What is a computer forensics expert witness? What is computer forensics and a computer
forensics expert witness? What is E-Discovery or Electronic Discovery? What percentage
of computer forensics expert witnesses have been performing computer forensics for
over five years? What is the definition of an Expert Witness?
The simple definition of an Expert Witness, in use as early as 1980, is: "A person
is qualified to testify as an expert if he has special knowledge, skill, experience,
training or education sufficient to qualify him as an expert on the subject to which
his testimony relates." (Calif. Evidence Code sec 720)
The advent of the personal computer has made life considerably easier for the
average person, who can now communicate and perform in hours tasks which once
required days of manual labor. Productivity gains come in the form of the ability to
re-use drawings or to edit papers without retyping and reformatting the entire
document, such as a term paper, thesis or dissertation, proposal or legal
complaint. The fax machine will eventually become obsolete as document scanners
are used in the storage and transmission of documents, either by courier on optical
or magnetic media or by e-mail. Some individuals will use the Internet for research
and others will use it for purposes that are not so nice.
This is where the art of computer forensics, the ability to provide expert testimony,
comes into play, and so do I, Steven Moshlak. A good forensics professional needs
to be "...half-engineer, half-lawyer and half-computer" to complete the mission,
YOUR MATTER! The individual performing the forensic investigation needs to approach
ANY situation with an unbiased approach in order to present an opinion based upon
the facts and not swayed by "the color of money."
Depending on what your matter is, criminal or civil, the role of an Expert Witness
is to provide testimony based upon facts and the utilization of his / her life's
experience. In the area of criminal law, law enforcement has taken on a role to
curb, if not eliminate, computer crime. As ideal as this may seem, as fast
as one scam is quashed, another three pop up in its place to make life miserable
for one or more poor end-users. The Federal Bureau of Investigation's Organized
Crime Division, Texas Rangers and the U.S. Army's CID, USAF's OSI and USN's NIS units
have some of the most talented individuals within their respective organizations.
Ironically, because of re-organization and re-prioritization, a large part of
civilian computer crime is now investigated either by a Regional Computer Forensics
Lab or by one operated by state and local law enforcement agencies. Granted that most
law enforcement agencies do not have a "crime lab," they rely upon sworn personnel
to perform the intake, the investigation and the computer forensics, and to testify to the
effect of what they find (not necessarily what they have not been trained to locate).
Speaking of training, most attend a three to five day seminar (probably a December-February
class in Florida, Nevada or California), "become certified," generally speaking
have less than 20 hours of total hands-on training on one tool, and are then recognized
as "experts" by the courts. However, certain agencies, in order to maintain "checks
and balances," retain experts in their field and, rather than run the risk of a
conflict-of-interest issue, have Special Investigative Divisions. Other issues, such as
whether they have the "latest and greatest" tools with the ability to be accurate
and whether they have the know-how, are something that your attorney will question.
I, as well as a number of other experts, believe that one tool isn't enough and that
verification and validation are required before a factual finding of guilt is made.
We use the latest tools from AccessData and Logicube, the same people who supply
government agencies with their tools, as well as Eurosoft and a number of other tools.
From a case perspective, peer-to-peer networking is an example. The risk of having
a peer-to-peer network is that it opens up a can of worms by letting others view
or store incriminating data on a defendant's computer.
From a civil perspective, the computer has become a "treasure trove" of information.
Whether it is a corporate CEO trying to "bury" his assets, emails or other incriminating
memos, if it is on a computer or server, it will probably turn up. Most family law
issues (divorce, spousal and child support) have become increasingly dependent
upon computer data, simply because the traceability of data regarding assets has
become very important. E-mail can point to issues ranging from inappropriate conduct
to proof of innocence, or to the commission of, or complicity in, a crime or tort.
There are other factors, such as HIPAA, Sarbanes-Oxley, Clinger-Cohen and numerous
state regulatory issues regarding privacy and truth in corporate reporting.
Corporate leaders and members of the medical community are becoming more reliant
upon the use of computers to manage their affairs and, by doing so, in the event
there is a single point of contact failure, a requirement exists for someone who
is responsible to examine the computer for evidence on their behalf. This may include
password recovery and data forensics when building a time-line of events.
If you have any questions, please feel free to contact us and we will be happy to
talk with you about the issue that concerns you.
Yes, about the question of "What percentage of computer forensics expert witnesses
have been performing computer forensics for over five years?" In an unscientific
poll, approximately 10%, out of 3200 responses, have responded that they have
performed this work. By extrapolating this figure, there are very few with 10 or
15 years, and even fewer with 20 years or more, of experience, tools and knowledge. Whomever
you select, choose the right person or company that will meet your needs.