The role of the consulting expert often begins with the realization by a corporation that an employee who resigned, and is now working with a competing firm, may have taken sensitive company data. My first task as a consulting expert often is to evaluate and document early preservation and investigation efforts by a client’s internal staff, in order to properly interpret digital evidence later.

Whether it involves suspected employee data theft, a computer intrusion or other misconduct, it is rare for internal security, HR or legal departments to have not started their own investigation. Depending on the experience of the internal responders or IT staff, computer evidence will have been identified, perhaps preserved, and analyzed to some extent. The operational necessities for an organization to recover from internal or external misconduct will sometimes trump preserving evidence. Your outside expert will lend an experienced eye to initial investigation or preservation efforts and provide an independent assessment on the scope and effectiveness of those efforts.

Companies with well-trained and experienced IT and security staff often have resources for gathering computer evidence. The consulting expert’s role in documenting the effort helps give the legal team insight into the defensibility of evidence gathered by internal teams and can help early in the life of a case. Independent preservation, or at least review of the preservation efforts, may help deal with difficult issues that may arise.

In one case, the internal team for a large technology company performed analysis in an attempt to locate email messages that were central to litigation. The opposition had presented printouts that were purported to be copies of damaging email messages. Although the internal IT staff had done a credible job in their analysis, the opposing expert raised issues concerning their lack of independence and questioned their findings, and a consulting expert was called in. Joining the case as the trial date approached caused significant urgency and much additional work to prepare to address the issues raised. In the end we were successful; however, performing an independent forensic analysis earlier would have addressed the opposition’s claims and perhaps saved the client money.

Early in the life of a matter, your consulting expert can help evaluate the sources of data and provide you with information to help make important decisions. Did an intruder compromise personally identifiable information (PII) or other data which may trigger notification obligations? Will you pursue an injunction against a former employee suspected of taking proprietary data? Your consulting expert will provide you with an independent assessment of the situation.

It is common within organizations to have to sift through issues that have nothing to do with the matter in order to do the analysis necessary to answer important questions. Users may have personal reasons that they deleted data, which may turn out to have nothing to do with the matter at hand. IT administrators, who are pressured to get operations back on track, will focus on remediation, not necessarily gathering evidence that identifies the scope of an intrusion. Competition among business units in a large organization may have key technical staff taking a defensive posture, when the real issue is determining the scope of a data breach, not assigning blame. Your consulting expert must be effective in working through the people issues to get the data needed.

As your case roles into discovery, your consulting expert’s role will be to advise you on which sources of data you should consider for discovery. In addition, your consulting expert can assist you in negotiating other discovery issues, like the inspection of relevant computer systems. Understanding the landscape of your company’s IT infrastructure will help direct what data sources are relevant to your case. Unless you have staff dedicated only to e-discovery and computer forensics, they will always be distracted by operations of IT or other company matters. Your consulting expert will be focused on working your users and IT staff effectively and applying tested procedures to the analysis and processing of your computer data.

Having worked in many enterprise environments on computer forensics engagements, consulting experts know that your IT staff knows your systems best. The people sitting at the keyboard every day know your systems well and are the best resource the consulting expert has in investigating the incident or matter. Your consulting expert should balance working effectively with your IT staff and staying out of their way, however. Whether it involves different types of servers, backup systems, or understanding user laptops, desktops and mobile devices, your consulting expert will help you evaluate each of these and plan how they fit into discovery in your case.

As a consulting expert, once I have an understanding of the case and have preserved data from the relevant systems, I will prepare an analysis protocol to direct the forensic review done by my team. Taking into account the type of system, what we know of the case and where we need to look for evidence are among the steps I take in directing the forensic analysis. Although the number of cases I provide expert testimony on is small compared to the number cases I’m involved in each year, properly identifying, preserving and analyzing the relevant computer data in the work I do as a consulting expert is done with potential testimony at trial in mind. The forensic analysis protocols we use every day in our lab are sometimes translated to inspection protocols in certain cases. As a consulting expert, I view the inspection protocol with an eye toward protecting my client’s privacy and other such issues. In the next article in this series I will discuss working as a neutral expert. Among the issues I will explore in that article are negotiating analysis and production protocols as a neutral expert.