Friday, December 14, 2012

The Perils of Using the Local Computer Shop for Computer Forensics

In a recent article posted by the Association of Certified E-Discovery Professionals, Robert Hilson writes about the loss of privileged documents due to the attorneys' "absent" supervision.

"It is a familiar story. A client discloses thousands of privileged documents from an electronic universe of many millions due to alleged failures to supervise a computer consultant. The mistaken production results in a heated clawback motion, in which a judge finds that the attorneys did not take the “reasonable steps” required by law to prevent the disclosure.

Those are the facts arising from Blythe v. Bell, a little-reported lawsuit over the control of a sportswear manufacturer in Hickory, North Carolina. The case, in a state business court in Catawba County, bears uncanny resemblance to the high profile J-M Manufacturing skirmish and countless more suits that are either unreported or have yet to happen."
 
 
"Hickory Brands hired a service provider called Computer Ants, whose owner and operator, Thomas Scott, testified to never having performed forensic services in the context of a lawsuit.  Scott, who the defendants tasked with producing documents responsive to search terms from a total of 308 million potentially relevant files on 35 computers and six servers, had previously worked as a truck driver and a security manager for Bass Pro Shop."
 
The result was the delivery of 1,700 sensitive documents to the opposing counsel that resulted in a heated clawback motion, in which the judge found that the attorneys did not take the "reasonable steps" required by law to prevent the disclosure.
 
This case highlights what I wrote about in "Digital Forensics for Legal Professionals" on selecting an expert and the difference between a computer expert and a forensic examiner.
 
 
I cannot express strongly enough the risk associated with picking a computer or digital forensics contractor to use in civil and criminal cases.
 
A recent experience helps to illustrate this:
 
I recently testified in a military court where the government was offering an expert for a fraud case, and I was asked to explain the difference between hiring someone with my background versus the alternative expert, a government employee, who had a Master's Degree in Network Security, but did not have any forensic training or experience.
 
To his credit, he freely expressed that he did not know anything about forensic examinations, how to craft language to get information from ISPs or how to find the custodian of records for same.
 
I explained for the court, specifically the military judge, prosecutor and defense counsel, how to go about tracking an IP address from the service provider and connecting it to a particular subscriber, as well as the process for locating information regarding on-line fraud on a computer.
 
The result was that the court approved me as the expert for the defense; however, the prosecutor immediately withdrew the charges. So I did not get hired. But the important thing is that I got a chance to educate a judge and some attorneys on the difference between a qualified examiner and a network security administrator.
 
While he had tons of expertise in what he does, it is not what we do as forensic examiners.  As the case I mentioned above points out, failing to hire the right kind of expertise is risky for clients and attorneys.
 
And while it can be an expensive mistake in a civil case, it can be devastating in a criminal case where a person's freedom and perhaps even their life is in the balance.

1 comment:

  1. Great stuff, Larry! I'm constantly asking myself how I can do better, what else I can explore, examine, or look at, or what I could do better on my next exam.
