P.O. Box 232197
Centreville, VA

What is a computer forensics expert witness?  What is computer forensics and a computer forensics expert witness?  What is E-Discovery or Electronic Discovery?  What percentage of computer forensics expert witnesses have been performing computer forensics for over five years?  What is the definition of an Expert Witness?

As early as 1980, the simple definition of an Expert Witness was: "A person is qualified to testify as an expert if he has special knowledge, skill, experience, training or education sufficient to qualify him as an expert on the subject to which his testimony relates." (Calif. Evidence Code sec 720)

Since its advent, the personal computer has made life considerably easier for the average person, who can now communicate and complete in hours tasks that once required days of manual labor.  Productivity gains come in the form of the ability to re-use drawings or to edit a paper, such as a term paper, thesis or dissertation, proposal or legal complaint, without retyping and reformatting the entire document.  The fax machine will eventually become obsolete as document scanners are used in the storage and transmission of documents, either by courier on optical or magnetic media or by e-mail.  Some individuals will use the Internet for research, and others will use it for purposes that are not so nice.

This is where the art of computer forensics and the ability to provide expert testimony come into play, and so do I, Steven Moshlak.  A good forensics professional needs to be "...half-engineer, half-lawyer and half-computer" to complete the mission, YOUR MATTER!  The individual performing the forensic investigation needs to approach ANY situation without bias in order to present an opinion based upon the facts and not swayed by "the color of money."

Depending on what your matter is, criminal or civil, the role of an Expert Witness is to provide testimony based upon facts and the utilization of his / her life's experience.  In the area of criminal law, law enforcement has taken on a role to curb, if not try to eliminate, computer crime.  As ideal as this may seem, as fast as one scam is quashed, another three pop up in its place to make life miserable for one or more poor end-users.  The Federal Bureau of Investigation's Organized Crime Division, the Texas Rangers, the U.S. Army's CID, the USAF's OSI and the USN's NIS units have some of the most talented individuals within their respective organizations.  Ironically, because of re-organization and re-prioritization, a large part of civilian computer crime is now investigated either by a Regional Computer Forensics Lab or by one operated by state and local law enforcement agencies.  Since most law enforcement agencies do not have a "crime lab," they rely upon sworn personnel to perform the intake, the investigation and the computer forensics, and to testify to what they find (not necessarily what they have not been trained to locate).  Speaking of training, most attend a three- to five-day seminar (probably a December-February class in Florida, Nevada or California), "become certified," generally speaking have less than 20 hours of total hands-on training on one tool, and are then recognized as "experts" by the courts.  However, certain agencies, in order to maintain "checks and balances," retain experts in their field rather than run the risk of a conflict of interest, and have Special Investigative Divisions.  Other issues that your attorney will question include whether they have the "latest and greatest" tools, which have the ability to be accurate, and whether they have the know-how.

I, as well as a number of other experts, believe that one tool isn't enough and that verification and validation are required before a factual finding of guilt is made.  We use the latest tools from AccessData and Logicube, the same people who supply government agencies with their tools, as well as tools from Eurosoft and a number of others.  From a case perspective, peer-to-peer networking is an example.  The risk of having a peer-to-peer network is that it opens up a can of worms by letting others view or store incriminating data on a defendant's computer.

From a civil perspective, the computer has become a "treasure trove" of information.  Whether it is a corporate CEO trying to "bury" his assets, e-mails or other incriminating memos, if it is on a computer or server, it will probably turn up.  Most family law issues (divorce, spousal and child support) have become increasingly dependent upon computer data, simply because the traceability of data regarding assets has become very important.  E-mail can point to issues ranging from inappropriate conduct to proof of innocence, or to the commission of, or complicity in, a crime or tort.

There are other factors, such as HIPAA, Sarbanes-Oxley, Clinger-Cohen and numerous state regulatory issues regarding privacy and truth in corporate reporting.  Corporate leaders and members of the medical community are becoming more reliant upon computers to manage their affairs, and in the event there is a single point of contact failure, a requirement exists for someone who is responsible to examine the computer for evidence on their behalf.  This may include password recovery and data forensics when building a timeline of events.

If you have any questions, please feel free to contact us and we will be happy to talk with you about the issue that concerns you.

Yes, about the question of "What percentage of computer forensics expert witnesses have been performing computer forensics for over five years?"  In an unscientific poll, approximately 10% out of 3200 responses indicated that they have performed this work.  By extrapolating this figure, there are very few with 10 or 15, and even fewer with 20, years or more of experience, tools and knowledge.  Whomever you select, choose the right person or company that will meet your needs.