Defending against the forensics
This is what separates the all star attorneys from the amateurs. Let’s face it, most of the good criminal defense attorneys have more than two decades of experience under their belt which means that they grew up without computers. Unless they received some education since then, chances are they don’t know much about computers let alone computer forensics. How could the attorney then properly defend the client? The answer is that they probably can’t. In fact, I once spoke with an attorney who said that he doesn’t even know how to turn on a computer only to find out a few weeks later that he was representing someone charged with a child pornography offense. Its sad really because I am sure that information is never given to the client up front. Clients probably assume that if a lawyer is willing to take the case, they know what they are doing. That couldn’t be father from the truth.
Thus, in order to attack the forensics you have to know the forensics. Otherwise, the State’s expert will walk all over you. Without a proper challenge, the jury may be mesmerized by their testimony and the defense attorney will seem powerless to stop them. In order to take control of a witness, the defense attorney needs to demonstrate to the witness that he/she knows how to walk the walk and talk the talk. I have not only studied computer forensics, I have actually lectured on the subject. Thus, I know how to call the witness out on their BS when I spot it.
If you don’t have the ability or the time to teach yourself computer forensics then the defense attorney should hire an expert or a fellow lawyer to consult with. Preferably the expert/consultant will be hired before trial to help formulate a strategy but will also be present at trial to listen to the expert’s direct testimony to help formulate last minute cross examination questions. If the expert will not be called as a witness, this shouldn’t be a problem. However, if the expert witness will be called as a witness permission must be sought to break the sequestration order.
Like any witness, the best way to destroy an expert witness is to show lack of credibility and failure to perform a complete investigation. Not to sound like Yogi Bera, but most experts know what they know and nothing more. They develop a certain script. If you can lead them off script into other areas that they are not expecting they may absolutely nothing about it. Again, this is where knowledge of computer forensics really comes in handy. Since you never want to ask questions you don’t know the answer to, you don’t want to start questioning the expert about issues outside of their report unless you are confident that those issues cannot harm your case. If you can get the expert to admit that they don’t know about that file and/or that issue or they didn’t look into it, you can seriously damage their credibility.
Also keep in mind that the State may try to introduce this witness as a fact witness and not an expert. Nevertheless, the witness will still testify as an expert. This creates a number of evidence issues. A motion in limine and/or a request for a 104 hearing well in advance of trial should be strongly considered.
Finally, you will want to focus on all of the areas of the hard drive that the expert did not look at. Chances are they did not go through every last piece of data. This is where you’re expert/consultant can come in really handy. You will want to draft your cross examination questions very carefully using the funnel approach to avoid stepping in it.