When you are charged with a computer crime, you want an attorney who will do everything he or she can to defend you. Staying out of prison, avoiding a criminal record and protecting your family are important to you. Then why would you hire an attorney for a computer crime if that attorney doesn’t know anything about computer forensics?
As attorneys, we have to be experts in everything. That’s what makes this job so fun. While we cannot be experts in everything all of the time, we need to have a basic understanding of the issues that we will face. It’s the same reason why the days of the general practitioner are pretty much dead. There is just too much out there to know. Thus, while I don’t expect that many attorneys will become computer forensics experts, they should have a basic understanding of what it is and how to use it to craft a defense. However, most don’t, because many lawyers went to law school before the modern computer became commonplace. Thus, many still have a fear of computers and technology in general. Even though such an attorney may be great in other areas, selecting this same attorney to defend you in your computer crimes case could lead to disaster.
Computer forensics is the art and science of applying computer science to aid the legal process. It is a vast subject area that first requires a deep knowledge of computers and networks, which is why many lawyers don’t even bother learning it. Thus, it is impossible to even touch on the most basic concepts of computer forensics in this article. Instead, I will highlight how and why it is important for the lawyer to understand computer forensics when defending computer crime cases.
In just about every case, the State will have a computer crime expert who will discuss computer forensics. Thus, you may need an expert as well. If you have one, he or she can help you make sense out of the State’s expert’s reports and testimony. However, this person is not a lawyer. Relying solely on their input essentially turns the defense of the case over to a non-lawyer. Would you want a surgeon to operate on you based upon the advice of someone who is not a doctor? Furthermore, you may not always be fortunate enough to have a client who can afford an expert. Thus, you need to be able to understand what the State’s expert is saying in both reports and testimony.
This will also prevent the “deer in the headlights” look that experts often create when they “teach” the defense lawyer. As the defense lawyer, you should be doing the teaching, not the State’s expert. However, I have seen defense lawyers ask open-ended questions in an attempt to understand the expert’s testimony. The expert winds up doing more damage than they did on direct as the expert is teaching everyone, including the jury and the defense lawyer, on cross-examination. This leads to sloppy, almost non-existent cross-examination. Quite often, the case may be lost right then and there as the jury may wind up totally believing the expert. And after all, without anything to really impeach the expert’s testimony, why wouldn’t they?
Experts aren’t always experts, but they sure think that they are. Quite often, they have been trained on how to testify. Some almost seem to have a script. If you don’t know what you are talking about, they will walk all over you. If you can talk the talk, you’ll not only gain their respect, but you’ll also scare them. Your cross can be much tighter and more focused. More importantly, you can more easily take them off script by using their terms and by knowing their methods and policies. Your job is to know more than they do on the key issues in your case. You have the benefit of having everything you want right in front of you while they are on the witness stand with nothing. I have been able to impeach expert witnesses with their own policy manuals. I ask open-ended questions where the answer cannot hurt me to test their knowledge. An “I don’t know” answer is not very damaging, but a wrong answer is. As soon as you get the wrong answer, you can use their own materials to impeach them. Nothing takes the wind out of the State’s case faster than to show that the emperor (the witness) has no clothes.
Besides trial issues, a defense lawyer cannot make sense out of the discovery without a working knowledge of computer forensics. Again, while a defense expert can help, they should not be relied upon to interpret the entire case. In my cases, I rarely need my expert to tell me what the defenses are. Instead, I need the expert to testify as I cannot.
Just about every computer crime case involves some degree of computer forensics. If the defense attorney just assumes that the police are correct, then the attorney is not properly defending the client. Computer forensics involves the collection, preservation, filtering and presentation of digital evidence. In each stage of this process, something can go seriously wrong that could make it seem like the client is guilty when they are, in fact, innocent.
Collection of digital evidence is the stage in which artifacts considered to be of evidentiary value are identified and collected. They can take the form of external disks, computers, phones, video game consoles, servers and any other device capable of recording data. The large number of storage devices and their ever-decreasing size present a big problem for law enforcement. For defense attorneys, who collects this evidence and how is very important to the case, especially when non-law enforcement people collect evidence.
Closely related to collection is the preservation of digital evidence. In order for digital evidence to be reliable, the evidence needs to be complete, accurate and verifiable. Any alterations in the data can lead to a number of defense arguments. While most law enforcement labs have systems in place to prevent this from ever becoming an issue, lay people such as store employees or corporate security can completely alter the original data. Of course, only a defense attorney who understands computer forensics can pick up on this and make an issue out of it.
The filtering process is where the analysis is done. Evidentiary/suspect files are extracted and non-suspect files are filtered out. Due to the increasing size of hard drives and the lack of staff, this process can take many months. The computer crime defense lawyer must have a good grasp on exactly what the examiner is doing and why. Quite often, the examiner will rely upon automated tools to speed up the filtering process. While this allows them to “cut to the chase” pretty quickly, it may also present only one side of the story. Defense lawyers cannot rely upon their own experts to know what to look for when crafting a defense. Instead, they must have a grasp of everything the examiner could have done but chose not to, for whatever reason. What files were not examined? What settings were used with the automated tools? As a result, what files were ignored and why? What do those files show? What could they have shown? To be effective, the State must nail down everything. When they don’t, they hand the defense a blank slate on which the defense attorney can write, and present to the jury, just about anything.
Presentation of the suspect or evidentiary data normally starts with the examiner extracting the artifacts and organizing them onto a form of media such as a DVD. In addition to the media that the data is saved on, reports and testimony are also a part of the presentation. In just about every case, the examiner will use some type of computer forensic software which will generate a report. The defense must understand how this program works and how to read and make use of the report. As previously indicated, sometimes what is most important in a case is not just what is included in a report but what is left out. Nailing the examiner down to the reports and then exploiting the gaps in them can only be done if the defense attorney has a good understanding of the entire computer forensics process.