Lawyer Monthly Magazine - May 2019 Edition
Are there any regulations which can block the process of you and your team locating deleted files?

Not regulations so much as agreements between the parties. Typically, in order for the team to be allowed to investigate, the parties involved agree to a stipulation that limits the team to specific types of searches or procedures. If the devices containing the evidence are instead ordered by the judge to be produced, there still are likely to be limits to what we can search for. In some cases, we are required to act as the gatekeepers of the evidence, producing only responsive data no matter who has hired us or is paying us. If additional data is drawn out besides what was required in the stipulation, there is a “clawback” provision that keeps it out of evidence.

You have worked on cases determining fake documents: how is this determined? How can such a result impact legal cases?

In many cases, one side will present electronic evidence that is only a purported scan or printout of an email or another document, without providing the underlying actual electronic evidence. We forensic guys barely consider that to be evidence. The underlying headers of email contain Message IDs and the names and IP addresses of the mail servers traversed on the way from sender to recipient. Tracing these back can show fakery. There was one case where we had only a scanned document that was purportedly a printout of an email. It was hard to find what was underlying it, until we noticed that the time/date header said PDT (Pacific Daylight Time) on a date that was actually in PST (Pacific Standard Time).

With added concerns of cybersecurity and data placement, can you share what you predict you will be instructed on in Courts?

Generally, we are instructed to dig deeper to find what may have been compromised. Computers contain many logs that are helpful in putting together a picture of what happened. There are records of successful remote logins and of unsuccessful remote logins. There may be IP addresses embedded in malware install files that have been deleted but are recoverable. There may also be IP addresses embedded in remote access logs or VPN (Virtual Private Network) logs. And of course, there’s malware galore.

Are phones and mobile devices a significant part of your work?

Yes. More and more over the past 10 years, mobile devices are significant parts of evidence, especially in Criminal Law and Family Law. It’s easy enough for an officer to grab a phone from a suspect and take it to a local FBI or local law enforcement kiosk and suck everything off of it. Various jurisdictions limit what can be reviewed because our whole lives might be on there. Because it just fits in our pocket, we often don’t realize we’ve got a portable supercomputer with large amounts of storage that we’re carrying around with us. My iPhone holds more than 25,000 times the data of the first hard drive data recoveries I did at the beginning of my career. I would say that mobile devices are involved in more than half of the criminal defense cases I see these days. And of course, a philanderer may have the names, phone numbers, photos, and conversations with his or her extracurricular love interest sitting right there, inches away from their spouse. It doesn’t take much to review all of that incriminating – and often racy – information.

What does the future hold for digital forensics and testimony?

I think we will see smarter and smarter programs automating more and more of the process of discovery. Artificial intelligence will make inroads into the tools we use. When I began in this career, everything was manual – we had to search for individual letters and punctuation across 10 million bytes. But hard drives now hold trillions of bytes and a manual search of modern storage devices and complex data structures would take half of forever, so more advanced tools are necessary. But pressing a button isn’t all that is involved. The expert witness will need to understand the underlying operating systems and structures, how the forensic programs derive their results, and to be able to explain them in simple enough terms for attorneys, judge, and jury to understand. I expect we’ll have human experts in the courtroom for a long time to come.

CONTACT
Burgess Consulting and Forensics
3421 Empresa Drive, Suite B, San Luis Obispo, CA
Tel: 866-345-3345, 805-349-7676
steve@burgessforensics.com