Understanding forensic IT specialists' capabilities and defining their roles is critical to a successful engagement. Take these steps to ensure the candidate you're considering is right for the assignment.
☑ Determine if the engagement will be a matter of information preservation, financial or economic analysis, a review for relevant data captured during the forensic process, or something else.
☑ Decide the type of specialist you need. Does your case require a vendor relationship, in which the specialist would respond to requests and execute tasks as ordered? Or do you need a consultant who can play a role in setting strategy and establish a productive team environment?
☑ Verify experience. Ask for references and contact them. Determine if the specialist previously has been qualified as an expert in court. If not, ask about the specialist’s experience and work history. Experience managing multiple complex IT systems can be an advantage, especially if your case requires data collection. Work with counsel to determine if the specialist could be qualified as an expert witness in your case based on the facts and circumstances.
☑ Check for credentials. The International Information Systems Security Certification Consortium offers a Certified Information Systems Security Professional (CISSP) certification that requires a passing score on a written exam plus five years of professional experience in information security or four years of experience and a college degree or certain credentials. A CPA with knowledge of accounting and technology can be certified by the AICPA as a Certified Information Technology Professional (CITP) based on experience and education in seven technology-related areas.
☑ Ask about formal and continuing education, including courses the specialist has taken in the past 12 months. Continuing education is essential as the field continues to change rapidly.
☑ Ask about the specialist’s most recent case similar to your engagement. Specifically, you’ll want to hear about the number of reviewers and the hours required and testimony or other reports provided. Ask for a description of how the services contributed to the engagement’s objectives. It can be helpful to ask about the number of gigabytes collected and reviewed, but remember that differences in data type and size can skew the relevance of this statistic.
☑ Ask how processes and technology would be used to minimize the time and cost of your review. The review—the process of determining the relevance and responsiveness of the detail within the data captured during the forensic process—can be the most expensive and time-consuming part of the engagement. Confirm that the software used has been accepted by the courts and ask how data is safeguarded. Attorneys have used lapses in the evidence chain of custody and poorly documented evidence collection techniques to have evidence excluded.
☑ Confirm that the specialist is qualified to be an asset throughout the project life cycle, including offering competent, informative and persuasive testimony should the matter progress that far.
☑ Make sure the specialist is familiar with the Federal Rules of Civil Procedure, specifically the sections that address electronically stored information (16, 26, 33, 34, 37 and 45), the Federal Rules of Evidence and state-specific rules. For example, South Carolina requires that digital evidence collection be conducted by a licensed private investigator. However, the state does not require the person who examines the evidence for the purpose of giving an opinion to be licensed.
—By Marie Ebersbacher, CPA/ABV, CFE, a shareholder at Mayer Hoffman McCann PC in Los Angeles, and Scott Cooper, CMC, a senior managing director at FTI Consulting Inc. in Los Angeles. Their e-mail addresses, respectively, are email@example.com and firstname.lastname@example.org.