Chapter 7. Why Do I Need an Expert?

Information in this chapter:

• Why hire a digital forensics expert?
• When to hire a digital forensics expert
When digital evidence is part of a case, it can be dangerous to proceed without an expert. Experts worth their salt are needed to help you get the evidence, find the information you need, and then analyze that information to find data that is useful to your case. Experts can act as an equalizer, and this is especially true when the opposing side has an expert themselves. To proceed in a case where the other side has an expert and you do not can lead to undesirable results in litigation. A qualified digital forensics expert can guide you through the intricacies of digital evidence in a way that makes sense in your case. This chapter will explain why you need to employ an expert when you are dealing with electronic evidence and why employing an expert is a time-sensitive task.
Keywords
Why Hire, When to Hire, Engagement

Introduction

For convenience, digital forensics examiners will be referred to as experts throughout this book, even though the term “expert” is a legal term and is only valid in a court of law when someone passes the qualification tests of the court to be accepted as an expert.
As there are different subdisciplines in the area of digital forensics, there are different types of digital forensics experts. Some specialize in one area of technology, while others may have expertise in many areas including computers, cell phones, cell tower technology, video, and so forth. This chapter discusses why and when you should engage an expert in a matter involving digital evidence.

7.1. Why hire a digital forensics expert?

While it seems that the answer here should be obvious, our experience over the years has shown us that many attorneys choose not to hire experts in cases involving digital evidence.
In some cases it is a matter of expense; in other words, why pay an expert’s rates when you can have a computer specialist do the same thing much less expensively? This is most often seen in domestic cases where money is a serious issue or where the extent of what is being sought is pornography or Internet history and maybe some e-mails. Testimony is very rare in domestic cases as the evidence is primarily used to force one side to admit to an affair or to settle some dispute rather than go to court. If there is no need to be concerned about chain of custody, authenticating the evidence, or having to appear in court, then hiring a non-expert could save the clients some money if they can engage a computer technician to recover this information at a small percentage of the cost of engaging a fully qualified expert.
The question is whether or not the higher rate you may need to pay to engage an expert will provide the appropriate value to you or your client. Value can be somewhat determined by the risks for the client in not engaging a qualified expert. In cases involving large amounts of money or criminal cases where the client’s freedom is at stake, the cost of engaging an expert is very small in the grander scheme of things.
In a civil case where tens of thousands to millions of dollars are at stake, paying a digital forensics expert a few thousand dollars is a small part of the overall cost of litigation.
In criminal cases where your client is facing loss of freedom or even loss of life, the cost of engaging a digital forensics expert should not even be a consideration. One thing you can be certain of in criminal cases involving electronic evidence is that the prosecution will have a digital forensics expert on their side.
Proper collection and protection of digital evidence, efficient and accurate analysis of digital evidence, and the ability to properly interpret the results of examinations are all critical factors in knowing whether you need to hire an expert.
The proper interpretation of digital evidence is critical. There is a school of thought that digital evidence either is there or it isn’t, and that is the sum total of an examination. Reducing the value of a digital forensics examination to this binary type of thinking is a mistake. Even with a single piece of digital evidence, there can be more than a single interpretation of that evidence. A good expert can use the entire body of digital evidence to come to a conclusion that takes into account the possible variables. There are many times when something can be proved conclusively concerning digital evidence, but just as frequently it comes down to an expert opinion based on the interpretation of the evidence.
It is not uncommon to see experts make overstated claims concerning what digital evidence might mean in a case, or to simply interpret digital evidence incorrectly. It is even more common to see non-experts used in cases make interpretations that are flat out wrong, damage evidence in the process of their examination of the evidence, and fail to keep any kind of chain of evidence.
In cases that are complex and involve multiple computers, computer users, accusations, and complicated timelines, the use of an expert is even more critical. As more data is added to a case that must be analyzed and put into the overall context of the case, the ability to properly tie together seemingly disparate information and explain it in an understandable manner could be the difference in winning or losing.
Without a competent expert on your side, you are at the mercy of the conclusions drawn by the opposing side’s expert. In situations like this, you need an expert to act as an equalizer; to determine whether or not the opposing expert has performed a sound forensic examination, to verify whether their claims concerning digital evidence in the case are accurate, and to combat those claims if necessary.

7.2. When to hire a digital forensics expert

When should you hire a digital forensics expert? The short answer is as soon as you determine that any type of electronic evidence will be part of your case.
Engaging a digital forensics expert early in your case will benefit you in many ways, especially if you have evidence that must be collected or a large volume of evidence that must be analyzed.
Performing tasks related to collecting and analyzing digital evidence takes a lot more time than you might think if you are not familiar with this type of evidence. The increasing size of hard drives makes them more time-consuming than ever to collect, process, and analyze. Hard drives are now being sold at your local electronics store that can contain three terabytes of data. That is roughly three thousand gigabytes or three million megabytes. Think of it as approximately 2.6 million floppy disks. That is a lot of data.
When you are presented with a case where original evidence must be collected, getting access to and subsequently getting a forensic copy of the evidence is a time-sensitive operation to make sure that evidence that may be critical to your case is not destroyed. Allowing an electronic device such as a computer, cell phone, global positioning unit, or one of the many other types of device that can contain evidence to continue to be operated raises the probability that evidence will be lost during the normal processes of the device. Many devices including computers and cell phones perform automatic updates to the operating system software that can modify the contents of the storage in the device, affect the way the device functions, and also modify the revision number of the software. Delays in completing forensic collections also increase the risk of evidence being intentionally destroyed or destroyed in the normal course of business where a company’s data retention policy may include periodic disk-cleaning operations or purging of e-mail stores.
In cases where the other side has already collected and possibly analyzed electronic data, you will need time for your expert to perform his analysis. There are an alarming number of cases where the attorney has waited until the eleventh hour to contact an examiner to perform a collection or to do an analysis. A couple of cases in point: An attorney contacted a firm on a Friday afternoon. He and his client were scheduled to be in court on Monday morning where the client must either take a plea bargain or go to trial. In another case, an attorney brought in a global positioning unit to be forensically collected on a Wednesday and the attorney needed to have an expert report completed that following Monday. The collection wasn’t possible because the unit’s batteries were dead and the attorney did not have the power cable for the unit. Even with ordering a replacement cable overnight, the deadline was missed because of the delay in collecting the evidence.
In cases involving deleted items that are the basis for a spoliation claim, understanding how data is deleted and recovered, and what system artifacts are created that can be used to figure out how, when, and by whom the data was deleted, is a complex process. It involves computer time stamps, analysis of system artifacts like thumbnail caches, and examination of the raw data on the hard drive of a computer. These types of analysis require not only a skilled examiner, but the proper forensic tools to locate and examine these specific types of evidence.
Failing to make a decision to hire an expert early in the litigation process can lead to incomplete analysis, increased costs, and in some cases, failure to comply with court orders that may lead to sanctions or inadmissibility of evidence critical to your case.

Summary

This chapter examined the need to hire an expert and when to do so. The need to hire an expert is dependent on several factors including the presence of digital evidence, the cost factor, the type of case, and the need to get a proper examination and interpretation of the evidence. Hiring an expert early in the litigation process can help to ensure that evidence is not lost and that your expert has sufficient time to perform a thorough and complete analysis and can help to prevent incurring extra costs.