I receive many telephone calls and emails with questions about computer forensics expert witness services. I have created a frequently asked question list which is about fifteen pages long. What I have done is narrow the scope to the top ten items which I believe are important in the selection and retention of a computer forensics expert witness for your matter, with a brief explanation of each element.

Obviously, each case has a series of unique dynamics and elements, but I have composed this as more of a generic approach, based upon observation and practice.

1. Objectivity- A great computer forensics expert can bring a fresh and impartial approach to your matter. Someone needs to come to the litigation with impartial eyes and be able to apply the findings in the pending matter.

2. Testimony- In criminal prosecutions, "fact witnesses" may lack the ability to render opinions related to computers, whereas the computer forensics expert witness can and does testify in court and can render an opinion. This skill can enable testimony in support of alternative theories, when compared to "fact" witnesses.

3. Cost- The time involved in an incarceration, or in a matter involving money such as community property assets, can be very costly for a party. The objective of any great computer forensics expert witness is to approach every case with impartiality, and to take the education and experience that the practitioner has garnered and apply it in your matter. There are two types of cases: private pay and Criminal Justice Act (CJA) / Public Defender matters. Private pay is where the expert is retained either by a party or counsel, whereas CJA and public defender cases are criminal matters whose costs are borne by the government. Please consult with counsel with regard to your matter and the options available.

4. Case Assessment- A knowledgeable expert will not only have a basic understanding of the processes and procedures involved in computer forensics, but will also be able to understand the reports and other legal documents, in order to target an objective answer and potential dismissal, possibly at a pre-trial hearing, in criminal matters. The knowledgeable expert will have the hardware and software tools, as well as the experience, to make value-added recommendations that enable the best choices in your matter.

5. Evidence Acquisition- It is imperative that certain protocols be in place during the acquisition of evidence, whether by Law Enforcement Authorities or by the Defendant's or Plaintiff's expert. This includes the use of various tools to ensure that the integrity of the evidence is maintained. Errors do happen and need to be identified as early as possible.

6. Evidence Examination- During this phase, the forensic image is taken and mounted to undergo the examination process. The first step is pre-processing the data, so it can be thoroughly examined. Depending on the amount, size and content of the media, this process can take anywhere from 1 day to 1 week for one piece of media. Depending upon the pending matter, which may involve graphical images, serial numbers, phone numbers, documents or spreadsheets, the plan developed in the assessment phase is tailored to the matter and to an examination of what data is, or in some cases was, on the hard drive.

7. Evidence Analysis- The analysis phase involves taking the information and, literally, putting the pieces of a puzzle together. This can include the identification of users, programs, searches, connected peripheral equipment, networks, internet history and chat logs, and the construction of timelines. Again, it is dependent upon the type of case. For example, in a search for assets, the focus would be first on spreadsheets and databases, then document files and internet history, and finally images, such as facsimiles.

8. Reporting the findings- The reporting ties all of the preceding phases together, in a report as well as graphical presentations. With the advent of automation, what once took several weeks now results in higher quality and fewer hours of manual labor in the production of reports and artwork.

9. Equipment and Communication- Obviously, having the basic equipment and software licenses is a key part of the equation in the hourly rate. A seasoned expert will have the equipment to perform the work, with the exception of discrete materials required in the performance of your effort. Items such as unusual software licensing, hard drives or other materials are not covered under the hourly rate. "Basic" items, such as software licenses, computers, write blockers, disk duplicators and so forth, are. A well-seasoned professional has the tools available to minimize your costs while maximizing the effort. The ability to communicate the findings and concepts is a key factor in your matter. The CFE needs to be able not only to express the facts, but also to create the exhibits that support the testimony that is provided. Therefore, the ability to communicate through voice and exhibits is paramount.

10. Time- Attorneys' fees and costs are a major factor in any litigation. More often than not, people fail to realize that time is not their friend. It takes time not only to get the answers, but also to obtain evidence, develop and examine alternative theories, prepare exhibits, consult with counsel and possibly appear at pre-trial hearings.

The foregoing is based upon my observations and experiences as a computer forensics expert. Obviously, there can always be a priority shift, or another dynamic or series of dynamics, which would impact your selection. Of all of these elements, time is the critical factor for the seasoned professional. Waiting until the last minute, or making a poor choice, can not only negatively impact your matter, but may lead to disastrous results or a catastrophic failure.

Please consider implementing these guidelines in the pursuit of your particular matter.

Steven Moshlak has over 30 years of experience in the realm of computer forensics, in the criminal, civil, administrative and Uniform Code of Military Justice arenas. Mr. Moshlak has worked for a number of tech-oriented companies and owns his own business. Mr. Moshlak has performed the recovery of deleted files and the decryption of files of accounting programs, spreadsheets, zip, databases, e-mail and word processing documents. He serves, and has served, as a project manager in the technological development and cost analysis of information technology systems, hardware and software, both commercial and under the Federal Information Security Management Act of 2002 (FISMA).