In a previous article in this series, I explored when to call a computer forensics expert and the various roles we may take in your case. Since I left U.S. government employment in 1999, I have worked as a computer forensics consultant in civil litigation, both working with and being opposed by practitioners who have entered this field from various disciplines. Early in my computer forensics practice, I could have been opposed by an IT administrator or software developer; later it was more common to encounter practitioners with some computer forensics experience and training. As the field has grown, I now frequently encounter experienced forensic practitioners with significant training and preparation.
Today, it is likely that your computer forensics expert will be opposed by an experienced practitioner. It is important to ensure that your forensics expert is a good fit for your case and the specific issues and technology at hand. In addition, he/she should be ready to withstand opposition by a credible expert.
The bulk of the work we do as computer forensics experts in discovery projects starts with user Windows or Mac computers, standard email systems and network file storage. When deciding whether to use an internal IT resource or an outside consultant to handle data you are obligated to preserve, weigh not only the financial cost of collecting the data but also the cost of the problems that arise if preservation obligations are not properly met or managed. Depending on the scope of the case, you may choose to hire a discovery vendor with limited forensic resources or look for a specialized computer consultant whose focus is preservation and forensic analysis. Early in the life of a case, your investigation of the matter will run concurrently with fulfilling litigation hold obligations. Both tasks, preserving the right data for anticipated litigation and determining whether an employee you hired brought proprietary information from a competitor's IT environment, require forensic preservation and analysis skills.
The first step in an investigation is usually interacting with legal counsel, executives and system administrators, possibly along with HR and other stakeholders, to plan the investigation, identify relevant sources of data and schedule the preservation of data. The second step is usually properly preserving that data. In less complex cases involving few systems, the work may be adequately performed by a small local vendor who can obtain a verified forensic image (not merely a file-level backup) of a Windows PC for production of the user's files. Even in a smaller scale project, your vendor should document chain of custody, properly use tested forensic software and hardware tools and keep accurate records of their work.
If you use internal resources it is even more important, and less often done well, to have technical staff keep good records of their preservation and collection efforts. Internal IT staff will likely not have testified before, so they will be better prepared if they keep good records. IT administrators whom I have worked with over the years may not have always taken the time in their busy schedules to write reports or keep chain of custody records, but they generally agree that it is a good idea to keep an accurate log. Systems people understand logs and will need little persuasion to maintain a summary of what was done: who handled each item, when, with which tool, and the hash values that were recorded at acquisition and at each later verification. If you need to hand off data at a later date to a forensic consultant or discovery vendor, such a log will be a valuable tool in understanding what was done with the data early in the matter.
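The kind of log the two preceding paragraphs ask internal IT staff (or a small vendor) to keep can be made tamper-evident with very little effort. The following is an added example, not code from the article or from any forensic tool it mentions: it records MD5 and SHA-256 digests for an acquired item (the pair most imaging tools report), appends each custody event to a hash-chained log, verifies the chain, and flags any item whose recorded digests change between entries. The item name, custodian names, tool name and timestamps are constructed sample data, and the log format itself is hypothetical.

```python
"""Hash-chained chain-of-custody log for a preservation job (added example).

Every entry carries the hash of the previous entry, so editing, reordering or
deleting an entry after the fact breaks verification. Digests of the evidence
item are recorded at acquisition and at each later verification so a mismatch
(an altered image) is visible from the log alone.
"""
import hashlib
import json


def hash_evidence(data: bytes) -> dict:
    """Return the MD5 and SHA-256 hex digests of an evidence item."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _entry_hash(prev_hash: str, fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: list, *, item: str, action: str, custodian: str,
                 examiner: str, tool: str, digests: dict, when: str,
                 note: str = "") -> dict:
    """Append one custody event, chained to the previous entry.

    `when` is an ISO-8601 UTC timestamp supplied by the caller so that the
    log, and therefore its hash chain, is reproducible.
    """
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    fields = {
        "seq": len(log) + 1,
        "timestamp": when,
        "item": item,
        "action": action,
        "custodian": custodian,
        "examiner": examiner,
        "tool": tool,
        "digests": digests,
        "note": note,
        "prev_hash": prev_hash,
    }
    entry = dict(fields, entry_hash=_entry_hash(prev_hash, fields))
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Recompute the hash chain; any altered, reordered or removed entry fails."""
    prev_hash = "0" * 64
    for seq, entry in enumerate(log, start=1):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if fields.get("seq") != seq or fields.get("prev_hash") != prev_hash:
            return False
        if _entry_hash(prev_hash, fields) != entry["entry_hash"]:
            return False
        prev_hash = entry["entry_hash"]
    return True


def digest_mismatches(log: list) -> list:
    """Return (item, seq) pairs whose digests differ from the item's first record."""
    first = {}
    mismatches = []
    for entry in log:
        item = entry["item"]
        if item not in first:
            first[item] = entry["digests"]
        elif entry["digests"] != first[item]:
            mismatches.append((item, entry["seq"]))
    return mismatches


def build_sample_log() -> list:
    """Constructed sample: a laptop image acquired by IT and handed to an outside examiner."""
    image = b"constructed disk image bytes (not a real acquisition)"  # constructed sample data
    digests = hash_evidence(image)
    log = []
    append_entry(log, item="LAPTOP-0421 image", action="acquired",
                 custodian="J. Doe (IT)", examiner="J. Doe (IT)",
                 tool="hypothetical-imager 1.0", digests=digests,
                 when="2024-01-15T14:02:00+00:00",
                 note="Write blocker used; source powered off before imaging")
    append_entry(log, item="LAPTOP-0421 image", action="verified",
                 custodian="J. Doe (IT)", examiner="J. Doe (IT)",
                 tool="sha256sum", digests=hash_evidence(image),
                 when="2024-01-15T15:10:00+00:00")
    append_entry(log, item="LAPTOP-0421 image", action="transferred",
                 custodian="Outside forensic consultant", examiner="J. Doe (IT)",
                 tool="n/a", digests=digests,
                 when="2024-01-16T09:00:00+00:00",
                 note="Sealed drive; tamper-tape serial recorded on the paper form")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(json.dumps(sample, indent=2))
    print("chain verifies:", verify_log(sample))
    print("digest mismatches:", digest_mismatches(sample))
```

The chain only proves that the log has not been altered since each entry was written; it does not replace the signed paper form or the tamper tape, and the timestamps are only as trustworthy as the clock and the person entering them. Its value on hand-off is that the receiving consultant can rerun `verify_log` and compare the recorded digests against a fresh hash of the image before relying on it.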
There are times when it is important to bring in an experienced computer forensics expert with a credible team to support your investigation and discovery. In certain types of cases, it is important to respond quickly in order to preserve data that may change or be overwritten by user actions in the normal course of business. In addition, consider whether you need an expert who has certain skill sets on his/her team. Experience with other operating systems or enterprise systems is not in every consultant's tool kit. Querying proprietary database systems, analyzing servers or workstations that run operating systems other than Windows or Mac OS, reviewing massive data sets for signs of a computer intrusion, and comparing software versions in IP cases all call for advanced skill sets.
In larger matters, with multiple locations and complex technical issues, your computer forensics expert should have a mix of analysts on staff. Credible teams that I have worked with (and against) have had both senior experts with deep experience and other specialists who could focus on specific data sources. A mix of team members who hail from IT administration, law enforcement and IT security backgrounds helps to round out a top-notch team for larger litigation projects.
As I mentioned earlier, there is no single path to becoming an expert in computer forensics. Also, there is no single licensing authority or certification. When you review the resume of a potential expert and his/her team, look for relevant experience. For example, if your case involves the Linux operating system, ensure that the team has relevant experience performing analyses in that environment. Attorneys whom I have worked with may have seen a technical resume and assumed that any experience with computers was enough. In a case that I mentioned in a previous article, the forensics practitioner had no apparent Linux experience and the case centered around file creation dates on a Linux system. Although I assisted in preparation for his deposition, he was de-designated before we had the chance to examine his lack of relevant experience. Perhaps the opposition realized that their expert was not a good fit.