Laying out the role of the computer forensics neutral expert

The challenge is to achieve consensus on the approach to preserving, performing analysis and review, and then producing relevant data

When discovery in litigation involves the inspection of computer systems, setting out reasonable and effective protocols often involves a neutral expert in computer evidence. Working for the court, oftentimes at the direction of a special master, the neutral expert will engage with both parties, and often with computer forensics experts, to craft a reasonable inspection protocol. The challenge is to achieve consensus on the approach to preserving, performing analysis and review, and then producing relevant data. Protecting the producing party’s privacy/privilege while identifying only data that is responsive to the inspection demand must be balanced with the requesting party’s goal of finding all relevant evidence. Considering technology, discovery and forensic tools, and any agreements by the parties, the neutral expert must propose or assist with crafting an inspection protocol the parties to the litigation can agree to.

Depending on the type of litigation, a company’s most sensitive data may be at issue and subject to discovery. Adequate review is hindered if full access to the relevant sources of data is not provided. Establishing the provenance of important documents, examining versions of source code, recovering evidence of the use of external media or the transfer of proprietary data can only be accomplished through the proper preservation and analysis of the right data sources. Conference calls to meet and confer to identify relevant sources and confirm preservation are crucial early in the inspection process. The neutral expert can work with the party’s IT administrators or consulting computer forensics expert(s) to map the sources of potentially relevant data.

The potential evidence sought may inform what type of analysis is relevant. Some issues will involve common data sources, such as laptop and desktop user computers, email and shared network data. Other issues may require the examination of other sources of data, such as client relationship management (CRM) data or a source code revision control system. Whether the issue in the litigation involves allegations stemming from the use of a former employer’s client list or the alleged theft of IP, the neutral expert may need to take into account these additional data sources and prepare a reasonable review protocol.

In cases involving the review and production of sensitive data, the consulting and neutral experts sometimes need to come up with a more elaborate protocol to address all the parties’ concerns. On a number of occasions, setting up a “clean room” with restricted access, no outside network connectivity and computer workstations for experts from both sides has been necessary. Protocols for the review and identification of relevant data are established. Procedures for turning over responsive data and the work product of subject matter experts are also spelled out. In these cases, the neutral expert will facilitate the work of other experts and the production of data among the parties.

On occasion, a producing party will insist that data be preserved and initial analysis be performed on-site. This is usually the least efficient path to take in performing the analysis and production. Forensic staff must remain on-site, and depending on the volume and type of data analysis, mobile computer resources must be made available. It is a challenge to mimic the significant computing and data staging resources of a dedicated forensic lab in the field. Semi-portable server-class equipment might be brought into the producing company’s location; however, there is always a struggle for suitable work space and it can be very disruptive to the company. In addition, forensic staff performing work will be spending all their time on this particular analysis when on-site. In the lab, during times spent waiting for searches to run or other computing tasks, staff can work on other tasks, which will require less billable time than dedicated on-site operations. The neutral expert should propose the right preservation and analysis tasks, work out an efficient protocol and carry out the production protocol agreed to by the parties in the litigation.

A common production protocol for analysis performed by the neutral expert may involve the distribution of prepared reports and lists, with minimal content, to provide basic results to inform all parties. Detailed analysis results and the documents and other data identified during analysis will be provided to the producing party first with an agreed upon length of time for review and opportunity to raise objections. The data is then provided by the neutral expert to the requesting party once authorized. Another common approach is to process responsive data on a legal review platform. Data can then be reviewed by the producing party’s legal team and marked for production in a common review database.

Working out inspection or analysis issues between opposing experts will require that your consulting expert has experience in various types of systems and analysis protocols and is supported by an experienced team. Although there are a number of paths that computer forensics consulting experts may take, there are many areas of common experience, such as the hardware or software tools we may use or the chain-of-custody issues and basic evidence preservation and analysis steps employed, which provide a great deal of common ground for the neutral expert to call upon.

Contributing Author

author image

Peter Garza

Peter Garza is the managing director of Forensic West, Legal Services at DTI. Garza has worked as a consulting, testifying or neutral expert on hundreds...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.