By Jeffrey Hartman
Let’s be fair. Most IT people are competent and qualified. Some are exceptional. Our 4Discovery team has the opportunity to work with these capable folks on a nearly daily basis in the course of our engagements. Most IT professionals are not, however, Computer Forensics Experts. They just have not had the training or access to the sophisticated hardware and software tools found in high-end forensics shops. Further, most IT staffers have little to no experience testifying in high-pressure situations, leaving them vulnerable to aggressive questioning on the stand. Trying to utilize IT professionals as Computer Forensics Experts can have dire consequences, particularly when they are on the payroll of the organization or law firm that may be required to produce them as witnesses.
This fact was illustrated in painfully dramatic terms during the recent testimony of Ben Kruidbos, the IT Director for the State’s Attorney in the George Zimmerman / Trayvon Martin case. Kruidbos (as seen in a nearby photo) had been tasked with performing certain work related to the forensic examination of Trayvon Martin’s cell phone. During the course of this examination, Kruidbos discovered potentially damaging text messages and photos recovered from Martin’s phone, including photos of what appear to be marijuana plants, a hand holding a semi-automatic pistol, and underage nude females. Believing that this digital evidence could be relevant to the case, and suspecting that his boss, the Special Prosecutor, had not turned this evidence over to the Defense, Kruidbos took it upon himself to contact the Defense attorneys and provide them with this information. Kruidbos claimed he did this out of concern for his own “legal exposure”. Then, the law of unintended consequences kicked in, and Kruidbos was called as a witness…by the Defense.
Kruidbos was grilled under cross-examination by the lead prosecutor, Bernie de la Rionda, about his actions, and it wasn’t pretty. Kruidbos was effectively forced to admit that he “assumed” that the Prosecution failed to provide the Defense with the same Electronically Stored Information (ESI) from Martin’s cell phone. Bottom line: The defense team did have the same data that the prosecution had; they just had it in its raw “source file” format…not produced in a nice, neat report with a ribbon on top. Making matters worse, Kruidbos made what appeared to be erroneous statements about the data, and how the cell phone forensics software (Cellebrite) extracts digital evidence from mobile devices. Terms like “source file,” “data dump,” and “report” were, at times, inaccurately used to describe certain categories of ESI during portions of the IT Director’s testimony.
While on the stand, Kruidbos, represented by his own private attorney (an indication of how sideways his involvement in this case had become), found himself in the unenviable position of confirming the value of his own department’s information protection policies, and then describing how he allegedly violated those same policies by providing evidence to Zimmerman’s Defense team without permission from the Prosecuting attorneys. Ouch.
Was the Prosecution “Hiding the Ball?”
The Prosecution knew these potentially damaging photos and text messages existed on Martin’s phone. Were they legally required to point them out to the Defense attorneys? Well, probably not. The Prosecution had already produced the massive source file to the Defense attorneys; they had no motivation to make it easy for the Defense attorneys to find the digital needles in the haystack. We see this all the time. A massive amount of ESI is recovered from a computer or mobile device. The Plaintiff’s experts find the smoking gun. The Defendant’s attorneys request this ESI during discovery, and the Plaintiffs produce it…in the form of a big, ugly collection of confusing ESI. “If you think the smoking gun is in there, you will have to find it yourself!”
Ben Kruidbos has been fired, the Prosecution lost their case (although no one is suggesting the jury verdict was the result of these IT events), and Kruidbos has achieved a degree of unwelcome fame for transitioning from an IT Director of somewhat questionable competence to an unemployed electronic evidence Whistleblower.
1. Experts. When the stakes are particularly high, or when you believe ESI will require authentication, use an outside expert.
2. Peer Review. Some of this stuff is pretty complicated. If your case hinges on the interpretation of a body of complex digital evidence, make sure your expert utilizes a peer review methodology so that another set of eyes is used to validate key findings.
3. Staying Current. The software and hardware used to perform computer forensics (particularly the software used on mobile devices) is improving and changing rapidly. Files and digital “bread crumbs” that could have been easily overlooked just a year ago are routinely uncovered today. Make sure your experts stay current on their training, certifications, and gear.
4. The little thing called the law. Even those gifted IT professionals that have developed passable computer forensics skills probably have not received training on electronic evidence handling, discovery ethics, and the law. Failures in these areas can result in the inadmissibility of electronic evidence, sanctions, or worse.