Most digital forensic practitioners possess an analytical mind. One of the reasons we become interested in the field is that we work to whittle down the digital elements of the case to try to present a clearer picture of the facts in the matter. Whether we are working in law enforcement attempting to implicate or exonerate a suspect, or at a corporate level trying to determine from where a threat actor may have originated, or in the private sector working litigation support in furtherance of a domestic or some other type of dispute, the ultimate goal behind the digital forensic processes and methodologies is to present these findings in a court of law.
To do that effectively, we need to obtain credentials – training and experience over time – so the court can effectively determine if we may be adjudicated an expert qualified to testify about our findings and potentially render an opinion about those findings. This process in the U.S. is called ‘Voir Dire’ (Old French for “to speak the truth”), but wherever the process may take place and whatever it may be called, it is a very pointed vetting of the analyst to determine their qualifications for the term “Expert Witness”. To that end, what types of questions should be asked to ensure that the analyst can be appropriately deemed an “expert”?
The Basics
All vetting of an expert incorporates basic information to help the court make a determination about the weight of their expertise. This is true regardless of whether the expert is a digital forensic analyst, a medical doctor or a roofer. Some of the basic questions/qualifiers are:
- Education level and degree program relevance to the field of expertise
- How many years have you been conducting the work for which the expert designation is being sought?
- Basic knowledge of the expert’s field of practice (i.e., definitions; see below)
- How long have you been employed in the field of practice/expertise?
- Do you have any current certifications relevant to the expertise?
- How many cases have you worked total (or average) annually since being employed in the field?
- Do you maintain current membership in any reputable professional associations in the field of expertise (e.g., IACIS, HTCIA, HTCN, ISFCE, etc.)?
- What percentage of cases in the course of your practice have you worked for plaintiffs? Defendants? Criminal Defense? Prosecution?
- Have you ever been excluded as an expert from a legal proceeding?
Most of these qualifications only serve to bolster the expert’s credibility; however, the final point about being excluded from a legal proceeding is probably the most important and one that often gets overlooked. Every case has different circumstances, so the fact that an expert may have been excluded does not in itself mean they are not credible, but if they have been excluded, it is incumbent upon counsel asking the question to dive deeper into the circumstances. If it is determined that the expert lied or perjured themselves, that is a great point of concern and their suitability for present and future cases should be seriously re-evaluated. Credibility is the most important asset an expert can bring to the case and the weight of the expert’s credibility is the ultimate determiner of their expertise.
Beyond the Basics
Digital forensics is an ever-evolving field of practice in forensic science, probably much more so than many aspects of “physical” or crime scene forensics. This is largely due to the evolving technologies and means by which to obtain and analyze data. As we all know, this proverbial ball is always moving downfield, so keeping up with trends is of vital importance. The questions vetting a digital forensic analyst to be adjudicated an expert must also evolve and adapt over time.
However, beyond the very basic information about experience and education, there are some other important industry-specific questions that should be asked, which include:
- What is a digital forensic examiner (alternatively: What is computer and/or cell phone forensics)?
- Did you receive any special training to serve in digital forensics?
  - May need to specify training as computer (PC/Mac) or mobile device forensics
- How many hours of training have you taken in relation to digital data storage media? (Make sure you include high school and college courses associated with computers.)
- Have you taken tests and received certifications on computers and/or in digital or mobile forensics?
  - Highlight the significant courses and certifications the expert has specific to digital forensics.
  - NOTE: This may include courses offered by Guidance/OpenText, AccessData, National White Collar Crime Center, National Computer Forensics Institute, X-Ways Forensics, Cellebrite or other vendor-specific or vendor-neutral training
- Have you also trained or supervised other digital forensic analysts?
- Have you ever published any articles on digital/mobile forensics?
- How many cases, or what amount of data, have you worked on as a digital forensic examiner?
- Is there a process you follow when you conduct a computer forensic examination?
  - What is that process?
    - Chain of custody
    - Create an identical bit-for-bit image of original evidence or forensically sound copy of mobile device, etc.
  - How is the forensic copy validated as an exact copy?
    - What is that process?
At this point, the analyst could be submitted to the court to be qualified as an expert. However, in many arenas, opposing counsel and/or the judge can ask the expert qualification questions to help vet their credentials as well. This is why the relationship between counsel and their expert is also of vital importance. Competent and thorough opposing counsel will also have done their research on the analyst to see if there are any glaring omissions or falsifications of their credentials. It’s an unfortunate fact that many legal cases throughout history have depended greatly on experts whose credentials were later determined to be less than accurate, or outright falsifications.
It bears further noting that an analyst’s public profile is open to scrutiny as well. Have they posted comments on LinkedIn or other social networking sites that are biased, unprofessional or otherwise inappropriate? To the question about published articles, are any of their publications inflammatory or do they show an obvious slant to one side or another, particularly when taken as a whole? Being an expert witness is a professional endeavor and the expert should be held to a high standard with regard to professionalism and should further expect that any words that are in print and publicly available are subject to being brought up during a formal legal proceeding.
Wrapping It Up
Digital forensics is a unique field of forensic science which necessitates asking unique and often very technical and probing questions during the qualification or Voir Dire process. Preparation is paramount when subjecting your analyst to the justice system and all of the unknowns and potential pitfalls that can come with testimony in any legal proceeding. Many times, counsel on both sides will look at an analyst’s curriculum vitae and stipulate they are an expert in their field, but when freedom, large amounts of money, child custody or any number of life-altering circumstances are at stake, thorough and thoughtful counsel will scrutinize the analyst and their credentials in an effort to represent their clients zealously. Be prepared, be professional, be concise and be clear. But above all, be truthful. Credibility, once lost, is almost impossible to regain.