Tech Audit

In Search Of E-Expertise

  •  
  •  
  •  
  • Print

A nightmare for most trial lawyers would be to find a “smoking gun” e-mail that makes their case, only to have it thrown out or misinterpreted in court due to a truly technical technicality. Though this happens all the time to paper records for legal reasons, now that electronic documents are discoverable, there are all sorts of new technical reasons why even the most damning discoverable documents can fail in court.


Unfortunately, the technology of digital evidence is outside the scope of knowledge of most lawyers, so outside experts are necessary. Finding someone who can not only manage the discovery of electronic records but also defend those records in court is often crucial to winning.

“A lot of would-be experts have been coming out of the woodwork claiming to be experts,” says Erin Kenneally, a forensic analyst and attorney with the San Diego Supercomputer Center. “It’s really important not to take someone at their word but to find out exactly what they can do for you.”

New federal discovery rules scheduled to take effect in December mandate that lawyers meet and confer about discovery within 120 days of the start of a case. That means lawyers must think early about electronic discovery and know where digital evidence might be hiding. That’s especially true in federal court, where rules limit the number of interrogatories that can be used to ask the other side about evidence.

Experts in e-discovery are necessary for many reasons. For example, an out-of-sync clock can be evidence that someone tried to change or delete material from a computer. But a clock may be changed for innocent reasons, too, and it is up to forensics experts to tell the difference.

Evidence such as e-mail is easily forged, and it takes a competent examiner to determine whether tampering occurred. And experts also need to make sure lawyers know how to request or produce evidence. Many lawyers will try to produce electronic documents in the least convenient form–for example, printing e-mails so that digital evidence such as metadata is stripped out.

Training and Testimony

But there are no standards for who is an expert in computer forensics, and a lot of amateur detectives have joined the game. “Measures of reliability in this area are often based on market share, not scientific data,” says Kenneally. “A judge will say, ‘Gosh, if this is what law enforcement uses, it must be reliable.’ ”

The International Association of Computer Investigative Specialists does provide certification and training in forensics, but it is only open to law enforcement professionals. Many forensics experts find it useful to be certified by Guidance Software, which makes EnCase, a de facto standard for analyzing digital data. And though the National Institute of Standards and Technology doesn’t certify experts, it does publish scientific data that can be used to authenticate documents in court.

Certification doesn’t solve all problems. Lawyers must find witnesses who can explain technology in terms a judge or jury can understand. Even though digital forensics experts generally defend their tactics in written affidavits, they often must get on the stand. And e-discovery experts may be called to testify on matters of opinion, not just complicated techniques. John Simek, a computer forensics specialist with Sensei Enterprises in Fairfax, Va., has had to testify about the fitness of a parent based on Internet usage. “A typical question might be, ‘You said this man spent five hours on the Internet searching for porn. Is that unusual?’ ” says Simek. “I have to be able to come back with my experience and say, ‘I’ve done hundreds of cases and this is in the top 10 percent.’ ”

In the end, the issue is not finding an expert, but finding the right expert. “No one can pretend to be an expert in everything in electronic records,” Kenneally says. “It’s better to make sure you know what someone can do early on, rather than have them cut to ribbons on the witness stand.”

Give us feedback, share a story tip or update, or report an error.