Selecting a Forensic Examiner

The FBI handled more than 9,500 computer forensics cases in fiscal year 2005, which ended in September, compared with about 3,600 in fiscal 2000, according to a recent FBI briefing. There is no doubt that cyber crime and computer related investigations are on the rise. The best defense against becoming a statistic is to prepare for the worse and constantly improve IT security measures.

Recently, a potential client told me he contacted an Information Technology (IT) consulting firm regarding a computer forensic matter. The company promised to retrieve all deleted material and provide it on a readable CD-ROM.

The prospect asked whether our services differed from this, and whether we offered anything the IT firm did not. I told him the differences were immense, and are frequently overlooked by most people claiming to provide computer forensic services.

Employers, security directors and attorneys will often engage independent computer consultants, computer forensic experts or examiners to recover or secure data from computers.

While such consultants may have the skill necessary to do an excellent job, there may be some hidden legal problems with respect to licensing.

Forensics is the use of scientific knowledge to collect, analyze, and present evidence to the court. It literally means “to bring to the court,” and this implies the need for legal as well as technical training.

For example, California state law (Section 7521 Business & Professions Code) requires forensic computer examiners to be licensed private investigators or employees of a licensed investigation firm.

It’s important to use a trained forensic computer examiner from a licensed Private Investigation Agency for the results to be unimpeachable in a court of law.

Even in states where this license is not required, evidence gathered by someone without the appropriate legal training could be ruled inadmissible in court.

Computer forensic investigators draw on an array of techniques for discovering data from a computer, often for recovering deleted, encrypted, or damaged files (graphics, documents, images and so forth).

All of this information is crucial to companies and their legal counsel, especially during discovery, prior to depositions, or in preparation for criminal or civil litigation.

There are no huge tricks involved in simply discovering deleted files. There are many software programs available that can do it. The difference is in the investigation. An IT technician is not an investigator and lacks the investigative skills to discover the necessary evidence.

DRM is often called in after the fact. We can usually glean volumes of additional, overlooked material the IT experts failed to discover.

Much of the information to be recovered may not be found in simple deleted files. It may be hidden in other data files such as HTML, e-mail entries, and information recovered from hard disk areas such as the virtual memory, slack space or recycle bin. Many other locations, none of which would be available to an IT technician, may hold valuable information.

IT technicians usually lack the tools necessary to search most of the slack space in the questioned computer. For instance, there are ways to salvage a significant portion of old, deleted web-based E-mail. Yet many IT technicians generally disregard these messages as being irretrievable.

Most importantly, if they were able to find this material, IT consultants hired by the company could not successfully testify to their findings in court.

Opposing counsel would probably have these searches thrown out as the product of illegally obtained information, due to the requirement that such information must come from licensed investigators. This is called the “fruit of the poison tree” syndrome.

So, what should you do if a computer forensics investigation is required? Here are some considerations:

  1. Select an employee who can remain unbiased to conduct the investigation (with the guidance and privileged advice of qualified employment counsel). The employee must be able to keep all matters confidential; or
  2. Retain an independent employment attorney who can perform the investigation with the understanding that his/her efforts may be subject to litigation discovery; or
  3. Choose a licensed and experienced investigation firm which has specific expertise in workplace investigations.

How to Select a Reputable Computer Forensic Firm

Investigation firms that truly specialize in computer forensic investigations are few and far between.

The Bureau of Security and Investigative Services (BSIS), an agency within the California Department of Consumer Affairs, licenses and regulates private investigators. BSIS reported that as of July 2006, there were approximately 9,813 licensed investigators in the State of California. Only an estimated 5% or less of these investigators has the training and credentials to perform computer forensic investigations.

Most private investigators don’t have the experience or understand the sensitive legal issues involved in dealing with situations that could result in costly litigation.

Here are some crucial guidelines for finding a qualified investigation firm to perform computer forensic investigations.

  • Agreements and Fees: Experienced and reputable firms provide proposals and contracts prior to accepting cases. If one is not provided, request a projected budget estimate at the very least. It’s common to pay a retainer at the start of the case. However, it’s perfectly okay to ask the firm for references before making a payment.
  • Attorney and Law Enforcement Involvement: Experienced investigators understand the relevance of involving qualified counsel in the investigation. Firms that do not seek to involve your legal counsel should not be retained to conduct your investigation. The decision to prosecute the illegal acts of your current or past employees lies between you and your legal counsel and, ultimately, the District Attorney’s or United States Attorney’s office. Prosecution can be quick and easy or time consuming, complicated and expensive, depending on certain variables. A competent Private Investigation firm can let you know in advance the probable amount of time your case would require if prosecuted. Generally, the better job your investigator does, the faster your case will go through the court system. In fact, less than 5% of people prosecuted as a result of our investigations actually go to trial. Instead, they opt to “cop a plea” in the face of a bewildering amount of solid evidence.
  • Experience: Ensure the firm, as well as the employees assigned to your case, have the experience and qualifications necessary to conduct the investigation. Very few investigation firms specialize in workplace-related investigations. Choose a firm that is familiar with employment law-related investigations, who knows criminal law and is familiar with civil torts and union environments. The firm must know how to navigate areas that present a legal minefield–one wrong move can lead to unwanted litigation.
  • Insurance: All reputable private investigation firms carry general liability insurance. Some states require insurance prior to issuing a license. Ask for a Certificate of insurance and ensure the coverage is “per occurrence,” not “claims-made.”
  • Proof of License: Private investigators are required to be licensed in all but eight states (Alabama, Alaska, Colorado, Idaho, Mississippi, Missouri, South Dakota, Wyoming). Florida, Georgia, Louisiana and Oregon havelimited reciprocity agreements with California. When going to another state for investigative services, request a copy of their license, or their required permits or business licenses. Perform your own due diligence to avoid vulnerability to litigation.
  • References and Reputation: Reputations vary widely in our industry. Quality investigation firms are well known in the business community and are active in their professional trade associations. Require no less than three references, and check them thoroughly. Ask about their litigation and claims history and experience.
  • Reports: Detailed reports should immediately follow all investigative assignments. A report should be submitted prior to the invoice unless a retainer is required. The information provided in a report should be concise and accurate. Don’t hesitate to ask for report or statement samples.
  • Willingness to Testify: You should verify the willingness of all private investigators to testify in court in criminal, civil, unemployment hearings or arbitrations, if necessary before the investigation begins. If the investigator is subject to subpoena or deposition, the firm hiring investigators is generally expected to pay the investigator’s fees and expenses for time spent in trial testimony and preparation for trial, even if the Company did not ask the investigator to be in court.
  • Certifications and Training: Certified Computer Examiners (CCEs) may hold multiple certifications in a variety of disciplines, the most prestigious of which is the Certified Forensic Computer Examiner (CFCE). Less than 10% of applicants actually attain this. Another respected certification you may consider is that of a Certified Electronic Evidence Collection Specialist (CEECS). This speaks to credibility and involvement in the computer forensics community. In short, only hire a professional person with the qualifications to do the job.
  • Tools of the Trade: Determine whether your potential investigators really have a full-scale computer forensics laboratory. Some purported experts simply “make do” with whatever equipment they have. As new technology is always emerging, state of the art labs include frequent software and equipment updates.

California Private Investigator Act and other Laws

The California Department of Consumer Affairs (DCA) requires that any firm or individual who investigates alleged misconduct or makes determinations of credibility for the benefit of an employer must possess a private investigators license. Therefore, the only truly qualified Computer Forensic Examiners are also Private Investigators.

Anyone who violates the law may be subject to a fine of $5000 or imprisonment of one year in county jail, or both.

The law applies to the unlicensed investigator, and not to you as the employer who hires them. However, an employee terminated for misconduct may be able to challenge the validity of an investigation that was not conducted by a licensed private investigator.

This means you could be subject to litigation, and possibly punitive damages, for any actions or decisions you make based on the investigation.

The Act does not apply to investigations conducted by one of your actual employees, or to an attorney at law who is personally licensed to practice law in this state.

Attorney-Led Investigation

A qualified attorney can certainly conduct most types of investigations. However, this raises some attorney-client privilege issues.

If the investigation is ever the subject of litigation, you will almost certainly need to present all or part of the investigation results as evidence at trial. If the attorney who performed the investigation is also advising you as to what actions or decisions to take as a result of the investigation, the attorney may be forced to testify about otherwise “attorney-client privileged” matters.

Even if the privileged matters could be compartmentalized, as a witness in the case, the attorney could, under many circumstances, be precluded from representing you in litigation.

Practical Significance

If you want something done right, hire the best people in the first place. DRM is often asked to go in after “unqualified consultants” irretrievably altered evidence, inadvertently wrote over evidentiary files, or gathered information which was thrown out of court because it was not legally obtained.

Although I am certainly not in favor of converting computer forensic examiners into licensed private investigators, I do however believe the Bureau of Security and Investigative Services (BSIS), which is an agency within the California Department of Consumer Affairs, that issues licenses and regulates private investigators (PI) and private patrol operators (PPO) should have oversight and require computer forensic examiners (CFE) to follow similar guidelines and adhere to state and government laws, issuing a specific license to CFE�s.

In addition, our services are often faster and less expensive because we have the tools to get the desired results.

For more information, please feel free to contact us.

This article is intended to provide useful information on the topic covered, but should not be construed as legal advice or a legal opinion. State laws may differ from the federal law and from one state to another.

About the Author:

George J. Ramos, Jr. is managing partner and senior executive investigator at Diversified Risk Management, Inc. (DRM), a licensed, nationwide investigation firm; he has nearly 20 years of experience in labor and employment relatedworkplace investigations. The firm offers a broad range of specialized risk management and investigation services that are designed to control loss and minimize exposure by providing innovative and strategic business solutions. DRM assists corporations, non-profit organizations and law firms in identifying, mitigating, and responding to risks through a comprehensive and integrated suite of professional service offerings.

Mr. Ramos can be reached at 800.810.9508 or by email.