Contact Berryhill Computer Forensics ... via email (info@computerforensics.com) or call us toll-free at 1-888-745-1405.

Need CLE Credit?

Schedule a computer forensics CLE presentation at your firm or by webinar with Berryhill Computer Forensics.

Subscribe to d3 —due digital diligence — our FREE quarterly eNewsletter

Enter your email address and click "Go." You will be taken to a sign-up page to complete your subscription. Click your browser's "back" button to return to this page.

 
 

Having a Computer Forensics Expert in Your Corner

By Jon Berryhill

What if opposing counsel informs you they’re calling a computer forensics analyst as an expert? Even if you don’t need an expert to analyze computer data, it can pay to have one in your hip pocket.

Computer forensics and eDiscovery can involve computers belonging to your client and/or the opposing side. If there were computer evidence (or the potential for evidence) germane to a case, you would be best served to have an experienced computer forensics analyst look at the data. A computer forensics expert can work as a special master or can sign a non-disclosure agreement in order to protect confidential information. If opposing counsel hires an expert, you will want to have their analysis and conclusions reviewed by your own expert. Occasionally, opposing counsel will share the imaged (copied) hard drives from computers involved in the discovery.

If you are deposing opposing counsel’s computer forensics expert, it can be extremely valuable to have your own expert in attendance. Often, they can identify flaws in the other expert’s answers, or suggest a line of questioning. We recently provided this service to a client. During the depositions, the other side’s experts essentially refuted much of what was in their own analysis. Before the case ever went to trial, opposing counsel had withdrawn its computer forensics experts.

Have you ever considered acting as your own computer forensics expert? A few years ago, a defense attorney contacted our company and asked to rent (use) our forensics equipment to view and analyze a hard drive image of his client’s computer made by investigators. As experienced professional computer forensic experts, we were concerned about this request, and offered our analysis services, which this defense attorney declined. The attorney paid for the use of our equipment, and until recently, we had not heard what became of the case.

Unfortunately for his client, this attorney lost the case. His client spent the next few years in jail as a result. We were approached on this case after the client had secured a new attorney to handle an appeal. The original trial judge provided a declaration expressing his opinion that the defendant had been poorly represented. Our company was the only other party asked to provide a declaration, which we did, stating our professional opinion that the computer forensics evidence was incomplete and not conclusive. Perhaps if the attorney had not tried to act as his own expert, his client might have been spared prison time.

Finding a Computer Forensics Expert

How do you go about finding an experienced computer forensic analyst? One way is to ask colleagues who have used a computer forensics expert. You can also search the web, including various expert witness listings. But make sure to properly investigate any expert you are considering. Most importantly, check their references.

With References, Dig a Little Deeper

References can be a great resource when investigating computer forensics experts. While there are reputable experts, some may exaggerate their credentials. Some may provide historical client lists, but none of these clients are willing to accept your call. When asking for a reference list, make sure it is a list of people willing to take a call from you. Call the references, and ask questions such as, “Were you happy with the work product? Would you hire them again? How did their work impact your case?”

Be wary of claims boasting of years of experience or an “alphabet soup” of letters after someone’s name. Some experts may exaggerate their years of experience by including experience with computers and/or computer data recovery, rather than actual forensic analysis. Various certification courses exist, but there are no standards. Real case experience, having things go right and wrong in the field, generates layers of tried and true expertise. To best understand the importance of hiring a seasoned expert, consider the parallel you can draw between new attorneys and seasoned veterans who have tried many cases. The depth of real case experience can’t be taught in any classroom, as every case is unique. Ask the expert “How many years have you actively worked on computer forensics cases? How many cases have you personally worked on? Have you ever testified in court? How has your work impacted cases?”

Occasionally there may be a need for multiple analysts from the expert company to assist in the recovery, imaging, and processing of data. Ask for details about the number of analysts actually working on your case. Ask, “What are their qualifications? What is their experience with actual computer forensics work? On how many cases have they worked? Will they be available during analysis to discuss whether further analysis will be needed? Is the person doing the analysis the one who will be available to testify?” Keep in mind that there are no formal requirements in place to be labeled as a computer forensics expert. That is why reference checks and asking the right questions are critical to protect your small firm and clients.

Seasoned and Qualified

Computer forensics is the acquisition, analysis and presentation of computer evidence, and a good expert must be skilled in all three of these areas. For every finding presented by the expert, demand the facts to support the conclusion. It is valid for an expert to express opinions, but to stand up in court, opinions must be supported by facts. It won’t do your case any good if the expert only uses “geek speak.” Having an expert who can’t effectively present the facts or communicate conclusions based on fact (both verbally and in writing) may blow gaping holes in your case. Experts with exceptional communication skills can explain findings in terms understood by the watchful, critical (and not necessarily technically savvy) eyes of the judge, opposing counsel, opposing expert, and the jury.

Rates can vary, and some experts may charge a flat fee for common tasks. There are some common computer forensics tasks that don’t vary considerably in terms of time or work required.

Common Computer Forensics Tasks Approximate Time Required*
1. Forensic quality image of hard drive 40–200 minutes per 100GB (Depending on size and age of hard drive)
2. Duplicate set of hard drive image files (a copy of the raw material) 30–60 minutes per 100 GB
3. Keyword search of image 1–4 hours for 10 keywords on a 100 GB drive (Varies based on size of drive, how full the drive is, and number of keywords; does not include time required to analyze hits.)
4. Extract active files, recover deleted files, create file listing, and provide copy on optical or magnetic media 1–2 hours

• These are approximate times. Many variables can affect these tasks, but if you're dealing with a healthy drive, the time should not vary from these ranges too much.

Jon Berryhill has led over 600 computer forensic investigations spanning the past 14 years. He has served as a Special Agent in the U.S. Air Force Office of Special Investigations and worked extensively with the California Department of Justice Advanced Training Center. He has been certified in California State Court and Federal courts as an expert witness in computer crime.

 

Choosing a Computer Forensics Specialist