Thank you for sharing!

Your article was successfully shared with the contacts you provided.

Is deleted-but-not-gone electronic evidence a “bet the case” concern? Ask convicted financier Frank Quattrone, domestic diva Martha Stewart or accused murderer Scott Peterson. Ask anyone at accounting giant Arthur Andersen. Wait — you can’t do that. Arthur Andersen is gone, hoisted on a petard of e-mail and shredded work papers. Far more information is retained by a computer than most people realize. You could say that a personal computer operating system never intentionally erases anything, even when a user deletes a file. Instead, PCs just hide a deleted file’s contents from view, like crumbs swept under a rug. Computer forensics is the identification, preservation, extraction, interpretation and presentation of computer-related evidence. It’s reconstructing the cookie from the crumbs. But unless specialized tools and techniques are used to preserve, examine and extract data, and proper interpretive skills are brought to bear, evidence will be lost, overlooked or misinterpreted. Everyone uses computers. If you’re a prosecutor, litigator or in-house counsel, a computer forensics expert is in your future. You must know how to choose a computer forensics professional for your side and/or how to challenge your opposition’s choice. It may not be as easy as you would think. Computer forensic examiners aren’t licensed. No standardized exam establishes their competency. Anyone who knows a bit from a byte can put “computer forensic examiner” on his or her business card. Nevertheless, a cadre of formidably skilled and principled computer forensics examiners remains the core of the profession. The challenge is to tell one from the other and to help the judge and jury see the difference, too. FINDING AN EXPERT The best ways to find a good computer forensics expert are the same techniques used to find experts in any technical discipline: Ask other lawyers and judges who to use and avoid, and delve into the professional literature to spot scholarship and leadership. If you practice in a small community and can’t secure local recommendations, contact one of the professional associations for computer forensics examiners (the High Technology Crime Investigation Association, at www.HTCIA.org is the largest) and get the names of nearby members. Internet searches for experts may turn up worthwhile leads, but don’t judge qualifications by where the expert appears in a search engine. It’s just too easy to buy or engineer favorable placement. Instead, use the Internet to troll for publications and for networking. The non-commercial Electronic Evidence Information Center (www.e-evidence.info) is a superb starting point for a wealth of information on leading computer forensics practitioners. Many experienced examiners come from law enforcement and the military. Look for, e.g., former Department of Defense, Internal Revenue Service, Federal Bureau of Investigation, or Secret Service credentials. Sadly, child pornography makes up the bulk of work in law enforcement, so ask about broader experience with other computer crimes. Extensive experience on the civil side is a plus. Plenty of computer savvy folks lacking forensic training or experience offer their services as experts. But just as few doctors are qualified as coroners, few systems administrators have any forensic qualification. A background in law, law enforcement or investigation is important, whereas programming experience has little bearing on computer forensic ability. Be certain to obtain the witness’ resume and check it for accuracy. Look for membership in professional associations, formal training and certification. Has the expert published articles on computer forensics or regularly participated in online computer forensics forums? Read these contributions to gauge knowledge, commitment to the profession and communication skills. WEIGH IMPORTANT QUESTIONS Weigh the following when evaluating qualifications: � Is the examiner certified? An increasing number of organizations offer certification in computer forensics. Some indicate real expertise and others mean little. In evaluating certification, find out exactly what the expert had to do to be certified. Was written testing required? Was there a practical component? What about peer review and a minimum experience threshold? Who taught and certified the expert? Do any applicants fail to obtain the certification? Was expertise certified in a discipline or in the use of a particular tool or software package? � How much time has been devoted to computer forensics? Question the focus of a CF expert wearing many hats for hire as, e.g., PC repair specialist, network installer, programmer or private investigator. A large firm’s far-ranging claims of expertise may be justified, but for the solo or small shop expert, “dabbling” in computer forensics is not an option. � How experienced as a witness? If the expert you’re evaluating held up in past courthouse challenges, chances are he or she will again. Look for experience in the type of case you’re handling. A veteran of pornography prosecutions may not be well-suited to a case of sexual discrimination or intellectual property infringement. Because you can’t conduct an effective examination if you don’t understand what the case is about, be certain your choice knows the ins-and-outs of civil litigation. Talented experts convey hyper-technical concepts without lapsing into jargon or acronyms and communicate using simple analogies. � How much classroom training? Ideally, a computer forensics expert has been formally trained and can demonstrate dozens or hundreds of hours of classroom work. However, some of the best qualified experts in computer forensics have little or no formal training in the discipline. They’re largely self-taught and have been at it since the dawn of MS-DOS. These veterans, too, should be able to demonstrate time in the classroom … as the instructor. � What will it cost? Good computer forensics is expensive. Even a basic computer forensic examination costs several thousand dollars or more. A complex exam can run to six figures. One veteran examiner analogizes that a top-notch cardiac surgeon can teach anyone to perform a routine heart bypass in an afternoon — it’s just plumbing — but the necessary expertise and attendant high cost springs from the decades it took to learn what to do when things go wrong. Your expert should clearly communicate hourly rates and anticipated expenses, but there are typically too many variables to quote a bottom-line cost. If you can supply reliable information about the systems, electronic media and issues, experience may permit the expert to project a range of expected cost. Recognize that competent examiners routinely decline requests for a “two-hour quick peek.” No one wants to be taken to task in court for missing something because they didn’t have time to do the job correctly. � References. Before you commit to spend thousands of dollars, ask for references and call attorneys who’ve worked with the expert. Some client identities might be withheld as confidential, and those supplied probably won’t be the disgruntled folks, but you’re sure to glean something useful about billing practices, reporting skill, discretion, preparation or professionalism. If nothing else, an expert unable to identify satisfied clients might not be the one for you. � Beware of the Tool Tyke. Poorly-trained experts rely on software tools without understanding how they work. They’re tool tykes. Of course, all of us trust technologies we don’t fully understand, but an expert should be able to explain how a tool performs its magic, not offer it up as a black box oracle. Tool tykes dodge attacks on their lack of fundamental skills by responding, “The tool is not on trial,” or citing how frequently the testimony of other witnesses using the same tool has been accepted as evidence in other courts. The use of proven tools and software is essential, but even a rock-solid tool in unskilled hands is unreliable. Forensic software suites are principally designed to automate repetitive tasks that would otherwise be performed manually. Your expert should understand those underlying operations, not just know the keystroke required to initiate them. � Educate Yourself! Working with your expert will be easier if you learn all you can about computer forensics. The more you know, the more you will be able to choose well! Craig Ball, a member of the LTN Editorial Advisory Board, is a trial lawyer, consultant and computer forensics examiner, based in Montgomery, Texas. Subscribe to Law Technology News magazine.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.