A digital forensics expert can be used in a variety of ways: as an expert witness, for litigation support, to conduct Non-Invasive Data Acquisition (NIDA), to proactively investigate potential disputes prior to litigation, or to recover data negligently or intentionally destroyed.
Over the last several years, commercial hardware and software vendors who specialize in digital forensic analysis tools and applications have made significant improvements in the methodologies necessary to analyze digital evidence. As a result, what was once an almost entirely ad hoc manual-analysis process is now structured to a point where years of experience and training are no longer necessary for the production of a digital forensic report. This shift has increased the number of forensic examiners and lowered costs, but it has also reduced the depth of knowledge held by the average forensic examiner.
As a result, the reviewer of a forensic report should scrutinize the qualifications of a forensic examiner to avoid an unfortunate scenario in which the forensic examiner is not sufficiently qualified and, consequently, the underlying findings are not reliable. While no uniform set of standards exists to gauge the competency of a digital forensic examiner, reviewers should seek the most appropriate combination of certification, education, and real-world experience, given the case at hand. The examiner’s training will likely include a number of hours in the classroom as well as practical experience in the real world and in the lab. This training should be evaluated in terms of levels of experience and the quality of the instructors and institutions administering such training.
While individual vendor certifications certainly have value, the education marketplace is seeing the emergence of vendor-neutral certification programs to validate technology skills at various levels. This new industry may treat the establishment of credentials as a means to further monetize a product. True expertise requires field experience in real-world situations and/or years of study. Thus, the bench and bar should interpret forensic certifications only as an indication of additional expertise that the forensic examiner possesses in a particular area, or in a specific type of software in the forensic field, rather than as a blanket qualification.
In addition to technical expertise, an ideal expert witness will have experience on the witness stand. Counsel will set the baseline requirement of a competent expert, but the ability to calmly and confidently relay findings while undergoing rigorous cross-examination is critical. Finally, a digital forensics expert can testify in federal and most state courts, but a written report is still mandatory unless otherwise stipulated or ordered by the court. This written report, if properly done, may in some cases negate the need to provide expert testimony.
In next week’s installment, I will go into the details of evaluating such a written report.
* by Daniel B. Garrie, the Senior Managing Partner at Law & Forensics LLC. He focuses on e-discovery, digital forensics, cyber security and warfare, data privacy, and predictive coding, and works with law firms, governments, companies, and non-profits around the globe.