Q&A with Keith Jones, Computer Forensic Expert Witness and Senior Partner of Jones Dykstra & Associates (www.jonesdykstra.com)

Topic: How can lawyers successfully select and work with a computer forensic expert witness?
 
Q: How can lawyers find a qualified computer forensic expert witness?

Keith Jones: Legal professionals can employ many different methods for finding an expert witness in the field of computer forensics.  Many people claim to be computer forensic experts, but they do not have enough knowledge or experience to provide iron-clad testimony, should the need arise. 

Asking for referrals from a trusted source is usually the best way to find a quality person.  Realize that you are hiring an individual expert, so even though the company you’re hiring has a great reputation, be sure you know the credentials and background of the specific person who will work on your case. 

Once you have a few candidates, do your own research on those potential experts – verify their resume and background.  Remember that opposing counsel will be doing their homework on this, in an effort to possibly discredit your witness. 

In addition to having impeccable credentials as an expert witness, the computer forensic specialist should also have excellent communication skills.  If the case goes to trial, he or she will need to effectively explain complicated technical subjects to judges and juries that may have had  no prior technical training.

Q: What kinds of credentials and certifications should a lawyer look for in a qualified computer forensic expert?

Keith Jones: Legal professionals should inquire about whether the individual (not company) that they are considering as an expert has at least one or more the following non-product-oriented certifications:

- Certified Information Systems Security Professional (CISSP)
- International Society of Forensic Computer Examiners (ISFCE) Certified Computer Examiner (CCE)
- Certified International Information Systems Forensics Investigator (CIFI)

Also, lawyers should be aware of the following forensic software packages, which are often used to properly collect and preserve electronic evidence. 

- EnCase® by Guidance Software.
- The Forensic Toolkit® (FTK)
- ProDiscover®
- X-Ways Forensics

Note that training certifications on the above products do not automatically qualify someone as a computer forensics expert.  They only mean that the person has gone through the training course and passed the exam that was created by the vendor.  The expert’s previous testimony record and other “in the field” computer forensics experience are often more valid points for evaluation.

Q. What should a lawyer be vigilant about when working with a computer forensic witness?

Keith Jones: The most damaging thing to a lawyer/expert witness relationship is the possibility of miscommunication.  The attorney and the expert need to be on the same page when it comes to which pieces of information are important, and which are less so.  The legal professional needs to challenge the expert as much as possible and ask bold questions to pull out the salient points and expose vulnerabilities.  This leads to fewer gaping holes that opposing counsel can exploit to discredit your client and your witness. 

Also, remember that many criminal investigations result from low-profile administrative or civil disputes.  Therefore, all electronic evidence must be handled with the utmost care and attention, in case the data becomes relevant on a much more serious level.  The legal professional would be strongly advised to keep copies of evidence inventory and chain of custody documentation.  Failure to handle evidence properly can be a damaging or fatal blow to your client’s future case down the line, if not during the matter at hand.

Q:  At the outset of working on a case, what should the attorney provide to the computer forensics expert in terms of information, direction and guidance?

Keith Jones: It’s a fine line. Usually when an expert starts a case, he or she doesn’t want to know too much to reduce any question of bias. If the attorney is bringing a case to trial, he or she already believes his side of the story.  If somebody is accused of stealing something, then the attorney already believes that the crime did occur.  The expert cannot allow him/herself to be convinced of any such conclusion prior to examining the evidence, so the lawyer must be careful not to attempt to persuade the expert prior to the investigation.

Computer forensic experts need to examine electronic evidence in an unbiased manner.  The lawyer needs to give them just the most essential information, so they don’t get biased, but so they can ask pertinent and probing questions.  If the lawyer gives the expert too much information, that can work against you.  As an expert, though you want to know the whole story, you have to decide what you absolutely need to know, and what you don’t really need to know.

Q. You've served as a computer forensic witness on many high-profile cases, including US v. Duronio.  How did you effectively communicate highly technical information to the jury?

Keith Jones: The Duronio case was very complicated in terms of explaining computer logs and showing how data got from point A to point B.  I had to walk the jury step by step to show how the defendant placed a “logic bomb” of malicious computer code inside the computers of his employer (Paine Webber).  I had to explain the basics of how a computer functions to show how I figured out that the digital bomb was placed on the company’s IT system by Mr. Duronio.  A computer forensic witness often needs to explain very simple things like that, even though they may seem obvious.

In this case, I had to go a lot further and prove that what I was saying was true, even when the defense was calling it untrue.  Experts need to be able to break down the information to a digestible form that can be understood by the jury.  Also, they must be prepared to back up their statements, even when questions come from an unexpected or contradictory direction.

Q: What are the primary keys to a successful attorney/expert witness relationship?

Keith Jones: First, the lawyer and the expert witness need to acknowledge that they come from completely different backgrounds.  The attorney shouldn’t assume that the expert is going to know anything about law, and the expert shouldn’t expect attorney would know anything about computers.  The terminologies and subject matter for both fields are vastly different.

Both need to thoroughly understand what the project entails.  The attorney has to realize that people can’t see electronic data – it’s not a tangible object, it’s abstract.  Therefore, the attorney and witness need to work together to make it “real” for the audience – the judge and jury.

Q: In your experience, what are the most dangerous pitfalls for attorneys when working with an expert witness - what mistakes are made most often?

Keith Jones: The biggest mistake I’ve seen attorneys make is when they hire computer forensic experts who are not the “cream of the crop.”  If the self-proclaimed expert has no college degrees, and just a bunch of certifications from software vendors, that’s pretty hard to defend against when attacked by opposing counsel.  I’ve seen people’s backgrounds explode on them and the attorney who hired them, and I’ve seen “experts” make up their own methodology to do computer forensics without basing it on any proven expertise or approach.

Unfortunately, there’s no universally agreed-upon certification that distinguishes a quality expert from a charlatan.  This is why exclusively using experts who come recommended by credible sources is such an important priority for the lawyer to consider. 

 
Q: In collaboration with attorneys, what ways have you found to effectively communicate and display technical information to judges and juries?

Keith Jones: Any type of visual presentation is good.  However, I’ve seen other experts put up tables and graphs images blown up on poster board and that puts even me to sleep.  Ideally, you want a movie that’s very visual; at minimum, use PowerPoint or something that moves a little bit.  Granted, you can’t do this in every single scenario - it depends on the level of your case.  When I have the ability to use PowerPoint to get our point across, it makes my job a lot easier and my testimony is more easily understood and absorbed.
 

Q.  What concrete steps can an attorney take to maximize chances of success in selecting and working with a computer forensic expert witness?
 
Keith Jones: The #1 thing is that the attorney should get along with and like working with the expert.  See if there’s a personality conflict before you hire the expert. You want the chemistry between you to work when you’re on the stand, so you’re not at cross-purposes during the trial.

Secondly, let the buyer beware when working with large computer forensic firms.  A lot of major consulting companies will do a “bait and switch” – the people that present their credentials to you in the selling phase aren’t necessarily the individuals that will be your assigned experts.  Be sure to ask and investigate who would actually work on your account, so there are no surprises later in the game. 

Lastly, verify people’s backgrounds.   You would be shocked to know what some so-called professionals will fabricate to get the job.  As legal professionals, you are used to doing your homework, so a decision about hiring an expert witness should be subject to the same kind of scrutiny and due diligence that you bring to your substantive legal work.