Computer Forensics And The Neutral Expert

Laying out the role of the computer forensics neutral expert (InsideCounsel, 27 May 2014) – When discovery in litigation involves the inspection of computer systems, setting out reasonable and effective protocols often involves a neutral expert in computer evidence. Working for the court, oftentimes at the direction of a special master, the neutral expert will engage with both parties, and often with computer forensics experts, to craft a reasonable inspection protocol. The challenge is to achieve consensus on the approach to preserving, performing analysis and review, and then producing relevant data. Protecting the producing party’s privacy/privilege while identifying only data that is responsive to the inspection demand must be balanced with the requesting party’s goal of finding all relevant evidence. Considering technology, discovery and forensic tools, and any agreements by the parties, the neutral expert must propose or assist with crafting an inspection protocol the parties to the litigation can agree to. Depending on the type of litigation, a company’s most sensitive data may be at issue and subject to discovery. Adequate review is hindered if full access to the relevant sources of data is not provided. Establishing the provenance of important documents, examining versions of source code, recovering evidence of the use of external media or the transfer of proprietary data can only be accomplished through the proper preservation and analysis of the right data sources. Conference calls to meet and confer to identify relevant sources and confirm preservation are crucial early in the inspection process. The neutral expert can work with the party’s IT administrators or consulting computer forensics expert(s) to map the sources of potentially relevant data. The potential evidence sought may inform what type of analysis is relevant. Some issues will involve common data sources, such as laptop and desktop user computers, email and shared network data. Other issues may require the examination of other sources of data, such as client relationship management (CRM) data or a source code revision control system. Whether the issue in the litigation involves allegations stemming from the use of a former employer’s client list or the alleged theft of IP, the neutral expert may need to take into account these additional data sources and prepare a reasonable review protocol. In cases involving the review and production of sensitive data, the consulting and neutral experts sometimes need to come up with a more elaborate protocol to address all the parties’ concerns. On a number of occasions, setting up a “clean room” with restricted access, no outside network connectivity and computer workstations for experts from both sides has been necessary. Protocols for the review and identification of relevant data are established. Procedures for turning over responsive data and the work product of subject matter experts are also spelled out. In these cases, the neutral expert will facilitate the work of other experts and the production of data among the parties.

Provided by MIRLN.

Image courtesy of