Computer Forensics

My Time With The Judge

By David Stenhouse

This computer forensics career has landed me in interesting projects working for interesting people, with a single matter standing out—United States v. Triumph Capital Group, Inc. I was 32 years old and thrust into a case that has become a cornerstone in my career, provided insight for a Federal Judge and helping him understand testimony of opposing computer forensics experts. I was the Judge’s personal expert.

The assignment placed me in a Bridgeport, Connecticut courtroom listening to the testimony of opposing computer forensics experts for a 5-day laptop evidence suppression hearing. While the government’s expert testified on how the laptop was collected, reviewed, and their findings, the defense put up their opposition to the government expert’s opinions. The Judge wanted to better understand the subject matter and didn’t want to rely on opposing views for his education. He wanted his own expert not swayed by either side. Insert me.

The Judge admittedly didn’t know much about computers. And while that brings about an image of an older person not keeping up with technology, his hiring of me was forward-thinking. He wanted a better understanding of computers to make a proper decision. Over two decades have passed, yet what I learned in that Connecticut courthouse was embedded in me and is still in use—the teaching of tech to clients.

Explaining The Complex In Simplistic Terms

Law firms hire experts to educate and opine on their matters. My boss at the time of this assignment was the person who lured me away from the public sector, telling me “You are always going to be educating attorneys and judges. That’s what we do”. Those words become more cemented in my mind as time goes on. In 2001, I was trying impress prospective clients with the wizardry of recovering deleted files, however, I have since learned my value is not tied to hardware or software. It is the ability to explain the complex in the most simplistic terms. Impatient individuals lacking communication skills can have a difficult time with this position.

There exists a view that to teach difficult subjects is to imagine the recipient as a 4th-grader, as if teaching the concepts to a child. I don’t like to view my clients as simplistic children. They are well-educated individuals dedicating most of each day to master their field. I do the same, so in that realm we are alike. With that in mind it’s best for me to explain a topic using analogies more in-line with the recipient’s age and expertise. Explaining how a computer’s filesystem is similar to a library card catalog may float right over a 23-year-old associate, yet it may click with a seasoned partner who grew up with the Dewey Decimal System.

The Judge

My 9-year law enforcement career had landed me in front of Judges before this role. The first experience was defending a traffic violation I had issued. The man behind the bench told me to calm down while I was rattling off memorized facts. Years later in my federal career, I found myself sitting on a Judge’s living room couch alongside an Assistant U.S. Attorney procuring a search warrant. Each time I found myself in front of a Judge, I was in a role to state facts and explain why those facts were important.

This latest assignment brought about a different experience. Judge Alan H. Nevas was more of a grandfather figure than an intimidating decision maker on the bench. A former U.S. Attorney for the District of Connecticut and appointed to the bench by President Reagan in 1985, he had 40 years of life experience beyond me. Yet he was kind, humorous, and inquisitive. Knowing I wasn’t acclimated to the role, he treated me well, understanding that I was to provide value to his work. I truly enjoyed our discussions, some of which ended in laughter.

I started the assignment by meeting his staff and unpacking a large box full of computer equipment, spreading it across his conference room table. While the group had lunch, I spent an hour or more using a PowerPoint presentation explaining how hard drives stored information and basic computer functions. Disassembling the computer and pulling components out, I described each part’s role in the computer’s operation. I then disassembled a hard drive and explained how files were stored, deleted, and further overwritten. All eyes in the room were focused on the computer guy.

Judge Nevas and his staff asked me questions like “when I do this with my computer, what happens?”—a perfect example why it is so important to understand what your own actions are causing on an electronic device, applying that to better understand what is occurring on another user’s similar device. Computers, cell phones, USB drives, and other storage devices generally operate in the same manner across similar types of devices and operating systems. After reviewing thousands of devices, I have seen that user habits tend to be similar no matter the demographic. I believe what a person finds on their own computer may be found likewise on another’s.

So, when I am asked to explain activity on an iPhone, I will turn it around and ask the client if they use an iPhone, going from there and trying to find some similarity between what I am describing and their own experience. It’s easier to explain technology to a person when they have seen it with their own eyes.

In The Courtroom

I would listen to the experts’ testimony while taking notes on a yellow legal pad, scribbling down points I thought the Judge may have not fully understood, basing those choices I garnered from our discussions. Trying to determine what a person fully knows about technology is never easy. Using technology and understanding what is happening in the background is akin to driving a car and knowing the mechanics of an engine’s operation. For most of us, the former is much easier than the latter. Yet now and then I am surprised by how much clients understand about how the latest tech functions.

Before I traveled to Bridgeport, I had been told the Prosecution and Defense were apprehensive about another expert having the Judge’s ear without either side knowing what I would be saying. My role was to not be one of presenting opinions on testimony, but one of a technical advisor. I was just there to explain the nuts and bolts of computers—a role that I took seriously. As the testimony rolled on from the government’s expert to the defense, I was impressed by both experts’ abilities to withstand hours of direct and cross examination. Yet, I didn’t take a side.

During breaks, I headed to his chambers with my notes in hand, sitting on his couch and discussing points where he needed further understanding. I had brought along a computer with my forensics tools installed and connected to a digital projector. I wanted him to see what and examiner sees, so if expert testimony included descriptions of a certain file type I would pull up the same type of file. Displaying this information on a conference room wall and allowing him to see it firsthand other than through the spoken testimony was valuable. If a Windows link file (a Windows “shortcut” file with a .lnk file extension) was mentioned, I would pull one up and view it with my tools, pointing out certain information the file recorded so he understood what the experts were describing. Once again, seeing it is better than hearing it.

I would catch the Judge locking eyes with me during testimony, prompting me to write down the subject at that moment for the next break. Sitting on his couch and going over basic computer functions with Judge Nevas made me a bit nervous. He was a client, yet he wielded a bit more of a background than most. Judges have always intimidated me, and they should. A Judge is my gatekeeper as an expert in the case before them. If the Judge says I’m not an expert, well…I’m not an expert. I worried about the information I was giving him, as I wanted it to be perfect and for him to have confidence in me.

An expert should be confident what they are explaining is landing on understanding ears, as the relationship is a two-way street. The expert may believe the client is understanding what is being explained. And the client may believe they also understand, however both may be wrong. I find this out when a client attempts to draft a legal document for me to sign. An attorney taking an expert’s finding and running with it may end up embarrassed if they did not fully understand what was being explained. As a result, the expert may not be fully trusted to convey facts or opine in future matters—a devastating blow to the expert’s reputation. I know the legal community talks and word gets around, so at my end getting this all correct is vital.

Do You Understand The Subject Matter?

Technical concepts are not easy for anyone. My clients undoubtably think I know more about technology than I really do, so I may have to first educate myself about what I am telling them. Occasionally they ask me questions for which I do not have an answer, requiring some research. This field is confusing enough with tech changing weekly, so my experience with any subject may be in its infancy at the time I am asked about it. While difficult to learn, technology can be understood by those that take the time to educate themselves. If you have paid an expert to explain technology, use their knowledge to educate you because receiving general information about the expert’s review of the evidence is only the beginning. As an example, if your expert provided you a list of deleted files from a computer examination, some insight into the list should follow about when the files may have been deleted, how, and possibly by whom?

What Do The Findings Mean To Your Case?

A finding that looks important to me may be irrelevant to my client. Sometimes I am kept in the dark with minimal direction at the beginning, so I don’t know for sure what is sought. Whatever direction I am given, none of it matters unless the client understands what I am telling them about what I found. How do they know if what I located can be applied to their matter?

On my engagements I like to ask my clients at the beginning if I was to provide information that helped them in their matter, what would it be? What is it that you hired me to find? What is it you think is buried in the data you are hoping I will locate? Somebody in a meeting decided to hire me. I want to know what was discussed just prior to that decision.

This seems to be advocacy; however the client’s answer provides me clarity in what they are seeking. Now we have a good path to understand what they believe I can do for them. I may not be successful at providing their dream scenario but I have have a good understanding what they are seeking. What I need to do next is make sure what they are hoping for is even possible, but that requires them to understand what is possible.

The Final Verdict

The experience speaks for itself. Over 20 years later, I am writing about my time with the Judge. It was my best education in this field, being tested in my ability to explain technology to someone who didn’t understand it. I needed Judge Nevas to comprehend how things worked so he could meld that information with the opposing experts’ opinions. My role has never changed—I am still helping legal personnel better understand how all of this electronic data is stored, used, and extracted in a format that can be easier to read. I enjoy that part of the work.

Quoted in Computerworld, Laptop Magazine, Businessweek, and other print and online news outlets, David Stenhouse brings 20+ years of computer forensics experience working with law firms and corporate clients. He is currently President of DS Forensics, Inc..

A former Special Agent in the U. S. Secret Service and Trooper with the Washington State Patrol, he is now so blessed to spend each day running a business with his best friend, high school sweetheart, and wife, Shay.