Selecting a Digital Forensic Expert

At the risk of stating the incredibly obvious (when the merely obvious will suffice), device forensics is a specialized field. Which is why witnesses who testify regarding device forensics are generally qualified as experts under the rules of evidence. After all, conclusions and opinions about data on a device, and the story the data can tell, is the reason for having the witness testify.

But can the forensic examiner communicate to your audience what you, the lawyer, need to convey? Did your last device examiner, when trying to explain their work and their findings, sound something like a professor who thinks she is the smartest person in the room, a witch doctor, or simply someone speaking a foreign language?  Can you understand the expert’s report, or does it read like it is written for another examiner (or, worse, like “you can’t really get there from here”)?

While some audience members (whether a jury, a judge, your client, or whomever) may have IT experience, or at least be proficient users of computer devices, few people have any real experience with digital forensics. Your witness must teach your audience and be credible, and that is aside from any Daubert challenge.

Some quick tips for selecting a device examiner:

1.       Make sure you can understand your expert. Someone in your audience will have a similar, or lesser, understanding of such technical testimony than you do. Do not just throw up your hands and say, “well, I’m just really slow on things like this, other people will get it.” Don’t count on it. The examiner needs to be able to explain material like a teacher, whether in writing or verbally.

2.      Scrutinize credentials as you would with any other expert. While you may get lost in an alphabet soup of certifications, dig into what they mean and what they involve. Lacking credentials? That is a situation with many qualified experts across industries, so conduct due diligence accordingly, including whether the examiner has testified (or been precluded from testifying) on the subject matter at hand. In many ways, device forensics varies like areas of legal practice, and an expert in one area or with one type of device may not be an expert in another area or with another type of device.

3.      Not everything in device forensics is straightforward. Sometimes a timestamp does not signify what you might intuitively think it signifies. For example, a timestamp in data relating to a browser may indicate when the browser tab was launched, not when the search was conducted. Or a notation in a file for “CallType” may be “16,” and it must be established what “16” means. Does the examiner cite known, reliable sources in support of findings, or, alternatively, has the examiner generated test data based on known device interaction? Just because the examiner says what you want to hear does not mean the examiner is correct, and you want more than solely the expert’s conclusions as gospel. Treat as suspect any conclusion from an examiner that is not supported by citations to authority or replicated through documented test data.

4.      Has the examiner validated findings through another method, tool, or against other artifact (forensically meaningful data) from the device? Often, a significant artifact in one file can be corroborated with artifact from another file.

5.      Apply Daubert factors to the work, or whatever criteria apply in the jurisdiction, and conduct due diligence as you would with any other expert witness.

6.      The examiner should be drawing conclusions, not the software tool. If the examiner strictly parrots what a software tool produces, you may not be getting a complete picture or explanation.

In short, choosing the right device forensic examiner is as much about communication and credibility as it is about technical proficiency. Your expert should not only understand the deep technical workings of a device but also be able to explain them clearly and convincingly—to you, your audience, and ultimately to the court. If your expert’s report sounds more like a spellbook than a structured opinion, you’re asking for trouble. The goal is clarity, context, defensibility, and persuasion—not mystique.

Remember: just because someone can extract data from a device does not mean they can interpret it accurately, or communicate it effectively. Select your expert with the same care you would apply to any other critical piece of your case strategy. A good forensic witness does not just speak the language of devices—they translate it.