Letting EDD Evidence Speak for Itself


By now, you undoubtedly have mastered the new electronic data discovery amendments to the Federal Rules of Civil Procedure. You keep up with the rapidly evolving case law. You probably even know the difference between a computer forensic expert and an EDD vendor, and the differences in the types of services each provide.

It’s likely, however, that you haven’t faced the challenge of presenting electronic evidence to a jury, through the testimony of a computer forensic expert. If you have (at least based on discussions with a number of well-known computer forensic experts from around the country who’ve actually testified in court), it’s likely you simply relied on the talking head to present opinions to the jury.

If you simply ask your expert to verbally describe how the electronic information was secured, how it was analyzed and what information was important to justify your position in the case, you are taking a big chance.

Without the use of appropriate demonstrative evidence, you run the risk of confusing a jury with unintelligible technical jargon. You may expose your expert to impeachment on the basis of qualifications or methodology simply because the jury didn’t understand what the expert did or why his opinion should be deemed reliable. Finally, without demonstrative evidence, you run the risk of boring the jury so they sleep right through your expert’s key testimony.

Every attorney who deals with electronic evidence at trial must use some form of demonstrative evidence if he or she wants the jury to understand the expert’s testimony. Please note — this doesn’t mean simply dropping a screen capture or two of a vendor’s spreadsheet into a Microsoft Corp. PowerPoint slide.

It means using a compelling mixture of different types of demonstrative evidence to educate the jury — and in all likelihood the judge — about a number of factors. In order to believe the expert’s ultimate conclusions, the jury must understand how the computer hardware that holds the electronically stored information works; what software was used to create the information; what metadata associated with key evidence was created or altered; just what metadata is; and how the metadata might be relevant to your theory of the case.

The jury must understand what forensic hardware and software were used by your expert to harvest the information in a forensically valid way to avoid charges of spoliation or falsification of data. In the process, the demonstrative evidence should also be used to subconsciously condition the jury to believe your expert is knowledgeable and credible.

If the pertinent information is on an individual PC, consider using an exemplar computer in court that’s prepared in advance for easy disassembly. Most jurors have no idea what is under the hood of a PC. Simply having an anatomy lesson where the cover is pulled so they can see the different components will help make them comfortable with the concepts they are about to learn.

It’s also a way to demonstrate visually how your expert followed proper protocol and harvested the data by removing the hard drive using a write-blocker to protect the data before it was copied. You should also have an actual hard drive that can be opened to show the jury how it works.

Granted, you could do the same thing with pictures, or just describe the process, but by using tangible evidence you engage the jury’s attention and begin to establish a rapport with the jury. It always helps to have something to pass to the jury, even if it’s just a disassembled hard drive.

You can then move to graphics to explain concepts like sectors and slack space on the drive. The jury will then be in a better position to understand what happens when a file is deleted and what data can actually be restored. At this point you can begin to introduce basic concepts of data recovery through the use of forensic software.
BASIC LESSON

This basic lesson can also be helpful simply as a way to explain how information is stored electronically. You can then expand on the lesson using other graphics to show how electronic information is stored on PDAs, BlackBerrys or other storage devices as the facts or your case dictates.

You can also use these basic principles of electronic storage to discuss how a server works, and from there you can move on to an explanation of network architecture. There are many network-mapping products available that can be used to generate compelling graphics of the network structure you are dealing with. Check with your client’s IT department, as they may already have such information available or can easily create it for you.

Typically, the output will be an image file of some sort that can be dropped into PowerPoint or shown using trial presentation software.

FACTORS

Once the basics are covered, give a tutorial on metadata and system files before moving on to the forensic software that was used to capture and analyze the information. Use simple examples, such as a document or an e-mail.

Consider presenting them dynamically. Open a Microsoft Word file and then examine its metadata, either using Word itself or a metadata analysis/ removal program, such as Metadata Assistant (from Payne Consulting Group) or Workshare Protect (from Workshare Inc.).

If system files are going to be an issue, this is a logical place to explain how an operating system works. If e-mail is the big issue, you’ll need to explain what an e-mail server is, how it was configured and how it works on a day-to-day basis.

Graphics using clip art and diagrams are helpful in showing how an e-mail is created, transmitted, received, stored and retrieved. Use simple animation techniques in PowerPoint to make the explanation come alive.
FORENSIC TOOLS
Only after you have laid this basic foundation is it time to turn to the forensic tools involved. Typically this will involve working with reports created using EnCase (from Guidance Software Inc.) or Forensic Tool Kit (from AccessData Corp.).

At this point, consider using a few (just a few) screen captures dropped into PowerPoint to demonstrate what is on the forensic expert’s desktop when he or she performs an analysis. It helps establish credibility to briefly show how much information is available to be analyzed, and how it can be sliced and diced to ultimately arrive at the information that is relevant to your case.

Avoid page after page of data tables or information exported into Microsoft Excel spreadsheets. Show just enough that the jury is convinced the expert knew what he or she was looking for and found it. From there, your expert can restore the actual files that are germane to the case, and then look at the documents or e-mail and any related metadata.
At this point the expert can confidently offer his or her ultimate opinions on who altered the e-mail, who deleted the document or when these nefarious activities occurred.Much of this basic demonstrative evidence can be re-utilized from case to case, so it’s worthwhile to invest the time and effort at the outset to create a compelling show.

If you build the presentation logically, and mix tangible items with graphics and live demonstrations, you have a much better chance of persuading a jury to believe your expert. After all, would you rather rely on a fast-talking computer geek telling the jury to just take his word for it, or on an expert who can show how and why she did what she did to arrive at her ultimate opinions?

Bruce Olson of Davis & Kuelthau is a trial lawyer and legal technologist. Based in Green Bay, Wisc., he is co-author of the American Bar Association’s “The Electronic Evidence and Discovery Handbook.”

By Bruce Olson

Law Technology News – www.lawtechnews.com

August 17, 2007

http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1187254929712

Leave a Reply

You must be logged in to post a comment.