K&F Consulting Inc.

FINDING AND SELECTING
A COMPUTER FORENSIC EXPERT

Forensic Tools

Understanding the tools used by the expert can also be important.  This facet can involve issues related to the kinds of tools, the variety of tools and the number of tools.

With respect to the kinds of tools, the litigator may want to determine whether the expert has invested in mainstream forensic tools or is getting by with freeware and other low-priced alternatives.  While it is nice to avoid needless markups, the lower-priced tools are also commonly less feature-rich and will require more labor hours to obtain the same results that might be automated in the higher-priced tools.

Again, understanding the specific tools owned and used by the examiner can be useful.  Some tools are stronger in certain functions than others.  So, again, it becomes important for the forensic expert to have diverse resources from which he can draw depending on the requirements of the case.

Forensic analysis tools are not the only kind of tool in the expert’s arsenal.  In large, complex cases, the ability to manage the data and marshal the facts matters as well.  While spreadsheets, as an example, provide robust analysis capability, they are size constrained.  So, in large cases spreadsheets lack adequate horsepower, and database applications can become much more essential.

So, in large cases the litigator may want to assess how well equipped the expert is to manage large volumes of data and analyze them.  Even the forensic tools can have practical size limits, such that the data must be extracted piecemeal from those applications and placed in other, more capable data management systems.

Another issue could be the number of licenses a forensic examiner owns for each of his tools.  In large cases, throughput can be essential and multiple licenses a must.

Another category of tools is those that the expert can use to provide data to the litigator.  If the data consist of lists, then spreadsheets are litigator friendly.  But what happens when the lists exceed the capacity of the litigator’s spreadsheets?  How about different data types such as e-mails?  Should those be provided as PSTs, HTML, or MSG type documents?  Indeed, there are many questions about how the expert can support the litigator’s needs with the kinds of tools that the litigator is capable of using.

Case Specifics

Case specifics also provide a distinguishing attribute for the expert.  After all, just like litigators can acquire specialties so can computer forensic experts.  For example, the ideal expert for a computer security and network intrusion case may not be the ideal expert for a trade secrets, bankruptcy or family law matter.

The complexity of the case can also affect the skills required of an expert.  Perhaps the issues are rather simple or one dimensional.  For example, maybe all that is needed is someone to determine when the computer was last started or whether a particular file exists on the media.  These kinds of issues could be satisfied by a much broader range of experts with less sophisticated skillsets.

So, case specifics can dramatically affect the selection process.  What will be challenging for litigators is identifying and understanding how those case differences will manifest themselves in the skillsets of a forensic computer expert.

Industry Specifics

Industry specific background can also be helpful for the computer forensic expert.  Activities, systems or artifacts that might otherwise go unnoticed could be recognized by the expert familiar with that industry.  Also, experts familiar with an industry may be able to recognize omissions in preservation or production as a result of their knowledge.

Relevant Experience

The analysis of the expert’s relevant experience can be another important discriminating factor.  He could have both or either related work experience, but how do either of these fit into a litigation environment?  For example, even if the expert has worked in other litigation cases, what does he do to validate a production?  Does he take steps to identify omissions and/or manipulations, or does he simply proceed with what has been given?

Can he work with imperfect information?  Is he able to reverse engineer the work of opposing parties despite missing documentation or other information gaps?

Training

Training is another area that the litigator can use to distinguish computer forensic candidates.  In this regard there are a number of training directions that the litigator may find of interest.  Essentially there are the general training classes and there are the tool specific training classes.

The general training classes can involve fundamental issues such as file systems, operating systems, and software applications such as e-mail, application databases, and software applications in general.  Such classes would reveal how these subjects work, how to interpret their metadata and how to extract and handle their artifacts.

As an example, consider the situation where the computers to be examined are Microsoft Windows based machines versus Apple Mac machines.  The file systems that accompany these two different devices behave differently and leave different kinds of artifacts.  Knowing about these artifacts, where they reside and how to interpret them can not only affect the expert’s opinion but influence the budget required to interpret them.

The other area where training can be influential is the tools used by the expert to develop his own opinions as well as refute those of the opposing side.  These days there are a number of forensic tools, and no single tool will perform all evaluations.  So, in order to perform a comprehensive examination, the expert will likely need several tools in his toolbox and needs to be familiar with them, whether through self-training and seasoned use or formal training.

The need for tool familiarity is not limited to the performance of the expert’s own work.  Rather, he will also likely need this familiarity to understand and evaluate the work of the opposing expert. 


2550 Northwinds Parkway, Suite 275, Alpharetta, Georgia 30004
Copyright 2008 K&F Consulting Inc. This site is for informational purposes only. For technical advice please contact a representative.