Thursday, December 17, 2015

Neutrality in Digital Forensics




Let’s be honest, everyone has biases about many things in life.  Whether you have a bias against people’s behavior during a full moon or a bias for or against the police in an investigation, biases come in all shapes, sizes and varieties.  Some are politically-motivated, some are based on upbringing, some are rooted in personal experience and some are just ill-conceived notions of behavior or situations based upon a minimal representative sampling.  Regardless of the origin of personal bias, let us also be clear that it has no place in digital forensics.  Period.



Neutrality in Practice

Neutrality is defined as “the state of being unaligned with or supporting any side or position in a controversy.”  The “controversy” we would generally be referring to in digital forensics is the legal case or dispute in which we are analyzing digital evidence to prove or disprove a theory – that’s an important distinction to neutrality in itself – to prove or disprove the theory.  You see, when a claim is made, whether it be by the government, another party involved in a divorce or a corporation, the heart of the forensic methodology is to prove whether or not that claim is valid through analysis of evidence.  Unfortunately, my experience (and perhaps my own bias) is that this doesn’t always happen.

For example, an analysis by the government showing the existence of illicit images on a computer hard drive is in and of itself potential evidence of a crime.  However, some examiners may stop at simply finding and reporting.  But there is often much more to the story.  Where did the images come from?  How did they get there?  Who downloaded or transferred them?  Is the prime suspect the only one who had access to the computer?  What is the overall number of other images (i.e., legal adult images) that exist in relation to the illicit images?  All of these things have the potential to be mitigating and/or exculpatory factors.

I’ve had this discussion with my colleagues in law enforcement multiple times.  The argument on their side always is that the pictures are there, so the suspect is guilty.  My argument is that if you don’t do a thorough enough forensic examination, you could be missing key pieces of evidence that could prove that they are in fact not guilty, which is also your responsibility as a public servant operating under good ethical principles.  I have worked these cases from both “sides” and I can say that I did not appreciate this until I left government work.  I will also say that the evidence and analysis much of the time shows that the suspect was, in fact, guilty.  But that doesn’t mean that we should assume they are always guilty and start cutting corners.  That’s a slippery slope from which we will all have trouble recovering.



Neutrality is key in these examinations, but I also understand it’s difficult.  As a law enforcement investigator, I was once charged with writing a search warrant for electronic evidence and conducting a forensic examination based upon very anecdotal information, only some of which could be substantiated.  My supervisors were convinced that the suspect was guilty and I did my due diligence on the case, ensuring that I was thorough and remained neutral.  In the end, I found no evidence of their guilt.  Absolutely none.  My supervisors were incredulous.  Did I do something wrong?  Not at all.  I did my job the way it should be done, but unfortunately may not be all the time by everyone.  I remained neutral and with an open mind.  Was this a waste of time and resources?  I’ll let you decide that for yourself.

Neutrality is just as important in non-criminal cases.  Think about how much raw emotion encircles a divorce, especially if there are children involved, yet we must remain neutral.  After all, it could be the utter lack of evidence in an infidelity claim that turns the tide and keeps that family together in the end!  In corporate IP theft or fraud cases, someone’s job, livelihood or reputation is on the line.  The ability to examine the evidence presented with a neutral mindset could make the difference between condemnation and vindication.  So as you can see, neutrality is important to everyone in all cases, regardless of the dispute.

You Found Nothing, Now what?

Whenever we are able to prove the claim through digital forensic analysis, the client (for lack of a better term) is generally quite happy.  However, more than once, I have conducted thorough, thoughtful digital forensic examinations and reported back to the client and/or attorney that I’ve found little or no evidence that supports their claim.  To say that the party on the receiving end of these reports is usually quite surprised would be an understatement.  So now that you didn’t find anything, what are they supposed to do?  There are always alternatives.

First, is there more evidence to examine?  If they are convinced that the suspected activity is ongoing, there may be evidence elsewhere that is not readily apparent and that has not been presented for analysis.  Second, what other corresponding activity is taking place to support the claim and is there an alternative way to get the evidence?  Clichés are cliché for a reason, and there’s usually more than one way to skin a cat.  Finally, if all other avenues have been explored, it may be time to have a very honest conversation about the possibility that the suspected activity is not actually occurring.  This naturally takes more people skills and fewer technical skills.

Cannot Be Understated

Neutrality as a standard practice and mindset in digital forensic examinations cannot be understated.  I understand the human element, especially in government sectors.  If you see evidentiary guilt over and over again, it’s human nature to fall into a pattern of pushing the digital forensic “easy button” and not looking at the big picture.  But if you do, you are ultimately devaluing your work, your service to the public and your reputation as a forensic examiner.

In some ways, being a private-sector consultant combats this naturally.  Every new client and every new case is a fresh start.  We don’t assume anything, we don’t rush to judgement, we simply let the evidence point us to the facts, which most often leads all parties in the case to the truth.  There’s no denying that we set out in every case to make our clients happy, but not at the expense of neutrality or credibility.  Simply put, it’s not worth money to sacrifice ethics.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
Available Globally

We Find the Truth for a Living!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Wednesday, December 2, 2015

The Value of Expert Witness-Attorney Relationships




The term “expert witness” may get tossed around a little more than it should.  Since leaving law enforcement, I can attest to the fact that I’ve seen so-called “experts” of all shapes and sizes.  Some are very professional and knowledgeable and some just want to call themselves an “expert” in something to boost their resume (and no doubt their billing rate).   

But experts are not restricted to the private sector.  Indeed, my first designations as an expert were through repeated work and testimony involved in law enforcement and criminal investigations.  While the procedure of qualifying an expert through appropriate questioning, voir dire and thorough documentation has been written about extensively and ruled on by the courts, what is less often brought to light is the importance of the relationship between the expert witness and the attorney(s) involved in the case. 

There are good experts and bad experts, just like there are good attorneys and bad attorneys.  I’ve worked with both kinds.  This isn’t an insult to anyone in the legal profession, it’s just a simple fact.  In any discipline you will find people who are professional, competent, prepared and educated and those who are not.  In my experience, the attorneys who take the time to thoroughly prepare for trial by extensive interviewing of the client, the expert, any and all witnesses and careful review of the evidence and how it relates to the law are by far the best to work with.  Sadly, this is the exception rather than the norm.  



Working with a competent, professional attorney can make the expert’s job much more effective and serve the client more fully.  And when the case is concluded, that’s really what we all want – for the client (whether the client is society or an individual) to be well-served by our efforts.  We can’t dictate the outcome, we can only strive to put forth the best case possible and hope the outcome reflects the truth.  So what should an effective expert-attorney relationship look like?  Here are a few things I’ve learned so far:

1) Thoroughly research your expert witnesses and interview them before engaging their services.  Factors that should be considered include: do they have experience testifying in jury trials, do they have appropriate credentials for the job, do they have the requisite knowledge, skills & abilities and can they articulate what may be very technical testimony in terms a lay-person can understand.  If the answer is no to any of these, it may be a clue to keep shopping… even if it costs more.

2) Constant communication with experts is vital.  Waiting until a day or two before trial to reach out to your expert to solidify their findings and testimony is not acceptable.  This rings especially true for attorneys in the public sector (prosecutors) when their expert is a law enforcement investigator.

3) Educate yourself about the expert’s findings and testimony.  Do you know the difference between SMS, MMS and iMessage text messages?  Do you know why certain information cannot be obtained from Apple devices vs. Android devices?  Do you know what types of information are retrievable and what are not from the unallocated space of a hard drive?  While your expert is the actual SME on these topics, questioning them at trial or deposition with a decent background of knowledge will help the testimony go smoother and help the finder of fact understand things better.  It will also show opposing counsel that you know what you’re talking about.  You’ll find most experts are happy to help educate you and the more educated you are about specific topics that may present themselves in legal matters, the more effective you’ll be over time.

4) Review your expert’s testimony before trial or deposition.  I know this may seem a “no-brainer” to most litigators, but speaking from the other side of the witness stand, I can honestly say that about 65% of the attorneys I’ve worked with in the past have actually done this.  It’s a horrible feeling for your expert to take the stand and not have any idea what you’re going to ask, so please do the expert and the client a favor and review these things before court.



Positive, productive relationships between attorneys and experts are not only important, but they’re always a work-in-progress.  I have two very good attorney friends – one prosecutor and one defense attorney – with whom I stay in regular contact, whether we have a case together or not.  It’s not just a quid-pro-quo service-oriented relationship.  It’s a symbiotic relationship based on mutual respect and understanding.  They know I’m the SME when it comes to electronic investigation and digital forensics.  I know I’m not an attorney or a legal expert.  I’ve known these attorneys for years and they both refer me to other attorneys because of this relationship.  Simply put, it’s more than just business.

I’ll wrap this up with a note about the charlatans.  Regular readers of this blog probably know very well my stance on certification vs. experience, but the note about charlatans goes way beyond that.  I was in a professional association meeting earlier this year during which another member extolled the fact that he has a 25-page curriculum vitae and is a qualified “expert” on everything from handwriting analysis to accident reconstruction.  This irritated me because by professing he’s an “expert” in multiple disciplines for which he may not have any formal training, experience or real knowledge, he devalues us all who do.  In my experience, true experts specialize in one or two disciplines and hone their knowledge and skills over time.  Blowhards just want another feather in their cap to increase their billable rate.

Bottom line, it’s up to you to choose an appropriate expert for your case.  Research them, talk to them and fully vet them.  You won’t regret the work on the front-end and the value the right expert can add to your case could very well make the difference between winning and losing.
