Expert Witness – Computer Forensics – Expert Insights PC
Computer forensics is the intricate science behind investigations and analysis of computer data in order to find evidence and information pertaining to a legal case. This can range from scrutinizing messages on a smartphone device, to sifting through Gigabytes of data on hard drives, or even cloud storage. This month Lawyer Monthly hears form Craig…
Computer forensics is the intricate science behind investigations and analysis of computer data in order to find evidence and information pertaining to a legal case. This can range from scrutinizing messages on a smartphone device, to sifting through Gigabytes of data on hard drives, or even cloud storage.
This month Lawyer Monthly hears form Craig Reinmuth, a top professional in this segment and the President of Expert Insights, PC, a US-based computer forensics firm. Craig talks about his role, the difficulties therein and the win-win factor of involving a computer forensics expert firm in litigation proceedings.
In cases pertaining to digital forensic investigations, what is commonly involved in your role and how lengthy and complex can the investigation process become?
My role is directly tied to the complexity of the case. Costs are often a big concern with litigation. I therefore encourage counsel to consult with the expert as early as possible in order to develop a strategic plan that will be efficient in the long run. This includes discussions relating to the computers or devices that are most likely to contain relevant data, taking steps to preserve electronic data, and the approach to be taken to obtain the highest level of cooperation from counsel for the opposing party. Should opposing counsel not be cooperative, I will work with counsel in filing appropriate motions with the court to assist in assuring their client obtains the digital data they are entitled to.
What are the primary obstacles in obtaining evidence and facts in order to provide a thorough analysis of digital information?
There are two primary obstacles. Number one, cooperation of counsel. The quality of upfront meet and confer conferences to come up with a mutual agreement significantly enhances cooperation. To gain said cooperation, instead of going after 20 to 25 laptops, an agreement can be made to limit the initial imaging to four or five computers of key people. Based on the review of the data contained on those four or five, sufficient relevant information may be obtained, or you may only need to collect one or two others. Also, assure them procedures will be employed to seclude privileged communications from searches.
Number two, spoliation. Naturally the preference is for the data to be preserved so that it can be ascertained which party is making valid claims. But if the data has been erased beyond recovery, this cannot take place. Nonetheless, I believe digital forensics is a win-win situation. If the data is there, we get to the truth. If it is not there, the party pursuing the digital data is likely to have even a stronger case and win the case based on spoliation alone. At a minimum, material sanctions or adverse inference rulings can be obtained.
How does Expert Insights provide a different approach to the digital forensic process?
Firstly, by not accepting “no” for an answer. Digital evidence leaves behind a trail. By reviewing recovered deleted files, text messages, internet activity, smart phone data, USB history reports, “recent” file activity, “cookies,” GPS data, and information from the registry, a timeline can be put together that will often solve the mystery. A review of this information will also make it clear what electronic data has not been submitted that should have been (e.g. backup drives) and other locations relevant data may reside (e.g. cloud).
As contrasted to electronic discovery, digital forensics can trace documents that were permanently erased prior to submission of the device (volume shadow copy of hard drive), track where the person has been going on the Internet (which can expose what they were researching), and where they may have dumped copies of relevant or confidential files for their future use. “Recent” file activity can disclose activity the individual was up to prior to release of the computer.
Second, by finding ways to provide assistance in every stage of the litigation process, including developing case strategy, the discovery process, analysis of the data, and providing testimony (See table below). This includes developing a clear upfront understanding of the facts and legal positions of the parties prior to reviewing the digital data.
Can the analysis of a large amount of electronic data take a long time? How do you minimize this while still obtaining the required results?
Yes it can. To minimize the time: 1) Be selective with the electronic discovery you collect (see above); 2) Be very cautious with the search terms used to search for relevant data; and 3) Don’t lose site of the core issues of the case.
Does the investigation process differ significantly in complexity according to the digital platform (i.e. mobile phones, hard drives, and the cloud)?
Yes and no. What is most important is using the most appropriate and technically advanced software for the location from which you are going to obtain the data. Specialized forensic software to analyze data on a smartphone, data on a hard drive, or internet activity is different. Some of the analytical procedures remain the same however. Advances continue to be made in the ability to obtain data from the cloud.
You define digital forensics as ‘an art as well as a science’; could you please explain?
Digital forensics is a science and as much as it is a highly technical arena. It requires extensive training and experience. The expert really needs to know what they’re doing, even more so than other areas of expert witness testimony and must stay on top of ever-changing updates to software technology. It is an art from the standpoint of how the expert utilizes their knowledge and experience. How they are able to “think outside the box” and come up with alternate ways to obtain data when they come to roadblocks. The expert’s ability to present technical and complex findings in a clear and understanding manner is also an art for a digital forensics expert.
Is there anything else you would like to add?
Approximately 95% of all data generated today is placed on a computer or phone, and less than 10% of that data is printed out. So whether an executive is: responsible for human relations and suspicious of an employee’s loyalty or false accusations; in finance and suspicious of fraud; or inside counsel involved in unfortunate litigation, it is imperative to examine digital data. And smartphones should be placed at the top of the list… people don’t leave home without them!