Latest News

Expert Testimony: The “How To’s” for Selecting the Right Digital Forensics Expert

What is an Expert?

In the field of digital forensics, there is no governing body at the national or state level than accredits examiners is being competent in their field.  The industry does not have a bar exam or other system in place to ensure that experts in digital forensics possess even the minimum qualifications necessary to practice in this field.  This complicates selecting a digital forensics expert, and the complications multiply when numerous forms of digital evidence are in a case.  For example, an expert may be competent in computer forensics, but have no experience in mobile phone or GPS forensics.

Depending on your state or jurisdiction, the test used to determine whether or not expert testimony will be allowed by the court may be the Frye test ( Frye v. United States . 293 F. 1013 (D.C. Cir. 1923) 1 , Daubert test ( Daubert v. Merrell Dow Pharmaceuticals , 509 U.S. 579 (1993)) 2 , Porter test ( State v. Porter , 241 Conn. 57, 698 A.2d 739 (1997) 3 , cert. denied, 523 U.S. 1058, 118 S. Ct. 1384, 140 L. Ed.2d 645 (1998), Sec. 7-2 Connecticut Code of Evidence), 4 or other test outlined in that state’s code. Many states have practice manuals and a set of specific statutes that govern experts and expert testimony. Contacting your state bar association is an excellent way to locate this type of information. The Federal system uses Section 700 of the Federal Rules of Evidence, and specifically Rule 702 to define expert witness testimony.

Federal Rules of Evidence: Rule 702. Testimony by Experts:

If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise, if (1) the testimony is based upon sufficient facts or data, (2) the testimony is the product of reliable principles and methods, and (3) the witness has applied the principles and methods reliably to the facts of the case.

No matter which rule governs your particular case, all experts must first qualify as an expert in any case in the United States where they will be asked to provide expert testimony.  When determining what expert is best for your case, it is important to establish a selection criterion. 

What evidence is part of your case?

If your case includes multiple types of evidence, such as computers, mobile phones, social media accounts, and call detail records, it is critical that your expert is qualified and all of these areas.  To cover all the bases, it may be necessary to have multiple digital forensic experts on a single case to cover all the forms of evidence. Given the complexity and myriad of sub disciplines within digital forensics, this is a highly probable reality.

What type of case do you have?

The expert you employee should have expertise and experience in a particular type of case that you have.  If you have a data breach with a loss of personally identifiable information, an expert in cyber security and protocols related to proper cyber hygiene is exactly what you need. However, that same expert may not have the correct tool set to handle a medical malpractice case where a mobile phone examination is needed to determine the location of a doctor the night before, or to recover deleted text messages that might be of evidentiary value.

The Prequalification Process

Once you have determined a list of potential experts, it is helpful to go through a prequalification process to determine which one is the best fit. Resumes and curriculum vitae should be examined, and the following questions can assist in the decision making process. 

Does the examiner have forensic training and experience?

Well a technical expert may have an impressive resume, digital forensics is a niche and specialized field.  Technical certifications related to networking, computer repair, or other information technology disciplines are not the same as digital forensic certifications.  There are numerous certifications specific to digital forensics that show a level of competency.  The certifications also greatly improve the likelihood that the expert will be able to qualify as an expert in court.

CASE EXAMPLE

In the NC vs. Cooper homicide case Google map evidence was critical in the defense of Bradley Cooper according to defense counsel. In order to proffer this evidence, the defense attempted to call Jay Ward as their expert.  Jay Ward had over 15 years of experience in network security and information technology.  Despite this, the court ruled that he could not testify to the evidence because he lacked the necessary qualifications:

"The State focused on Ward's lack of training and experience as a forensic computer analyst. The trial court agreed with the State and, on 19 April 2011, ruled that Ward could not testify specifically about the Google Map files."

https://lawprofessors.typepad.com/evidenceprof/2013/09/in-2006-i-was-living-inchelsea-one-day-my-wife-our-friend-and-i-went-to-thewhole-foodsin-chelsea-while-we-were-in-the-c.html#

What are the fees charged by the examiner? Are they reasonable? 

Wow there is a range of hourly rates within all professional services, there is a range that is reasonable.  If rates are too high it should raise suspicions, and if they are too low this is likewise the case. If they are too high, you're potentially getting fleeced, and if they are too low it should bring in the question if the expert has the appropriate tools and expertise to do the work.  Remember, anyone can hang a shingle on their door and claim to do digital forensics since there is no governing agency for the field.  The best way to get an estimate on appropriate hourly rates is to get quotes from numerous repeatable digital forensic companies.

What tools and software does the examiner have? 

Since there is no governing agency ensuring that a client will have an actual qualified examiner, knowing the tools and software that the digital forensics expert utilizes in the process of their examination is critical. This is because the true barrier to entry to actually doing digital forensics work is the cost to acquire the forensic tools and software to do the work properly.  A list of example forensic certifications and the corresponding forensic tools, software, and disciplines are as follows: 

Computer Forensics

Magnet Forensics Certified Examiner (MCFE)
Certified Expert in Cyber Investigations (CECI)
Encase Certified Examiner (EnCE)
Digital Forensics Certified Practitioner (DFCP)
Certified Blacklight Examinar (CBE)
Certified Computer Examiner (CCE)
Certified Forensic Investigation Professional (CFIP)
Certified Mac Forensics Specialist (CMFS)
OSForensics Certified Examiner (OSFCE)

Cell Phone Forensics

XRY Certified Examiner (XRY)
Cellebrite Certified Operator (CCO)
Cellebrite Certified Physical Analyst (CCPA)
Cellebrite Advanced Smartphone Analysis (CASA)
Cellebrite Certified Mobile Examiner (CCME)

Cell Phone Tracking and Location

Certified Telecommunications Analyst (CTA)
Certified Wireless Analysis (CWA)
Certified Telecommunications Network Specialist (CTNS)
Certified IP Telecommunications Specialist (CIPTS)

GPS Forensics
Blackthorn Certified Examiner (BCE)

CASE EXAMPLE

In a civil case that later became a Federal RICO case, the opposing expert was ordered by the court to provide forensic images (copies) of all the computers at the defendant’s location. The opposing expert used an information technology tool to make copies of the computers. This tool is not a forensic tool and does not have the capability to provide the forensic hash algorithms or cyclical redundancy checks that allow an examiner to know, without a doubt, that the evidence is above reproach.  Our examiner testified as an expert witness in the case explaining the problem with these copies.  At the end of our expert's testimony, the judge ruled from the bench in favor of the plaintiff due to the improper handling of the evidence by the opposing expert and the lack of cooperation by the defense due to their refusal to provide the original evidence items to us.

What to Expect from an Expert

When you contact a forensics expert, you may not know exactly what you need or where the Data will be located that could be a potential evidentiary value. Further, depending on the case, the steps that must be taken for a proper examination and very considerably.  An expert should be able to assist you in every step of the process, including: 

  1. Obtaining evidence
  2. An expert should be able to assist you in the technical portions when developing motions and orders to access evidence. In many instances, if the evidence is not asked for correctly with the proper technical terminology, it will result in receiving the wrong information, or nothing at all.
     
  3. An expert should be able to assist you in determining where valuable data is to your case. This includes if the data is on local devices such as mobile phones and computers, network share drives, in cloud storage, or social media accounts.

    1. Analysis
    2. In order to perform an analysis, it is often required that a protocol be in place before an work can even begin. An expert should be able to assist you in creating a protocol for the examination of evidence, and this protocol should provide the necessary information to ensure all parties involved that the original evidence items will remain exactly as they were before the examination.  Every attempt should always be made in a digital forensics analysis to preserve digital evidence as a "snapshot in time" of exactly how they existed upon seizure or forensic imaging (copying). 
    3. Your expert should be able to verify the work of an opposing expert to determine if the findings are valid.  This involves performing an independent analysis of the evidence to ensure all the facts are accurate, and also that all of the evidence has been completely analyzed. It is not uncommon for some experts to find their alleged "smoking gun", and then proceed to end their examination prematurely as they have not taken all of the data into account.

      1. Court Preparation
      2. If a case is going to go to trial, your expert should be able to assist you in understanding what an opposing expert is going to say based upon their forensic report. Further, your expert should be able to assist you in writing direct examination for themselves, and in preparing cross examination for an opposing expert.

Expert testimony is the culmination of everything that goes into a digital forensic examination, from consultation, acquisition, analysis, reporting, and finally to the courtroom.  Selecting the expert with the appropriate technical expertise and experience is vital, but just as important is that expert’s ability to explain technical concepts, forensic procedures, and digital artifacts in plain language.  The use of jargon and acronyms is detrimental to the triers of fact.  At the end of the day, if an expert has an airtight analysis but cannot communicate effectively to a judge and jury, the words are meaningless.  As a final parting recommendation, when selecting an expert choose one or you can have a conversation with. If that expert cannot explain technical details to you in an accessible way, they likely don't understand what they are talking about themselves.

Lars Daniel, EnCE, CCPA, CCO, CTNS, CTA, CWA, CIPTS
Practice Leader – Digital Forensics
Envista Forensics

 

Mileage Down, Vehicle Deaths Up:  The Untold COVID Death Toll!

When the COVID 19 pandemic began, millions of Americans were forced to begin living a “new normal” where they were staying home more and driving less.  Logically, this “new normal” should have decreased the number of motor vehicle accidents along with the number of catastrophic and fatal accidents. 

However, recent data suggests that this is not the case.  Despite the significant decline in miles driven in 2020, there was a significant increase in the number of fatalities from motor vehicle accidents.  The National Highway Safety Administration (“NHTSA”) reports that fatalities arising from motor vehicle accidents rose about 30% during 2020.  The National Safety Council reports that nearly 42,000 people died because of motor vehicle accidents in 2020, representing the largest tally in 13 years. The National Safety Council reports that while miles driven per vehicle decreased about 13% in 2020, the mileage death rate was up 24%.

While the NHTSA and National Safety Council are not providing any reasons for the increased fatalities, data suggests that those that did take to the roads in 2020 were less cautious.  California reported an 87% increase in speeding tickets for driving over 100 mph during the first month of the statewide lockdown.  Further, data suggest that older individuals, who tend to be more cautious while driving, were staying home, while younger drivers, who are typically more prone to risk-taking, were less inclined to stay home.  Further, the use of alcohol and/or drugs to cope with COVID related stress also contributed to the increase in fatal accidents.  Thus, while people were driving less, those that were out on the roads were engaging in riskier driving behaviors. 

Editor’s note: The transportation industry needs to fully understand the cause of this unusual phenomenon.  If this disturbing trend continues long after returning to normalcy, the industry will be faced with the loss of life, bad publicity, and increased costs.  The transportation industry will be required to focus on whatever changes are necessary, including the use of available technology to meet the increasing need to move people and products throughout the country but to have its folks do so in as safe of a way as possible.    

About the Author

Ross J. Di Bono II is an attorney in Zarwin Baum’s Casualty & Professional Liability Defense Practice Group. He concentrates his practice on complex civil litigation, primarily defending his clients in catastrophic injury cases involving transportation, construction, products liability, and premises liability matters. If you have any questions, please do not hesitate to contact Ross at 215.569.2800 x1427 or by email at [email protected].

Zarwin Baum DeVito Kaplan Schaer Toddy, P.C.

 

What to Expect: Changes to OSHA Under the Biden Administration

President Joe Biden has taken a number of actions that indicate an increased focus on worker safety, and increased pressure on the Occupational Health and Safety Administration (OSHA). On his second day in office, the president signed an Executive Order on Protecting Worker Health and Safety directing the OSHA to issue new COVID-19 guidance. He also ordered the agency to investigate whether new standards are necessary and to target enforcement to protect a greater number of workers from COVID-19 hazards. This order, coupled with Biden’s nomination of former union leader Marty Walsh as Secretary of Labor, with oversight for OSHA, and the Obama-Biden administration’s pro-labor history, portend an aggressive and robust enforcement of workplace safety.

Here is a checklist of what employers can expect from the new administration.

1. New COVID-19 guidance has been issued.

Following a directive from Biden, OSHA released new COVID-related guidance. The new guidance, which provides insight into what a new standard would likely include, says employers should:

  • Provide all workers with face coverings unless their work requires a respirator
  • Provide COVID-19 vaccinations at no cost to eligible employees and guidance on screening and testing
  • Implement safety measures that do not distinguish between vaccinated and non-vaccinated employees
  • Provide paid sick-leave and implement non-punitive policy for quarantine and isolation
  • Assign a workplace coordinator to be responsible for COVID-19 issues

2. Larger employers, employers with whistleblower complaints will be targeted.

President Biden’s executive order told OSHA to target larger employers and employers with whistleblower complaints for investigations. The directive also called forhigher fines for COVID-related citations and stricter oversight and coordination with state plans.

3. The number of OSHA inspectors will increase.

As a candidate, Biden specifically called on former President Trump to “double the number of OSHA investigators.” If additional hiring begins immediately, implementation of new inspectors will likely take around 18 months.

4. Leaders with pro-labor leanings will oversee OSHA.

Biden nominated former union leader and Boston Mayor Marty Walsh as Secretary of Labor and tapped Julie Su, the head of California’s Labor and Workforce Development Agency who formerly worked as a civil rights lawyer, for the Deputy Secretary of Labor role.

5. The original Electronic Reporting rule will be restored.

A 2017 Obama-era rule began requiring certain employers to report employee injuries and illnesses electronically for public viewing. The rule was never formally repealed by Trump, and Biden will likely restore the original version of this rule to force employers to report detailed injuries and illnesses. Without legal challenges, this information would be made public.

6. General Duty Clause (GDC) citations for COVID-19 violations of CDC guidelines will increase.

The GDC, which states places of employment must be free from hazards “likely to cause death or serious physical harm” to employees, is used only when there is no OSHA standard for a particular hazard, like COVID-19. Biden will likely immediately issue more GDC citations for employers who violate the CDC’s COVID-19 violations.

7. A permanent infectious disease standard may be finalized.

After H1N1, President Obama prepared a permanent infectious disease standard, which would require high-exposure workplaces to implement infection control programs to protect workers. Look for Biden to resurrect this proposed standard and push for its adoption, even if the pandemic ends, to ensure future preparedness.

8. The 2016 OSHA anti-retaliation rule may be enforced.

Biden will likely begin re-enforcing a 2016 OSHA final rule prohibiting employers from retaliating against employees for reporting injuries/illnesses.

9. The Fair Pay & Safe Workplaces Act will likely be reinstated.

Under this act, government contractors and subcontractors are required to disclose any and all OSHA citations if the contract/bid exceeds $500,000.

10. Climate Change standard may be implemented.

The new administration may require OSHA to develop a federal standard on workplace heat stress for indoor and outdoor workers. It would most likely mirror the Cal/OSHA (California OSHA) heat standard.

What employers should do

In light of the expected increase in workplace safety enforcement, employers should ensure their safety and health programs are compliant with all OSHA rules and continue providing safe workplaces by identifying and eliminating safety hazards.

A full service, moment of crisis to final resolution team, Sheehy, Ware & Pappas P.C. has an extensive track record helping clients across nearly every industry secure favorable results on Occupational Safety and Health Administration matters nationwide. Contact the OSHA lawyers at Sheehy Ware & Pappas for assistance with all OSHA matters at www.sheehyware.com/practice/osha/.

 

Social Media AI Aims to Foil OSINT Teams

The Artificial Intelligence (AI) inside Facebook, Twitter, and Instagram has fundamentally changed focus in 2021. The good news for insurance is that the new AI has shifted the content users see back to its roots: selfies, personal stories, family photos, documentation of fitness goal achievement and lots of data about peoples’ personal lives.

The creepier news is that refinement of the AI presents a “Stepford Wife” user experience where bragging and lifestyle photos are now center stage. The AI is so laser focused on presenting positive, nonpolitical content that individual users’ data is more exposed than it has been in years. All the political camouflage for personal data (diluting personal photos inside of a long stream of political posts) is stripped away, leaving pure personal information.

So how is social media protecting this user data? The venues are attacking external bots with renewed vengeance. Content bots, scanning bots, scraping bots are all now facing new, complex technical challenges that have been applied across almost every social media platform. The anti bot technology is so aggressive that even human users are being penalized for using ‘bot like’ behavior.

There are consequences for Insurance OSINT teams. As Investigators search social media profiles, their behavior is similar to a bot, where many profiles are opened in rapid succession and lots of friend profiles are also opened. Once flagged as a bot, even human OSINT investigators have seen their search profile deleted instantly in the middle of an investigation by social media anti-bot AI rule. Once an investigator’s search profile is deleted, it is not possible to access social media data. Furthermore, the AI can now penalize an IP address, preventing new profiles from being used on those machines for up to 30 days.

2021 has been an important year for social media, and the venues have responded with their best technical answers. As social media data becomes more and more useful for insurance investigations, it is more critical than ever to check the work product delivered by social media software and teams. For those using automated social media solutions, it’s time to double check that the solutions still locate profiles accurately. It is also important to ensure whole profile is being delivered instead of just a handful of posts that could be captured before the AI closed the down the bot.

Social media data is stronger than ever as a method to document lifestyle, injury recovery, and ongoing behavior. If your investigation team is current with the new technical environment, the data will be robust. We all just have to work a little smarter to get it. 

By: Marci De Vries-Todtz, CEO, Fraud Sniffr Inc.

 

Looming Collisions


In many rear-end collisions involving a vehicle that is stopped or moving slowly in the lane of travel, it is common for the driver of the striking vehicle to say that they did not realize the lead vehicle was stopped or moving very slowly until it was too late to avoid the crash. Drivers in these situations likely experienced a phenomenon called “looming.”

Human factors experts address the issue of looming in vehicle collision cases to determine whether the driver perceived and responded to the slower moving or stopped vehicle in a reasonable amount of time and whether the driver’s actions were a cause of the crash.

What is Looming?

Many vehicle crashes involve a driver rear- ending a slow-moving or stopped vehicle on the highway.

These crashes often involve vehicles that have recently entered a lane of travel but have not yet accelerated to highway speeds or disabled vehicles that have slowed or stopped in the lane
of travel. A driver’s ability to avoid rear-ending a slow-moving
or stopped lead vehicle depends on a number of factors, but often depends on a driver’s ability to detect their rate of closure to the slow-moving vehicle. While drivers can easily determine that they are approaching or getting closer to a lead vehicle, it is difficult for drivers to estimate closing speed, or how quickly they are approaching the lead vehicle, until the vehicles are close together. In the field of human factors, the perception of the rate of closure to a lead vehicle is commonly referred to as “looming.”

Consider the following example:

Under real-world driving conditions, a driver traveling at 65 mph on a highway that encounters an 8-ft wide vehicle stopped in the lane of travel will not be able to estimate the closing speed until he or she is only 195 feet away from the stopped vehicle. At a speed of 65 mph, the driver then has only about 2 seconds to respond and avoid the collision.

Why only 195 feet in this example? Because that is the calculated point of looming detection.

The point of looming detection (PLD) is the distance from an object or vehicle at which an observer is first able to detect the rate at which he/she is closing in on that object and will strike it unless action is taken[1]. The PLD is calculated using three factors: the relative speed between the two vehicles, the width of the lead vehicle, and the looming threshold value.

The looming threshold value is the point at which a driver can perceive that they are approaching a lead vehicle rapidly. The primary visual cue used to determine closing speed is the rate of change in image size of the lead vehicle on the retina. When drivers are far away from a lead vehicle, the image size grows very slowly and a driver is unable to perceive the rate of closure because the looming threshold has not yet been reached (Figure A). But as a driver gets closer to the lead vehicle, the image size starts to grow very rapidly and allows the driver to perceive the rapid rate of closure and the need to take evasive action to avoid a collision (i.e., the looming threshold is reached) (Figure B).

 For demonstration purposes only. Figure not drawn to scale.

Research on perception-reaction time (PRT) in response to looming indicates that most drivers who experience looming under real-world conditions are able to respond to looming by braking within 1 second or less. This PRT value assumes that drivers are looking at the slower-moving vehicle at the instant the threshold is reached. However, a reasonably attentive
driver who is scanning the roadway environment may not be looking at the slower-moving vehicle at the instant that looming becomes perceptible. Interestingly, drivers who look back at the lead vehicle after the looming threshold has been surpassed can respond in less than 0.5 seconds, on average[2].

In addition to looming, information available in the roadway environment can also affect a driver’s ability to perceive that a vehicle is stopped or moving slowly in the lane of travel.
There are situations when sufficient information is available in the roadway environment to inform a driver that a vehicle is stopped. For example, a vehicle stopped with cones or triangles behind it, a vehicle stopped at a red light with brake lights illuminated, or a vehicle stopped next to a prominent stationary object such as an overpass are all situations where a driver does not need to perceive looming to know that a vehicle is stopped or moving slowly in the lane of travel.

A human factors investigation of a rear-end collision involving a slow-moving or stopped vehicle on a high- speed road includes:

  • Calculating the point of looming detection
  • Determining the appropriate perception-reaction time for the driver
  • Analyzing whether there was sufficient information available in the roadway environment for a driver to determine that the lead vehicle was either stopped or moving slowly

About Exigent

Exigent is a legal technology provider and consulting organization that is breaking industry boundaries and raising the bar for data-driven decision-making. Through a powerful combination of technology, analytical thinking, and financial acumen, Exigent’s multidisciplinary team develops solutions to drive change in business, in the legal department and beyond. Whether it is AI for contract management or supplying expert witnesses through its Forensic Consulting and Medical Legal Services divisions, Exigent provides businesses with the questions and answers they need to make the most of the digital disruption. For information about Exigent, visit exigent-group.com.

If your case involves a rear-end collision with a slow-moving or stopped vehicle, contact Dr. Nancy Grugle to discuss how looming may have played a role in the collision.

Nancy L. Grugle, Ph.D., CHFP

Human Factors Expert | Forensic Consulting Telephone. 610.255.2171 | Mobile. 720.879.1162


[1] Krauss, D., Todd, J., and Heckman, G. (2012). The “critical window,” looming and implications for accident avoidance. ITE Journal, pp. 36-41.

[2] Markkula, G., Engstrom, J., Lodin, J., Bargman, J., and Victor, T. (2016). A farewell to brake reaction times? Kinematics-dependent brake response in naturalistic rear-end emergencies. Accident Analysis and Prevention, 95, pp. 209-226.

 

 
<< first < Prev 1 2 3 4 5 6 7 8 9 10 Next > last >>

Page 9 of 17