Some interesting statistics
- There are 76 computers per 100 in the population.
- Some 90% of Internet users have always-on high-speed broadband.
- 97% of all businesses have broadband.
- 70% of all businesses have a website.
In many homes and businesses computers have been in use for several years. Low-cost, high-capacity hard-disk storage means that very little data is ever deleted; if it is, it can be fairly easily recovered. For all these reasons, evidence from computers can be important in a very wide range of civil and criminal cases. This evidence may be crucial and central to the matters in hand, or may provide corroboration, indications of planning and intent, alibi or absence thereof, or (now easier to introduce) point to propensity and ‘bad character’.
A computer expert can:
- identify potential sources of evidence (including archival back-ups, PDAs, mail servers and USB devices) and
- safely acquire and preserve items without contamination using generally accepted protocols such as those published by ACPO.
Wherever possible, a forensic disk image of original material is created, and it is this image that is subjected to detailed analysis, with a copy thereof provided to ‘the other side’.
A detailed analysis can potentially:
- find substantive documents, files and records
- locate emails
- provide detailed historic traces of Internet browsing
- track use of specific programs
- build chronologies of activity
- reliably recover deleted material, even where a disk has been ‘reformatted’
- access normally hidden parts of a computer disk (such as the Registry and Restore Points in Windows).
No computer expert can cover the entire computer and telecommunications field, and ‘forensic computing’ is still too new to have developed a single generally recognised qualification or registration scheme. There are courses run by universities, law enforcement, product vendors and others, many of which award post-nominals. But some of these may be no more than certificates of attendance.
In this fast-changing arena, expertise has to be kept up to date, e.g. cellphones are now an area of expertise separate from computers in general.
For instructing lawyers, there is no substitute for considering carefully the precise sorts of computer expertise required. Pick up the telephone and interrogate possible candidates. Ask the following.
- What skills and experience are on offer?
- What had to be done to acquire each of the qualifications claimed?
- What references are available?
- If there is any possibility that a computer will need to be examined, does the expert possess and know how to use the widely recognised forensic tools such as EnCase, FTK, ProDiscover, X-Ways, NetAnalysis and Black Bag?
- If there is an investigatory element, is the expert aware of the underlying law, and does he keep immaculate records?
- In your conversation, can the expert explain himself clearly and candidly
- Is the expert prepared to acknowledge the limits of his expertise?
Types of Instruction
The following are some of the questions an instructing lawyer should ask himself so that the requirements of an expert are accurately pitched.
- What is the computing environment – the home, a small office, a large business, a very large business, a network, a website, e-commerce, financial services?
- Is it a Windows PC, an Apple, a mini or a mainframe, the Internet?
- Is knowledge of a particular commercial environment or computer application likely to be important?
- Will the expert have to locate and preserve evidence, including that which may not be immediately obvious?
- Is a covert investigation called for?
- Is the owner(s) of the computers particularly sophisticated – and hence does the situation demand a higher quality of expert?
- Are there any unusual issues – e.g. encryption, specialist hardware such as cash-tills and ATMs?
- For claimants, do you think it is likely that computer evidence will be challenged?
- For defendants, both civil and criminal, what indications have you had from the client about the nature of the defence?
- Will there be issues of disclosure – adequacy, compliance, formulation of supplementary requests?
- If there are multiple computers, or multiple litigants and/or defendants, will you need help with case management?
Because of the complexity of computers and computer evidence, the quantity of material that may need to be considered and the potential costs, instructing lawyers should employ relevant expert assistance early on in a case. Have a reasonably clear idea of what you want, but also listen carefully to your expert’s suggestions for improvements and modifications to the instructions. An approach consisting of well-defined stages should offer much better management control.