Expert Testimony: The “How To’s” for Selecting the Right Digital Forensics Expert
By Lars Daniel
Sponsored by Envista Forensics
In the field of digital forensics, there is no governing body at the federal or provincial level that accredits examiners as being competent in their field. The industry does not have a bar exam or other system in place to ensure that experts in digital forensics possess even the minimum qualifications necessary to practice in this field. This complicates selecting a digital forensics expert, and the complications multiply when numerous forms of digital evidence are present in a case. For example, an expert may be competent in computer forensics, but have no experience in mobile phone or GPS forensics.
Knowing the questions to ask to help prequalify your expert is crucial, as well as understanding what to expect from their involvement. An expert should be able to walk you through every step of the process from their qualifications, to the tools they will be using, to their process, analysis, and testimony experience. Because ultimately, if an expert can’t help a jury comprehend how the evidence was derived, and what it means, you’re in real trouble.
Where Do I Start?
Depending on the case, the steps that must be taken for a proper examination vary considerably. Let’s start with two key questions:
- What evidence is part of your case?
If your case includes multiple types of evidence, such as computers, mobile phones, social media and call detail records, it is critical that your expert is qualified in each of these areas. Otherwise, it may be necessary to have multiple digital forensics experts on a single case to cover all forms of evidence. Given the complexity and myriad of sub-disciplines within digital forensics, this is a highly probable reality.
- What type of case do you have?
The expert you employ should have expertise and experience in your particular type of case. If you experience a data breach with a loss of Personally Identifiable Information (PII), you would need an expert in cyber security and protocols related to proper cyber hygiene. However, that expert may not have the correct toolset to handle a medical malpractice case where a mobile phone examination is needed to determine the location of a doctor the night before, or to recover deleted text messages that might be of evidentiary value. Though both related to cyber security and technical devices, the expertise required is largely unique.
The Prequalification Process
Once you have determined a list of potential experts, it is helpful to go through a prequalification process to determine which one is the best fit. To assist in this process, it might first be beneficial to understand how the Supreme Court of Canada qualifies an expert. In R. v. Mohan, the Supreme Court of Canada held that, “admission of an expert evidence depends on the application of the four following criteria: 1) necessity in assisting the trier of fact, 2) relevance 3) a properly qualified expert, and 4) the ‘absence of an exclusionary rule’ that would be offended by the admission of the evidence. The burden is on the party calling the evidence to establish that each of these components is satisfied…”1
Later, a restructure of the Mohan test known as the Abbey was put into place. This new structure allows judges to examine the four criteria first, without engaging as a “gate-keeper,” essentially determining the costs and benefits of including or eliminating an expert’s testimony.1
For your case to succeed, it is extremely important that the expert can pass the “expert witness test” and you are able to indicate, with pure precision, “…what the scope and nature of the expert testimony will be and what facts it is intended to prove.”1
To that end, when evaluating and selecting experts, in addition to examining resumes and curriculum vitae (CVs), the following questions can assist in the decision-making process.
- Does the examiner have forensic training and experience?
Whilst a technical expert may have an impressive resume, digital forensics is a niche and very specialized field. Technical certifications related to networking, computer repair or other information technology disciplines are different from digital forensic certifications. Numerous certifications specific to digital forensics can show an expert’s level of competency, which can improve the likelihood that the expert will be able to qualify as an expert in court.
For example, in a U.S. homicide case, NC vs. Cooper, Google Maps evidence was critical in the defense of Bradley Cooper, according to defense counsel. In order to proffer this evidence, the defense attempted to call Jay Ward as their expert. Jay Ward had over 15 years of experience in network security and information technology. Despite his knowledge and experience in IT, the court ruled that he could not testify to the evidence because he lacked the necessary qualifications.
- What are the fees charged by the examiner? Are they reasonable?
Within all professional services, there is a wide range of hourly rates, though there is a range that is considered reasonable. If rates are too high or seem too low, suspicions should be raised. If rates are too high, you’re potentially getting fleeced; if they are too low, you should question whether the expert has the appropriate tools and expertise to do the work. Since there is no governing agency for the field, essentially anyone can claim to provide digital forensics. The best way to get an estimate on reasonable rates is to get quotes from numerous reputable digital forensic companies.
- What tools and software does the examiner have?
A true barrier to entry in properly executing digital forensics work is the cost to acquire the complex forensic tools and software. Knowing the tools and software that the digital forensics expert utilises in the process of their examination is critical because cases have been overturned from improper evidence handling.
To demonstrate, in a U.S. civil case that later became a Federal RICO case, the opposing expert was ordered by the court to provide forensic images (copies) of all the computers at the defendant’s location. The opposing expert used an information technology tool to make copies of the computers. This tool is not a forensic tool and does not have the capability to provide the forensic hash algorithms or cyclic redundancy checks that allow an examiner to know, without a doubt, that the evidence is above reproach.
In this same case, we were sent in as an examiner to testify as an expert witness and explain the problem with the forensic copies. At the end of our expert’s testimony, the judge ruled from the bench in favor of the plaintiff due to the improper handling of the evidence by the opposing expert and the lack of cooperation by the defense due to their refusal to provide the original evidence items to us.
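To make the hash check concrete, the following is an added illustration, not code from the case or from any forensic product: it records digests when an image is acquired and later checks a working copy against that record. The function names, the record layout and the 1 MiB sample "disk" are assumptions constructed for the example.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read in blocks so multi-gigabyte images never sit in memory


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Read the stream once and return its size plus one digest per algorithm."""
    digests = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        size += len(block)
        for digest in digests.values():
            digest.update(block)
    return {"size": size, **{n: d.hexdigest() for n, d in digests.items()}}


def verify_copy(acquisition_record, copy_stream):
    """Return the record fields that no longer match the copy (empty list = intact)."""
    algorithms = [key for key in acquisition_record if key != "size"]
    current = hash_stream(copy_stream, algorithms)
    return [key for key in acquisition_record if acquisition_record[key] != current[key]]


# Constructed sample data standing in for a 1 MiB evidence drive.
SOURCE = bytes(range(256)) * 4096


def demo():
    # Hashes taken at acquisition time go into the examiner's notes.
    record = hash_stream(io.BytesIO(SOURCE))
    # A bit-for-bit copy verifies cleanly.
    faithful = verify_copy(record, io.BytesIO(SOURCE))
    # One flipped bit changes every digest even though the size is unchanged.
    altered = bytearray(SOURCE)
    altered[512] ^= 0x01
    tampered = verify_copy(record, io.BytesIO(bytes(altered)))
    # A copy that lost its final sector fails on size as well.
    truncated = verify_copy(record, io.BytesIO(SOURCE[:-512]))
    return faithful, tampered, truncated


if __name__ == "__main__":
    print(demo())
```

A copy made with a tool that produces no such record leaves nothing to compare against, which is the gap described in the case above.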
Some vetted and approved forensic certifications, tools, software and disciplines you should look for include:
- Magnet Forensics Certified Examiner (MCFE)
- Certified Expert in Cyber Investigations (CECI)
- Encase Certified Examiner (EnCE)
- Digital Forensics Certified Practitioner (DFCP)
- Certified Blacklight Examiner (CBE)
- Certified Computer Examiner (CCE)
- Certified Forensic Investigation Professional (CFIP)
- Certified Mac Forensics Specialist (CMFS)
- OSForensics Certified Examiner (OSFCE)
Cell Phone Forensics
- XRY Certified Examiner (XRY)
- Cellebrite Certified Operator (CCO)
- Cellebrite Certified Physical Analyst (CCPA)
- Cellebrite Advanced Smartphone Analysis (CASA)
- Cellebrite Certified Mobile Examiner (CCME)
Cell Phone Tracking and Location
- Certified Telecommunications Analyst (CTA)
- Certified Wireless Analysis (CWA)
- Certified Telecommunications Network Specialist (CTNS)
- Certified IP Telecommunications Specialist (CIPTS)
- Blackthorn Certified Examiner (BCE)
What to Expect from an Expert
When you contact a forensics expert, you may not know exactly what you need or what data could be of potential evidentiary value. Depending on the case, the steps that must be taken for a proper examination vary considerably, and an expert should be able to assist you in every step of the process, including:
- Obtaining Evidence – An expert should support the technical aspects of developing motions and orders to access evidence. In many instances, if the evidence is not correctly requested with the proper technical terminology (i.e. in a court order), it can result in the wrong information or not enough information. Additionally, an expert should be able to assist in determining where valuable data resides in your case including if the data is on local devices, network share drives, cloud storage or social media accounts.
- Analysis – In order to perform an analysis, it is often required that a protocol be in place before work can begin. An expert should be able to assist in creating a protocol for the examination of evidence, and this protocol should provide the necessary information to ensure all parties involved that the original evidence items will remain exactly as they were before the examination. In a digital forensics analysis, every effort should be made to preserve digital evidence as a snapshot in time, exactly how it existed upon seizure or forensic imaging (copying). Additionally, the expert should be able to verify the work of an opposing expert to determine if the findings are valid. This involves performing an independent analysis of the evidence to ensure all the facts are accurate and all evidence has been completely analyzed. It is not uncommon for some experts to find their alleged “smoking gun” and end their examination prematurely, even if they have not taken all the data into account.
- Court Preparation – If a case goes to trial, an expert should be able to assist the client in understanding what an opposing expert is going to say based upon their forensic report. Further, the expert should be able to assist in writing direct examination for themselves and in preparing cross examination for an opposing expert.
Expert testimony is the culmination of everything that goes into a digital forensic examination, from consultation, acquisition, analysis, reporting and finally, to the courtroom. Selecting the expert with the appropriate technical expertise and experience is vital, but just as important is the expert’s ability to explain technical concepts, forensic procedures and digital artifacts in plain language, as the use of jargon and acronyms can be detrimental to the triers of fact. At the end of the day, if an expert has an airtight analysis but cannot communicate effectively to a judge and jury, the words are merely meaningless.
1 Paciocco, David, and Stuesser, Lee. The Law of Evidence, 6th Edition. Toronto, ON, CAN: Irwin Law, 2011. ProQuest ebrary. Web. 31 October 2015. Copyright © 2011. Irwin Law. All rights reserved.
Lars Daniel is a Practice Leader of Digital Forensics at Envista Forensics and holds seven different certifications. He has provided forensic services to more than 600 criminal and civil cases and appeared as an expert court witness for nearly 30 of those. He has co-authored two books: Digital Forensics for Legal Professionals, and Digital Forensics Trial Graphics: Teaching the Jury through Effective Use of Visuals, spoken at numerous industry conferences, and provides training throughout the U.S.