To begin, the reviewer should focus on the manner in which the evidence was acquired. The report should establish if the original evidence was acquired by a duplicate bit-by-bit image of a hard drive or by live acquisition. While the manner of acquisition is dictated by the circumstances, a bit-by-bit acquisition is generally more reliable than a live acquisition because opportunities for error or failure are reduced.
In addition to the means of acquiring a digital image, reviewers should be aware of the format of the imaged data. The two primary formats for images are E01 and DD. E01 format is created using Encase software by Guidance Systems, and is considered to be the most popular software used for imaging, although other programs can create images in this format. The DD (Raw) format will create multiple files of a set maximum size (e.g., on a 40GB hard-drive, the output might be 20 2GB files), which must then be reassembled into a whole before the files can be viewed.
Forensic Report Should Provide Sufficient Details to Replicate Findings
A digital forensic report should document with sufficient detail the steps undertaken by the examiner such that an independent third-party could replicate the conclusions. This also means that the forensic images should be available for copying by a third-party. Generally, when the forensic images are not available to replicate the findings of a digital forensic report, it is a red flag. Reports with conclusions that are not reproducible using copies of the forensic images and similar analysis software should be granted little credence, absent exceptional circumstances.
In Nucor Corp v. Bell, an expert offered testimony on evidence that the opposing party had used a non-traceable wiping program to clear evidence from a laptop. The court denied a motion to exclude the expert’s testimony. The spoliation case was based on the examination of a hard drive with large blocks of zeros surrounded by data. The court found that the method used by the expert sufficiently filled the analytical gap between the data and the opinion. With a nod to the Daubert factors, the court noted that the expert had tested a hypothesis as to how the blocks of zeroes had appeared on the drive, and had replicated the pattern of zeros. The court also admitted evidence resulting from a load-progression test that was found capable of repetition, as the expert had thoroughly documented each step in the test to establish that data had been written to the hard drive in the predicted manner. This case demonstrates the critical value of making sure the forensic report contains sufficient detail that the findings can be duplicated independently.
Structure of A Digital Forensic Report
Generally, the forensic report is outlined as follows:
1) Brief summary of information
2) Tools used in the investigation process, including their purpose and any underlying assumptions associated with the tool
3) Evidence Item #1: Employee A’s work computer
a) Summary of evidence found on Employee A’s work computer
b) Analysis of relevant portions of Employee A’s work computer
i) Email history
ii) Internet search history
iii) USB registry analysis
c) Repeat steps above for other evidence items, including work computers and mobile devices etc.
4) Recommendations and Next Steps for counsel to continue or cease investigation based on the findings in the report
The report should not volunteer superfluous information which may be vulnerable to scrutiny under cross-examination. Further, all findings should be accurately qualified as to the limitations of the particular tool(s) used, the applicability of the current technology and industry-standard best practices, the methodology or techniques (such as search criteria or formula), and the scope of the investigation.
The scope of the investigation is limited by relevancy and also by budget (i.e., time), which almost always places legitimate and significant constraints on what data is found or not found and the inferences to be drawn therefrom. Moreover, the digital forensic report only investigates those areas where responsive evidence can be found (e.g., in a case investigating the theft of proprietary software code, it would be irrelevant to discuss a search for pornography on said hard drive, and law enforcement officials may require a separate warrant to conduct such a search.).
Further, when evaluating a digital forensic report, a reviewer should evaluate the substance of the report to ascertain if there is information overload. The digital forensic report should provide a cohesive and logical framework on its face and not delve into the underlying technical minutiae that could distract from its conclusions.
Examiners must resist overtures by attorneys, however well-intended or abstract, to submit any testimony or work product that is disrespectful of the truth, including overstating, understating, or omitting findings. The findings should be concise and carefully circumscribed. The report cannot be tailored to support a particular outcome, as a material omission may constitute fraud.
Many examiners use a variety of tools and it is important that the reviewer understands their genesis and purpose. The tools a forensic examiner uses should be explicitly stated in the report to assist the reviewer in understanding potential issues surrounding the conclusions the forensic tool is being used to support.
As the use of technology becomes increasingly ubiquitous, it is likely that digital forensic experts and their reports will become commensurately important to litigation.
Commentators have expressed the view that rather than asking whether the expertise presented is “science” or “non-science,” courts should inquire into the methods that the experts are using. Along with reliance on experience, there must be room provided for innovation. “[T]he existence of data showing that engineers, or physicians, or psychologists, or forensic scientists, can measure or diagnose or predict or correct certain conditions does little if anything to support an inference that they possess the requisite expertise for another task or condition for which there are no data” (David L. Faigman et al., Modern Scientific Evidence: The Law and Science of Expert Testimony § 1:25, at 70). This means that reviewers should engage in an analysis that identifies the nature of the problem and assesses whether data supports a conclusion that “necessary expertise exists to offer a dependable opinion on that problem.”
In summary, the Daubert factors aid in the gate keeping analysis for digital forensic expert testimony in certain situations. To the extent that forensic science methods have been tested in similar factual circumstances, and that those methods have been subjected to peer-review, and/or have a known error rate, it seems appropriate that the court take these factors into account when such methods are presented as expert evidence. As digital forensic science advances, information about methodology should become available as common techniques mature. General acceptance of a technique may be relevant in the types of cases that arise again and again, such as spoliation of evidence cases requiring file recovery or forensic comparison. Nonetheless, cases involving the expert testimony of computer scientists are rife with unique factual situations that may require an innovative approach by the expert. Consequently, it is critical that the bench and the bar determine whether the facts of a case are such that a traditional technique can be applied before determining whether a Daubert analysis is necessary.
* by Daniel B. Garrie, the Senior Managing Partner at Law & Forensics LLC. He focuses on e-discovery, digital forensics, cyber security and warfare, data privacy, and predictive coding, and works with law firms, governments, companies, and non-profits around the globe.