can be assessed from two different angles--specific and related experience. All of these considerations are discussed in the sections that follow.

Preservation

The preservation phase is probably one of the most import phases of the entire litigation lifecycle.  Unlike its paper counterpart, electronic data degrades with continued usage and even the passage of time.  Simply continuing to use a computer can alter important evidence like date stamps and application meta data.  With respect to system meta data. the continued use of a computer completely destroys important artifacts like file pointers, browser history, recycle bin activity logs, and system event logs to name a few that can be essential to evidence authentication and/or revealing actual system usage.

In the preservation phase there are two areas where the forensic expert can be essential.  Those areas are identification of potentially relevant ESI that should be preserved and then actually conducting the preservation effort

When identifying potentially relevant ESI for preservation the forensic expert can provide several valuable functions.  The first is identifying the sources of ESI.  Properly identifying ESI is not necessarily as simple as asking the client where their data resides.  The client and its technology personnel are likely inexperienced in litigation matters and may think quite narrowly.  Their limitations may involve the actual devices as well as the extent of the data that they contain. 

The expert should be seasoned in litigation requirements and know to how to develop a conceptual model of the client’s systems that not only includes formal system components like servers, personal computers and phones but informal components like flash drives, external hard drives and home computer devices.  There could still be other formal system elements worthy of consideration such as backup system, communication systems and document management systems.

A computer expert should know how to define the population and then peal each layer in order to identify those elements likely to contain potentially relevant ESI warranting preservation.  As the expert learns about the target’s system, he is likely better able to identify that when one type of system or usage occurs then another is likely to exist as well. 

While the final decision belongs to the litigator, the expert can present the litigator with intelligent options. For example, if there is detailed backup history then a separate preservation of a server or a least a forensic preservation may not be necessary.  Similarly, if the key personnel only used their assigned equipment and never logged into a server as an operator then the server is not likely to contain the kinds of forensic artifacts that could be obtained only from a forensic imaging of a server.  So, again there is no need for that kind of expenditure and effort. 

The expert may also know to inquire about retirement and replacement policies at the target and history of equipment used by key personnel in particular.  He would also know to inquire about device usage policies and be able to confirm representations when conducting his inquiry or at the time of actual preservation.

Another reason for using the expert for the identification process is that as he learns the system he can determine the best methods for performing the actual preservation.  This latter phase can include both the timing of the preservation and the best method of preservation while considering how to reduce disruption and overall costs.

During the identification process the expert can likely also provide feedback to the client and litigator about estimated costs and timing so that reasoned decisions can be made.  In the end, the expert is well positioned to testify about the process and justify the reasonableness of the approaches taken.  After all, the preservation standards are for potentially relevant evidence and it is not a standard of perfection.

So, there are a lot of benefits to using an expert for both the identification and actual preservation of ESI during the preservation phase.  When selecting an expert for this process, the litigator should consider what experience the expert has had in this kind of effort.  Specifically, exactly how skilled is he in conducting the preservation phase.  It could be that his vast experience is comprised mostly of analysis and testimony based on media that was captured by others and supplied to him.  So, it could be that his preservation experience is rather limited both in terms of the identification, the actual requirements for identification, and even in conducting the actual preservation for the various types of equipment that could be encountered.

So, if he is being used in the identification phase, one obvious consideration is whether he has served in that capacity before.  An equally important factor could be whether he has had to defend any preservation that he has performed in the past or attack any preservations performed by others or whether, once again, his work has been limited to the actual analysis and findings phase.

If he is being considered for the actual preservation phase, then the things to consider are whether the expert is experienced in preserving the types of devices that need to be preserved?  Personal computers can have different preservation approaches than enterprise servers.  Phones can have still different approaches.  Also, there can be different approaches for Microsoft based systems than Apple based systems.  If the interest is e-mail servers, document management systems or other application databases there could still be other approaches to the preservation problem. 

If the expert has participated in the identification phase then the device population should be fairly well understood and determining his experience and capability should also be rather straightforward. 

When it comes to preservation another factor to consider is that the reality is often different than the plan.  The differences often involve the number of devices, types of devices and size of devices.  So, the last thing to consider about the expert’s relevant preservation experience is his ability to improvise and adapt when field conditions differ from the plan.

Analysis

If the need for an expert is further along in the lifecycle, such as analysis, the question is whether the expert even has analysis experience or is his experience mostly in the preservation phase?  If he does have analysis experience how much does he have and is it with the kinds of equipment that are part of the preservation collection.  Once again, there are different analysis approaches and requirements between the types of equipment like personal computers, servers or cell phones, and even between the systems like Microsoft and Apple.  So, how well does the expert match against the actual equipment to be analyzed.

For the litigator, it can be difficult to assess whether the expert has analysis experience.  Yes, he may have analyzed similar devices but what kinds of analysis has he performed and what is his actual level of expertise? 

There is more to device analysis than the files themselves.  A lot of forensic artifacts are in system meta data.  The location and structure of those artifacts is different on a Windows machine than on an Apple machine, for example.  So, when selecting experts the litigator may want to consider talking with the expert about the nature of the case and inquire about approaches that are available for conducting the analysis and then try to speak with the expert about the specifics of the different device types and his experience with them.

The analysis may not be related to the facts in the litigation, however. Rather, the analysis may be about the authenticity of the evidence and whether it is reliable. So, even in garden variety e-discovery cases there is need for analysis.

The reliability of the media and the digital data it contains can be readily determined. It does not even require production of the entire media. Indeed, it can be accomplished by examination of certain files that will not be directly relevant to the issues in the case but will be directly relevant to the to determining the adequacy of the digital data. (see Computer Forensics and the Judicial Arms Race)

Without validating the evidence significant resources can be squandered on a wild goose chase. In addition, the arguments will be more protracted and less definitive since the ammunition needed to actually win the argument may not have been included or otherwise improperly obscured.

Another factor to consider with respect to analysis experience is whether the expert’s experience includes the type of case for which he is being considered.  For example, if the case is a family law matter, it may be useful that his experience includes family law matters. 

Going further, it will be useful if his experience tracks with the specific interest in the case.  For example, one of the interests in a family law matter is detection of hidden assets when resolving the property settlement agreement.  So, the question is whether the expert has that kind of experience in family law matters or has he worked mostly in other areas of family law matters like the fidelity or aberrant behavior areas.

If it turns out that he has not worked on hidden assets that may not be a fatal weakness if he has worked in other kinds of cases where hidden assets are also of interest.  For example, in trade secrets and bankruptcy cases there is also interest in hidden assets.  Remarkably, the skill sets are similar if not identical even though the fact pattern is different. 

Similarly, the aberrant behavior aspects of a family law matter could have similarities with a workplace harassment issue or even aberrant workplace behavior.  So, if the expert is not an exact match for the specific interests of the case then the litigator should consider inquiring about other types of cases where the skill sets could be similar.  Of course, the litigator may have to rely on the expert to identify similar cases after speaking with the expert about the nature of the specific case. 

One might need to give the expert time to explain how he thinks that his experience will fit into what litigator perceives is needed for the case.  The litigator may need to follow up and assess what other benefits could be offered from a management issue and discuss where the expert  thinks problems could be encountered and how he could help get around those issues.

Another element of interest should be how complex his cases have been.  Was everything sitting out in the open or were things a little more subtle.  What is his experience with anti-forensics techniques like file wipers, of course, but also reformatting, drive swapping, counterfeiting, file churning, clock manipulations and a whole host of others.  Again the litigator may not be knowledgeable enough to ask about specific scenarios and may have to rely on the expert to identify and discuss his experiences regarding anti-forensics along with any standard procedures that he employs  for that purpose.

In the final analysis the question is what does the expert do to validate a production. Does he take steps to identify omissions and/or manipulations or does he simply proceed with what has been given. If the media has been specially prepared for his review by the opposing side, then it may not reveal anything when examined solely based on its actual content.  It is only when the “pedigree” is examined that forgery could become obvious.

A final consideration is can he work with imperfect information in the event that not all discovery requests are granted by the court? In addition, is he able to reverse engineer the work of opposing parties without documentation or when other information gaps exist?

Processing and Production

The largest consumer of the litigation budget is processing and production of the digital evidence  and its related document review effort.  From an economic perspective, it is a big target that can have a big payoff if done right.

The processing element typically refers to the effort required to convert the digital data into usable form for review and subsequent production.  The most economic solution to the processing and production problem is not as simple as selecting the lowest unit price.

In the digital age, manual review is not really practical for both economic reasons as well as accuracy reasons.  Manual review is the most costly part of the processing and production effort.  Also, the human factor in manual review is well known for errors.

As a result the best way to manage the problem is through the processing phase where automated techniques are used to perform volume reduction and eliminate manual review as much as possible.  Thus, the kind of computer forensic expertise that both a client and a litigator seek during this phase is one that can reduce the volume of data that will be subject to document review.

There are actually a number of techniques that can be used to accomplish these goals such as various computerized search techniques, meta data. filtering and analytics to eliminate unresponsive and irrelevant files, removing known files, identifying and removing duplicates along with other productivity related processes.  An expert could help design the battery of techniques that would be used to maximize the effectiveness of the processing phase in order to minimize the effort needed for the review and production efforts.

The particular techniques and things to consider when selecting a processing and production expert are discussed in a separate article titled, Selecting an E-discovery Vendor: A Best Value Approach.

Procedural Matters

Procedural matters are another area where an expert can make a significant contribution to the economics of a case.  Legal problems involving digital evidence, computer forensics, is a very complicated subject and involves more than checking off paragraphs in the rules of procedure.

The completion of Rule 26, for example, results in a discovery plan.  That plan could be analogized to the plans for building a house.  Certainly, the plan could be the equivalent of something crafted on the back of a napkin.  Or it could an “architectural” view or a “plan” view of the final product.

The best approach for house building, however, is known to be an engineered drawing.  While it takes more on the front end to develop the engineered drawing, it will have payoff on the back end by speeding final production and avoiding disputes that could derail the entire effort.

Under the home building analogy the expert serves as a design consultant having specialized knowledge about technology and processes that can be woven into the final design document—the discovery plan.  The final plan should involve numerous technical methods such as those previously discussed in the processing and production as well as procedural techniques like multi-tier discovery. 

The multi-tier discovery would use a staged approach designed to avoid full scale processing and production, at least until the risks are better known.  The multi-stage approach would attack the discovery process in stages starting with the devices and custodians believed to have the most relevant evidence for the case.  Perhaps the entire dispute could be resolved after that initial review without having to process the entire population.

In addition, the expert may be able to suggest specific tests that would be better able to identify the specific documents of interest or identify various other system related artifacts that would be dispositive to the matter.  Even if not dispositive to the entire matter, the expert’s work may be able to eliminate custodians or devices from further consideration the related processing and production.

Using a multi-tiered approach could also prove the validity of the discovery plan prior to committing huge resources in the same fashion that construction and manufacturing practices use “prototyping” or “proof of concept” methods prior to committing to full production.  For example, the search techniques being used to identify responsive and relevant documents may or may not work as intended.  It is better to prove the merits of the methodology before committing full resources to full production.   The expert and his special tools could likely help in this process long before the data is processed and placed in any document management system used for the litigation.

The discovery plan may also be able to simplify the processing and production matter through the development of a protocol.  The protocol is an agreement between the parties describing exactly how the processing and production will be conducted.  So, the protocol can be analogized to the contract that the homeowner enters with its home builder.

The protocol can be very detailed.  In fact, like the engineered drawing analogy, the protocol can go a long way towards streamlining the overall discovery process because the parties discuss and agree to the attributes in advance.  The advance agreement can streamline the process and eliminate unnecessary efforts by incorporating the processes discussed previously to gain efficiency like multi-stage discovery as well as others suggested by the expert.

Again, developing the protocol can be tedious but the advantages to long term efficiency are significant.  For further information on protocol development consider the article, Eleven Steps to Designing an E-Discovery Protocol.

Testimony

The reality is that a lot of lawyers are not well versed in computer issues and really do not know how to thoroughly examine an expert’s work. This even applies to the retaining counsel who may view the selection of experts as only another piece of evidence. Thus, their concern is simply whether the expert's opinion supports the needs of the case.

To a certain extent, the fact that an expert's opinion supports the needs of the case would seem obvious; yet, the shortcoming is that counsel may not have fully revealed what the needs of the case actually are to the expert. Had retaining counsel explained the case more fully the expert might have still been able to provide the opinion but at the same time recognized that the precise manner envisioned by counsel was not persuasive nor meaningful.

For example, litigators may want to make a point about how files were deleted from the media after a certain date. The evidence may well support that files were deleted after a certain date. If retaining counsel has not taken the time to examine the issue and explain the case with the expert it will not be until opposing counsel cross examines the expert that the retaining counsel learns that the files were all deleted as part of routine system maintenance and not done by a deliberate user action, which is where client counsel was wanting to go.

If litigation is like chess then testimony is like the end game. One will never get a chance to play the end game if one has a weak opening and middle game and picks an expert that is not really competent in the disciplines described elsewhere. Similarly, the advantages gained by a great opening and middle game can be squandered with a weak end game. Thus, an expert's testimony skills can be an important consideration.

There are two attributes that should be considered when evaluating an expert's testifying skills.  One is whether the expert has testified before.  The other is the sophistication of the examination to which he has been subjected by opposing counsel.

In regard to the first, has the expert testified before, the interests are twofold.  One is where has he testified.  Ideally it is best that he has testified in courts similar to the one in which the case will be decided.  The other is that his opinions have not been rejected for some reason and he was prevented from even testifying.  Clearly, satisfying both of these criteria will help smooth the qualification process.

In regards to the second, there are actually several consideration. One is whether the expert has been subjected to stiff interrogation during deposition and cross examination at trial or some motion hearing. In other words, how well can the expert handle the fastball and did it effect any of his other performance when opposing counsel tried the equivalent of the brush back. 

Of course it is not just an expert's performance against a power pitcher that should be considered. The other involves the finesse pitcher that may try to neutralize an expert by mischaracterizing his opinion or restate his findings. If opposing counsel is somewhat successful, even without the expert realizing the significance of what opposing counsel was trying to accomplish because the retaining counsel had not taken adequate time to prepare the expert or allow him to review letters, deposition transcripts or motions so that he could be aware of opposing counsel's "theories", then the expert's opinions could be successfully neutralized. In such a case, retaining counsel is not likely to undo the damage on redirect because it might be a subject that he has never discussed with the expert. In such a case, retaining counsel is likely to follow the old adage that one should not ask questions when one does not already know the answer. Consequently, in that case, retaining counsel is likely to sit quietly even though there could have been ample means to "toss the grenade" back at the enemy before it actually exploded.

Of course, it is probably not practical to prepare the expert for every conceivable tactic that opposing counsel could try. Consequently, when selecting an expert, it is important to realize that in more cases than not the expert is on his own when defending his opinions against opposing counsel. It is good to know that the expert not only has the technical skills to defend his opinions against the so called "power pitcher" that will make a direct assault but also has the experience to recognize and defend his opinions against the "finesse pitcher" that is happy to work the "corners", so to speak.

Clearly, the fact that a computer expert has previously survived testimony in depositions or trial may not be that comforting. Thus, it is important to understand just what kind of opposition he has experienced.

In order to evaluate the expert’s testifying experience the litigator probably needs to learn the cases in which the expert has testified and then evaluate the attorneys that he opposed.  Of course the litigator may be able to shortcut this exercise by questioning the expert about his experiences and to what degree he believed they had been challenging and why and whether the expert considered the opposition a "power pitcher" or a "finesse pitcher" and the ultimate outcome.

When evaluating the expert's testifying ability, it could also be useful to discuss how he could assist in the examination of the opposition's witnesses such as their 30(b)(6) technology person, key personnel and how they used their computer hardware or software and, of course, the opposing expert. Using an expert is all of these situation is particularly important, since counsel if all too often unable to differentiate a good story from just a well prepared story.

Industry Specifics

Industry specific background is not essential for expert qualification, although it could result in   knowledge not familiar to the trier of fact.  Also, industry specific background can be helpful for the computer forensic expert.  Activities, systems or artifacts that might otherwise go unnoticed could be recognized by the expert familiar with that industry.

For example, they may already be familiar with certain applications and know how to interpret their data.  In the preservation phase they may know that participants in that industry typically have certain systems or data that should be included in the preservation.  Also, experts familiar with an industry may be able to recognize omissions in preservation or production as a result of their knowledge. So, industry specific knowledge could be a real cost saver.

Presentation Skills

While there is no expressed qualification requirement for presentation skills, there often is a requirement that the expert be useful to the trier of fact.  Typically, one interprets usefulness in technical terms but technical competence may not be the only consideration.

Indeed, an expert that communicates as technically as his expertise may not be of any use to anybody.  Thus, a good characteristic of an expert is one that can “translate” the technical aspects of his expertise into something understood by his listeners.  In addition, there may be several languages or dialects in which he needs to communicate.

When communicating with jurors and even the client he may need to explain his findings in everyday terms and analogies.  When communicating with the legal team, he may need to explain his findings using concepts they would easily understand, although sometimes the computer expertise of the legal team is not that advanced either. 

An expert’s presentation skills are not just important while testifying at trial.  Indeed, they are important throughout the entire litigation lifecycle that can include briefings with the legal team and the client as well as formulation of tests and procedures for advancing the case.

Interestingly, advancing the case is not just about sifting and interpreting evidence.  It can include using his expertise to counter the obstacles devised by opposing counsel to stifle discovery. In this regard, there are two ways that the expert can help.  The first is uncovering the flaws in the opposing side’s claims that requests are overly burdensome or assisting counsel in devising techniques for overcoming their objections or their requests for overly burdensome discovery.  The second is devising techniques for sifting data efficiently when opposing counsel has delivered “quicksand”. 

So, the expert must fill many roles. It is not enough that he find interesting artifacts.  He must also be a teacher and a strategist.  The expert must be able to educate client and counsel about differing ways to obtain relevant evidence that is important to the case as well as the significance of his findings. At the same time he must help them understand how those artifacts and the media or devices on which they reside will effect case strategy for better or worse.

While the technical skills of the computer forensic expert can be quite significant to the case from an efficiency and effectiveness perspective, the evidential value of the expert is his opinion and its aid to the trier of fact. While those opinions will actually be delivered as testimony, the manner in which they are initially articulated through the discovery process is a report. Of course, other vehicles could also be possible such as Affidavits or Declarations but the most likely method will be through a report. Thus, a significant consideration about an expert's presentation style can be his report writing capability.

Many of the forensic tools used by experts possess report writing tools.  While these tools can be useful for experts, who already understand all of the attributes they contain, they are not typically good for anyone else. The reporting tools contained within forensic analysis tools provide little more than a means to accumulate the more significant data that has been analyzed in a central medium that simply facilitates locating the items that have been tagged as more significant. Thus, these reports are often no more than raw data dumps of items that the expert wants to be able to find again easily.  Furthermore, they do not provide a means to summarize the raw data into something that makes its significance more obvious and is well suited as an exhibit for trial or deposition.

An expert's writing style and ability to communicate in writing can be important. The subject matter is often very technical but the findings must be comprehended by many with far less understanding than the expert. Thus, communicating that knowledge and presenting it in an easily comprehensible fashion such that its significance to the case is easily understood is very important.

While important, the expert's writing style is not all that matters. The report should contain sufficient evidential matter to support the expert's opinions. After all, if the opinion is to survive and advance case, there must be some comprehendible basis for the opinion.

A good way to assess the expert’s presentation and communication skills would be to share some case specifics with the expert and let him explain how well his experience fits with the specifics in this case.  Such an approach not only provides a means to assess how well he communicates but it can help confirm the litigator’s assessment of the expert’s relevant experience.  In the process, the expert may be able to recognize that what the litigator thinks is needed may not actually be a good idea.  In that case, this could be a good opportunity to put things back on track.

Counsel may also want to inquire about the expert's experience writing reports including the style he uses for writing reports. While counsel may already have an idea what he needs for the case, he also needs something that will be useful to the trier of fact and something that will seem like a bunch of disjointed, mind numbing data points.

Educational Background

While the expert should have knowledge "not familiar in everyday life" or "in possession of the jurors", a formal education is not a requirement for qualification. Besides, the issue at hand is not likely a problem in a text book and the mere fact that he made a passing grade on some test does not mean that he will even be useful to the trier of fact.

Evaluating a computer forensic expert’s educational background is not like evaluating those of a licensed engineer, medical doctor or accountant.  By comparison to these other professions, the entire computer industry is relatively new.  Someone with twenty years experience dates to a time when there was not even an abundance of degreed offerings, if any.

While there are more generalist degree programs today such as computer science, information systems, software engineering and the like, even they are not designed with the skills that computer forensic experts are likely to use.  So, there may be no real advantage to experts having such credentials.  So, an educational degree may be nothing more than a means to separate candidates.

In more recent times, there are degree programs in computer forensics that are starting to appear in college curriculum.  While these are likely to provide a good foundation to those having them, again they are only a foundation.  If anything, their usefulness may signal the seriousness at which the holder, pursues his career.  On the other hand, in some esoteric areas it is unlikely that a worthy expert would have need of generalist designations.

Training

Training is another area that the litigator can use to distinguish computer forensic candidates.  In this regard there are a number of training directions that the litigator may find of interest.  Essentially there are the general training classes and there are the tool specific training classes.

The general training classes can involve fundamental issues such as file systems, operating systems, and software applications such as e-mail, application databases, and software applications in general.  Such classes would reveal how these subjects work, how to interpret their meta data. and how to extract and handle their artifacts.

As an example, consider the situation where the computers to be examined are Microsoft Windows based machines versus Apple Mac machines.  The file systems that accompany these two different devices behave differently and leave different kinds of artifacts.  Knowing about these artifacts, where they reside and how to interpret them can not only affect the expert’s opinion but influence the budget required to interpret them.

The other area where training can be influential is on the tools used by the expert to develop his own opinions as well as refute those of the opposing side.  These days there are a number of forensic tools and no single tool will perform all evaluations.  So, in order to perform a comprehensive examination the expert will likely need to have several tools in his toolbox and needs to be familiar with them whether through self training and seasoned use or formal training.

The need for tool familiarity is not limited to the performance of the expert’s own work.  Rather, he will also likely need this familiarity to understand and evaluate the work of the opposing expert, if there is one. 

Licensing and Certifications

Licenses are typically issued by governing bodies like state or local governments and usually attest to the owner having accomplished a certain level of competency.  Certifications are typically issued by groups like professional organizations, trade associations, product manufacturers, etc. and also are supposed to represent a certain level of competency.

Licenses and certification are usually not required for expert qualification.  At the federal level it is black letter law that licenses and certification go to credibility and not qualification.  At the state level things can be different, however.  The state can require licensing or certification as part of expert qualification, although most states follow the federal rules where licensing and certifications go to credibility. One would have to check with their individual state law—both evidence and occupational licensing statutes. The following sections further discuss the significance of licensing and certifications when selecting a computer forensic experts.

Licensing

In federal court state licensing boards have no say in the qualification of an expert.   As mentioned earlier, it is black letter law that licensing goes to credibility.  Moreover, there is a long line of case precedent where State licensing boards have been rejected where they are in conflict with federal regulation.

In state court, several states have imposed licensing requirements of experts in civil malpractice situations and medical testimony in their evidence statutes.  The lack of other licensing requirements appearing in the evidence statutes tends to undermine any argument that the occupational licensing statutes should even be considered. 

With respect to computer forensic experts there has been a movement by the private detective industry to claim that territory for itself.  These efforts have largely been accomplished through pronouncements by the regulating boards claiming dominion over that territory.  They seem to make these pronouncements without consideration of the evidence statutes, their actual authority or the intent of the legislature. 

While the PI Board in Georgia has issued an opinion that computer forensic experts need a PI License, the Board’s opinion was issued only after two legislative efforts to accomplish that goal had failed.  So, the Board’s opinion may be nothing more than attempt to achieve its membership goal without any actual legislative authority.  In addition, there is considerable case law in Georgia, outside of civil malpractice cases, where forensic experts were not required to have any kind of license.  In fact, arguments against unlicensed experts in Georgia, outside the civil malpractice area, have been characterized as “meritless”.

An evaluation of all states is beyond the scope of this writing; however, an article titled “Do Computer Forensic Experts Need a PI License in Georgia” examines the issue in Georgia.  Although the article examines the issue from numerous angles, it considers decisions in a few other states, as well, in support of its conclusion that a PI license is not required in Georgia either. The reader could certainly mirror the effort in that article when examining its own state law requirements in regards to forensic expert licensing requirements.

If it turns out that a license is required then one should look for experts having the requisite license.  If a license is not required then one may still prefer experts having relevant licensing for credibility reasons. 

With regard to the PI license requirement for computer forensic experts, the PI license issue is quite misleading. As mentioned above, licenses tend to indicate that the holder has some kind of proficiency in the skill covered by the license. This is not the case for the PI license, however. The PI profession does not teach its members computer forensics and computer forensic proficiency is not even tested on its exams. Thus, when examining an expert with a PI license one should realize is that what those license holders have been tested on is surveillance, weapons handling, funeral escorts and a number of other traditional law enforcement tradecraft. In fact, many have highlighted that PI literature often directs its members to retain an expert when their cases involve computer forensic issues. Clearly, there is no comfort to be had or basis for selecting a computer forensic expert based on the possession of a PI license.

With respect computer forensic certifications, there are several, although like educational degrees, professional certifications in computer forensics are rather a recent commodity.  So, it could be likely that computer forensic experts will not have forensic certifications.  Of course depending on the nature of the case a forensic certification may not be necessary.

Certifications

Computer forensic certifications generally deal with media files systems, operating systems, and interpretation of their artifacts.  In some scenarios such as network or software functionality the classic computer forensic skill set may not be needed.  Rather, more traditional computer system operation is all that is necessary.

So, litigators should realize that with respect to computer forensic certification there are relatively few and most of those are tools specific.  Examples of tools specific certifications are the Guidance Software, the makers of EnCase, EnCE [EnCase Certified Examiner] and Access Data’s, the makers of the Forensic Toolkit, ACE [Access Data Certified Examiner].  Of course there are still others but these two examples are probably the best known.

Examples of the non-tool specific certifications are the Certified Forensic Computer Examiner (CFCE) that is offered to law enforcement personnel only by IACIS.  Another generalist certification is the Certified Computer Examiner (CCE) offered to anyone by the International Society of Forensic Computer Examiners (ISFCE).

Beyond these classical forensic certifications are numerous operational certifications.  Some of these include those offered by vendors like Microsoft such as the Microsoft Certified System Engineer (MCSE) and Microsoft Certified Professional (MCP) to name a few of the Microsoft certifications.  Many other vendors offer their own certifications as well such as Cisco Systems with their Cisco Certified Network Administrator (CCNA). 

There are also generic certifications offered by industry associations such as the Computer Technology Industry Association (CompTIA).

Criminal versus Civil

One might consider using an expert with a law enforcement background.  These individuals tend to make great witnesses for juries because of their instant credibility. 

If the case is a civil matter, however, there are other things to consider.  After all, the differences between criminal and civil cases are more than the law.  Indeed, the capabilities of the experts are shaped by the procedural differences as well as the cultures spawned by those procedures.

In criminal cases the bar is higher than in a civil matter.  In addition, prosecutors can have larger case loads than their civilian counterparts.  Both of these factors can pressure them and their experts to focus on the low hanging fruit.  The net result is that an expert grounded in criminal cases involving child pornography may be more accustom to finding the sure thing than going the extra mile to pursue issues that require research, testing, extensive analysis or marshaling complicated fact patterns.

Another difference is that in a civil case the opposing side often has considerably more notice of the impending production than a criminal defendant served with a search warrant.  As such, in a civil matter it can be more important for the computer forensic expert to know how to find traces of what had been on the computer than finding the files themselves.

Also, criminal experts may not be accustomed to the discovery that occurs in civil proceedings.  Thus, they may not be proficient in report writing, giving depositions and revealing and supporting their evidence and opinions prior to testifying at trial.

Forensic Tools

The specific tools used by the expert can affect the qualification of a testifying expert.  In that case, therefore, they should be accepted, reliable and reliably used.  It is helpful if the expert has been trained in their use, although that is not absolutely essential if he has adequate experience and knowledge about their use.  After all, having attended a training class may not actually be a guarantee of anything.

As a result of the tool’s significance in qualification, the litigator will want to know something about the tools used by the expert.  While the litigator may not recognize tool names provided by the expert, the litigator should have them revealed and discuss their acceptance with the expert.

The number of tools that are available is also much greater than in years past and the number continues to grow.  Some of the tools are freeware while some are quite expensive.  Although there is no definitive correlation between tool price and adequacy, the litigator will still likely want to inquire. 

While there are some very good freeware tools, they may not be as feature rich as the ones with a price.  In that case, the less feature rich tool could require more labor hours for the expert to accomplish the same result as the one where the work is included in automated features.  So, free may not always be good.

The specific tools used by experts will depend on where in the litigation lifecycle they are being used.  Typically, preservation is different from analysis which is different from processing and production.

Preservation

There are a variety of preservation tools that create forensic images. Forensic images are different from the images created by a client’s technology personnel in that forensic images capture the entire media.  Thus, they capture the active data, the deleted data and they even capture areas of the drive where user data would never be stored.  The images typically created by normal technology personnel focus on the active data only.

While the forensic tools are often capable of collecting some smaller segment of a storage media, like the active data, those kinds of images are generally specifically identified as logical images, for example, or some other restrictive container name.

The kinds of tools that an expert will need can vary based on the type of equipment being imaged.  The differences tend to be the interface that the storage devices use to transfer their data.  For example, internal hard drives use one kind of interface while external devices like flash drives tend to use a different interface.  So, the expert needs to have the kind of equipment capable of handling these different interfaces.

The expert is also expected to preserve the data without altering the original evidence.  Typically the only concern for alteration is system meta data.  It is unlikely that any preservation or collection method would change the data contained within the files themselves. 

In any event, the protection of the original evidence is done with write blockers that prevent the collection system from altering the original media but in some cases the imaging method itself may be capable of collecting the data without altering anything even without a write blocker.

Additional considerations to the preservation mechanics themselves involve verification and redundancy.  The verification confirms that after the imaging is completed that the image the original media.  Calculating the verification typically means reading the data twice—once when the image was created and then again after creation.

When creating images it is best to create redundant copies.  It is not likely that the device on which the image resides will fail but it does happen.  In that event, it is best to have  second copy of the image.

While the approach and technology used by an expert for preservation is one thing to consider, another is the preservation capacity that the expert could deploy.  It is not unusual for preservations to involve many devices and their media.  In addition, the preservation window is typically narrow.  So, the expert needs to have adequate capacity to get the job done within the time constraints.

Analysis

There are no specific tools required for qualification of the expert, although whether one has knowledge about the tools can be important to determining whether the expert has knowledge useful to the trier of fact.  Clearly the expert should have knowledge about his own tools but how about those used by the opposition?  Actually, it is good that the expert has expertise in many different tools and the mainstream tools in particular.

When considering the tools used by the expert there are actually several considerations.  These considerations are the kinds of tools, the variety of tools, the number of tools and how long have they been using them. 

With respect to the kinds of tools, the litigator may want to determine whether the expert has invested in mainstream forensic tools or whether he is using freeware and other low priced alternatives.  While it is nice to avoid needless markups, the lower priced tools are also commonly less feature rich and will require more labor hours to obtain the same results that might be automated in the higher priced tools.

Again understanding the specific tools owned and used by the examiner can be useful.  Some tools are stronger in certain functions than others.  So, again, it becomes important for the forensic expert to have diverse resources from which he can draw depending on the requirements of the case.

Forensic analysis tools are not the only kind of tool in the expert’s arsenal.  In large complex cases it is also the ability to manage the data and marshal the facts.  While spreadsheets, as an example, provide robust analysis capability they are size constrained.  So, in large cases spreadsheets lack adequate horsepower.  In large cases, database applications can become much more essential. 

So, in large case the litigator may want to assess how well equipped is the expert to manage large volumes of data and analyze them.  Even the forensic tools can have practical size limits such that the data must be piece mealed from those applications and placed in other, more capable data management systems.

Another issue could be the number of licenses of its tools a forensic examiner owns.  In large cases, throughput can be essential and multiple licenses a must.

Another category of tools are those that the litigator can use to provide data to the litigator.  If the data are comprised of lists then spreadsheets are litigator friendly.  But what happens when the lists exceed the capacity of the litigator’s spreadsheets.  How about different data types such as e-mails.  Should those be provided as PSTs, HTML, or MSG type documents?  Indeed there are many questions about how the expert can support the litigator’s needs in the kinds of tools that the litigator is capable.

Conclusion

Despite the increasing availability of computer forensic experts, selecting them is becoming more difficult.  It is not that there are fewer of them.  Quite the opposite is true.  There is much more to choose from and as such the search can be more complicated and time consuming. In addition, as digital data and digital evidence permeate society and the law, the encounters have more variability.

Furthermore, computer forensics is not some kind of single subject discipline.  While most people may think of computer forensics as hard drive examiners, the field is much more diverse than that.  Also, as computers continue to permeate more and more of our society and legal system, the number of specialties and nuances increase accordingly.

Unlike other experts, the computer forensic expert can contribute to every phase of the litigation lifecycle. Also, the contributions of a computer forensic expert are not just evidential in nature. Indeed, there are also procedural and economic contributions that can be made by the computer expert. So, it is not just about case decisions. Rather, it is also technological and how the technology can be used to litigate faster, cheaper and better.

Clearly, there is much to consider when selecting the right computer forensic expert.  One size does not fit all.  Making the correct choice can involve a multitude of considerations involving the particular phase in the litigation lifecycle where the expert will be used as well as the technology involved. So, picking the right computer expert is a case where the answer clearly depends.

 

Inquiries

To learn more or
discuss a specific matter,
contact us.

 

 

Home	Forensic Accounting	E-Discovery	Accounting Articles	Case Studies
Gregory Fordham	Computer Forensics	Computer Security	Computer Articles	Contact
Last Updated:April 15, 2018 Copyright ©2012-2014 Fordham Forensics, Inc. This site is for information purposes only. For assistance with a particular matter contact a representative.