Authors Graeme Horsman and Brett Shavers on Defining Digital Forensics Expertise

Christa: Who is the digital forensic expert and what is their expertise? That’s the question posed in a new paper. Published at WIREs Forensic Science, the paper explores the concept of a digital forensic expert witness, while also considering whether this term may now be potentially misleading to judges, attorneys and others outside of this domain.

This week on the Forensic Focus podcast, we’re rejoined by both authors, Graeme Horsman and Brett Shavers. Graeme recently transferred from his lecturer role at Teesside University to an academic role at Cranfield University. And Brett is a private sector forensic analyst and consultant known for the books he’s authored and his website, dfir.training.

I’m your podcast host, Christa Miller. Gentlemen, welcome back!

Brett: Thanks.



Graeme: Thanks for having us.

Christa: So to start with, where exactly did this article come from? Was it personal experience, or things you noticed other people talking about in the community? A mix or other factors in it?

Graeme: So I’ll go first. So from my perspective, I think it’s really important that I’ve got the academic — my eyes are academic in this, so that’s my viewpoint on it. I’m not a practicing practitioner anymore, or anything like that. So my observations here are sort of not targeted at anyone in particular. I’m not having a go with people or anything like that.

What it is, is it’s my observations of the classification of the — when the use of the term “expert” that I’ve seen, you know, in literature, in practice. And I’ve seen it used as a term quite often in our field. And it’s not just our field. It’s used [as] a term in all sorts of fields.

So my original observations were based on, well, what does that term, what does “expert” mean? What does our field mean? And anyone that’s in our field knows that it is huge, and it’s got lots of different areas and aspects to it.

And I only know little bits about little things, if that makes sense. I certainly don’t consider myself to know half of the things that this field entails in terms of analysis, but it does make — it intrigued me, the fact that you might wanna stick an “expert” title on that. And I was thinking, would I stick an “expert” title on my knowledge, and why and when would I put that on there?

So that kind of got the ball rolling in terms of my interest, but obviously I sit behind an academic desk. So I don’t think I can bring everything to the table here. So I was really interested to reach out to Brett, who brings a heck of a lot more experience to it than what I do, and a different insight from loads of different angles.

So I guess I had a curiosity, and I felt that there were some areas to tease out in terms of, you know, maybe we should explore this in a little bit more and what does expertise mean? And particularly with our field that is massive and vast.

And Brett is, you know, practicing in this area, has got way more experience than me. So I reached out to Brett and I wanted his viewpoint on this as well. So maybe Brett’s probably got some points as well, that he feels where he might come from on this topic as well.

Brett: Yeah. I was, like I said, I’m flattered that he asked me for my opinion, I guess, for that. But yeah, I looked at it from the other aspect that’s — I just gave some perspectives from the practitioner, I guess, you know, that I’m — from being on the hot seat, I guess, as an expert and the things that I’ve seen.

And that’s kind of where we merged the academic view versus, you know, the guy in the hot seat. So that’s a good question on expertise. So it was a great paper that he had an idea with, and I really just gave a few ideas to a lot of his writing.

Christa: So my next question is, on that note, how often you’ve each been approached to testify. So Graeme, it doesn’t sound like you have at all. So Brett, for what expertise — I know, I think you’ve testified quite frequently as an expert witness — in what regards, and as we’re watching the field mature and diversify in different aspects of digital forensics, including multimedia, et cetera, what expertise have you contributed to expert witness testimony, and then you know, where are you seeing requests come in now?

Brett: Well, I think it depends on the engagement, I guess, for one. Where, and on the private side — well, let me back up a second. So in law enforcement, you know, I’ve been subpoenaed probably three or four times a week for years.

Christa: Wow.

Brett: But not all of those go to trial, obviously.

Christa: Sure.

Brett: And then — because, you know, so many plead out and/or cases are dismissed or those sort of things, and even testifying with those, almost none of ’em. I mean, very rarely were there expertise testimony required in law enforcement, because it’s not really necessary.

And then in the private sector — and I’m just talking from my experience and people that I spoke to that work, you know, like I do — with the initial engagement, it’s usually the attorney’s strategy, I guess, do I want to hire an expert? Or do I want to have a consultant?

Because there’s a lot of legal ramifications with that. You have a work product, discoverability and materials and all these other things that are going on and conversations between the client and the expert, or the consultant.

So that really depends on the strategy of the case and the engagement. So there’s been many where you engage as just a consultant that would turn into an expert witness or vice versa. So it really depends on the engagement.

And even then, going to trial, there’s only been — of all the testimony, I think the percentage of actually qualifying for expert is low compared to testifying in general, just because it’s not necessary in many cases. It’s your fact witness testimony of, “This is what I saw, this is what I did, this is my report” is usually enough.

It’s just when the, if the court’s confused with bickering witnesses, you know, when conflicting testimony, that’s when an expert witness really starts to come into play with, more or less try to solve, what we think is going on here. So as far as the number of times, I think it’s small, percentage-wise.

Christa: Okay. One thing you mentioned briefly in the article was the risk of liability for a forensic practitioner who’s testifying as an expert. What is that risk? I think you mentioned miscarriage of justice. But within that, are there different factors that are going into that?

Graeme: I was just going to provide a brief overview. I was thinking it would depend on jurisdiction, I imagine, where you’re operating and where you’re practicing as to what quite you would be subject to, from your pure definition of your expertise, or your misjudgment of your expertise, and the product that you produce, I guess. But Brett, if you want to, I don’t know if you were about to expand upon that.

Brett: Yeah. The personal reputation liability, if you’re claiming to be an expert and you’re not, or if you’re a fraud, number one, but also if you claim to be an expert and you’re not fraudulently pushing the boundaries, but you’re taking on more than what you should be taking, because you’re risking your reputation in that way.

And as far as miscarriage of justice, people lie, you know, and they lie in court, they lie under oath. So that would be an obviously gross miscarriage of justice if you have an expert who is lying to win and that’s [an] ethical topic, of course, but that happens.

So that’s the liability, but if you’re truthful in what you’re doing and you’re factual then really the liability should not exist. It’s just that if you’re going beyond, either inadvertently or intentionally, that’s the problem.

Christa: Yeah, yeah, yeah. Makes sense. With that in mind, getting more into the substance of the paper: you wrote about expert obligations to define the scope of their expertise particularly given attorneys who only minimally vet experts they hire. So given that a single crime can touch multiple operating systems, databases, memory, video, pictures, et cetera. What’s a reasonable balance between generalists and specialist practices?

Brett: Well, I guess —

Graeme: I think this is difficult.

Brett: Yeah. I think the balance is, it’s — so much rests on the witness. Because, and now let’s do the private sector, I guess, version first. Whether you have an attorney — because usually it’s an attorney, right, who may or may not have a lot of computer knowledge other than turning on a computer and maybe some, “I know what e-discovery is, I know what metadata is,” that sort of thing.

And then when they’re hiring, let’s say an expert, and looking at a resume, it says “expert,” right? In many attorneys’ eyes, that means “expert in all things computers.” So it’s up to the expert, or the witness who may be qualified as an expert, to say, “Yeah, I’m an expert in Windows,” for example, “but not Linux or not Sun systems,” or not whatever.

It’s up to that expert to really balance: “If you get me on the stand, I can testify for these things, but [for] these things you’re gonna need somebody else.” So I think the balance is for the expert to determine. The attorney’s not going to be able to determine how good of an expert you are, because they’re going to naturally assume that you’re an expert in everything.

And just a quick aside, in one case where I was testifying [as] a deletion expert — in that specific thing for deletions — and going through qualifications in court, I was qualified as a computer forensic expert. I mean all things expert. And even I’m telling the attorney, “I’m just talking about this one thing, not all things,” but the qualification came out to be an expert in all things. And obviously I’m not an expert in all things, but that’s something on attorneys.

Christa: So I guess another way to ask that is how deep should a practitioner’s expertise get to be considered courtroom ready expertise? Or does it even matter, Brett? I mean, it sounds like based on that one example that maybe it’s not as much of a big deal or maybe it should be a bigger deal?

Brett: Well I guess it depends on the case, on what you’re testifying to, how deep you’re going to go for being an expert, if it’s really specific, obviously you wouldn’t be very specific, but if it’s not very specific, if it’s just general internet browser history, for example, that’s kind of across the board, you can really cover a lot, but if it’s something very specific to an OS or very specific to a certain artifact, then I guess it really depends on the case, on the evidence that’s being questioned.

Christa: OK. So another term that came up in the paper was “knowledge creep,” which you defined as “the act of overstating their expertise by assuming they possess knowledge that actually exists beyond their current remit,” “they” meaning forensic practitioners. Could you give a few examples of what’s a reasonable extension of knowledge versus an overextension?

Graeme: I think that the “knowledge creep” concept is really straightforward as a concept, but really difficult to evidence in the way that you’re suggesting there. So the idea is that you can assume knowledge based upon linkage, if that makes sense.

So, “I’ve examined a browser before. I know all browsers because they all allow me to access the internet,” for example, but actually in reality, that’s not the case. Artifact types will be different. Maybe the high level processes will be very similar, but your interpretation of what that looks like on a disk is, maybe requires a little bit more knowledge.

So knowledge creep was this idea that you can assume knowledge of something, because you’ve seen it before in a, what you might think is a related entity, but actually there are different aspects to it.

So maybe I examined version 1 of Chrome and actually now we’re on version 20, and you might assume that you know Chrome because you’ve seen Chrome prior to this. But actually, in the 19 version iterations that you’ve seen from there, we’ve got some substantial differences in the way that that browser operates and stores trace evidence on the disk, for example.

So that’s the concept of knowledge creep. When do I think — this is really difficult because you essentially open yourself up a little bit and actually you’ve gotta make this decision, I think, on an individual basis, and everyone has to be honest and open and evaluative of their own knowledge — but I think ultimately you have to think what is an acceptable level of it?

And you have to manage that yourself. So maybe I’ve seen version 2 of Chrome and I’m now examining version 3 of Chrome. I think you could probably assume that that might be a safe level of “creep” and that you still need to evaluate and assess your bit of knowledge there for that additional browser.

But if you are assuming that, “I’ve seen Safari, but I’m going to examine Opera” (I don’t know. This is a very basic example.) You can’t — that to me is probably an exacerbated creep of knowledge: “I know all browsers because I’ve seen one,” and I think what you’ll see is that that leap will be much smaller in reality, but I think we just need to be careful.

And I think really the concept is there to sort of say, “Look, be careful, just because you’ve seen it in one form, things can massively change.” And I guess, let’s say even just one variation between an iteration of an app or something like that, if they choose to fundamentally change the type of storage or login mechanism, you might be starting again from your interpretation of that app’s trace, if they went from one database type to a totally different flavor, or different login style.

So even the version type between apps, it’s a very arbitrary way of defining creep. And that might, you might think on paper, it’s not a lot, but it could be massive. So which is where your question’s really difficult. And I’m not even sure that it can be answered.

I think every practitioner has to think, right, “Does this look like something that I’ve seen before?” And then I think the only real way that we can combat it is the good ability to test, validate, reconstruct, assess our own understanding of the trace, and that’s slightly a different issue.

But I think it’s a concept that where we might subconsciously assume knowledge of something because we’ve seen it. And actually we just need to step back and think, “But have I seen this in enough detail to really fully understand it? Or am I at a conceptual level?” or that sort of thing. That’s what I think. That’s probably how I would describe it. I don’t know if I’ve answered your question, but I think I have.

Christa: Yeah, I think we’re getting into more of a professional development / career tracking sort of realm. And one thing that stuck out to me in the paper was your suggestion that practitioners should conduct genuine self suitability assessments before offering services as expert witnesses, or at least accepting an attorney’s approach.

So I wanted to find out what, how — I guess that first step in developing that expertise is the assessment. Does it consist of the framework that you set out in the article? “I maintain expertise in the areas of, acquired via, and evidenceable through” a particular means, or is it something deeper?

I mean, you also mentioned the case outcomes, practitioner capacity contributions to the community, et cetera. What’s the mix there, of that kind of self suitability assessment and how often should assessments like this be conducted?

Graeme: Okay. That’s quite a big question.

Christa: I know.

Graeme: I think it’s — I don’t think there’s one answer to it, and I think it’s about defining your knowledge and objectively being able to evidence it. And I don’t think that there is a set of objective criteria that you would roll out on every instance, but obviously you can think of some that would be more useful than others.

I don’t think it’s about quantity. You know, you don’t have to have a hundred to be amazing at something. I think it’s about the quality of the objective evidence that you can put forward.

But I do think that, I think Brett said at the start about, “I’m a computer expert.” Well, computers are exceptionally complex, wide variety. We can infinitely increase the capability and capacity of our computers. So we don’t know everything about them, which is why I think when it’s the self-assessment, it’s like, “Well, what do I know in enough detail to be good at knowing that bit of that computer?

And if I think I’m good at it, and I think I’m an expert at it, well, if someone says, ‘Well, why do you think that?’ Then I need to be able to bring back something to this table and say, ‘Well, I’m an expert, because I’ve done this.’”

And that could be formal qualifications, but again, we have to be tentative around formal qualifications. It could be testing and validation, and, you know, gotta be conscious about that. Could be “I published a paper” or something, “and I’ve developed a method that’s now being used by, you know, X, Y, and Z,” but we maybe have to be conscious of that.

I think everything has to be evaluated for quality, but I think there has to be something, bar just saying that I know these little bits. I think we need to move to this point where — I don’t think we need to move to, but I think it would be good practice to get into the habit of [moving from] the generic, “I’m an expert in this big sphere of ability” to thinking, “Well, actually, no, what little morsels or parts of it am I good at, and why am I good at them?”

So qualifications would be good, but obviously a lot of qualifications provide you with a grounding, but not necessarily specific expertise. You might have gone on to write a book in that area, or you might have gone on to produce a method that the community thinks is the bee’s knees in terms of how we do something. There’ll be ways to evidence it.

I think what we need to — I think the flip side of the coin would be, “I’m an expert in this. Well, why? Because I think I am, or I’ve done a case in this before,” which is great. You’ve done a case in that before, but that’s not necessarily, as you assume that that case was brilliant and went right and you did everything perfectly, but you might need to think a little bit more around how you would evidence that bar, that single one previous look at it or something like that.

Does that make sense? And maybe Brett has more info, well, more thought on this than I put forward there.

Brett: I think yeah, it’s a combination of everything that you’ve done and are doing. And like I said, writing books, or teaching, or developing processes, all those lead to expertise.

But there’s a small point about expertise in court — let me try to bring it back to a court. So there’s kind of like a banter among us, the field, of who’s an expert. Either nobody’s an expert because, “You’re not smarter than me or not smarter than that person,” and then “Nobody should be an expert because that’s arrogant” or whatever, and those things.

And so, “We’ll never know everything, therefore you can never be an expert.” So I think that thinking of, “You can never be an expert because it’s infinite knowledge with computers. It’s infinite, things that are revolving around computers.”

But I think for the expertise, or the qualification of an expert, it’s a judge — or magistrate, or a court — saying, “Yeah, you’re an expert because we need your opinion to help find facts in this case.” So it really comes down to the court saying you’re an expert. For, like Graeme was saying, someone to say, “Yeah, I’m an expert.”

Well, it’s kind of meaningless because it’s, I’m saying I’m an expert. Who’s going to debate me? It doesn’t really mean anything. And I mean, expertise — I think practically, it’s like if we’re all reading the same book and Graeme is one chapter ahead of us, well, practically he’s an expert because he knows a chapter ahead of everybody else. So practically he’s an expert, whether it be how to fix a car or a computer.

In court, if you know more than the court, if you know more than the judge, more than the attorneys, and at least as much as your opposing expert witness, then practically you’re an expert.

So I think for us personally, we really dive deep and become an expert. We really take a lot of training. We really read a lot of books. We do a lot of practice, we do a lot of those things. So I think we, a lot of us, are — could be qualified as experts in court just because of the work that we do intently, but we really put ourselves down on how much we know, because we know how much we don’t know.

So, but going into a trial — and typically they’re not so — it’s not that difficult to be qualified as an expert in court. It’s very simple. The bar is low. Do you know more than an average, the lay person? If you know more than a lay person, well, you’re an expert.

I mean, that’s what it comes down to. So you may not have ever examined Windows 11, but if you’ve done Windows 10, I think theoretically, you could still be an expert in court to testify on your first case of Windows 11, because you’ve done so much on Windows 10 and prior.

So I think, like Graeme was saying, all these things to do, to create your expertise for that — and I say “opportunity to be,” because not everyone goes to court to testify, and we have so many people who never testify, never had to testify, their job doesn’t require testifying.

And even those who do testify as consultants or in a case, very few of those will qualify as an expert because it’s not needed. It’s, “Well, we trust your report. We trust what you’re saying. It’s true. So why would we need your opinion?”

So for the expert — for the court qualified experts — I think they’re fewer than the world, the ocean of experts, because there’s a lot of experts out here. Graeme’s an expert, obviously, in many things because of everything he’s done, and you’re an expert in many things.

And so as far as building expertise, I think we all build it by the work we do, the things we read, the things we write, the work that we’re documenting and researching. So we’re all building toward expertise. It’s just that, what is an expert? The court qualification is the only differentiary factor that I see.

Christa: So I guess with that in mind, and as practitioners are looking at their professional development, do you feel that they should be conducting their operational work with an eye towards qualifying and testifying as an expert witness in a particular area, say, whether it’s Windows forensics or memory forensics or whatever? Or does it really — is it sort of ancillary to the main mission of what digital forensics is all about?

Brett: As a practitioner I never have looked at — I mean, it’s just personally my opinion — looked at becoming an expert in anything. I’ve never said, “Well, I’m going to prepare for a trial, and I want to be qualified expert in this subject. So I’m gonna work toward that subject.” I’ve never done that just because I don’t know what the next case is going to be, or the next trial’s going to be.

So if [it’s] memory forensics, for example, well, I want to qualify as an expert [in] memory forensics. So I’m going to dive deep in memory forensics for that. I may never ever go to trial for memory forensics ever. I’m gonna build up an expertise just in case, but if that’s my goal and intention, I’m gonna be really disappointed all the time, and I don’t think it’s going to be a good way.

So the way I look at it is, if I have a case that’s a, we can say file copy, “Was a file copied, when, who did it” kind of thing. If that case I’m engaged with, then I’m going to really dive deep into that subject matter because it’s going to trial, it may not go to trial, but it’s going to go to trial. It’s headed toward trial.

So that I will work to become an expert on, not for the sake of becoming, “I want to be qualified as an expert, get a gold star,” it’s because I want to know what I’m talking about, what I’m testifying on, when I’m doing that.

So I would do, that’s the only way I look for working toward expertise is, there’s a goal and a mission. There’s an end product that I need to do, whether I reach that or not, it’s headed that direction. So personally, I don’t think it’s a good idea to pick a topic for the sole goal of being a court qualified expert because it may never happen.

Christa: Okay. Okay. On that note, actually, you made a point earlier that few cases ever make it to trial, at least in the United States. So for experts who, or practitioners, who are interested in potentially becoming qualified as expert witnesses, how can they obtain that testimonial experience? Are there moot courts that they can participate now, or if there are just not, should there be? And not just for the experts, but for the lawyers as well, to be able to practice asking questions?

Brett: I guess the only way to get experience qualifying as an expert is to be on the stand. I think that’s probably the first way. But to get there, I think there’s pretty few courses and training in mock testimony. And I don’t know why, other than it’s not exciting.

It’s not, and it’s embarrassing. To be cross examined on the stand is not fun whatsoever, because your integrity’s questioned, your credibility is questioned. You’re insulted. I mean, all these things can happen and we don’t, I mean, if we’re honest, we say what we feel and mean, and we’re true and then we’re getting attacked for it, it’s not a comfortable feeling.

So the experience, I think to have a — and I remember there was a course on expert witness testimony. I forgot who put it on, but it didn’t last long. And I think it’s because maybe people don’t want to go pay to get beat up, you know, “Here’s a thousand dollars. Beat me up.” I mean, it’s a good thing to do, obviously.

Christa: I would think that you would wanna do it in kind of a training, controlled setting rather than actually at trial.

Brett: Yep. But it’s easier to put off the pain just in case you don’t need it. You know, trial prep sometimes includes, you know, the attorney prepping, but even then it’s not a mock trial. It’s more of a sit down of, “Okay, here’s some questions, here’s some tips.”

Basically, it’s not really mock trial for trial prep. So that’s a drawback there. And I mean, even police academies, there’s a little bit of court testimony practice, but not a whole lot. We’re all into data. That’s, every course is data. We have very little in ethics, very little in testimony. It’s all about data, as if that solves all the problems.

But it’s in trial that’s — the data’s great, but if you’re not testifying well enough, it’s meaningless. So as far as to get that practice, you’ve got to do cases, and you have to hope those cases go to trial, and you’ve got to hope that your prosecutor, your client is going to prep you and then you go do it.

Christa: I can imagine, training-wise, that’s a challenge in terms of… I mean, you mentioned throughout the paper that technology is changing so rapidly, so it’s either focus on the rapidly changing data, or the kind of structural supports around it maybe, or around the justice system when it comes to the data?

Graeme: So I think it, you know, you’d be less likely to catch up with technology in terms of knowing every little bit, but if you’re very good at your ability to test, validate, interpret, and those core skills of, “If I don’t know something, how do I find out?”

And the “find out” bit, you do really well and you can always do it really well, then you’re never going to know everything, but if you have the skills to find out, then I think that that bridges the gap. If someone brings me a phone tomorrow and I’ve never seen an app on it that I’ve, you know, but I need to investigate it, I’d like to think I’ve got the skills to test, validate, and run through the functionality and pick apart the bones of it.

And I think that’s the gap-bridger. You shouldn’t have to have seen App A a hundred million times and have gone through [it]. You can see it once, but once might be enough if you’ve really picked it apart and validated it and interpreted it.

Christa: Final question. So we’ve been talking about individual experts and their expertise particularly, and we talked about professional development. You wrote about training and certification together with casework and research that make for expertise. But as you also stated, this is a moving target. So to what extent should practitioners really focus on building their own expertise versus connecting with other experts that they can recommend when an attorney needs it?

Graeme: So I’ll go first. I’ll have a little go at this question. And I think that there’s an element of experience gathering, hopefully good, positive experiences. Because obviously that’s the thing with experience, you could gather bad experience, but you don’t know it’s bad at the time, or vice versa. And obviously you can gather objective qualifications, which you can evidence objectively.

And those sorts of things, I think from a skill perspective, it is those skills that allow you to find things out and find them out reliably that will help build your expertise. And it will help stop you from becoming stuck with, “I only know this and I can’t get any further.” You should never be in a position, I don’t think, where you can’t become better because you can’t afford to go on a training course or something like that.

I think you can still gather and become a good practitioner and gather expert knowledge by being good at fundamentally learning how things function, the reverse engineering of data on media, why it’s there, how it’s there, coming to reliable conclusions from being able to test and evaluate the traces and what they mean.

So I think that you shouldn’t be pigeonholed into a box because you can’t afford to get out of it. I don’t think this is a money thing. I think this is a, “What are the fundamental skills does practitioner need to get more knowledge and get it reliably?”

And you can engage with the community in lots of different ways and develop methods from your own testing and evaluation and have them critically evaluated by other peers in the community and things like that. So you can increase your ability that way.

But I think the second part of your question there was, “Well, how do I get the right expert?” Was that, is that my interpretation correct? How do you know you’re the right expert for the job, is that what you mean?

Christa: Yeah. That, and how do you make sure that the client gets the expertise that they need, even if you’re not the one that can supply it?

Graeme: So I think that it’s the self assessment, isn’t it, in some respect. It’s the knowledge creep, the self assessment, it’s everything rolled into one. It’s, “I’ve got a job — a case — and I think it’s on this.” They may not know the full details of it, but they know probably what they want in some respect, or at least a starting point, it’s that critical evaluation of you.

And because of all the things Brett said previously, you don’t want to necessarily run into this and be like, “Yeah, I’ll do it, I’ll do it,” and then get there, and maybe you can’t, or you can’t do it as good as you should be able to do it. It’s sitting down thinking, “Am I the person for that job? And do I have the objectively evidenceable knowledge to go with that, that I can do this?”

And if I can’t, maybe it’s sort of stepping back from it and saying, “You know what, I’m not that person, but I do maybe know someone who is that person,” rather than maybe saying, “Well, you know what, maybe I’ll just try and gather that knowledge on the way through this case or something like that.”

So it’s difficult when it’s that real critical self assessment, I think, of saying, “You know what, all of the factors aside, can I do this?” And not just, “Can I do it,” because anyone can do it. It’s, “Can I do it to the standard that I need to do it to?”

And not just — I don’t think we’re in the discipline where “Have a go” is a good idea. Necessarily all of the — you’re having a go because you know you’ve got the skills and ability to do the job effectively and quality standards are maintained. If it’s a fishing trip to just see if I can do it, that might have some more consequences, and maybe Brett also has some views on this as well. But yeah, I’ll pass it over to Brett just to see if he has any other views too.

Brett: Yeah. One thing about being an expert, “expert” seems to be a dirty word. I think online people say “I’m an expert,” and you get kind of slammed for saying that. And I’ve never claimed to be an expert. I’ve only said I’ve been qualified as an expert in court, that’s it. Personally, that’s all that matters to me anyway.

But being an expert is kind of a, I’m not going to say “arrogant,” but it’s a, you’re exuding some confidence that you know something. So it’s a strong personality trait you’ve got to be able to have to say, “I’m willing to be court qualified as an expert,” or “I know this,” but within that expertise, there’s that humility you must have that says, “But I’m not an expert in this subject.” Or, “I know internet browsers. However, my expertise stops at this level, because I don’t know this internet browser, I don’t know it on this system, I don’t know this version.”

So you have to have the ability to say, “Yeah, I do know A, but I will pull back myself when it gets to B or C. I don’t know that far.” So that’s the part of being an expert, and I’ve seen those who say, “I’m an expert in A,” and then when they reach B or C or D they just keep going, claiming expertise without having it.

What that does, that negates expertise across the board. That means you’re not an expert whatsoever because you must know where your limits are and you must be able to say, “This is my limit. I cannot go any further. You can call this person or call that person to continue it.”

But if you don’t do that, you’re not an expert. You’re worse than an expert, or a non-expert, because now you’ve — it’s not to defraud, but you’re just, it’s not that humility you must have. You have to have the arrogance of, “Yeah, I know,” but you’ve got to have the humility to say, “Yeah, but I don’t know this much.”

And even to Graeme’s point on the developing processes and peer review type of processes, I think that’s a great point to have. Well, for example, I’m writing, finishing a book on X-Ways Forensics. And what I’ve offered whoever uses X-Ways Forensics, if they have a process that they developed in that software program, whether it be — there’s one for hashing, there’s, someone submitted some other things.

So they can submit a process to me. And Eric Zimmerman and Troy Larson, we’re all going to look at these processes that they developed, and we’ll peer review them, and if it works, we’re putting it into the book.

So you have a book on this software program, and we have contributions from X-Ways users, forensics users and things that they used it for, and it looks good. So now it’s going to be published in a book. So for their expertise and their knowledge of a process, that maybe they developed or they perfected, that builds toward their expertise.

So they can legitimately say, “I wrote something that’s been peer reviewed. It’s published, it’s in use by thousands of people across the world.” So that is one nugget of expertise. So these contributions don’t say, “I know everything about a software,” or “I know everything,” but it says, “For this part, I know this, and this is what I’ve done, and it’s been peer reviewed.”

For that, expertise is, I think, qualification. Beyond that, that’s a different subject. You need more stuff for that, but that humility of knowing what you don’t know and saying, “Yeah, I don’t know.” You know, it’s embarrassing to say, “I don’t know,” but it’s one of those things as part of being an expert, there’s a lot more times you’re gonna say, “I don’t know,” than “I know.” And as long as we can do that, I think that the expertise is better.

Christa: Yeah. And it comes back to Graeme’s point, as well, about the skills that you need to go from, “I don’t know,” to, “Now I do know to be able to test and evaluate.”

Graeme: Yeah. I think that if you — so for example, if you don’t, if you judge expertise based on purely what you’ve seen, I guess, then you’re going to, everyone’s going to stop and we’re gonna have loads and loads of things that we haven’t seen for the first time, or, have seen for the first time.

And then all of a sudden we paralyze the entire discipline from not being able to offer commentary and support in an expert way for things that we need it. So we can’t just put too many arbitrary factors and say, look, you know, because everyone’s expertise will stop. We’ll grind to a halt and we’ll find we can’t do anything.

So we have to have some flexibility in moving your expertise forward. Because of the pace of change and things like that, the fact that we’ve got so much stuff coming through all the time and what do we do when we see it for the first time?

But that’s the fine balance. I think it’s just, how do we do it? How do we get someone to a good quality level of knowledge when we’ve never really seen it that often before, but we need to trust someone, because someone needs to interpret and explain that information who has said it in a reliable way at a level that we might need them to do it, so that we can progress forward with some of the cases that involve that technology or something like that.

So it’s a tricky one. It’s a tricky one. I certainly don’t think that we’ve maybe solved any problems or anything like that. I don’t — all we’ve, I think we’ve done is probably highlighted some discussion points that exist in this area. And maybe just to insinuate that there’s maybe a bit of self criticality and reflection just to think, “Am I? Am I not? If I am, why am I?” And maybe think along those terms and things like that. Yeah. That’s what I’m thinking.

Christa: Makes sense.

Graeme: I hope so.

Christa: It does. Graeme and Brett, thank you again for joining us on the Forensic Focus podcast.

Graeme: Thank you.

Brett: Thank you.

Christa: Thanks also to our listeners, you’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. Stay safe and well.

2 thoughts on “Authors Graeme Horsman and Brett Shavers on Defining Digital Forensics Expertise”

  1. Personally I think being an expert in this field is essentially impossible, whilst having been often used as one, and in reality it best comes down to a way of thinking, acting, and operating. There’s simply too many pieces of software/hardware/OSes, versions of these, configurations of them, and all the infinite permutations thereof. Even the lead developer for just one single large piece of software would likely be far from truly knowing everything about it, and that’s without getting into every version of it, and the above permutations.

    Possibly the most important thing for an expert is being aware of how much you don’t know (which is often strongly correlated with experience – not in the way many might think – but in that the more experienced you are the more likely you are to be aware how much you don’t know or can’t be truly certain of).

    Being aware of this, and then writing reports/statements with this always in mind, I believe is critical, and possibly even more critical than testing.

    You might have cause for methodical testing of something and reporting on those results to back up your assertions…but that alone is at best an indication of the results in one set of circumstances/configuration/etc. The permutations of OS/software/hardware and configuration/state of any/all of those on any given system are endless and might all potentially impact things.

    A good expert should be able to state what they found, where they found it, perhaps what it indicates, and if necessary why (experience/testing), but also be able to accept that X COULD have happened. If they’ve phrased things correctly, whether written or orally, nothing they’ve said will be contradicted by the assertion of another possibility. They should be able to accept “yes that could have happened” or “yes they could have done that”.

    The balance to be struck is factual reporting wherever possible, supplemented then by well qualified (meaning caveated) opinion or interpretation intended to guide the reader/listener/court/judge/anyone.

    Sometimes the best way to bridge the gap between these alternative possibilities, and the explanation/interpretation given by an expert, is not through weighing the credibility of the expert or saying they’ve tested something therefore it must be true, but by the variety, volume, and nature of evidence supporting something.

    An expert might have to rightly agree or concede that “piece of evidence H could have occurred by someone doing X/Y/Z”. It would then be up to the court to decide whether they think that’s likely in the context of all the other evidence. In this context, if you’ve got hundreds of different examples, spanning various devices/artefact types, and/or tallying with real world evidence… everyone can start to take a view on whether the alternative explanations still hold water (chances are they probably won’t most of the time). The variety/volume approach also provides a further backup to issues with tools (don’t get me started on ISO!) and I would argue the single biggest risk of miscarriages of justice come not from rogue examiners, or malfunctioning tools, but from the lack of time given to examiners (or experts) to do a more thorough job.

  2. In the law in England and Wales the role and limitations of expert evidence are defined (for criminal matters) in Criminal Procedure Rule 19 (CPR19). It includes references to the formal declaration you are required to make and the contents of an expert report. The latter includes a section about the expert’s qualifications.
    One declaration includes whether the expert has been subject to adverse judicial criticism.
    All of these are powerful deterrents against over-claiming scope of expertise.
    There is also judicial guidance provided in the evaluation of novel scientific evidence (which is a discretionary variation on the Daubert criteria).
    Plus: remember that expert witnesses can be and are cross-examined by a lawyer supported by another expert.
    My concern about some of the discussions about forensic science standards and regulations is the failure fully to integrate into actual court procedure.
    (The CPR stuff is all on the web)
