A recent discussion on an international podcast spawned several offspring topics about what bona-fide occupational qualifications (previously known as BFOQs) are key to success in the field of digital forensics. This question has several answers, some of which are not readily apparent to many who may be pursuing coursework and a career in digital forensics, but they are often intangible assets that differentiate between a good examiner and a great examiner. One of these has very little to do with the nuts-and-bolts of digital forensics: Knowledge of the Justice System. We’ll explore the system and the elements of this key to success here, concentrating on those elements particularly in the United States.
Key Element #1: The Difference in Types of Justice Systems
In the United States, there are several different types or levels of court system. They are also divided into levels inside their own particular system. For instance, there are Federal, State and Uniform Courts of Military Justice (UCMJs), which handle solely military justice matters (i.e., Army, Navy, Air Force, Marine, Coast Guard). The Federal and State Courts are each divided into “lower” and “higher” courts. The lower courts are usually District Courts and the higher courts are usually circuit, appellate and supreme courts. Trials are conducted at the District and Circuit levels; in the Appellate and Supreme Courts, cases are only reviewed and ruled upon based on the evidence presented at trial in Circuit Courts. No additional evidence is heard at the Appellate or Supreme Court levels, only written and oral arguments by the litigators involved.
In addition to the different venues and types of courts, there are types of cases – Criminal or Civil. Criminal cases are those in which an accused is arrested based upon a complaint or criminal accusation and faces a fine, jail/prison time or some other punishment laid out in the criminal or penal law. Civil actions are those brought before the court when there is a dispute between two entities, such as two companies or a company and a former employee. Divorces, intellectual property theft, monetary or property disputes and other types of lawsuits are heard in Civil court. Some cases can cross over between both courts, depending on the circumstances. In Virginia in 2016, Pro Digital was involved in a divorce case which had a criminal element to it, so different parts of the case were heard in two different courts. While most minor cases start in the lower (District) courts and proceed up to the Circuit level, many cases may start directly at the Circuit Court level.
Key Element #2: How The Courts Work Differently
State & Federal Courts do operate somewhat differently, but the differences mainly lie in the types of cases that are heard in each court. In State Criminal Courts, cases brought by local and state law enforcement are heard. Usually, private citizens can also take out certain criminal charges on someone they feel has committed a crime against them when the police are either unwilling or unable to conduct an investigation. In Federal Criminal Courts, cases are usually brought by one of any number of 3 or 4-letter federal law enforcement agencies (FBI, DEA, ATF, HSI, etc.), which have specific jurisdiction over the cases via Federal Law. For instance, many child sexual abuse material (CSAM) cases are brought before federal criminal courts because the images are traded/downloaded/trafficked across the internet, so the nexus of the case is interstate commerce: all traffic over the internet has to cross state lines, whether the accused left their house in commission of the crime or not. Add into the mix that many local law enforcement agents belong to Federal Task Forces for CSAM, drug investigations, etc., which can also affect in which court the case is heard.
Civil Actions in State Court are generally between two people who either entered into a contract/agreement locally (including marriage) or conduct business on a more local level or inside a state’s boundaries. Federal Civil actions usually deal with the Civil side of interstate commerce, larger national/international business disputes, anything covered under entities like copyright or patent law and so forth. Essentially, the court in which the case you’re working is heard is determined by jurisdiction. Only courts with jurisdiction to hear a particular case will be appropriate to do so.
Key Element #3: Practical Application
So what does all of this mean and why is it important to digital forensic practitioners? Whether you know it or not, implement this mindset or not or ever see it in practice or not, you may very well become a first-hand participant in the justice system. Even incident response professionals have the potential to be called as a witness if their investigation leads to criminal charges or a civil action. As such, we should always begin with the end in mind. When being assigned or at the intake phase of a case, ask yourself (or your team) some basic questions:
- What basic facts does this case deal with?
- What elements of the case/incident are relevant to prove or disprove?
- Who are the potential bad actors and where are they located?
- What best practices need to be put in place to ensure that your investigation is conducted in an appropriate manner for court?
- What documentation should you have with regard to your methods, procedures, findings and conclusions AND…
- Is that documentation appropriate and acceptable for use in Court?
Beyond those basic front-end questions, there are considerations after you conduct your analysis and come to your conclusions. The first is how the system moves along. It is not unlikely that you could be called for a pre-trial hearing to testify about any number of issues such as access to the evidence (pre-examination), irregularities with the evidence or limitations to the analysis of the evidence. During this testimony, you may be qualified as an expert witness, and if you’ve never been through the qualification process, you’ll want to work with the attorney handling the case to ensure that you’ll have success in that process. For more details about that process, please check out this recent article.
After any pre-trial hearings are concluded, the attorney(s) handling the case should have lengthy discussions with you about your procedures and findings. Everything you do in the course of your data acquisition & analysis needs to be defensible and repeatable so that someone with similar qualifications could do what you did and come to the same conclusions. This is where details matter.
But what matters most — and what is arguably the most intangible piece to this whole process — is not just the ability to relay what you did, why you did it and how you came to your conclusions, but to do so in a manner that is understandable to non-technical people. Lawyers, Clients, Executives, Judges and juries are largely non-technical people. You will need to possess, hone and refine the ability to explain your findings to them in a manner that they will easily understand. Bonus points if you can make it interesting!
Wrapping It Up
Some may read this article and wonder what on Earth it has to do with digital forensics. To paraphrase Steve Whalen of Sumuri, forensics is the application of methods & procedures to come to conclusions that are sound and presentable in a court of law. That’s what is meant by “begin with the end in mind”. We all have stories about that one case or the one examiner who did a halfway job and somehow skated by without anyone calling them out on their sloppy work. The larger issue is not the one examiner, but rather what that examiner represents in our industry. If we accept that our work product will be lackluster, bare minimum or just plain bad, that will eventually affect all DFIR practitioners. And none of us wants that!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Linked In: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc