Five Questions to Ask Your Computer Forensics Expert

Whether you are at the outset of discovery or considering how to advise your client in responding to the defection of key employees to a competitor, asking the following five questions may help you find the right computer forensics consultant for your case.

Computer forensics experts are asked to wear a number of hats and perform various services. First, experts provide litigators with forensic analysis of data in support of pre-litigation investigations. For instance, if you suspect key employees who left your client's company may have taken a copy of the client list or other proprietary data, a computer forensics expert can perform analysis of computer systems which may uncover evidence that helps you decide to file a complaint or take other action in response.

Second, a computer forensics expert can also work to identify sources of data you may have a duty to preserve and produce during discovery. When it comes to computer systems, different stakeholders may respond differently to that legal hold notice you circulate. Users may delete data for various reasons, or IT administrators may choose which system they feel should be preserved without consulting you on how this impacts your case.

Knowing at an early stage what hat you need your expert to wear can help you hire the right expert for your case. It can also give you an additional resource for making key decisions. As your case develops and you amass items of key electronic evidence, a computer forensics expert can provide declarations, reports or expert testimony to authenticate evidence at trial or when the evidence of a data theft must be explained.

The field of computer forensics has grown in recent years, and there is no single path your expert must take to end up presenting computer evidence in your case. Your expert may have experience in information technology (IT), education in information systems, or come up through law enforcement or consulting industry ranks. Below are some questions you might ask the forensics expert you are considering hiring to ensure the individual has the background and experience you need to effectively try your case.

1. What are your credentials and background?

Understanding your expert's background and looking for exposure and experience in enterprise IT environments, communicating results of analysis and the ability to present technical ideas to those less technical are important traits to consider. Experience in managing complex case assignments or coordinating the execution of forensic protocols and reporting the results accurately is essential.

As noted above, many forensics experts come from different walks of life. A prior law enforcement officer may have done forensic analysis assignments surrounding the recovery of data involving the exploitation of children or other criminal cases, but may lack depth in corporate IT environments. A practitioner who has obtained forensics certifications as a discovery vendor may have performed many e-discovery collection projects but not have experience in preparing expert reports or declarations or in providing effective expert testimony. Depending on the type and needs of your case, finding out backgrounds may help you select the best candidate for you.

As mentioned above, you may have a case where theft of a client list may have occurred. In addition to reviewing activity on the former employee's laptop or desktop system for the use of external drives or transferring data to cloud storage, analysis may involve review of security or system logs or analysis of a customer relationship management (CRM) database. An expert who has experience efficiently reviewing disparate sources of enterprise data and expertise on his team to review database data or security log data may be best suited for this type of case.

Or, you may find that you are defending the company that may have hired employees who are now accused of having brought proprietary data with them from a prior employer. A computer forensics expert with experience in supporting litigation along with forensic analysis will help you consider what data you have a duty to preserve and produce during discovery. In addition, your expert should plan a focused analysis of the most important data sources. An expert experienced in discovery and defense cases will also be able to assist in negotiating inspection protocols that balance your client's privacy with discovery obligations.

2. How have you been able to save costs on previous cases?

Drawing on lessons learned by having worked through evidence issues in similar matters and environments may help you leverage computer evidence better than your opposition. In today's litigation environment where case budgets and estimating expenses are our daily concern, your expert's experience in managing forensic assignments and providing answers by focused forensic analysis or proper data collection will help you manage costs and work efficiently.

3. What procedures do you use to insure all evidence is defensible?

All computer forensics practitioners have a working knowledge of chain of custody practices and recording the hand-to-hand transfer of evidence. However, not all evidence handling practices are equal. Since there are varying levels of documentation practices, it is important to know how your expert ties to its source that smoking gun document you are working to have admitted into evidence.

Your computer forensics expert should be conversant in issues pertaining to the preservation and acquisition of computer evidence and the issues commonly raised during discovery of computer evidence. One of the common pitfalls in e-discovery may arise when a client decides to do a collection of computer data on its own. Simply copying data may change file attributes, and not preserving the right sources of data may lead to sanctions.

Although properly trained and prepared in-house forensics teams are more common and generally do a good job, a computer forensics expert can work with in-house teams or can, at a minimum, help you supervise and document a proper collection of computer records. In a decision last year, U.S. District Judge Shira Scheindlin cautions about poor methodology in self-collections and underlines the need to screen your computer expert to ensure defensible collections in e-discovery. Through proper preservation and collection procedures your expert will help you avoid the sanctions that may occur if the right data is not preserved properly.

4. Who will be doing the work at the keyboard and in the boardroom?

A good forensics team will include analysts with a mix of skills and interests. Your expert is not likely to be the person at the keyboard for every task. Your expert will, however, direct, review and interpret the results of preservation and analysis tasks. Certifications are important, but should be coupled with relevant experience. The makeup of the team supporting your expert may include staff with experience in enterprise systems, administration and analysis of user desktops and laptops, analysis of mobile devices and a broad set of forensic and system administration tools. Database skills and forensic analysis of structured or nonstandard data types may also be important to your case. The extended team your expert works with may also be a consideration. Many companies use contractors to collect data, and someone else may do analysis, while data is hosted for legal review by yet another entity. Make an informed decision regarding the services your expert and the team under supervision may be providing.

In addition to the makeup of the team that supports the expert in the lab, the client-facing portion of the team will help with interactions with decision makers and your legal team. You expert should have the ability to communicate technical ideas clearly to less technical executives or members of your litigation team while having the ability to interview a system administrator effectively. Just the right amount of "techie" quality to speak the language of your computer stakeholder is a plus. Your expert should then be able to interpret those ideas into language you and your client can also understand.

5. What is your experience in providing expert witness testimony?

Preparation for providing expert witness testimony begins with the first interaction with your expert. Documenting the universe of data considered, acquiring forensically sound copies of data, performing tested analysis protocols and delivering a sound report or declaration with support for opinions are all key goals for your expert. An expert with experience that spans different types of cases and both plaintiff and defense matters is less vulnerable to difficult questions during deposition. Your expert should be firm in the opinions he or she can support and understand the deposition process and providing effective expert testimony. Often attorneys have a working, but less accurate understanding of technical details. Your expert should be prepared to handle being asked the wrong question and either answering the question as asked or helping the opposing attorney by redirecting the question, perhaps stating "what I think your asking is . . ." and providing more accurate response.

Understanding when it is best to concede a small point or when to watch for rewording of responses to undermine your expert testimony makes up subtle points your expert should be ready to handle. Proceed with caution with a computer forensics expert who is either inexperienced or too flexible in stating opinions. In cases where I have successfully opposed another expert, I have found witnesses are the most vulnerable if they overreach in their opinions. Do not push your expert beyond what the data or your investigation will support. It is sometimes difficult to give an absolute answer on a key technical point; however, having an opposing expert show your expert could not support an opinion may be more damaging than a less than ideal opinion.

By asking a few key questions you can better understand your computer forensics expert's experience, background and approach to computer forensics and discovery assignments. When I left the government and began working as a computer forensics consultant, it was not uncommon to be opposed by an IT administrator, an inexperienced forensic analyst or a technician with minor, and perhaps unrelated, computer experience. In many cases today, it is common for the opposition to have hired an experienced computer forensics expert, and there may also be a neutral third-party computer forensics expert involved as well. In these cases it is important to understand the makeup and experience of the expert's team and their effectiveness as expert witnesses. For both small cases and high-stakes ones, screening your expert with a few key questions will help ensure your success.