Expert Testimony: The “How To’s” for Selecting the Right Digital Forensics Expert

What is an Expert?

In the field of digital forensics, there is no governing body at the national or state level that accredits examiners as being competent in their field. The industry does not have a bar exam or other system in place to ensure that experts in digital forensics possess even the minimum qualifications necessary to practice in this field. This complicates selecting a digital forensics expert, and the complications multiply when numerous forms of digital evidence are in a case. For example, an expert may be competent in computer forensics but have no experience in mobile phone or GPS forensics.

Depending on your state or jurisdiction, the test used to determine whether or not expert testimony will be allowed by the court may be the Frye test (Frye v. United States, 293 F. 1013 (D.C. Cir. 1923))[1], the Daubert test (Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993))[2], the Porter test (State v. Porter, 241 Conn. 57, 698 A.2d 739 (1997)[3], cert. denied, 523 U.S. 1058, 118 S. Ct. 1384, 140 L. Ed. 2d 645 (1998); Sec. 7-2 Connecticut Code of Evidence)[4], or another test outlined in that state's code. Many states have practice manuals and a set of specific statutes that govern experts and expert testimony. Contacting your state bar association is an excellent way to locate this type of information. The Federal system uses Section 700 of the Federal Rules of Evidence, and specifically Rule 702, to define expert witness testimony.

Federal Rules of Evidence: Rule 702. Testimony by Experts:

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

No matter which rule governs your particular case, all experts must first qualify as an expert in any case in the United States where they will be asked to provide expert testimony. When determining which expert is best for your case, it is important to establish selection criteria.

What evidence is part of your case?

If your case includes multiple types of evidence, such as computers, mobile phones, social media accounts, and call detail records, it is critical that your expert is qualified in all of these areas. To cover all the bases, it may be necessary to have multiple digital forensic experts on a single case to cover all the forms of evidence. Given the complexity and the myriad sub-disciplines within digital forensics, this is a highly probable reality.

What type of case do you have?

The expert you employ should have expertise and experience in the particular type of case that you have. If you have a data breach with a loss of personally identifiable information, an expert in cyber security and the protocols related to proper cyber hygiene is exactly what you need. However, that same expert may not have the correct tool set to handle a medical malpractice case where a mobile phone examination is needed to determine the location of a doctor the night before, or to recover deleted text messages that might be of evidentiary value.

The Prequalification Process

Once you have determined a list of potential experts, it is helpful to go through a prequalification process to determine which one is the best fit. Resumes and curricula vitae should be examined, and the following questions can assist in the decision-making process.

Does the examiner have forensic training and experience?

While a technical expert may have an impressive resume, digital forensics is a niche and specialized field. Technical certifications related to networking, computer repair, or other information technology disciplines are not the same as digital forensic certifications. There are numerous certifications specific to digital forensics that show a level of competency. These certifications also greatly improve the likelihood that the expert will be able to qualify as an expert in court.

CASE EXAMPLE

In the NC v. Cooper homicide case, Google Maps evidence was critical in the defense of Bradley Cooper, according to defense counsel. In order to proffer this evidence, the defense attempted to call Jay Ward as their expert. Jay Ward had over 15 years of experience in network security and information technology. Despite this, the court ruled that he could not testify to the evidence because he lacked the necessary qualifications:

"The State focused on Ward's lack of training and experience as a forensic computer analyst. The trial court agreed with the State and, on 19 April 2011, ruled that Ward could not testify specifically about the Google Map files."

https://lawprofessors.typepad.com/evidenceprof/2013/09/in-2006-i-was-living-inchelsea-one-day-my-wife-our-friend-and-i-went-to-thewhole-foodsin-chelsea-while-we-were-in-the-c.html#

What are the fees charged by the examiner? Are they reasonable? 

While there is a range of hourly rates within all professional services, there is a range that is reasonable. If rates are too high it should raise suspicions, and if they are too low this is likewise the case. If they are too high, you are potentially getting fleeced, and if they are too low it should call into question whether the expert has the appropriate tools and expertise to do the work. Remember, anyone can hang a shingle on their door and claim to do digital forensics, since there is no governing agency for the field. The best way to get an estimate of appropriate hourly rates is to get quotes from numerous reputable digital forensic companies.

What tools and software does the examiner have? 

Since there is no governing agency ensuring that a client will have an actually qualified examiner, knowing the tools and software that the digital forensics expert utilizes in the process of their examination is critical. This is because the true barrier to entry to actually doing digital forensics work is the cost of acquiring the forensic tools and software needed to do the work properly. A list of example forensic certifications and the corresponding forensic tools, software, and disciplines is as follows:

Computer Forensics

Magnet Forensics Certified Examiner (MCFE)
Certified Expert in Cyber Investigations (CECI)
Encase Certified Examiner (EnCE)
Digital Forensics Certified Practitioner (DFCP)
Certified Blacklight Examiner (CBE)
Certified Computer Examiner (CCE)
Certified Forensic Investigation Professional (CFIP)
Certified Mac Forensics Specialist (CMFS)
OSForensics Certified Examiner (OSFCE)

Cell Phone Forensics

XRY Certified Examiner (XRY)
Cellebrite Certified Operator (CCO)
Cellebrite Certified Physical Analyst (CCPA)
Cellebrite Advanced Smartphone Analysis (CASA)
Cellebrite Certified Mobile Examiner (CCME)

Cell Phone Tracking and Location

Certified Telecommunications Analyst (CTA)
Certified Wireless Analysis (CWA)
Certified Telecommunications Network Specialist (CTNS)
Certified IP Telecommunications Specialist (CIPTS)

GPS Forensics

Blackthorn Certified Examiner (BCE)

CASE EXAMPLE

In a civil case that later became a Federal RICO case, the opposing expert was ordered by the court to provide forensic images (copies) of all the computers at the defendant's location. The opposing expert used an information technology tool to make copies of the computers. This tool is not a forensic tool and does not have the capability to provide the forensic hash algorithms or cyclic redundancy checks that allow an examiner to know, without a doubt, that the evidence is above reproach. Our examiner testified as an expert witness in the case, explaining the problem with these copies. At the end of our expert's testimony, the judge ruled from the bench in favor of the plaintiff due to the improper handling of the evidence by the opposing expert and the lack of cooperation by the defense due to their refusal to provide the original evidence items to us.
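The case example above turns on something a forensic imaging tool does and an ordinary copy tool does not: record a hash (and often a CRC) of the source media at acquisition time, so that any later copy can be re-hashed and shown to be identical, bit for bit. The following is an added illustration of that verification step, not code from the original article or from Envista Forensics. The "disk image" and its acquisition hashes are constructed in memory for the example; in practice the stream would be a multi-gigabyte image file read from disk, which is why the hashing is done in chunks.

```python
import hashlib
import io
import zlib

# Read images in 1 MiB pieces so a multi-GB image never has to sit in memory.
CHUNK_SIZE = 1024 * 1024


def hash_stream(stream) -> dict:
    """Compute MD5, SHA-256 and CRC32 over a file-like object in a single pass.

    Forensic imaging tools typically record at least one of these at acquisition;
    recording more than one guards against questions about any single algorithm.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    crc = 0
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        md5.update(chunk)
        sha256.update(chunk)
        crc = zlib.crc32(chunk, crc)  # running CRC, carried across chunks
    return {
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }


def hash_bytes(data: bytes) -> dict:
    """Convenience wrapper for in-memory data (tests and small samples)."""
    return hash_stream(io.BytesIO(data))


def verify_image(data: bytes, acquisition_hashes: dict) -> dict:
    """Re-hash a copy and compare it with the values recorded at acquisition.

    Returns a per-algorithm match result so a report can show exactly which
    values agreed and which did not.
    """
    current = hash_bytes(data)
    return {name: current.get(name) == value for name, value in acquisition_hashes.items()}


def image_is_intact(data: bytes, acquisition_hashes: dict) -> bool:
    """True only if every recorded acquisition hash is reproduced by the copy."""
    results = verify_image(data, acquisition_hashes)
    return bool(results) and all(results.values())


# Constructed sample "image": 510 zero bytes, an MBR-style 0x55AA signature,
# then some filler standing in for sector data. Not real evidence.
ORIGINAL_IMAGE = b"\x00" * 510 + b"\x55\xAA" + b"evidence sector data" * 100

# Hashes an imaging tool would have written to its acquisition log.
ACQUISITION_HASHES = hash_bytes(ORIGINAL_IMAGE)

# A copy with a single bit flipped, standing in for what a non-forensic copy
# tool (or a write to the media) can silently introduce.
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[700] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    print("acquisition hashes:", ACQUISITION_HASHES)
    print("faithful copy intact:", image_is_intact(ORIGINAL_IMAGE, ACQUISITION_HASHES))
    print("altered copy intact: ", image_is_intact(TAMPERED_IMAGE, ACQUISITION_HASHES))
    print("per-algorithm result for altered copy:", verify_image(TAMPERED_IMAGE, ACQUISITION_HASHES))
```

The point for a reader choosing an expert is not the code but what it makes possible: when the acquisition hashes exist, any party can independently re-run this check on the copy they were given and either confirm it matches the original or show precisely that it does not. When no hashes were recorded at acquisition, as with the copy tool in the case above, there is nothing to compare against and the copy cannot be authenticated after the fact.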

What to Expect from an Expert

When you contact a forensics expert, you may not know exactly what you need or where data of potential evidentiary value is located. Further, depending on the case, the steps that must be taken for a proper examination vary considerably. An expert should be able to assist you in every step of the process, including:

  1. Obtaining evidence
     a. An expert should be able to assist you with the technical portions of developing motions and orders to access evidence. In many instances, if the evidence is not asked for correctly, using the proper technical terminology, the result will be receiving the wrong information, or nothing at all.
     b. An expert should be able to assist you in determining where data valuable to your case is located. This includes whether the data is on local devices such as mobile phones and computers, on network share drives, in cloud storage, or in social media accounts.

  2. Analysis
     a. In order to perform an analysis, it is often required that a protocol be in place before any work can begin. An expert should be able to assist you in creating a protocol for the examination of evidence, and this protocol should provide the information necessary to assure all parties involved that the original evidence items will remain exactly as they were before the examination. Every attempt should always be made in a digital forensics analysis to preserve digital evidence as a "snapshot in time" of exactly how it existed upon seizure or forensic imaging (copying).
     b. Your expert should be able to verify the work of an opposing expert to determine if the findings are valid. This involves performing an independent analysis of the evidence to ensure that all the facts are accurate and that all of the evidence has been completely analyzed. It is not uncommon for some experts to find their alleged "smoking gun" and then end their examination prematurely, having not taken all of the data into account.

  3. Court Preparation
     a. If a case is going to trial, your expert should be able to assist you in understanding what an opposing expert is going to say based upon their forensic report. Further, your expert should be able to assist you in writing the direct examination for themselves, and in preparing the cross examination of an opposing expert.

Expert testimony is the culmination of everything that goes into a digital forensic examination, from consultation, acquisition, analysis, and reporting, and finally to the courtroom. Selecting the expert with the appropriate technical expertise and experience is vital, but just as important is that expert's ability to explain technical concepts, forensic procedures, and digital artifacts in plain language. The use of jargon and acronyms is detrimental to the triers of fact. At the end of the day, if an expert has an airtight analysis but cannot communicate effectively to a judge and jury, the words are meaningless. As a final parting recommendation, when selecting an expert, choose one you can have a conversation with. If that expert cannot explain technical details to you in an accessible way, they likely don't understand what they are talking about themselves.

Lars Daniel, EnCE, CCPA, CCO, CTNS, CTA, CWA, CIPTS
Practice Leader – Digital Forensics
Envista Forensics