Checklist for Selecting a Digital Forensics Expert
These devices typically include personal computers, servers, networks, portable digital assistant devices and digital storage media. As modern economies make more pervasive use of these devices, it is a reasonable proposition that the effective use of this digital data will be influential for successful legal outcomes.
 
Background

Both individual litigators and corporate counsel have become aware of organizational data retention policies and associated repositories of digital information utilized in computerized office administration systems, including email and electronic messaging, and information technology systems which support core business functions such as human resources, finance, logistics and production functions. These are complex, technology-based systems that have a vast array of data forms, types and storage structures. The proper forensics recovery of these data forms is a technically complex and artful set of procedures conducted by qualified digital forensics experts. Most corporations and law firms have limited digital forensics resources and generally need to rely on outside forensics experts for these specialized services. Given this situation, the following is a framework for finding and properly utilizing the proper forensics expert for your legal needs.

Questions for Your Particular Case

  1. Does your case deal with individuals or groups of people who make use of computers, networks, electronic messages, cell phones or paging devices? Can information derived from these devices be useful to your litigation?
  2. Have you considered obtaining a list of these devices in use by the person(s) of interest? Do you have indications that these devices are or are not available for your discovery?
  3. Have you planned and prepared written discovery requests related to these devices and their information? Have the familiar tools of interrogatories, requests for certain types of production, preservation notices, and depositional plans been properly coordinated among the parties in force? Do these interrogatories encompass digital devices and digital information?
  4. Have you considered the utility of focusing on the electronically native form of requested documents and emails rather than the typical printed document? It is important to note that native digital form production makes use of meta-data (data about data), is more useful and available for computer searching using key terms, and enables the use of more advanced “social group” analysis and email forensics analysis. The use of scanned paper documents in the typical “tiffed” scanned form sharply limits forensics analysis and the utility of these types of materials.
  5. To what extent do you feel that certain electronic documents have been archived, “deleted,” removed or altered? If this is indicated, you should promptly consider preservation action because as time progresses, digital data becomes increasingly difficult to fully recover.
If these aforementioned issues point to the potential utility and critical importance of discovery of digital data, the use of a qualified digital expert should be considered.

Locating the Forensics Expert Candidates

1. Recognize that digital forensics is an emerging profession. The relative professional competencies, knowledge, skills and experiences are quite varied among different forensics examiners. In the US, there is no single de-facto certifying entity responsible for assuring the competency of a particular digital forensics examiner. Therefore, legal professionals should understand that locating the right forensics examiner is time-consuming but necessary in order to make use of the right forensics examiner in your particular case.

2. The legal professional should recognize that digital forensics is not simply recovery of data. On the contrary, digital forensics is a much more complex set of investigative processes. Digital forensics is normally construed as the coordinated and proper conduct of these processes:

  • Planning and implementing a protocol for the production and forensics examination of the digital devices.
  • Digital device identification, characterization and photography.
  • Notations as to type, serial identification and physical anomalies.
  • Data acquisition and verification from a particular digital device.
  • Documentation of the chain of custody activities involving the device and data stored on the device.
  • Forensic recovery of files, meta-data, deleted files or fragments.
  • Application of key search terms to the forensic dataset.
  • Preparation of an understandable and legally sufficient expert report.
  • Depositional and testimonial services as necessary.
  • Certified return or destruction of digital materials, when so ordered.

In certain case matters, the forensics expert can also provide technical insights and advice about digital devices of potential interest, as well as possible sources of more forensics discovery and the ability to help in constructing additional discovery requests and depositional questions to support your litigation efforts. An experienced forensics examiner can also help discuss the efficacy of statistical sampling and testing of certain digital archival data in various situations. Sampling can be an effective risk management and cost control technique.

3. You should consider asking other legal colleagues about their experiences with digital forensics examiners in past legal activities. You should also consider asking your colleagues about opposing forensics experts in past matters involving their casework. Do not fail to contact the local “techno-lawyer” and ask for potential referrals for names of forensics examiners.

4. I recommend preparing a list of requirements for the type of litigation and the potential type of digital systems (personal computers, servers, networks, etc.). Have your legal staff contact about 5 to 7 potential candidates. Your staff should request that these potential candidates send three items:
  • Current and full CV.
  • A set of at least 3 professional references.
  • A sample engagement agreement or letter.

5. You or your staff should carefully examine the CV. Does the CV clearly disclose the candidate’s educational background? Does the CV contain a listing of technical forensics skills, qualifications and certifications? Professional, certification-level training should be specific and help you gain assurance that the candidate examiner has a mastery of the scientific theories, procedures and techniques to produce reliable investigative results and expert conclusions.

6. Carefully review the past cases and the types of litigation which the examiner has identified in the CV. Are there discernable patterns, plaintiff versus defendant, civil or criminal, and certain bias in terms of law firms? Is there a specialty focus on certain types of litigation, i.e., intellectual property, child pornography, misuse of information technology?

7. The candidates’ references should be contacted and questioned about the candidates’ skills in these areas:
  • Ability to work in accord with the litigation schedule.
  • Ability to effectively communicate in non-technical jargon with the legal team.
  • The overall quality of the forensics investigation and report.
  • The relative quality of any deposition and testimony.
Finally, you should consider making enquiries about both the perceived value and costs associated with the particular forensics engagement.

8. Based on this information and these insights, you should then consider setting up interviews with the top forensic examiner candidates. I recommend that these be at least 1 hour long and conducted at your offices.

9. Each of the candidates should be asked to bring to the interview these items:
  • The current CV with case histories.
  • A sample of a completed forensics report.
  • A depositional record which involves the expert providing testimony about a forensics matter.
  • A written description or illustrative example of the digital forensics protocol that specifies the planned set of procedures the examiner will utilize in the case involving the type of devices involved in your litigation. This may consist of: computers, workstations, servers, networks, electronic message repositories, closed circuit television, fax machines, voicemail, cell phones or paging devices.

Interviewing the Forensics Expert Candidates

1. Consider disclosing some particulars about the case to the extent necessary to determine that the expert is not conflicted in terms of past work, associations, business or personal relationships.

2. Gain assurance that the offered CV is factual and correct. Make sure the candidate understands the requirements of factual representation of education, skills, knowledge and experience in this documentation.

3. Ensure that you are satisfied that the candidate has the necessary education, training and experience commensurate with the planned digital forensics examination and expert testimony that you envision the expert will require.

4. Discuss some particulars about the types and expected number of devices involved in your litigation, e.g. computers, mission-critical servers, networks, electronic messages (email stored in mail repositories), digital images contained in closed circuit televisions, cell phones or paging devices. You should closely question and receive positive indications that the candidate understands the overarching principles, proper uses, and potential limitations of the necessary forensics hardware and software, as well as the methods and procedures as applied to the forensics tasks in the particular matter.

5. Question the forensics examiner about his/her knowledge of precise procedures and systems to duplicate, authenticate, recover, handle, preserve and examine digital evidence.

6. Review the sample forensics examiner report. It should be clear, substantive and offer a set of explicit expert opinions. Look at attached exhibits and graphics. These should be professional in appearance, illustrative of the opinions and technically correct. You should question the examiner about the utility and experiences of demonstrative exhibits in any recent forensics engagements.

7. Look at the sample deposition. Was the testimony successful in both form and substance? How did the candidate handle opposing questions? How did the examiner defend the expert report and the factual basis for the findings and opinions presented at deposition? Review how the examiner followed counsel’s instructions, dealt with objections and made effective use of recesses. Test the candidate with certain “interrogation” style questions and observe responses.

8. Assess the written description of the digital forensics protocol and support set of procedures. Is the description logical and clear in tone? Does the document represent an understandable and objective methodology as to forensics duplication, recovery, preservation and examination of digital evidence? Are there explicit phases for protocols and technical references contained in the protocol descriptions?

9. Ask the examiner about completion of any professional competency or proficiency tests. What constituted the competency or proficiency test and who administered it? Were certificates provided to those examiners who passed these types of tests, or were these tests, in fact, simple training attendance certificates?

10. Inquire as to the extent of continuing forensics training and proficiency training and tests over the past few years. What was the training, what was the topical matter?

11. In the form of an adversarial question, ask for disclosure about any personal history or adverse employment, as well as any administrative or legal investigation or any convictions involved with any ongoing, completed or contemplated proceedings. Ask about uses of controlled substances and request the examiner make an agreement to take random drug tests with supporting polygraph tests as necessary. Carefully assess the candidate’s reactions to stress and the candidate’s ability to truthfully respond to difficult and intensive sets of questions of this type.

12. Review the business terms contained in the sample engagement agreement or letter. Ask about time and cost estimates and the availability to commit to the necessary work schedule.

13. Resolve, to your satisfaction, the overarching question - Does the particular forensics examiner have the education, relevant skills, experiences, qualifications and character to conduct a proper forensics investigation and deliver meaningful reports and effective testimony that deals with the particular digital devices and media in your litigation?

14. Finally, subjectively assess the overall appearance, professional demeanor and potential perceptions of the candidate forensics examiner in the context of an independent expert witness in courtroom settings.

Retention of the Forensics Examiner

After you have selected the forensics examiner, ensure that the engagement documentation specifies these details: retainer, billing matters, scope of work, timetables and the role of the independent expert. Ensure that certain items such as times to commence work, proposed schedule for forensics examinations, and delivery of the expert work product, interim and final reports are clearly established. Notices about presence of contraband, confidentiality, protection of information and opposing discovery issues should be clearly framed. Given the complexity of your litigation, you may want to consider periodic status updates and schedule review meetings as the forensics investigative work progresses.

The value proposition for your digital forensics examiner

The selection and engagement of a qualified forensics examiner should help you accomplish your litigation plan and support your legal work. Conceptually, the professional forensics examiner should support these objectives:
  • Offer your litigation team additional tools and insights about digital data in your litigation plan.
  • Increase your capacity to effectively deal with digital data as a form of discovery and evidence.
  • Help frame the potential efficacy of several advanced forensics procedures including statistical sampling, recovery of encrypted data, social networks, data hiding discovery, and analysis of graphics imagery.
  • Establish a capacity for successfully interpreting both the users and uses of digital data related to your matter.
  • Development of expert testimony, supporting facts and demonstrative exhibits necessary to support the theories in your case.
  • Help defend or assert claims involving the potential of discovery abuse or spoliation involving computer data.

Many attorneys recognize the potential stakes and how critical digital forensics may be to future success in many types of litigation. The effective engagement of competent digital forensics resources to support these needs is essential to successful practice in these litigation matters.
* Larry R. Leibrock, Ph.D., is the Chief Technology Officer for eforensics LLC (www.eforensics.com), a company that specializes in digital forensics and enterprise forensics discovery.
 
© 2004-2008 Law Partner Publishing, LLC All Rights Reserved


