January 20, 2011 (Lecture 2)


Forensic professionals fill many different roles. In the most traditional areas, they serve the legal system. But, their talents also find a home in industry and national defense. Today we will explore different ways forensics professionals serve as part of different types of teams, as well as how the goals and resources vary with each role.

The "Crime Lab": The Police/Prosecution Expert

The lives of people and businesses leave many footprints in the information world. Sometimes investigations begin with these footprints. Cases of this kind include various "hacking" or "intrusion" crimes, "device access fraud", and sometimes other types of cases, such as financial crimes or traditional fraud. But, in many cases the first evidence uncovered of a potential crime might be in the physical world -- stolen property, assaults, or people living beyond their means. In these cases the investigation often turns to the information world to fill in gaps, to corroborate events, or to trace events when the physical evidence trail goes cold.

Typically the initial investigation into these matters begins with police or other traditional law enforcement agents. After receiving complaints or observing something unusual, they begin an investigation. In the course of that investigation, by voluntary cooperation or involuntary warrant, they obtain evidence that requires forensic analysis. Such evidence may be storage devices, such as hard drives, CDs, cellphones, and thumb drives. It may also be records that require technical expertise to understand, such as those from Internet Service Providers (ISPs), portals, and application service providers. As this evidence is examined and understood, it may answer some questions and raise others. As a result, the process can be iterative, until the prosecution's case is made, or a determination is made not to pursue it.

On the prosecution side of the fence, the goal is simple -- prove, beyond a reasonable doubt, that the accused committed the suspected crime (or that such cannot be proven beyond a reasonable doubt). The forensics professional working for the prosecution uses her/his talents to advance this goal.

The forensics professionals employed by the prosecution might work for a police department or other enforcement agency, they might work for the prosecuting attorney's office, e.g. the Attorney General's office, or they might work for a supporting organization, e.g. a state crime lab. They might have titles such as "Forensic technician", "Forensic scientist", "Forensic investigator", or "Forensic analyst".

But, regardless of the title, the forensics professional in this type of role has five different goals:

It is important to understand that the goal of a criminal prosecution is to prove a case "beyond a reasonable doubt." We'll have attorneys expand on this later this semester. But for now, just note that it isn't a tipping of the scales. This is a strong standard of proof. It means that the case must be proven to the point that any lingering doubt a reasonable person might have about the accused's guilt is not sufficient to affect the reasonable person's belief about the guilt of the accused.

Note: I have sometimes heard the phrase "shadow of doubt" bandied about in old movies and among lay people. But, I have never heard this phrase used to define a legal standard by anyone in the legal community. I suspect that no one within the community knows what a "shadow" is.

In England, from which we derive the "reasonable doubt" standard, juries are no longer instructed using this phrase. Instead, they are often simply asked to "Be sure the defendant is guilty" before reaching a guilty finding. I suspect that jurists there are now more concerned that juries might confuse themselves with an incorrect prior understanding of the phrase "reasonable doubt", than they are about letting juries apply their own "reasonable person" standard to "Being sure the defendant is guilty".

So, now we see the name of the game for forensics in the state's investigation and prosecution of an alleged crime. The state usually gets the first chance to collect the evidence, because they initiate the investigation. They also get the first chance to examine the evidence, because it is in their possession. The goal is to collect and analyze everything that needs to be collected and analyzed to prove (or disprove) an accused's guilt to the "reasonable doubt" standard.

For prosecution forensics experts, the critical steps are (a) identifying the necessary artifacts, (b) analyzing them to find the relevant evidence within them, and (c) explaining the findings and their relevance to others.

It is also the case that the defense will, in due time, receive copies of the prosecution's findings. And, when they do, they will attempt to raise reasonable doubt, often through their own technical analysis. The prosecution's experts will assist the prosecuting attorneys in understanding these various perspectives on the forensic evidence, and how to react to them, e.g. stand with the present analysis, collect more information, or back away from prior findings.

Criminal Cases, The Defense Expert

The focus of a typical prosecution is on proving the suspect committed the alleged crime beyond a "reasonable doubt". So, what then is the goal of a defense? Some might think that it is to disprove that a crime occurred, or, if it did, to disprove that the defendant was involved. But, this isn't quite right.

In my experience, most defenses rest on raising "reasonable doubt". And, this is absolutely not synonymous with disproving the allegations. An ethical prosecutor can only prosecute someone for a crime that he believes was committed by the accused. The ethical prosecutor must believe the prosecution theory.

This is not the case for a defense. The prosecution must meet their burden beyond a "reasonable doubt". If that doubt can be raised, the defense has done its job. It is not the defense's burden to demonstrate exactly what did happen -- just to raise "reasonable doubt" about the prosecution's theory.

In my experience, this difference is critical to the defense, because the defense does not have the same opportunity as the prosecution to collect, preserve, and analyze evidence. The prosecution may spend months preparing, plan elaborate "sting operations", and collect the evidence -- and the accused -- very early on. By the time the defense is organized, much might have already been lost to history. Disproving the prosecution's case beyond a reasonable doubt might not be possible -- even for a truly innocent defendant.

So, what then is the role of the defense's forensics expert? Generally speaking, the defense begins by reviewing the prosecution's reports for evidence of "manifest error", e.g. glaring mistakes, often of a technical nature. Next, the defense expert turns to a deeper read of the reports, and looks for what I call "flying leaps". These are situations where the prosecution's conclusions are not contradicted by the evidence, but where there are other reasonable explanations.

The next steps for the defense are fact-finding. The defense might, for example, have an alternative explanation, competing with the prosecution's theory, that seems, initially, very far-fetched. It just seems, based on the evidence, to be too improbable to cause "reasonable doubt". But, the defense might be able to elevate this type of defense hypothesis to one that generates reasonable doubt if some corroborating evidence can be found. So, defense experts will help attorneys and investigators to understand other potential theories, what evidence might possibly exist to reinforce them, and to request or find this evidence. For example, in "computer cases", sometimes the actions of hackers or identity thieves might be confused for those of the accused. How rigorously did the prosecution establish the identity of the actor? What information did they use? What other information might exist?

The other "fact finding" role often played by defense experts is what many of us call "due diligence". We re-examine the evidence examined by the prosecution. We ensure that what they found is really there. We make sure everything they trust is really credible. As part of that process, we look, for example, for evidence of spoliation. This might include what are often known as "chain of evidence" issues, for example, files changed while in the prosecution's custody, or evidence of spoliation prior to seizure, such as viruses, hackers, or imposters leaving records insecure and subject to corruption, reducing their credibility.
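As an added example of the "due diligence" re-check described above (it is not part of the lecture), this Python script compares an evidence folder against the hash manifest recorded at seizure and separates files that still match from those that were changed, went missing, or were never listed; the files, hashes and paths in the demo are constructed, and the manifest format assumed is the familiar two-space `sha256sum` layout.

```python
# Added example (not from the lecture): verify an evidence set against its seizure-time hash manifest.
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse 'sha256  relative/path' lines (sha256sum format); skip blanks and '#' comments."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel] = digest.lower()
    return manifest

def verify_evidence(root: Path, manifest: dict) -> dict:
    """Return sorted lists of files that are ok, changed, missing, or unlisted relative to the manifest."""
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    result = {"ok": [], "changed": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_of(present[rel]) == expected:
            result["ok"].append(rel)
        else:
            result["changed"].append(rel)   # differs from the seizure hash: a custody question
    result["unlisted"] = [rel for rel in present if rel not in manifest]
    for k in result:
        result[k].sort()
    return result

def demo() -> dict:
    """Constructed scenario: after seizure one file is edited, one is deleted, and one is added."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    originals = {"logs/auth.log": b"ok login\n", "docs/memo.txt": b"memo\n", "img/disk.dd": b"\x00" * 4096}
    for rel, data in originals.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest_text = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in originals.items())
    (root / "docs/memo.txt").write_bytes(b"memo, edited\n")   # altered while in custody
    (root / "img/disk.dd").unlink()                            # lost
    (root / "notes.txt").write_bytes(b"added later\n")         # never in the manifest
    return verify_evidence(root, parse_manifest(manifest_text))
```

Anything in the "changed", "missing" or "unlisted" lists is a question for the custodian before the analysis built on those files is trusted.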

As was the case for the prosecution, the process might be iterative. The findings will likely be documented in writing. And defense experts will likely be asked to explain them, to their own attorneys, to the other side via "discovery" of their reports, and sometimes in open court.

In short, whereas the prosecution's experts focus on proving a case, the defense experts focus on finding reasons for doubt.

Civil cases

In my experience, civil cases tend to be tangled. There tend to be claims and counter-claims running in both directions. In effect, as soon as one party sues, the other party sues back. The situation is very different than in criminal cases, where the prosecution is the "first in" and gets to frame the case -- but has a disproportionate burden. Each party seems to have different chunks of the evidence in most cases.

In most civil cases, the basis of the suit, and counter suit, is an alleged tort, a damaging action of omission or commission. In most cases, the standard for proving a claim in a civil case is "a preponderance of evidence", sometimes described as "clear and convincing evidence", and sometimes described as "tilting the scales" or "making more believable than not." Regardless of how it is explained, this is a lower standard of evidence than for criminal cases. And, it is applied symmetrically to each side. So, the name of the game for each side is the same: prove the claim by a "preponderance of evidence".

Let's forget about the details of how claims and counterclaims come to be. This is the domain of the lawyers. In forensics in civil cases, we care about (a) finding evidence to support our side's claims, (b) finding evidence that calls into question the other side's claims, and (c) helping our team and the judicial process understand (a) and (b), which might involve conversations, reporting, depositions, and testimony.

In a criminal case, the prosecution dumps evidence onto the defense. In most cases, if taken at face value, this is enough to warrant a conviction. Prosecutors are rarely interested in acquiring evidence beyond this point, because they believe that what they have excludes "reasonable doubt". As a result, they don't necessarily seek more, regardless of the defense's theory or analysis. Most of the truly meaty "motions for discovery" are either (a) defense motions making demands upon the prosecution, or (b) prosecution motions for the findings of defense experts.

But, in civil cases, there are often several rounds of discovery, where each side, during the course of investigating the various claims, makes demands of the other side to produce evidence in their custody. Sometimes this happens in a cooperative way. But, more often, a judge must become involved to attempt to balance various interests, such as, for example, the probative value of the evidence in the case, and the damage that might arise through the loss of trade secrets. Oftentimes when the court orders the release of information by one side, it comes with rules about how it can be used or to whom it can be released (this happens sometimes in criminal cases, also). The wrestling over discovery, protective orders, etc., is all the domain of the attorneys.

Forensics experts are charged with helping the attorneys to understand what evidence is likely to exist and what it might demonstrate, favorably or otherwise. If the evidence is acquired, the forensics expert's job is to provide the analysis and interpretation. As an investigation unfolds, there might be several rounds of discovery, analysis, and reporting.

One interesting difference between the civil process and the criminal process is that, in civil cases, witnesses may be deposed pre-trial. A deposition feels like an interview, with attorneys for one side asking a witness questions. But, a deposition is really a proxy for testimony at trial. So, attorneys for both sides are likely to be present. And, if there is any hint of a conflict of interest, the witness might well also have an attorney present. To the laity, depositions are odd in the fact that the attorneys will make objections to questions (and sometimes answers) -- but there is no judge to rule upon them. Instead, the judge will exclude anything objectionable after-the-fact, but before the trial-proper. Sometimes an attorney will recommend that a client not answer a question, even though the judge can exclude the answer later. This is always a source of fun. Ultimately, the attorneys will likely fight it out with the judge later -- and, depending on the judge's position, the witness could be asked to provide the answer later.

Similar to the deposition is the interrogatory, a request for more information taking the form of written questions for which written answers are expected. In my observation, interrogatories are often used to get basic, straightforward facts needed to prepare and frame an investigation, whereas depositions are often used to probe more deeply into more nuanced issues -- and issues where it is desirable to get an answer in real time, with no opportunity for the other side to consider how best to frame it.

In any case, in addition to assisting their legal teams with the now commonplace tasks, in civil cases, forensics experts will help their lawyers draft interrogatories and prepare for the deposition of important witnesses.

Corporate Incident Response

The corporate world employs forensics professionals to assist with incident response. But, the definition of an "incident" is probably much broader than you think. Forensics experts might investigate cases where hacking was discovered to determine (a) the weaknesses involved, and (b) the extent of the exposure/damage. But, corporate incident response can be prompted by other things.

For example, if a well-placed executive, scientist, or engineer leaves for a competitor, an internal investigation may be conducted to ensure that no secrets were moved, such as by email, USB drives, etc.

Or, a response might be warranted if a court or other competent authority makes a request for information. In most cases the information will be regularly kept records. But, in some cases, it might require forensic analysis to be recovered. In other cases, this type of effort might be made even where no legal obligation exists, e.g. to help locate an endangered child.

There are, of course, other types of incident responses. For example, companies might turn to their own forensics experts to assist in recovery in the event of a disaster for which inadequate safeguards existed.

Corporate Planning and Policy Making

Large corporations employ many types of experts to secure their information. They do this for many reasons. Sometimes, they have a legal obligation, such as the custodial duties required of schools w.r.t. their educational records or medical providers w.r.t. health records. Sometimes they do it as the result of contractual obligations agreed with others. Sometimes they do it to safeguard their own money-making technology. And, sometimes they do it as a matter of good will, for example, not releasing client information, even if they have no duty to maintain its privacy. (We'd like to think that they don't maintain secrets about product safety, environmental failings, etc.) But, regardless of what they have, any company has information that must be safeguarded.

Forensics professionals will often be part of planning and policy making. This is because forensics professionals are very skilled in the "what ifs", e.g. "If this system is compromised, what is lost? Who is affected?" They answer these questions both through thought experiments and also through actual analysis.

The Corporate World vs the Judicial World

In civil and criminal processes, forensics experts are often confronted with unfamiliar systems, processes, and technologies. By contrast, forensics professionals employed within a company become experts in their company's specific technologies, system organizations, business processes, data formats, etc.

There are career implications here. The most senior truly technical, e.g. non-managerial, members of a company's team often have very long careers with the same company. This gives them time to become familiar with the company's business processes, technologies, and "corporate history" of legacy systems. Jumping from company to company, in the later stages of a truly technical career, can come with some career penalty. This is not often paid at the lower ranks, and might not be paid in managerial positions.

By contrast, varied experience is of tremendous value to prosecutors who might investigate crimes in various industries. The same is true of defense teams who might be confronted with evidence drawn from many, many sources.


Needless to say, there are all sorts of defense and intelligence functions that benefit from forensics know-how. These positions might be uniformed military jobs, civilian intelligence jobs with an international focus, or those focused on domestic infrastructure.

Some of these jobs are very similar to those that exist in private corporate settings. But, some are very different. They are, shall we say, information gathering or system-affecting, rather than information securing and system protecting. In these cases, forensics experts are often relied upon to help those doing the penetrating hide their tracks.

In trying to hide some action, one tries to maintain a minimal profile and act only when necessary. But, a big part of the game is also distraction. Penetrating actions, or the leaking back of information, are covered by disguising them as other types of activities or allowing other types of activities, native or induced, to distract from them. Forensics experts are experts in system activities and the footprints they leave. As such, they are experts in finding possible distractions, in addition to observing possible evidence left behind.

I've never worked in this area. Sorry, y'all. But, if you want to read about something interesting -- do a Web search for "Stuxnet".

Warning to all Readers

