Tech Tips
Determining the Need for Forensics
Thomas E. Williams, Director, Data Collection & Forensic Services
Would you ask a reputable doctor to perform brain surgery for a common headache? Certainly not. Often, however, clients ask experts to perform forensics on discovery data, when a simple review of the documents collected in litigation could reveal the needed information.
Forensics can be very expensive. It involves paying an expert or team of experts to carefully comb through potentially massive amounts of data. While the following is not a comprehensive list, here are some questions you should consider prior to engaging a forensics expert:
- Has data been manipulated or deleted?
- Is there a unique challenge, like encrypted or foreign language data?
- Is this review worth the expense? Will the forensics cost more than the value of the litigation?
- Are you investigating some incident? If so, using forensics for a specifically-targeted search may be your best bet.
- What do you hope or expect to find? Have you examined what was presented in a “non” forensics environment? Did you find what you were looking for? Are you aware of other documents that were not found when you looked through the electronic documents the first time?
- How much are you willing to pay? Be aware that depending on how deep you need to go, and how much data exists, considerable costs are a distinct possibility.
- How long will it take? If the practitioner is very busy and has limited resources, it could take a long time. Federal and state agencies typically run a six-month backlog regarding computer forensics.
Typically, experts are engaged to conduct forensics with a purpose such as investigating the misconduct of an employee, inappropriate use of the Internet, or theft or fraud against the company. An example might be a call on a Friday afternoon along these lines: “Help: our CEO and CIO left for the Cayman Islands this afternoon and all of our money is gone! Can you examine the computer assigned to them right now?” While this scenario may sound like an exaggeration, unfortunately the truth is often not that far from it. Such cases are clear-cut, excellent situations for forensics.
Who is doing your forensics?
Just as you would not want a junior associate to handle your own capital trial, or a recent medical school graduate to handle your triple bypass surgery, experience does matter. Make sure your forensics partner is experienced.
Always use a reputable, neutral, and disinterested third party. This step avoids the appearance of possible problems with the data collection or analysis. While a company forensics person may be of the highest caliber and as honest as the day is long, work done internally can lead to questions about thoroughness or suggestion, as it can be inferred that a company employee can be encouraged to protect the company rather than be a finder of fact.
At the very least, verify a potential partner’s training. Some desirable credentials include:
- Federal or Local Law Enforcement Training (FBI or DHS Training Center)
- Vendor Specific Training
  - AccessData, Guidance Software, NTI, Paraben, etc.
- Certifications
  - Did they pay for, complete, and pass the certification course?
  - Certifications include: ACE, EnCE, PCE, MSCE, etc.
Some additional questions include the following:
- What is their experience: private industry, public sector, etc.?
- How many years of experience do they have?
- How many machines have they imaged or examined per month or per year? (If you do not ask these questions, the other side certainly will! It is better to know this ahead of time than to be surprised.)
- One of the most important questions to ask is this:
- Have they testified? When? Where? About what?
Expectations and Reports
Discuss your expectations with the consultant in advance. Make sure they re-state your expectations and can meet them. Be cautious of groups that “promise the moon and the stars” tomorrow. You may be disappointed. Forensics is a time-consuming “art” rather than an exact science.
Some additional questions to ask:
- What tools do they use?
- Have they ever collected data in a foreign country?
- Do their tools “see” foreign language characters?
- Can they print non-English documents to send to translators, or will the document look like machine language gibberish?
- What format will the report be in? Tech-heavy forensics folks do not always give legal-minded folks a report format that they understand or can use.
- Can you get a CV for the person doing the work?
- Can you review the training protocol of the group doing the work to learn if they are up to date on their training?
As a parting thought, make sure your vendor is not married to one tool or methodology. Remember, there is no magic bullet. A combination of knowledge, instinct, and insight into the case will help you get the most out of forensics.
Author Bio:
Thomas E. Williams is Director of Data Collection & Forensics Services at LexisNexis® Applied Discovery®. Mr. Williams, a former federal agent, is responsible for working with the clients to assist in designing data collection strategies so electronic documents can be harvested efficiently and in a forensically sound manner when the need arises.